Computer Networks

Difference between multiplexing and multistreaming

2012-01-27T00:05:00.000+05:30

Multiplexing sends data from multiple sources to a single tape or disk device. This is useful if you have a tape or disk device that writes faster than a single system can send data, which (at this point) is just about every tape device.

Multiplexing does require tuning considerations with regards to restoration of the data. Generally speaking, the higher the multiplexing setting you use, the greater impact it can have on performance of an individual stream from within the set of multiplexed data. (If you're recovering all streams multiplexed together, MPX should have minimal impact on restore performance.) If NBU multiplexed several backups together, and you're only restoring one of them, it has to read all of the backups and throw away what it doesn't need. This reduces the overall effective throughput of the drive. If it reduces that speed to a speed slower than the bandwidth you have available for the restore, then it will slow you restore down.

Multistreaming establishes multiple connections, or threads, from a single system to the backup server. This is useful if you have a large system with multiple I/O devices and large amounts of data that need backing up.

Multistreaming also requires planning for implementation. To run effectively it needs to be able to get all needed resources at the same time to provide the shortest possible backup window. It also needs to be tested against the source storage to find the optimal number of streams that can be run. The more drives that are added will increase the backup speeds until the point where the source storage cannot provide the data any faster. At this point the backup times will start to increase because the storage is at 100% utilization.

The good news about Multistreaming is that it is able to shorten restore times for the same data. In general the destination storage will have a bottleneck at the writing of the data. With proper tuning of NUMBER_DATA_BUFFERS and SIZE_DATA_BUFFERS combined with fast tape and disk drives, restores in a Multistreaming configuration can approach a 1:1 ratio. This is a very good thing with respect to Disaster Recovery / Business Contingency.

Checkpoint restart

2012-01-26T02:30:00.001+05:30

Checkpoint restart is a facility offered by some database management systems (DBMSs) and backup-restore software. Checkpoints are taken in anticipation of the potential need to restart a software process.

Many ordinary batch processes on impersonal computers are time-consuming, as are backup and restore operations. They consist of many units of work. If checkpointing is enabled, checkpoints are initiated at specified intervals, in terms of units of work or of processing time. At each checkpoint, intermediate results and a log recording the process's progress are saved to non-volatile storage. The contents of the program's memory area may also be saved.

The purpose of checkpointing is to minimize the amount of time and effort wasted when a long software process is interrupted by a hardware failure, a software failure, or resource unavailability. With checkpointing, the process can be restarted from the latest checkpoint rather than from the beginning.

Checkpoint Frequency

Checkpoints should occur frequently enough to minimize wasted effort when a restart is necessary but not so frequently as to prolong the process unduly with checkpoint overhead. Optimal checkpoint frequency depends on the mean time between failures (MTBF), among other factors.

Disk Staging

2012-01-26T00:47:00.000+05:30

Disk staging is using disks as an additional, temporary stage of backup process before finally storing backup to tape. Backups stay on disk typically for a day or a week, before being copied to tape in a background process and deleted afterwards.

The process of disk staging is controlled by the same software that performs actual backups, which is different from virtual tape library where intermediate disk usage is hidden from main backup software. Both techniques are known as D2D2T (disk-to-disk-to-tape).

Data is restored from disk if possible. But if the data exists only on tape it is restored directly (no backward-staging on restore).

Reasons behind using D2D2T:

increase performance of small, random-access restores: disk has much faster random access than tape
increase overall backup/restore performance: although disk and a tape have similar streaming throughput, you can easily scale disk throughput by the means of striping (and tape-striping is a much less established technique)
increase utilization of tape drives: tape shoe-shining effect is eliminated when staging (note that it may still happen on tape restores)

Synthetic Backups

2012-01-26T00:33:00.000+05:30

A synthetic backup is identical to a regular full backup in terms of data, but it is created when data is collected from a previous, older full backup and assembled with subsequent incremental backups. The incremental backup will consist only of changed information. A synthetic backup would be used when time or system requirements do not allow for a full complete backup. The end result of combining a recent full backup archive with incremental backup data is two kinds of files which is merged by a backup application to create the synthetic backup. Benefits to using a synthetic backup include a smaller amount of time needed to perform a backup, and system restore times and costs are reduced. This backup procedure is called "synthetic" because it is not a backup created from original data.

