Tuesday, December 11, 2007

Securing OpenBSD web serv

The OpenBSD team prides itself on producing one of the most—if not the most—secure operating systems in the world. If you are concerned about keeping the sensitive data within your organization protected, consider OpenBSD. As a member of the 4.4BSD-lite family of operating systems, OpenBSD sets itself apart by claiming to be "secure by default". The basis for this claim is the diligence of the OpenBSD code auditing team and the inclusion of military grade cryptography in the base system (including Kerberos, OpenSSH, and IPSec). OpenSSH runs best on OpenBSD (as it was developed by the OpenBSD team).

You can install OpenBSD in a couple of ways. The easiest method is to order the OpenBSD CD-ROM from the OpenBSD ordering page. The OpenBSD team, headed by Theo de Raadt, relies on the sale of these CD-ROM packages for its financial survival, so it prefers that users choose this method. Installation via CD-ROM is outlined in detail inside the CD case.

The second—and faster—way of installing OpenBSD is over the Internet via FTP or HTTP. Though this install is free, a post-installation courtesy is to order the CD-ROM anyway, make a donation to OpenBSD, and/or buy a limited edition OpenBSD T-shirt or poster.

This tutorial demonstrates a network install of the OpenBSD operating system, along with PHP4 and MySQL. It presents an advanced system administrator build, which assumes basic knowledge of the VI editor.

[Author's Note: Because OpenBSD is a Canadian-made product, export of the security suite and source code is not restricted in any way. However, while U.S. readers can download (import) OpenBSD, exporting or re-exporting cryptographic software from the US is still a serious criminal offence. For those of you living in the US, do not attempt to export the OpenBSD operating system once you've downloaded it. If you are an American citizen located outside the US, do not download OpenBSD from an American site. You have been warned! Of course, downloading OpenBSD from an American site to an American location is fine. Always choose the server nearest you.]

Create OpenBSD Boot Floppy
OpenBSD runs on a number of hardware platforms. The following directions are somewhat specific to "IBM PC" aka "Intel/AMD" architecture machines. To install OpenBSD over the network, your host computer needs either a floppy or a CD-ROM drive and an Ethernet card that OpenBSD can recognize. So check your hardware first. If you use an Intel-based system, your information is under i386.

To create a bootable CD-ROM, you need a CD burner and CD creation software. To simplify the multi-step process of creating the floppy boot install disk on Windows, which is somewhat involved, I developed an installer package. I did not alter the boot installer in any way, but if you prefer to receive the software directly from the OpenBSD site, you'll find it in the tools section of the 3.6 release site. Navigate to your relevant hardware and download the necessary files.

To complete the example install, you need 1-3 floppy disks and a standard 1.44M floppy drive on your Windows computer. For a standard build, you need only the first disk. The second disk is for special RAID and SCSI situations, and the third is for laptops. This tutorial uses Windows 2000, but floppy disk creation should work seamlessly with Windows NT and XP as well. If you use an older DOS system or Windows 95/98, then you must use the fdimage.exe file included in the downloadable openbsd36_floppy_install.zip file (with documentation).

The following steps will guide you through a Windows 2000, XP, and NT OpenBSD boot floppy creation:

1. Download the OpenBSD 3.6 floppy images.
2. Format your floppy disk: My computer –> 3 1/2 floppy A: –> right click –> format.
3. Place the directory openbsd36_floppy_install on your c:\ drive as C:\openbsd36_floppy_install.
4. Open a dos prompt and type:

cd C:\openbsd36_floppy_creation

5. Now that openbsd36_floppy_creation is your working directory type:

ntrw floppy36.fs a:

For a standard Intel architecture, you need only the first disk. If the first disk does not take you to the install screen (or you are using a laptop), you may have to make one or two more floppy boot disks. Again, format your second and third floppy disks, then type the following, respectively (see Figure 1):

ntrw floppyB36.fs a:
ntrw floppyC36.fs a:
Figure 1. OpenBSD Floppy Creation (Win2000)

Put your newly created floppy boot installer in the a: drive of the computer on which you want to install OpenBSD. Make sure your CMOS is set up to boot from floppy first, and then boot from hard drive second.

To complete the install, you need an Ethernet card that OpenBSD supports. The networking setup procedure is quite straightforward. The following instructions explain how to set up DHCP for a DSL connection. At each listed prompt, just follow the instructions:

1. Would you like to (I)nstall, (U)pgrade, or (S)hell? Choose I. ENTER.
2. Terminal type? ENTER
3. Do you wish to select a keyboard-encoding table? Choose no. ENTER.
4. Proceed with install? Press y. ENTER.
5. Which one is the root disk? Choose "(or 'done')[wd0]". ENTER.
6. Do you want to use *all* of wd0 for OpenBSD? Choose no. ENTER.
7. fdisk: 1>q. ENTER.
8. Initial label editor (Enter '?' for help at this prompt.)
9. At the ">" prompt, TYPE "?". ENTER.

The tools you see are part of the OpenBSD label/partition editor. The disk label editor screen might not look pretty, but it is very powerful. The most important commands for a basic install are 'a' for add partition, 'd' for delete partition, 'p' for print label, and 'q' for quit. OpenBSD requires a manual file system setup. During this process 'm' is for megabytes and 'g' is for gigabytes. This tutorial assumes you are installing OpenBSD on a system dedicated to OpenBSD. (For dual boot issues, see the FAQ.)

Configure the File Structure and the Network
Now on with the install. First, clear the possibility that OpenBSD recognized an existing partition on your hard-drive by typing the following:

z a. ENTER.

The "z" command zeroes the partitions, leaving only C. Author Note: Thanks to Joel Dinel for the partition zeroing hint.

Now you can add the file structure. This consists of / (root), swap, /tmp, /var, /usr, and /home. File size is an important consideration:

* The root / must be at least 150m; 500m is recommended.
* /tmp can be as small as 150m. Performance can increase if this is larger.
* /var should be larger for a server because /var/www and /var/mail can fill up quickly (especially if you expect to handle larger mail attachments).
* swap should be twice the size of the RAM you have or twice the size of the RAM you expect to have.
* 512MB of RAM makes a swap space of 1,024MB ideal. One gig of RAM makes two gigs of swap space.
* /usr and /home need to be larger if you are creating a desktop workstation with X Windows.

I am using a 10GB hard drive. You should use values that make sense for your situation. Keep in mind that the values for offset will differ depending on the size of your hard drive. The following instructions create the basic file structure for the operating system:

TYPE: a a. ENTER.
offset:[63]. ENTER.
size:500m. ENTER.
FS type: [4.2BSD]. ENTER.
mount point:[none] /. ENTER.

TYPE: a b. ENTER.
offset:[614880]. ENTER.
size: [19386045] 1024m. ENTER.
FS type: [swap]. ENTER.

TYPE: a d. ENTER.
offset: [2712528]. ENTER.
size: [17288397] 500m. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /tmp. ENTER.

TYPE: a e. ENTER.
offset: [3327408]. ENTER.
size: [16673517] 3g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /var. ENTER.

TYPE: a f. ENTER.
offset:[5425056]. ENTER.
size: [14575869] 2g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /usr. ENTER.

TYPE: a g. ENTER.
offset: [9619344]. ENTER.
size: [10381581] 2g. ENTER.
FS type: [4.2BSD]. ENTER.
mount point: [none] /home. ENTER.

Now that you have created the file structure, write the changes:

TYPE: p. ENTER.

This shows the partitions you are about to create. Leave a little extra space for future changes (like RAM upgrades, or log files filling /var) or leave the size of the g partition unspecified and g will use up the rest of your hard disk:

TYPE: q. ENTER.
Write new label? Choose y. ENTER.

Now, cycle through the options you have created. Hit ENTER until the /home directory appears, then type "done".

The next step destroys all existing data on these partitions:

Are you sure that you're ready to proceed? TYPE: y. ENTER.

You will be prompted for a system hostname. Use any name you like. I used the name ftknox.

The following steps guide you through configuring the network using DHCP:

* Configure the network? Choose yes. ENTER.
* If you are using an Ethernet card that is supported by OpenBSD, then you should be prompted to initialize an interface. Press ENTER.
* Symbolic (host) name for vr0? TYPE: "([ftknox] dlink530TX)". ENTER. You should see the speed options for your Ethernet card.
* Do you want to change the media options? Choose no. ENTER.
* IPv4 address for vr0? (or 'none' or 'dhcp') TYPE: dhcp. ENTER.
* Enter your DNS domain name and the address of your DNS nameserver.
* Default IPv4 route? Choose dhcp. ENTER.
* Edit hosts with ed? Choose no. ENTER.
* Do you want to do any manual network configuration? Choose no. ENTER.
* Password for root account? Do not use any word in any language. Numbers and letters and special characters are best in combination.

Now that the network and file structure configuration is done, it is time to access an (F)TP server to install the operating system:

Where are the install sets? (or 'done') TYPE: f ENTER.
HTTP/FTP proxy URL? (e.g., 'http://proxy:8080'. or 'none') Choose none. ENTER.
Display the list of known FTP servers? Choose yes. ENTER.

Find the server that is closest to you (heeding the warnings from the introduction regarding international distribution):

* Server? (IP address, hostname, list#, 'done' or '?') TYPE: "ftp.openbsd.org". ENTER.
* Does the server support passive mode FTP? Choose yes. ENTER.
* Server directory? Choose pub/OpenBSD/3.6/i386. ENTER.
* Login? Choose anonymous. ENTER.

The following sets are available:

* File name? (or 'done') [bsd.mp] TYPE all. ENTER.
* File name? (or 'done') TYPE: "-game36.tgz". ENTER.
* File name? (or 'done') TYPE: "done". ENTER.
* Ready to install sets? TYPE: "yes" ENTER.

And away you go. You are now installing the entire OpenBSD operating system over the Internet to your host (server) computer. So depending on your connection speed, this could take minutes or hours. If it works, you will see various messages about getting somefile.tgz, followed by a percentage. Of course, 100 percent is the target.

Then you will be prompted with the following questions:

* Where are the install sets? (or 'done') TYPE: done ENTER.
* Start sshd(8) by default? Choose yes. ENTER.
* Do you expect to run the X window System? Choose either yes or no. ENTER. (I personally believe that X Windows has no place on a server, but you may think differently.)
* Change the default console to com0? Choose no ENTER.
* Set your time zone. This one's self-explanatory.

You should now have a congratulations screen and a root prompt. Take your boot floppy out of the a: drive and TYPE halt. Reboot your machine to start using OpenBSD. Because you chose to start sshd by default, you will notice that it has generated new DSA and RSA host keys. This is excellent. OpenSSH runs seamlessly with OpenBSD because the same people make both. For further information, read the OpenSSH FAQ. The afterboot section of the man pages offers a wealth of information that you should read as well:

TYPE: "man afterboot".

One of the strengths of OpenBSD is the high quality of its man pages. Make sure you read these before attempting to post a question on any OpenBSD forum. (Browsing Hint: Page Up and Page Down move you through the man pages; ENTER scrolls one line; TYPE "q" to quit.)

Set Up SU
To use su, you must first create a regular user, which you will log in as for day-to-day work:

1. Log in as root.
2. TYPE: "adduser".
3. Choose your favorite shell. I use the default [sh].
4. Use the default login class.
5. Use the default Home partition: [/home].

Continue using the defaults, unless you have a special situation. I choose not to send a message to myself and to be prompted for passwords by default. One thing I do change is the password encryption method. Blowfish is my algorithm of choice (and is likely the default). Enter username and full name when prompted.

Now continue as root:

1. TYPE: "vi /etc/group".
2. The top line should read: "wheel:*:0:root".
3. TYPE "i" to enter vi insert mode.
4. Move to the end of the first line using the right arrow.
5. Add a comma and the username of the user you just created. (e.g., wheel:*:0:root,user1)
6. Press ESC and TYPE ":wq" to write the file and exit vi.

Test this out:

1. Press CTRL-ALT-F2 to open a new login screen.
2. Log in as the new user you just created.
3. TYPE "su".
4. Enter your root password.

You should once again have a root prompt ‘#’. Use this prompt to install the ports and package collections. The following section shows you how.

Install Ports and the Package Collection
Now that su is set up and working, OpenBSD’s functionality expands considerably with the installation of both the ports and the packages collections. Installing new functionality on OpenBSD requires root privileges (either a direct root login or root obtained via su). All of the following instructions require that you be logged in as the SuperUser (root).

Issue the following commands to install several thousand program skeletons:

1. ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/ports.tar.gz
2. mv ports.tar.gz /usr
3. cd /usr
4. tar -xzf ports.tar.gz

Pop back into your open root console:

TYPE: CTRL-ALT-F1.

Notice that true root keeps track of all uses of su. Press ENTER to get your prompt back, and type "login". Log in as the user you created. Type "su", enter the root password, and voila!

Using Ports: Invoking the tcsh Shell
All of the ports work in a similar fashion. Navigate to the port directory you want and type "make && make install" within the port directory that includes the Makefile. For example, to install the tcsh shell:

1. TYPE: "cd /usr/ports/shells/tcsh".
2. TYPE: "make && make install".

And that is the basic formula for installing ports. Many ports, like tcsh, have special instructions that appear during or following the install. In this case:

1. TYPE: "vi /etc/shells".
2. Add the line /bin/tcsh to this file.
3. Save and quit (ESC, :wq).

At the root prompt, type "/usr/local/bin/tcsh" to invoke the tcsh shell. I like this shell for its up-arrow command history function (never type the same thing twice). You can perform subsequent invocations of this shell by typing tcsh at the command prompt. I suggest continuing to use the tcsh shell for the rest of the tutorial.

Packages Collection
The packages collection is the preferred way of installing software onto your OpenBSD system. Packages "automagically" install the required dependencies. As with the Ports system, you must be logged in as the SuperUser (root). You can browse the packages online. (Note: Intel architecture is i386.) Tell pkg_add where to find the packages via FTP. Do not attempt to install packages from an older or a newer release number of OpenBSD. Because this tutorial builds OpenBSD version 3.6, make sure you get the packages from the version 3.6 folder (setenv as seen below):

TYPE setenv PKG_PATH ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/

Install MySQL and PHP
Install MySQL4:

TYPE: "pkg_add mysql-server-4.0.20.tgz"

Note the instructions on the screen. You will return to this after you install PHP.

Install PHP4:

TYPE pkg_add php4-core-4.3.10.tgz

Enable the PHP4 module:

TYPE /usr/local/sbin/phpxs -s
TYPE cp /usr/local/share/doc/php4/php.ini-recommended /var/www/conf/php.ini

Install PHP4_MySQL4 connectivity:

TYPE pkg_add php4-mysql-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mysql

Enable MCRYPT:

TYPE pkg_add php4-mcrypt-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mcrypt

Enable MHASH:

TYPE pkg_add php4-mhash-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a mhash

Enable IMAP:

TYPE pkg_add php4-imap-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a imap

Enable DOMXML:

TYPE pkg_add php4-domxml-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a domxml

Enable PEAR libraries:

TYPE pkg_add php4-pear-4.3.10.tgz

Use PHP to manipulate graphics:

TYPE pkg_add php4-gd-4.3.10-no_x11.tgz
TYPE /usr/local/sbin/phpxs -a gd

Enable CURL:

TYPE pkg_add php4-curl-4.3.10.tgz
TYPE /usr/local/sbin/phpxs -a curl

Create MYSQL passwords and user:

TYPE /usr/local/bin/mysqld_safe &
TYPE /usr/local/bin/mysqladmin -u root password mypassword

Access the server with your new password:

TYPE /usr/local/bin/mysql -u root -p

Enter your password at the prompt. You should see the mysql prompt. A problem with MySQL is that it ships with two anonymous users who have no passwords. Change this within MySQL by entering the following (Note: the '' marks are two single quotation marks in a row):

mysql> TYPE SELECT Host, User FROM mysql.user;
mysql> TYPE SET PASSWORD FOR ''@'localhost' = PASSWORD('newpwd');
mysql> TYPE SET PASSWORD FOR ''@'host_name' = PASSWORD('newpwd');

Change ''@'host_name' to the value that corresponds to the name you gave your system, displayed on your screen under Host where User = root (e.g., lockdown.cyborgspiders.com):

mysql> TYPE exit

Now that you are back at the '#' prompt, TYPE ps to verify that mysqld_safe is still running.

Edit APACHE httpd.conf file:

1. vi /var/www/conf/httpd.conf
2. Change the email address for ServerAdmin to you@youraddress.com.
3. Change your ServerName to a valid DNS entry. If you do not have a valid DNS name for your host, enter the IP address associated with your LAN.
4. TYPE ifconfig -a to find the INET address associated with your working Ethernet card.
5. Find the line that says inet 192.168.1.106 or some similar value.
6. Find the line AddType application/x-httpd-php .php and remove the leading comment character '#'.
7. Also, you must add php to the Apache DirectoryIndex: DirectoryIndex index.html index.php (Optionally, add index.phtml, index.php4, and index.php3.)
8. Exit vi with a forced save: press ESC and TYPE ":wq!" ENTER.

Starting and Stopping APACHE as the SuperUser
To start Apache:

TYPE apachectl start (c as in current, t as in table, l as in linux)

To stop Apache:

TYPE apachectl stop (c as in current, t as in table, l as in linux)

Start Apache now. Then navigate to the htdocs directory to test PHP:

TYPE cd /var/www/htdocs
TYPE ls

You are now viewing the htdocs directory. This is the directory from which Apache serves files to the world:

TYPE lynx 127.0.0.1

This should show you a congratulations screen. Apache is running with the index.html file.

For PHP to work, you must create an index.php file:

TYPE vi index.html

Remember, press i for insert mode. Beneath the tag, add . Press ESC, then TYPE ":wq index.php". This saves the file as index.php with your changes. Test this out:

TYPE lynx 127.0.0.1/index.php

You should see a very detailed display about your new PHP-enabled Apache Web server. Read through it. Notice how the variables in the httpd.conf file and the php.ini file affect the output. Depending on your purposes, you will want to make configuration changes to these files. (Note: the Apache documentation is installed by default. To avoid embarrassment (and death threats) on the mailing lists, RTFM.)

Connect to MySQL Using PHP
To connect to MySQL from PHP, you need to create a new PHP document:

vi mysql.php


PHP MySQL connection test



Mission Accomplished
If you followed these directions correctly, you now have the magic key to OpenBSD 3.6, Apache 1.3.29 mod_ssl/2.8.16, OpenSSL/0.9.7d, MySQL 4.0.20, and PHP 4.3.10. NEVER GIVE UP ROOT! OpenBSD ships "secure by default", meaning all non-essential services are disabled. The OpenBSD code-auditing team promotes open source as the only real solution to a truly transparent security model. This working model greatly simplifies the system administrator’s security duties. Security becomes a consideration prior to implementing new services rather than an after-the-fact, hole-plugging technique.

OpenBSD also ships with Apache chrooted by default. While this will create some challenges for the system admin with certain programs, the benefit is that should Apache become compromised the cracker will not have write access to the operating system. Running Apache "jailed" restricts the daemon from "seeing" beyond the root directory of the chrooted directory (the cracker may not get beyond read access to Apache).

While not immune to security breaches, OpenBSD takes a proactive stance against cracking techniques. Buffer overflow attacks are historically a weak point in *nix systems, so OpenBSD has taken measures to protect the stack and to ensure that no page is both writeable and executable at the same time. It is a credit to the OpenBSD community that security announcements are few and far between.

Proactive security, however, is a continual process. Keeping up to date is important. To receive security announcements from OpenBSD, send an email to OpenBSD.org with "subscribe security-announce" in the message body.

Security concerns need to be based on the value of your data. My next article will demonstrate how to use SSH to remotely administer your OpenBSD/Apache/PHP/MySQL Web server.

MySQL Master Master Replication

MySQL Master Master Replication Tutorial

This tutorial describes how to set up MySQL master-master replication. We need to replicate MySQL servers to achieve high availability (HA). In my case I need two masters that are synchronized with each other, so that if one of them goes down the other can take over and no data is lost. Similarly, when the first one comes back up, it will still be used as a slave of the live one.

Here is a basic step-by-step tutorial that covers MySQL master-slave replication first and then extends it to master-master replication.

Naming: system 1 is master1 (and, later, slave2); system 2 is master2 (and slave1).
Step 1:

Install MySQL on master1 and slave1, and configure networking on both systems, for example:

Master 1/Slave 2 ip: 192.168.16.4
Master 2/Slave 1 ip : 192.168.16.5


Step 2:

On Master 1, make changes in my.cnf:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
old_passwords=1

log-bin
binlog-do-db= # input the database which should be replicated
binlog-ignore-db=mysql # input the database that should be ignored for replication
binlog-ignore-db=test

server-id=1

[mysql.server]
user=mysql
basedir=/var/lib


[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Step 3:

On master 1, create a replication slave account in mysql.

mysql> grant replication slave on *.* to 'replication'@'192.168.16.5' identified by 'slave';

and restart the mysql master1.


Step 4:

Now edit my.cnf on Slave1 or Master2 :

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
old_passwords=1

server-id=2

master-host = 192.168.16.4
master-user = replication
master-password = slave
master-port = 3306

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Step 5:

Restart MySQL on slave1 and, at the mysql prompt, run:

mysql> start slave;
mysql> show slave status\G


*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.16.4
Master_User: replica
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: MASTERMYSQL01-bin.000009
Read_Master_Log_Pos: 4
Relay_Log_File: MASTERMYSQL02-relay-bin.000015
Relay_Log_Pos: 3630
Relay_Master_Log_File: MASTERMYSQL01-bin.000009
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 4
Relay_Log_Space: 3630
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 1519187

1 row in set (0.00 sec)

The Master_Log_File and Relay_Log_File rows above should name the related log files, and both Slave_IO_Running and Slave_SQL_Running must be Yes.


Step 6:

On master 1:

mysql> show master status;
+------------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------------+----------+--------------+------------------+
|MysqlMYSQL01-bin.000008 | 410 | adam | |
+------------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

The above scenario is master-slave; now we will create the reverse slave-master relationship on the same two systems, so that together they work as master-master.


Step 7:

On Master2/Slave1, edit my.cnf and add the master entries to it:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
server-id=2

master-host = 192.168.16.4
master-user = replication
master-password = slave
master-port = 3306

log-bin #information for becoming master added
binlog-do-db=adam

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid


Step 8:

Create a replication slave account on master2 for master1:

mysql> grant replication slave on *.* to 'replication'@'192.168.16.4' identified by 'slave2';


Step 9:

Edit my.cnf on master1 to add the information about its master:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1


log-bin
binlog-do-db=adam
binlog-ignore-db=mysql
binlog-ignore-db=test

server-id=1
#information for becoming slave.
master-host = 192.168.16.5
master-user = replication
master-password = slave2
master-port = 3306

[mysql.server]
user=mysql
basedir=/var/lib


Step 10:

Restart both mysql master1 and master2.

On mysql master1:

mysql> start slave;

On mysql master2:

mysql> show master status;

On mysql master1:

mysql> show slave status\G


*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.16.5
Master_User: replica
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: Mysql1MYSQL02-bin.000008
Read_Master_Log_Pos: 410
Relay_Log_File: Mysql1MYSQL01-relay-bin.000008
Relay_Log_Pos: 445
Relay_Master_Log_File: Mysql1MYSQL02-bin.000008
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 410
Relay_Log_Space: 445
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 103799
1 row in set (0.00 sec)

Check the Slave_IO_Running and Slave_SQL_Running rows and make sure both are Yes. Now you can create tables in the database and you will see the changes on the slave. Enjoy!!
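As an added example that is not part of this tutorial, the following POSIX shell script checks a master-master pair built as in Steps 7 through 10. It reads the two my.cnf files and confirms that the server-ids differ, that log-bin is set on both nodes and that each master-host points at the other node; it then parses the text of show slave status\G and fails when either replication thread is stopped, Last_Errno is set, or Seconds_Behind_Master exceeds a threshold (the first status listing above, 1519187 seconds behind, would fail that check even though both threads say Yes). The function names, file arguments, lag threshold and the embedded sample data are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity checks for a MySQL
# master-master pair. Assumes settings live under [mysqld] in my.cnf as
# "key=value" / "key = value", and status text comes from "show slave status\G".
# All sample data below is constructed for the example.

# Print the value of one [mysqld] setting from a my.cnf file (first match).
cnf_get() {   # $1 = my.cnf path, $2 = setting name
    awk -v key="$2" -F'=' '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t#].*$/, "", v); print v; exit
        }' "$1"
}

# Succeed if a bare option line such as "log-bin" appears under [mysqld].
cnf_has_flag() {   # $1 = my.cnf path, $2 = option name
    awk -v key="$2" '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && $1 == key { found = 1 }
        END { exit !found }' "$1"
}

# Check that two my.cnf files describe a consistent master-master pair:
# 1 = clashing/missing server-id, 2 = no binary log, 3 = master-host is not the peer.
check_mmr_config() {   # $1 node1 cnf, $2 node1 addr, $3 node2 cnf, $4 node2 addr
    id1=$(cnf_get "$1" server-id); id2=$(cnf_get "$3" server-id)
    [ -n "$id1" ] && [ -n "$id2" ] && [ "$id1" != "$id2" ] || return 1
    cnf_has_flag "$1" log-bin && cnf_has_flag "$3" log-bin || return 2
    [ "$(cnf_get "$1" master-host)" = "$4" ] || return 3
    [ "$(cnf_get "$3" master-host)" = "$2" ] || return 3
}

# Read "show slave status\G" on stdin: 1 = a thread is stopped, 2 = Last_Errno
# is set, 3 = lag unknown (NULL) or above $1 seconds, 0 = healthy.
check_slave_status() {   # $1 = maximum acceptable Seconds_Behind_Master
    awk -v max_lag="$1" -F': *' '
        { sub(/[ \t\r]+$/, "", $2) }
        $1 ~ /^[ \t]*Slave_IO_Running$/      { io = $2 }
        $1 ~ /^[ \t]*Slave_SQL_Running$/     { sql = $2 }
        $1 ~ /^[ \t]*Last_Errno$/            { errno = $2 }
        $1 ~ /^[ \t]*Seconds_Behind_Master$/ { lag = $2 }
        END {
            if (io != "Yes" || sql != "Yes") exit 1
            if (errno != "0") exit 2
            if (lag == "NULL" || lag + 0 > max_lag + 0) exit 3
        }'
}

# Constructed samples modelled on Steps 7 and 9 (node1 = 192.168.16.4, node2 = 192.168.16.5).
sample_cnf_node1() { cat <<'EOF'
[mysqld]
log-bin
binlog-do-db=adam
server-id=1
master-host = 192.168.16.5
[mysqld_safe]
pid-file=/var/run/mysqld/mysqld.pid
EOF
}
sample_cnf_node2() { cat <<'EOF'
[mysqld]
server-id=2
master-host = 192.168.16.4
log-bin #information for becoming master added
binlog-do-db=adam
EOF
}
# Constructed status excerpt: both threads running but 17 days behind the master.
sample_status_lagging() { cat <<'EOF'
*************************** 1. row ***************************
       Slave_IO_State: Waiting for master to send event
          Master_Host: 192.168.16.4
     Slave_IO_Running: Yes
    Slave_SQL_Running: Yes
           Last_Errno: 0
Seconds_Behind_Master: 1519187
EOF
}
sample_status_healthy() { sample_status_lagging | sed 's/^\(Seconds_Behind_Master:\).*/\1 0/'; }

# Stand-alone run: report both checks on the samples.
main() {
    c1=$(mktemp) && c2=$(mktemp) || exit 1
    sample_cnf_node1 > "$c1"; sample_cnf_node2 > "$c2"
    check_mmr_config "$c1" 192.168.16.4 "$c2" 192.168.16.5 && echo "config: ok" || echo "config: rc=$?"
    sample_status_lagging | check_slave_status 300 && echo "status: ok" || echo "status: rc=$?"
    rm -f "$c1" "$c2"
}
main
```

In practice you would feed check_slave_status from "mysql -e 'show slave status\G'" on a schedule and alert on any non-zero return; a lag threshold is worth choosing deliberately, since the Yes/Yes pair alone does not tell you that the two masters are actually in step.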

Saturday, December 01, 2007

The story goes that a little girl who had just started school asked her mother..
'Mama, mama? What is sex, Ma?'..

The mother was startled.. She thought of how modern times have made people more open-minded. In keeping with the concept of sex education that was such a hot topic, the mother began searching for an answer suitable for her child, hoping her daughter would not be caught up in the current of global education.

So the mother began to explain what sex is using the analogy of the bee and
the flower, followed by how a baby forms in the womb, and slipped in the love
story of mama and papa from their college days up to the arrival of the pretty
one, namely the daughter who was asking..

Suddenly the child burst into sobs. The mother, puzzled, asked why.
The child answered through her tears..
"Mommy's answer is so long, but the space for the answer is only short, look..." she said as she
handed over an exercise book with this written on its cover:

NAME :...........
SEX :............
CLASS :..........
SUBJECT:..........

Saturday, November 24, 2007

Getting ready to try this on a WAP54G whose Ethernet port is already broken :(



Posted: Wed Sep 27, 2006 10:17 am    Post subject: Easy success on WAP54G v2 MDG2
I installed the latest DD-WRT (v23 SP2) on two WAP54G's here, and had great success!

I made the mistake a while ago of buying WAP54G instead of the more powerful (and cheaper!) WRT54G. And they were selling WRT54G v4's by the pallet load back then, too, sigh.... I'm glad DD-WRT micro edition now works on WAP54G as well as the newer crippled WRT54G v5 and v6's.

Everything worked the first time :)

That is something that did NOT happen when running the original Linksys firmware (2.08)! What a headache that was to keep running. The things lost connection all the time.

Now, DD-WRT is rock solid. The micro generic version worked great.

Some instructions to clarify:

1) After doing the full factory reset of your original Linksys firmware, go to this "secret" webpage and make sure both are set to Disable. Click Apply and then Go Home. Otherwise, you'll get that stupid "You cannot downgrade the firmware" error. BTW, there is no need to rename .bin to .trx, as other pages suggested in the past. Flashing the .bin file worked just fine for me.

http://192.168.1.245/fw-conf.asp

2) After flashing with DD-WRT micro generic, the reset button no longer worked. I was able to do a factory reset from the web interface, and that seemed to work just as well.

3) Your MAC address will get corrupted after doing the upgrade. It will get changed to 00-90-4C-60-04-01. You can keep this if you want, but since I had 2 WAP54G's on my network, they needed to be different. So, I "cloned" the MAC address back to what I had originally!

4) On WAP54G, the LAN and wireless ports seem to be the same thing, and the WAN port does not exist. Changing the MAC address of the LAN also affects the wireless, and vice versa!

5) Since there's no WAN port, set WAN to disabled and firewall to off, and disable other stuff you can find that uses the WAN. Turn off DHCP server, set gateway to Router instead, disable routing, and so forth. This will also free up some memory, which will help your stability.

I also installed DD-WRT standard generic edition on a sweet WRT54G v4 that was up at my parent's house. Gave them some more range, and got my Dad interested in wireless stuff, by watching the live signal bars go back and forth. Now my Dad's moving the laptop around and trying to find the strongest spot that is still convenient :)

Thanks for this great firmware, I will definitely be donating....

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=5025&highlight=wap54g+radius

Sunday, November 18, 2007

6.14 - How can I do equal-cost multipath routing?
Equal-cost multipath routing refers to having multiple routes in the routing table for the same network, such as the default route, 0.0.0.0/0. When the kernel is doing a route lookup to determine where to send packets destined to that network, it can choose from any of the equal-cost routes. In most scenarios, multipath routing is used to provide redundant uplink connections, e.g., redundant connections to the Internet.
The route(8) command is used to add/change/delete routes in the routing table. The -mpath argument is used when adding multipath routes.

# route add -mpath default 10.130.128.1
# route add -mpath default 10.132.0.1
Verify the routes:
# netstat -rnf inet | grep default
default 10.130.128.1 UGS 2 134 - fxp1
default 10.132.0.1 UGS 0 172 - fxp2

In this example we can see that one default route points to 10.130.128.1 which is accessible via the fxp1 interface, and the other points to 10.132.0.1 which is accessible via fxp2.
Since the mygate(5) file does not yet support multipath default routes, the above commands should be added to the bottom of the hostname.if(5) files for the fxp1 and fxp2 interfaces. The /etc/mygate file should then be deleted.

/etc/hostname.fxp1
!route add -mpath default 10.130.128.1
/etc/hostname.fxp2
!route add -mpath default 10.132.0.1

Lastly, don't forget to activate the use of multipath routes by enabling the proper sysctl(3) variable.

# sysctl net.inet.ip.multipath=1

# sysctl net.inet6.ip6.multipath=1
Be sure to edit sysctl.conf(5) to make the changes permanent.
Now try a traceroute to different destinations. The kernel will load balance the traffic over each multipath route.

# traceroute -n 154.11.0.4
traceroute to 154.11.0.4 (154.11.0.4), 64 hops max, 60 byte packets
1 10.130.128.1 19.337 ms 18.194 ms 18.849 ms
2 154.11.95.170 17.642 ms 18.176 ms 17.731 ms
3 154.11.5.33 110.486 ms 19.478 ms 100.949 ms
4 154.11.0.4 32.772 ms 33.534 ms 32.835 ms

# traceroute -n 154.11.0.5
traceroute to 154.11.0.5 (154.11.0.5), 64 hops max, 60 byte packets
1 10.132.0.1 14.175 ms 14.503 ms 14.58 ms
2 154.11.95.38 13.664 ms 13.962 ms 13.445 ms
3 208.38.16.151 13.964 ms 13.347 ms 13.788 ms
4 154.11.0.5 30.177 ms 30.95 ms 30.593 ms

For more information about how the route is chosen, please refer to RFC2992, "Analysis of an Equal-Cost Multi-Path Algorithm".
It's worth noting that if an interface used by a multipath route goes down (i.e., loses carrier), the kernel will still try to forward packets using the route that points to that interface. This traffic will of course be blackholed and end up going nowhere. It's highly recommended to use ifstated(8) to check for unavailable interfaces and adjust the routing table accordingly.



Source: http://www.openbsd.org/faq/faq6.html#Multipath
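To act on that last caveat, here is an added example (not part of the OpenBSD FAQ and not ifstated(8) itself) that decides, per uplink, whether its -mpath default route should be added or deleted from the interface's carrier state. It assumes ifconfig(8) reports "status: active" / "status: no carrier", that "netstat -rnf inet" prints the interface as the last column, and that "route delete -mpath default GATEWAY" removes just that one multipath entry.

```shell
#!/bin/sh
# Added example, not from the OpenBSD FAQ: a small link watcher for the two
# multipath default routes above. It prints the route(8) command needed so a
# dead uplink's route stops blackholing traffic; run it from cron or an
# ifstated(8) "run" hook and execute (or log) what it prints.

# mpath_action IFACE GATEWAY IFCONFIG_OUTPUT NETSTAT_OUTPUT
# Prints "route add ...", "route delete ..." or "noop".
mpath_action() {
    iface=$1; gw=$2; ifcfg=$3; rt=$4

    # carrier state, as reported by ifconfig(8) (assumed wording)
    if printf '%s\n' "$ifcfg" | grep -q 'status: active'; then
        link_up=1
    else
        link_up=0
    fi

    # the route is present when a "default" line names this gateway
    # and this interface (interface is the last column of netstat -rnf inet)
    if printf '%s\n' "$rt" | awk -v g="$gw" -v i="$iface" \
        '$1 == "default" && $2 == g && $NF == i { found = 1 } END { exit !found }'
    then
        have_route=1
    else
        have_route=0
    fi

    if [ "$link_up" -eq 1 ] && [ "$have_route" -eq 0 ]; then
        echo "route add -mpath default $gw"
    elif [ "$link_up" -eq 0 ] && [ "$have_route" -eq 1 ]; then
        echo "route delete -mpath default $gw"   # assumed delete syntax
    else
        echo "noop"
    fi
}

# Constructed sample output: fxp1 has carrier, fxp2 has lost it, yet both
# routes are still in the table (the blackhole case the FAQ warns about).
SAMPLE_FXP1='fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active'
SAMPLE_FXP2='fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: no carrier'
SAMPLE_ROUTES='default            10.130.128.1       UGS        2      134     -     fxp1
default            10.132.0.1         UGS        0      172     -     fxp2'

# Live use: mpath_action fxp1 10.130.128.1 "$(ifconfig fxp1)" "$(netstat -rnf inet)"
mpath_action fxp1 10.130.128.1 "$SAMPLE_FXP1" "$SAMPLE_ROUTES"   # noop
mpath_action fxp2 10.132.0.1   "$SAMPLE_FXP2" "$SAMPLE_ROUTES"   # route delete -mpath default 10.132.0.1
```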
A comparison between using curly braces {} and not using them.
It turns out that international websites, like Yahoo and its close friends, don't like NAT based on device.
From experience, YM and mail.yahoo get sluggish and sometimes won't open at all when the NAT uses {}.

An example of NAT that runs well:


nat on $ext_if inet from -> $ext_ip
nat on $ext_if inet from -> $ext_ip
nat on $ext_if inet from -> $ext_ip
nat on $ext_if inet from !$ext_if to -> $ext_rad

rdr on $int_if inet proto tcp from to any port $redirect -> $proxy
rdr on $int_if inet proto tcp from to any port $redirect -> $proxy

Thursday, November 15, 2007

Junos 2300 Recovery Mode

Hit [Enter] to boot immediately, or space bar for command prompt.

ok boot -s
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

root@SURAKARTA> configure
Entering configuration mode
The configuration has been changed but not committed

[edit]
root@SURAKARTA# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root@SURAKARTA# commit
commit complete

[edit]
root@SURAKARTA#
root@SURAKARTA# exit
Exiting configuration mode
root@SURAKARTA> quit

Reboot the system? [y/n]y


http://www.juniper.net/techpubs/software/junos/junos81/jweb81-user-guide/jN23F2A.html

Wednesday, October 03, 2007

msdriveE: restore your old messages
After installing msdriveE you'll see that all your old messages are gone.

(source:tyRion)
"if you want to keep all the messages you had on your phone you're going to have to copy over all the folders from c:\system\mail to e:\system\mail

(FExplorer won't let you copy files within folders within folders; what happens is it copies the contents of a selected folder and pastes it to the current folder)

So what you do is go to C:\System (on your phone, via FExplorer) and copy Mail (press 1). Move to E:\System\Mail\ and paste (7), overriding all existing files.

Then go back to C:\System\Mail\ and copy 00001001_S.
Back to E:\System\Mail\00001001_S and paste [tip * goes back to the drive select screen]

Here is where the annoyance starts
Go to C:\System\Mail\00001001_S and copy "0"
Paste this in E:\System\Mail\00001001_S\0

Repeat through all the hex numbers 0-f

You may have to repeat this for the 00100000_S folder if you use MMS but this was empty on mine."


After you've done all this you have to copy the file index from c: to e:.
However, this is not allowed, as the index in e:\system\mail is being used by the phone. First copy c:\system\mail\index to any other location (say e:\index).
Then shut down your phone -> remove the MMC -> restart -> go to messages.
It'll say that "MMC unavailable, device mem. will be used".
Now cut e:\index (or whichever location you used) and paste it in c:\system\mail -> override the existing file.
Run msdriveE again and your problem is solved.

Saturday, September 29, 2007

Password Recovery on a Cisco Router

1. Press Ctrl-Break; the result will look like this:
rommon 1>
# Boot the router and interrupt it with Ctrl-Break right as the router is powered on
2. Then enter the following command:
rommon 1>confreg 0x2142
rommon 2>
# Change the configuration register so the router does not load its configuration from NVRAM
3. Press i (initiate) to reload the router:
rommon 2> i
# The router will restart
4. Enter privileged mode:
Router>ena
Router#
5. Copy startup-config to running-config:
Router#copy start run
Router#
6. Change the enable secret:
Router#conf t
Router(config)#enable secret new
7. Change the configuration register back to the default (0x2102):
Router(config)#config-register 0x2102
Router(config)#
8. Copy running-config to startup-config:
Router(config)#exit
Router#copy run start
Router#
9. Check the configuration register in show version:
Router#show version
Configuration register is 0x2142 (will be 0x2102 at next reload)
Router#
10. Reload the router:
Router#reload

Thursday, September 27, 2007

"Adding static routes" - Huzeyfe Önal - (2006-01-18 13:00:04) [2393]

How to save routing entries in OpenBSD?

1) create file /etc/routes in the following format:

[-net | -host] destination gateway

where destination and gateway can be symbolic names if you have entries in /etc/networks and /etc/hosts respectively, or have a running DNS in the latter case.

For example:
-net acct 10.0.255.251
10.10.0.0 gate02


2) put these into /etc/netstart:

if [ -f /sbin/route ]; then
    if [ -f /etc/routes ]; then
        # one route per line: [-net | -host] destination gateway
        while read -r line; do
            case "$line" in
                ''|'#'*) continue ;;   # skip blank lines and comments
            esac
            /sbin/route add $line      # unquoted on purpose: the line is split into arguments
        done < /etc/routes
    fi
else
    echo "$0: /sbin/route does not exist"
    exit 1
fi

From the OpenBSD tech@ mailing list (radecki).

Monday, September 24, 2007

Out of inodes

This article shows you how I dealt with an "out of inodes" problem.
I was installing the entire ports tree on a new box. It froze. So I restarted it. Then it froze again. OK, this time I noticed the following messages on the console:
Jul  5 14:25:48 little /kernel: pid 431 (cpio), uid 0 on /usr2: out of inodes
Jul 5 14:26:19 little last message repeated 2550 times
Jul 5 14:28:20 little last message repeated 10276 times
Jul 5 14:28:25 little last message repeated 451 times

inode background
The problem is that we didn't have enough inodes. This is a common problem when you have many files of a small size. If you look at the man page for newfs, you'll see the following:
-f frag-size
    The fragment size of the file system in bytes. It must be a power
    of two ranging in value between blocksize/8 and blocksize. The
    default is 1024 bytes.
-i number of bytes per inode
    Specify the density of inodes in the file system. The default is
    to create an inode for every (4 * frag-size) bytes of data space.
    If fewer inodes are desired, a larger number should be used; to
    create more inodes a smaller number should be given. One inode
    is required for each distinct file, so this value effectively
    specifies the average file size on the file system.

As you can read, with lots of small files, you'll quickly use up the inodes. When you install the ports system, you are adding lots of small files.


Create a new file system
Here's how I created a new file system. Note that this removes all files from the device. Make a backup first if you wish to retain anything.

In the message log, it mentions /usr2. If you look at the output from mount, you can see which device is out of inodes. The default value for bytes per inode is 4096. So by specifying 1024 below, I have effectively increased the number of inodes by a factor of 4. In other words, we can now have four times as many files as we used to have. We'll use this as a starting point and see how it goes.

# mount
/dev/wd0s1a on / (local, writes: sync 424 async 2307)
/dev/wd0s1f on /usr (local, writes: sync 3 async 2158)
/dev/wd0s1e on /var (local, writes: sync 2086 async 7972)
procfs on /proc (local)
/dev/wd1s1e on /usr2 (local, writes: sync 8360 async 12055)

You can see that /usr2 is actually /dev/wd1s1e. So that's the device which needs to be modified. On my file system, /usr2 contained only the ports directory.

# umount /dev/wd1s1e
# newfs -i 1024 /dev/wd1s1e
newfs: /dev/wd1s1e: not a character-special device
Warning: Bytes per inode restrict cylinders per group to 12.
Warning: 2448 sector(s) in last cylinder unallocated
/dev/wd1s1e: 415344 sectors in 102 cylinders of 1 tracks, 4096 sectors
202.8MB in 9 cyl groups (12 c/g, 24.00MB/g, 20672 i/g)
super-block backups (for fsck -b #) at:
32, 49184, 98336, 147488, 196640, 245792, 294944, 344096, 393248,
# mount /dev/wd1s1e
# cd /usr

The next step is to recreate my symbolic links back to /usr/ports:

# cd /usr2
# mkdir ports
# ln -s /usr2/ports /usr/ports

http://www.freebsddiary.org/inodes.php
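Two checks that would have shortened this story, as an added example that is not part of the FreeBSD Diary article: spot a partition running out of inodes from "df -i" before cpio starts failing, and estimate how many inodes a given newfs -i density yields. It assumes FreeBSD's "df -i" column order (Filesystem, 1K-blocks, Used, Avail, Capacity, iused, ifree, %iused, Mounted on); the df lines below are constructed.

```shell
#!/bin/sh
# Added example, not from the FreeBSD Diary article.

# inode_hotspots THRESHOLD
# Reads `df -i` output on stdin and prints "mountpoint percent" for every
# file system whose inode usage is at or above THRESHOLD percent.
inode_hotspots() {
    awk -v t="$1" '
        NR > 1 && $8 ~ /%$/ {          # skip the header; $8 is %iused
            p = $8; sub(/%/, "", p)
            if (p + 0 >= t) print $9, p
        }'
}

# estimate_inodes SIZE_BYTES BYTES_PER_INODE
# Rough inode count newfs(8) creates for a partition of SIZE_BYTES at a given
# -i density (ignores cylinder-group overhead, so newfs reports a bit less).
estimate_inodes() {
    echo $(( $1 / $2 ))
}

# Constructed sample: /usr2 (the ports partition) has plenty of free blocks
# but almost no free inodes, which is exactly the "out of inodes" symptom.
SAMPLE_DF='Filesystem  1K-blocks   Used  Avail Capacity iused  ifree %iused  Mounted on
/dev/wd0s1a     99183  40125  51124    44%   1975   9111   18%   /
/dev/wd0s1f    202671  60133 126325    32%   5612  20722   21%   /usr
/dev/wd1s1e    201183 120894  64195    65%  51774    246  100%   /usr2'

# Live use would be:  df -i | inode_hotspots 90
printf '%s\n' "$SAMPLE_DF" | inode_hotspots 90          # prints: /usr2 100

# 415344 sectors * 512 bytes, as in the newfs output above, at the default
# density (4096) versus the -i 1024 used in the article: about 4x the inodes.
estimate_inodes $((415344 * 512)) 4096                  # 51918
estimate_inodes $((415344 * 512)) 1024                  # 207672
```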

Thursday, September 13, 2007

DHCP Mikrotik


[tonix@Markothil] > /ip pool add name=dhcp-on-lab ranges=192.168.14.1-192.168.14.40
[tonix@Markothil] > /ip dhcp-server network add address=192.168.14.0/26 gateway=192.168.14.62 dns-server=10.40.0.100
[tonix@Markothil] > /ip dhcp-server add interface=to-clients address-pool=dhcp-on-lab
[tonix@Markothil] > /ip dhcp-server enable 0
Mikrotik (tested @ ICT Lab)

Next, here are the commands for sharing bandwidth per connected computer, better known as PCQ (Per Connection Queue):

[tonix@Markothil] > /ip firewall mangle add chain=forward src-address=192.168.14.0/26 action=mark-connection new-connection-mark=koneksi-pengguna
[tonix@Markothil] > /ip firewall mangle add connection-mark=koneksi-pengguna action=mark-packet new-packet-mark=pengguna chain=forward

[tonix@Markothil] > /queue type add name=pcq-donlod kind=pcq pcq-classifier=dst-address
[tonix@Markothil] > /queue type add name=pcq-uplod kind=pcq pcq-classifier=src-address

[tonix@Markothil] > /queue tree add parent=to-clients queue=pcq-donlod packet-mark=pengguna
[tonix@Markothil] > /queue tree add parent=to-Public queue=pcq-uplod packet-mark=pengguna


The theory:


Another option for this bandwidth management method is when you want Mikrotik to divide the bandwidth equally, say 256kbps downstream and 256kbps upstream. If 10 clients are accessing it, each client automatically gets an upstream and downstream share of 256kbps divided by 10, i.e. 25.6kbps each. If only 2 clients are accessing, each gets 128kbps.

For that, the PCQ (Per Connection Queue) type is used, which can automatically divide traffic per client. The queue types in Mikrotik are described in the manual at http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php.

First, rules need to be created in the MANGLE section, such as:

——————————————————————–
/ip firewall mangle add chain=forward src-address=192.168.0.0/27 action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet new-packet-mark=users chain=forward

Since the PCQ type does not exist yet, it needs to be added; there are 2 of these PCQ types. The first is named pcq-download, which manages all traffic by destination address. This traffic passes through the Local interface, so all download/downstream traffic coming from the 192.168.0.0/27 network is divided automatically.

The second PCQ type, named pcq-upload, manages all upstream traffic by source address. This traffic passes through the Public interface, so all upload/upstream traffic originating from the 192.168.0.0/27 network is divided automatically.

Commands:
————————————————————————-
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
————————————————————————-

After the PCQ and Mangle rules have been added, the rules for dividing the traffic follow. The queue used is the Queue Tree, namely:

————————————————————————-
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
————————————————————————-
The commands above assume that the bandwidth received from the Internet provider fluctuates or changes. If we are certain of the bandwidth received, say 256kbps downstream and 256kbps upstream, then there is another set of rules, such as:

For the downstream traffic:
————————————————————————
/queue tree add name=Download parent=Local max-limit=256k
/queue tree add parent=Download queue=pcq-download packet-mark=users
————————————————————————-

And for the upstream traffic:
—————————————————————————
/queue tree add name=Upload parent=Public max-limit=256k
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
—————————————————————————
----- named.conf ------
acl "xfer" {
202.202.202.2/32; // e.g. the domain's secondary NS
};

acl "trusted" {
// Place here the IP address blocks you allow
// to perform recursive queries
// add more as needed

202.202.202.0/24; // for example
192.168.0.0/24; // LAN
localhost; // this server
};

acl "bogon" {
// Remove or comment out your own LAN from this bogon acl
// (unallocated ranges change over time; refresh this list from a current bogon source before use)

0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
192.0.2.0/24;
// my LAN 192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};

logging {
channel default_syslog {
syslog local2;
severity debug;
};

channel audit_log {
file "/var/named/named_audit.log";
severity debug;
print-time yes;
};

category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};

options {
directory "/etc/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
memstatistics-file "/var/named/named.memstats";
dump-file "/var/adm/named.dump";
zone-statistics yes;

// guards against DoS attacks that create
// bogus zone transfer requests, which
// can slow down zone transfers
// between the other authoritative servers
notify no;

// efficient zone transfers
transfer-format many-answers;

// maximum zone transfer time in seconds
// increase it if your zone files are large
// and need more than 1 minute to transfer
max-transfer-time-in 60;

// no dynamic interfaces
interface-interval 0;

// only allow zone transfers from the IP addresses
// listed in the xfer acl
allow-transfer { xfer; };

// queries may only be made by the trusted acl
// prevents our DNS server from being used by the public
allow-query { trusted; };

// reject everything coming from the bogon acl
blackhole { bogon; };
};

view "internal-in" in {

// for recursion
// reachable by the clients in the trusted acl
// put internal or test domains here

match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;

zone "." in {
type hint;
file "cache.db";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.db";
allow-query { any; };
allow-transfer { none; };
};

zone "kecoak.lab" in {
type master;
file "zone/kecoak.lab.db";
};

zone "0.168.192.in-addr.arpa" in {
type master;
file "zone/192.168.0.db";
allow-query { any; };
};
};

view "external-in" in {

// if the DNS server also acts as an authoritative server
// put your domains here
// reachable by everyone
// but recursion is not allowed

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;

zone "." in {
type hint;
file "cache.db";
};

zone "contoh1.com" in {
type master;
file "zone/contoh1.com.db";
allow-query { any; };
};

zone "contoh2.com" in {
type master;
file "zone/contoh2.com.db";
allow-query { any; };
};

zone "202.202.202.in-addr.arpa" in {
type master;
file "zone/202.202.202.db";
allow-query { any; };
};
};

view "external-chaos" chaos {

// visible to everyone

match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "bind.db";

// change to any if you intend to reveal the BIND version
// e.g. when it is checked by dnsreport.com
allow-query { trusted; };
allow-transfer { none; };
};
};
----- end of named.conf -----

Now create the bind.db file in /etc/named/ (adjust it to the named.conf configuration above) with the following contents:

----- bind.db -----
; thanks to Rob Thomas - robt_at_cymru.com
;
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2006070407 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.

version.bind. CHAOS TXT "Ini Bukan DNS server bapakmu!"
authors.bind. CHAOS TXT "seseorang yang lebih hebat dari saya!"
----- end of bind.db -----

Monday, May 07, 2007

In Memoriam of 24 February 2007

It still feels like a dream, and I keep hoping it is, but when I wake up I can't deny it, even when I try to force myself to feel that this is only a dream, however bad that dream may be. Because this is the reality, this really happened... this really, truly happened... and I have to admit it... I have to realize it... this is a reality that I never wanted myself or anyone else to go through.

That day... was so bright... there was no sign of rain at all, truly a very bright Saturday. Everything went as usual, except for one thing... that day I had an event to attend, the client training at SMK 1 Skh. Toni was the one giving it; he really is smart, I really admire him. I arrived late at ICT, because the Diknas planning office had taken me to lunch first at Waduk Mulur; by the time I got to ICT the second session had already started. I met Toni and Ferdy too... Toni's face at that time was so tired... and he looked very dizzy, how to put it... just worn out, a face that can't be described in words, a mix of tiredness, headache and pain... but amazingly he still smiled while presenting the material to the trainees, and was even very patient in answering every question.

At that time he needed a laptop, so we went to get one from Diknas; on the way he didn't stop talking, he talked more than usual, and I chose to be the listener, because I knew it was probably an outlet for the tiredness in his body and mind, and he just wanted someone willing to listen to him, just listen...
Seeing him like that, I was frustrated that I couldn't help him; if only I had mastered the client training material and had a little courage, maybe Toni wouldn't have had to work this hard, right?
During the break, Toni, Ferdy and I chatted; Ferdy and I tried to take a photo of Toni, who looked a bit glum, and he really was. Hey, that was when I got a surprise from P. Jat, who gave me a phone credit gift because, according to him, my IP was okay. Oh yes, funnily enough Toni was confused about how to use the digital camera; I figured it was because he had too much on his mind. Ferdy and I just laughed and Ferdy said: so smart, but can't even turn it on...
In the middle of the event, when people had just started making straight and cross cables, Toni, P. Darno and I joked around, chatted a lot, and even talked about Ferdy, who had just been approached by Ika. At that moment he looked better... more cheerful... or more precisely a little cheerful... and even more cheerful when he was busy chatting on YM with his friends in between coaching me for the CCNA exam.
Actually I already wanted to go home, but then someone said that CCNA exams 5-10 were active; I figured rather than at an internet cafe, better at ICT, and besides, Toni and Ferdy were there to ask questions. But it was already very late in the afternoon; if I wanted to take the exam at ICT, how would I get home? So I told Toni, and he said he would take me home later, and besides, the training would be over soon, so OK... I took the exam at ICT.
That YM chat was about his birthday, you know, but he wouldn't admit it... typical.
Then after finishing the exam, I asked to go home, Toni said sure, but P. Darno wouldn't let us, told us to wait and go together later. We waited a long time; I saw Toni already looked really tired, so I told Ferdy that he should be the one to take me home. Ferdy agreed, then told Toni, who was fine with it too, but again P. Darno wouldn't let us. The annoying thing was that all that evening there was no such thing as dinner. By then the clock showed 21.00.
After waiting a very long time, at around 22.15 we went home, but went to the toilet first, needed to go. Toni waited for me and carried my bag again; then, when we were ready to leave with me riding with P. Darno, Toni's vehicle key turned out to have been left behind. While waiting for Toni to get the key from the lab, Ferdy and I walked to the gate to get my helmet from the security post. I told Ferdy, Toni is sleepy and tired, so you should be the one driving later. Ferdy said OK, because he also fully understood that Toni was tired, sleepy and hungry too. After all, Toni wouldn't ride with P. Darno either; he wanted to ride his motorbike, so the only way was for Ferdy to drive.
But it turned out... he didn't want that either, he wanted to drive, and said it's fine, really.
Then we stopped to eat at the lesehan food stall of P. Item, Solo Baru. Then, amazingly, P. Darno had a plan to go to Tawangmangu with P. Marmut and P. Danang, if I have the names right, to refresh, he said; because taking me home was too much of a detour, I would swap with Ferdy. Ferdy didn't want to go to TW, so then Toni alone would go to TW and I would go home with Ferdy, but Toni didn't want that either. Besides, it was odd... already tired, and late at night too, going all the way to TW just to refresh, wouldn't the trip make you even more tired?
Ugh, I don't understand what the idea was that night... I already felt sorry seeing Toni that tired still being asked to go all the way to TW, and at 8 the next morning he had to give the training again.... but indeed Toni himself didn't want to either; he said he'd rather go home and sleep.
The result: I went with Toni, and Ferdy was taken home by P. Darno. Toni and I took the fast, short route, but I forgot it was night... however bright a road is in the daytime, it turns dark without lights. We overshot, almost reaching the Solo-Jogja road, then I asked him to go back to the original road; finally we found the right road, but because it was quiet Toni went a bit fast and almost went into a rice-field ditch. Then we reached Tugu Lilin, and Toni started going slower, and even said that tomorrow, when it was daytime and bright, he'd take me along that road where we got lost to see whether it really came out on the Solo-Jogja road. At the time I just said yes, because I was half curious too. Then we reached the Windan area after the railway crossing; somehow I saw someone pushing a cart, at first I thought it was stopped but it was moving, and I was even more shocked when I realized Toni was going straight towards that cart. I shouted: watch out Ton... he just asked: what, mbak...? as if he was startled too, and too late... we had already hit the cart. At that moment I didn't know how I fell; from the moment I realized there was a moving cart, Toni seeming not to see it, and me shouting watch out, it was all very fast... too fast... if it had been one second slower, maybe it wouldn't have happened like this...
What I do remember is that I immediately stood up looking for Toni... I could hear the man pushing the cart saying: what happened just now, how could it end up like this... I glanced at the cart man, thinking maybe Toni was near him, but no... Toni was on the road in front of me. I ran towards him, shouting and calling him, he didn't answer; I reached him lying face down, pulled his body up and cradled his head; at that moment I panicked so much seeing the blood that almost covered his whole face. I shouted his name, patted his cheeks, told him not to pass out, to stay conscious, and shouted for help to take him to hospital. By then I was almost desperate, seeing Toni only staring at me with blood flowing from his eyes and nose, and even more desperate, only able to shout his name and call for help when he seemed to lose consciousness. I called on Allah's name, why did this happen, why... at that moment I was still begging Allah that this was only a dream. I was so panicked and confused that I even imagined what if he died; I felt I had no strength at all, and it felt like forever until people came to help and a car stopped to take us to the hospital. Only then did I remember to look for where Toni's motorbike was; it turned out it had already been parked at Bu Sum's ayam bakar.
At first I wanted to help lift him into the car, but they wouldn't let me; those people told me to sit in front. The trip to the hospital felt so long; I could only cry and hand tissues to the people holding Toni to wipe his blood. Although many tried to calm me and advised me to stay calm, no... at that moment I was like a half-crazy person... crying and crying, shouting for Toni hoping he would answer my call. I even pushed the car's owner to drive faster, even though I knew he was already doing his best. When we were almost at Yarsis I tried to call P. Darno, but his name seemed to have disappeared from my phone list; I kept searching... but it wasn't there... Then as soon as we got to Yarsis I jumped out and ran to the emergency room asking them to help Toni quickly. Then, after Toni was in the ER, and I wasn't allowed to wait with him because I wouldn't stop crying, I was told to wait outside. I tried to contact P. Darno again; this time the name was in the list, but he didn't answer. Then I called Ferdy; as soon as it connected I said Toni and I had had an accident and Toni was in the ER now. When Ferdy asked which hospital, I was confused and asked, half shouting, whoever was there, what hospital is this? and someone answered Yarsis.
Only after that did I call my parents.
I sat down weakly... why, why, why... that's all that was in my head... the questions from the people who had helped me I answered like passing wind... then a nurse called me and explained that Toni was fine, just slightly amnesic because he couldn't remember how it had happened... I just cried and got scolded by the nurse; I didn't care, I told her I was in shock, but she didn't seem to understand my feelings, maybe she did, but at least explain it in a slightly gentler tone... that nurse could only treat a hurting body but couldn't calm a heart.
Then Mom and Dad came, followed by Ferdy and P. Darno, P. Marmut, P. Danang, or whatever their names are. I showed them where Toni was being treated, but I wouldn't go in to see, I wouldn't be able to bear it... Ferdy tried to calm me; Mom told me to stop crying and say istighfar, to pray that Toni would be alright, and to be grateful that I was alright. Then Pak Kas and his family came. I then asked Ferdy to come to the mosque so I could wash my hands, which were still covered in Toni's blood. I tried not to cry anymore... so people wouldn't worry anymore... but actually I still felt as if I was dreaming... as if I didn't want to accept that something like this had happened...
Then, when I came back from the mosque, Toni had been moved to first class, Al Fajr; when I got there I saw Dad, P. Marmut and P. Dodi keeping watch. Ferdy went with P. Darno to fetch Toni's parents. Toni looked cold, one eye bandaged; I went to him, trying to hold back my tears, trying to smile, and whispered: hi Ton... I was so grateful he still recognized my voice, he replied: hi mbak...
how are you, Ton?
I'm fine, mbak, how about you, mbak?
I'm fine too... say istighfar, Ton...
and he nodded and immediately said istighfar...
Then Dad asked me to go home, since there were already people watching over Toni, namely P. Marmut and P. Dodi, and maybe Pak Kas too, because when I left he was just going to Toni's room.
Sunday morning, Lutfi and I visited Toni... and I tried not to look sad in front of Toni; I tried to stay calm and smile, even laugh when asked to tell how it happened. I hoped Toni didn't notice how hollow my laugh was, because I just wanted to cry every time I looked at him; it hurt. I tried to keep Toni patient and in good spirits facing all this, because seeing Toni trying to be patient and strong could heal the pain in my heart, the pain of feeling guilty... why did I take the CCNA exam at ICT, why didn't I just insist on being taken home by Ferdy, why couldn't I force Toni to go with P. Darno and let Ferdy take me? why was I taken home by Toni? if only Toni hadn't taken me home...
I was grateful when Toni said he could go home that night, but I had to accept the sad news in the morning that he needed an operation, because a bone supporting his cornea was cracked and his nasal bone was broken. By then he had moved to D-17; I visited him after the operation, he was just sleeping. I looked at him sadly... I didn't know how I could help ease his pain; I got sadder when he complained of aches and pain; I didn't know how to relieve him of all that, even of the hospital costs, which were not small; all I could do was comfort him with words and keep smiling, though my smile probably felt very bitter...
Now I'm grateful that he is healthy and in good spirits again, especially since he'll be back at work soon.
I know and believe there is wisdom in all of this, and Allah will not give anyone a trial beyond that person's capacity.
I'm very grateful that Allah loves me and Toni so much....
right, Ton....
I apologize for all of this... sorry if anything is missing from this story; I really don't want to remember this event, and maybe that's also why some memory of how I fell is a little closed off, I don't know... I don't remember at all; all of that is a miracle from Allah.

Monday, January 22, 2007

OpenBSD DHCP Server

####################
# DHCP Server
####################



[root@dikpora /root]$ nano -w /etc/rc.conf
dhcpd_flags="" # for normal use: ""



[root@dikpora /root]$ nano -w /etc/dhcpd.interfaces

# $OpenBSD: dhcpd.interfaces,v 1.1 1998/08/19 04:25:45 form Exp $
#
# List of network interfaces served by dhcpd(8).

rl1


[root@dikpora /root]$ nano -w /etc/dhcpd.conf
# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network: 192.168.1.0/255.255.255.0
# Domain name: dikpora.smk2-solo.sch.id
# Name servers: 192.168.10.1
# Default router: 192.168.1.1
# Addresses: 192.168.1.2 - 192.168.1.50
#
shared-network LOCAL-NET {
option domain-name "dikpora.smkn2-solo.sch.id";
option domain-name-servers 192.168.10.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;

range 192.168.1.2 192.168.1.50;
}
}



[root@dikpora /root]$ touch /var/db/dhcpd.leases
[root@dikpora /root]$ reboot
[root@dikpora /root]$ ps ax | grep dhcpd
22945 ?? Is 0:00.00 /usr/sbin/dhcpd rl1