freewlan.info site report
Monday, 7. April 2008 17:36 - daniel - Server - 0 Comments
Some stuff has been going on behind the scenes at freewlan.info. Mainly, we moved some of the services from the other servers to my box.
The first step was to move addons.freewlan.info to my server. Our old host kicked the whole site off his server, because the update service created a too high load on his box. We were partly to blame, because we didn't spread the load of our update service properly, but it's still annoying if your website gets blocked without prior notice.
Well, in the end we moved the addons.freewlan.info stuff and with that the update service to my box, and updated the autoupdate function of the add-ons to spread the load better. I didn't had any problems on my server since. The main site remained on the old server.
The next step was to update the forums. phpBB released version 2.0.23. It was kinda trick to install it since we use a lot of plugin to counter spam, add functions for the admins and users and make phpBB generally behave like we want. But in the end we had a up to date board again ;). We also enabled some addition checks to prevent spambots from registering. Namely, some bots that use gmail.com addresses and a very distinctive usernames that may look like real ones but follow a clear pattern.
Recently, the svn and trac service was about to shut down. So I spend the whole day today to move svn and trac from the old box to mine. Both services seems to be running fine after I got the config right and installed all the previously enabled plug-ins for trac.
If you find errors or got suggestions, you can leave a comment or send me a mail to daniel@tac-ops.net (PGP Key) or server@freewlan.info.
SNAT
Thursday, 14. February 2008 8:32 - daniel - Server - 0 Comments
There was a litte problem with the new SPF records yesterday. I'm running openvpn on my server and use SNAT to send the traffic to another IP than the http, ftp, dns services are listening on. But apparently it also sent the traffic originating from my server from this IP. Atleast one mail server had problems with this:
<someuser@gmx.net> host mx0.gmx.de[213.165.64.100] said: 550-5.7.1 {mx090} The
recipient does not accept mails from 'tac-ops.net' over foreign
mailservers. 550-5.7.1 According to the domain's SPF record your host
'78.*.*.*' is not a designated sender. 550 5.7.1 (
http://portal.gmx.net/serverrules ) (in reply to RCPT TO command)
The solution was simple. Instead of directing all traffic I added an additional source IP match to the command.
From:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 78.b.c.d
To:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 78.b.c.d --source 10.8.0.0/24
SPF record
Monday, 11. February 2008 7:34 - daniel - Server - 0 Comments
I just created a SPF (wiki) record for tac-ops.net. If anyone experiences problems sending or receiving mail from tac-ops.net, let me know.
SSL for server2.dgb-gaming.com
Saturday, 20. October 2007 16:56 - daniel - Server - 0 Comments
We recently moved from NGZ to Hetzner. NGZ was a nice host, but they recently changed their price model, resulting in higher prices for our server.
The move gave me the opportunity to change a few things in the servers configuration, on of this is things is SSL for the web interface. SSL certificates are normally very expensive, but there are a few organisations that grant free class 1 certificates. One of them is startcom, a certification authority and linux vendor form Israel. You can even get a class 2 certificate (verification of your identity) for 20$. The startcom root cert is already recognized by a large number of browser and if your browser doesn't include it, you can install it.
Anyway, server2.dgb-gaming.com is now using SSL for http (including web interface, webmail, etc), FTP over SSL, imap/pop3-ssl and smtp-tls.
Poison for you mail server: virus scanning - Update
Sunday, 5. August 2007 22:07 - daniel - Server - 0 Comments
I'm running spamassassin + clamav on my server to filter spam and virus emails. This is pretty effective and keeps my inbox nearly 100% clean. But this also has some downsides. Over the last few days I received hundreds of email bounces. Everyone of these messages is passed through the scanners. The result was a 14 hour email queue and a load of nearly 2 on my 2500+ AMD Athlon box. Since that box is also used as a webserver I had a problem. The solution was to disable clamav.
Without clamav parsing every message, the quese was gone within minutes and the load dropped to a normal value. I have no idea why clamav needs that much processor time, but if you have load problems on you system with a similar setup, consider disabling the anti virus scanner.
[Update Oct. 21, 2007]
You can avoid this by using clamav-daemon instead a direct call to clamav. Syscp's default is a direct call to clamav. Not very clever if you ask me.