Data Encryption

2012-01-26T00:18:00.000+05:30

Data Encryption Standard (DES) is a widely-used method of data encryption using a private (secret) key that was judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

DES applies a 56-bit key to each 64-bit block of data. The process can run in several

modes and involves 16 rounds or operations. Although this is considered "strong" encryption, many companies use "triple DES", which applies three keys in succession. This is not to say that a DES-encrypted message cannot be "broken." Early in 1997, Rivest-Shamir-Adleman, owners of another encryption approach, offered a $10,000 reward for breaking a DES message. A cooperative effort on the Internet of over 14,000 computer users trying out various keys finally deciphered the message, discovering the key after running through only 18 quadrillion of the 72 quadrillion possible keys! Few messages sent today with DES encryption are likely to be subject to this kind of code-breaking effort.

DES originated at IBM in 1977 and was adopted by the U.S. Department of Defense. It is specified in the ANSI X3.92 and X3.106 standards and in the Federal FIPS 46 and 81 standards. Concerned that the encryption algorithm could be used by unfriendly governments, the U.S. government has prevented export of the encryption software. However, free versions of the software are widely available on bulletin board services and Web sites. Since there is some concern that the encryption algorithm will remain relatively unbreakable, NIST has indicated DES will not be recertified as a standard and submissions for its replacement are being accepted. The next standard will be known as the Advanced Encryption Standard (AES).

when to use Authorization Manager (AzMan)

2012-01-14T23:21:00.000+05:30

Authorization Manager (AzMan) enables you to define individual operations, which can be grouped together to form tasks. You can then authorize roles to perform specific tasks and/or individual operations. AzMan provides an administration tool as a Microsoft Management Console (MMC) snap-in to manage roles, tasks, operations, and users. You can configure an AzMan policy store in an XML file, Active Directory, or in an Active Directory Application Mode (ADAM) store.
ASP.NET version 2.0 role management provides an API that enables you to manage application roles and users' membership of roles. By configuring the ASP.NET role manager to use the AuthorizationStoreRoleProvider, you can use the role management API against an AzMan policy store.
The AuthorizationStoreRoleProvider does not support AzMan business rules ("BizRules"), which are scripted extensions to authorization checks, because the current role manager implementation does not have the concept of extended data that can be passed along during an authorization check. To use AzMan BizRules, you need to use COM interop

Data deduplication Drawbacks and concerns

2012-01-08T11:02:00.001+05:30

Whenever data is transformed, concerns a rise about potential loss of data. By definition, data deduplication systems store data differently from how it was written. As a result, users are concerned with the integrity of their data. The various methods of deduplicating data all employ slightly different techniques. However, the integrity of the data will ultimately depend upon the design of the deduplicating system, and the quality used to implement the algorithms. As the technology has matured over the past decade, the integrity of most of the major products has been well proven.

One method for deduplicating data relies on the use of cryptographic hash functions to identify duplicate segments of data. If two different pieces of information generate the same hash value, this is known as a collision. The probability of a collision depends upon the hash function used, and although the probabilities are small, they are always non zero. Thus, the concern arises that data corruption can occur if a hash collision The hash functions used include standards such as SHA-1, SHA-256 and others. These provide a far lower probability of data loss than the risk of an undetected and uncorrected hardware error in most cases and can be in the order of 10^-49% per petabyte (1,000 terabyte) of data. occurs, and additional means of verification are not used to verify whether there is a difference in data, or not. Both in-line and post-process architectures may offer bit-for-bit validation of original data for guaranteed data integrity.

Some cite the computational resource intensity of the process as a drawback of data deduplication. However, this is rarely an issue for stand-alone devices or appliances, as the computation is completely offloaded from other systems. This can be an issue when the deduplication is embedded within devices providing other services. To improve performance, many systems utilize weak and strong hashes. Weak hashes are much faster to calculate but there is a greater risk of a hash collision. Systems that utilize weak hashes will subsequently calculate a strong hash and will use it as the determining factor to whether it is actually the same data or not. Note that the system overhead associated with calculating and looking up hash values is primarily a function of the deduplication workflow. The reconstitution of files does not require this processing and any incremental performance penalty associated with re-assembly of data chunks is unlikely to impact application performance.

Another area of concern with deduplication is the related effect on snapshots, backup, and archival, especially where deduplication is applied against primary storage (for example inside a NAS filer). Reading files out of a storage device causes full reconstitution of the files, so any secondary copy of the data set is likely to be larger than the primary copy. In terms of snapshots, if a file is snapshotted prior to deduplication, the post-deduplication snapshot will preserve the entire original file. This means that although storage capacity for primary file copies will shrink, capacity required for snapshots may expand dramatically.

Another concern is the effect of compression and encryption. Although deduplication is a version of compression, it works in tension with traditional compression. Deduplication achieves better efficiency against smaller data chunks, whereas compression achieves better efficiency against larger chunks. The goal of encryption is to eliminate any discernible patterns in the data. Thus encrypted data cannot be deduplicated, even though the underlying data may be redundant. Deduplication ultimately reduces redundancy. If this was not expected and planned for, this may ruin the underlying reliability of the system. (Compare this, for example, to the LOCKSS storage architecture that achieves reliability through multiple copies of data.)

Scaling has also been a challenge for deduplication systems because ideally, the scope of deduplication needs to be shared across storage devices. If there are multiple disk backup devices in an infrastructure with discrete deduplication, then space efficiency is adversely affected. A deduplication shared across devices preserves space efficiency, but is technically challenging from a reliability and performance perspective.

Security concerns exist with deduplication. In some systems, an attacker can retrieve data owned by others by knowing or guessing the hash value of the desired data.

Data Deduplication Benefits

2012-01-08T10:54:00.000+05:30

Storage-based data deduplication reduces the amount of storage needed for a given set of files. It is most effective in applications where many copies of very similar or even identical data are stored on a single disk—a surprisingly common scenario. In the case of data backups, which routinely are performed to protect against data loss, most of data in a given backup isn't changed from the previous backup. Common backup systems try to exploit this by omitting (or hard linking) files that haven't changed or storing differences between files. Neither approach captures all redundancies, however. Hard linking does not help with large files that have only changed in small ways, such as an email database; differences only find redundancies in adjacent versions of a single file (consider a section that was deleted and later added in again, or a logo image included in many documents).

Network data deduplication is used to reduce the absolute number of bytes that must be transferred between endpoints, which can reduce the amount of bandwidth required. See WAN optimization for more information.

Virtual servers benefit from deduplication because it allows nominally separate system files for each virtual server to be coalesced into a single storage space. At the same time, if a given server customizes a file, deduplication will not change the files on the other servers—something that alternatives like hard links or shared disks do not offer. Backing up or making duplicate copies of virtual environments is similarly improved.

Data deduplication

2012-01-08T10:51:00.000+05:30

In computing, data deduplication is a specialized data compression technique for eliminating coarse-grained redundant data. The technique is used to improve storage utilization and can also be applied to network data transfers to reduce the number of bytes that must be sent across a link. In the deduplication process, unique chunks of data, or byte patterns, are identified and stored during a process of analysis. As the analysis continues, other chunks are compared to the stored copy and whenever a match occurs, the redundant chunk is replaced with a small reference that points to the stored chunk. Given that the same byte pattern may occur dozens, hundreds, or even thousands of times (the match frequency is a factor of the chunk size), the amount of data that must be stored or transferred can be greatly reduced.

This type of deduplication is different than that which is performed by standard file compression tools such as LZ77 and LZ78. Whereas these tools identify short repeated substrings inside individual files, the intent of storage-based data deduplication is to inspect large volumes of data and identify large sections – such as entire files or large sections of files – that are identical, in order to store only one copy of it. This copy may be additionally compressed by single-file compression techniques. For example a typical email system might contain 100 instances of the same one megabyte (MB) file attachment. Each time the email platform is backed up, all 100 instances of the attachment are saved, requiring 100 MB storage space. With data deduplication, only one instance of the attachment is actually stored; the subsequent instances are referenced back to the saved copy for deduplication ratio of roughly 100 to 1.

Major features of NetBackup

2012-01-08T10:32:00.000+05:30

Data Deduplication
- Client or server-side deduplication via integration with the PureDisk data deduplication engine

Security
- Data Encryption
- Access Control

Performance
- Synthetic Backups
- Disk Staging
- Checkpoint restart
- Multiplexed Backup
- Multi-streamed Backup
- Inline Copy
- Online NetBackup catalog backup

Management and Reporting
- Web-based management reporting (VERITAS NetBackup Operations Manager)
- Tape volume, drive and library viewing
- Error message identification, categorization and troubleshooting

Media Management
- Enterprise Media Manager
- Automatic robotic/tape drive configuration
- Broad tape device support

Heterogeneous Support
- Broad platform support
- Bare-metal restore
- Support for leading networking topologies
- Advanced software and hardware snapshot support
- NetBackup RealTime

History of Net BackUp

2012-01-08T10:25:00.000+05:30

In 1987, Chrysler Corporation engaged Control Data Corporation to write a backup software solution. A small group of engineers (Rick Barrer, Rosemary Bayer, Paul Tuckfield and Craig Wilson) wrote the software. Other Control Data customers later adopted it for their own needs.
In 1990, Control Data formed the Automated Workstation Backup System business unit. The first version of AWBUS supported two tape drives in a single robotic carousel with the SGI IRIX operating system.
In 1993, Control Data renamed the product to BackupPlus 1.0 (this is why many NetBackup commands have a 'bp' prefix). Software improvements included support for media Volume Management and Server Migration/Hierarchical Storage Management.
In late 1993, Openvision acquired the product and Control Data’s Storage Management 12-person team. This is why, on UNIX platforms, NetBackup installs into /usr/openv. During this time, Open Vision renamed Backup Plus to NetBackup.
On May 6, 1997 Veritas acquired Openvision, including absorption of the NetBackup product line.
In 2005 Symantec acquired Veritas and NetBackup became a Symantec product. Also at that time, Symantec released NetBackup 6.0, the 30th version of the software.

How to change the drive letter in Windows XP for an external USB stick or hard drive

2010-01-10T11:22:00.000+05:30

This is a guide on how to change a drive letter in Windows XP for an external device. Here’s a common problem that I have seen: Plug a USB flash drive into your computer and it’s says ready to use, but for some reason nothing shows up in the list of drives. Take it out, plug it back in and still nothing shows up!!! What the heck is the problem? Well, it could be several things, but the most common issue is that the drive letter Windows is trying to assign to your device is already taken by some other drive or maybe mapped to a network drive.

Sadly, Windows XP does not figure this out itself (which is should) and your drive is basically lost in la-la land somewhere. In order to fix it, we need to go to Computer Management and change the drive letter there manually. There are two ways to get to the Computer Management dialog in Windows, one through Control Panel and the second by right-clicking My Computer and choosing Manage.

Right-click My Computer

Computer Management in Administrative Tools

Click on Disk Management under the Storage section and the right side will show you all of the current drives and partitions on your drive. If you don’t know what that means, don’t worry, just find the drive you are looking for in the graphs at the bottom. They are usually named Disk 0, Disk 1, CD-ROM, CD-ROM1, etc. If you’re looking for a USB flash drive, you’ll see the word “Removable” underneath Disk X.

As you can see from my computer, I plugged in a USB flash drive and it’s currently assigned drive letter is F. If you want to change this, right-click in the white space to the right of the drive letter and choose Change Drive Letter and Paths.

Click the Change button in the dialog box and then pick a new letter from the drop-down list. Just for your info, the Mount in the following NTFS folder option is used if you had right clicked on an external hard drive and instead of giving it a drive letter, you wanted to just have it show up as a folder on your current hard drive. That means you could create a folder in My Documents called pictures that actually points to another hard drive instead of one where all of your My Documents are currently stored.

Click Ok twice and your drive should now have the new letter assigned. Usually, if you USB stick was not showing up before, once you change the letter, it will automatically pop up and ask you what you want to do. And that’s about it! You can also use Disk Management to format disks, determine the type of File System, and see the amount of free space available.

[tags]windows xp, change drive letter, change xp drive letter, windows xp[/tags]

Fix “\\computer is not accessible. You might not have permission to use this network resource”

2010-01-10T11:09:00.000+05:30

I’ve previously written an article on how to network two computers together that are running Windows XP. I’ve also written about a cool program called WiPeer that lets you connect two computers wirelessly and share data!

However, I’ve never really written a troubleshooting guide for file sharing or networking two computers. Unfortunately, Windows can be finicky and even though you may think everything should work, accessing a share on another computer may not work.

So if you’ve read my post on creating a peer to peer network at home, but still cannot access a share on another computer on the same network, try out the following troubleshooting tips!

1. Workgroup – Make sure that each computer that you want to access is in the same workgroup. The name of the workgroup should be exactly the same on every computer. Also, be sure to use the same case for the names (all upper or all lower).

2. File and Printer Sharing – Make sure that file and printer sharing is turned on for the network adapter. You can enable this by going to Control Panel, Network Connections, right-clicking on the network connection, choosing Properties and making sure File and Printer Sharing for Microsoft Networks is checked.

3. Correct Subnet and IP addresses – You really shouldn’t have this problem if all your computers are connected to the same router, but it’s still worth mentioning.

Make sure that the Subnet Mask and Default Gateway are the same for all computers. If these are not the same, then you will have issues connecting the computers over the network.

You can view these details by going to Start, Run, typing CMD and then typing IPCONFIG /ALL at the command prompt on each computer.

4. Check Firewalls – My suggestion here would be to first disable the Windows Firewall on all computers and then try to access the shared folders. Also, be sure to disable any third-party firewall programs like Norton or Comodo.

If you find that the sharing works with the firewall off, make sure to add File and Printer Sharing to the exceptions list in your Windows Firewall and third-party firewall programs.

5. Shared Permissions – If you are getting the “You might not have permission to use this network resource…Access is Denied.”, your problem could also be that the permissions for the shared directory are not properly set.

Depending on whether you are running XP Home or XP Pro, you will have to configure the sharing properly. For XP Home, you can only share files using Simple File Sharing. It’s pretty easy because they have a wizard to walk you through the sharing process.

For XP Pro, you need to disable Simple File Sharing and set the NTFS permissions and share permissions to allow everyone access. You can read my post here on how to configure share and NTFS permissions in Windows.

6. Use TCP/IP Protocol – You probably don’t have to worry about this either, but just to cover all bases, you need to make sure that the computers on the network are all using the Internet TCP/IP protocol to communicate and not IPX/SPX or NetBEUI.

You can go to Start, Control Panel, Network Connections, right-click on the network connection, choose Properties and see which protocol is listed in the list box.

7. Username and Passwords – If you’ve done everything above correctly and still can’t connect, then you can also try making sure that the usernames and passwords on all computers are exactly the same.

It’s best to have passwords on all accounts and to create a new account on each computer with the same username and password. Sometimes it’s important to create a new account instead of just changing the name or password on an existing account. Make sure the accounts are Administrators.

8. Computer Names – Make sure that the NetBIOS names for all computers are unique. NetBIOS names are only 8 characters, so if you named one computer JohnnyBoy1 and JohnnyBoy2, they will have the same NetBIOS name.

Make sure that the first eight characters of a computer name are unique, otherwise you will have problems.

9. Local Security Policy – Another reason you may not be able to access another computer across the network is because of a local security policy.

You can go to Control Panel, Administrative Tools, Local Security Policy, Local Policies, Security Options. Now find the following policy:

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Make sure that the value is set to Disabled. Also, make sure to disable only the setting that says “SAM accounts and shares” not the one that says “SAM accounts” only.

10. Uninstall anti-virus and Internet Security – Finally, make sure that all your anti-virus programs are either turned off or uninstalled to test out the connection. If you have any Internet Security program such as Norton Internet Security or Kaspersky Internet Security, disable them!

That’s about it! Those are all the tips I can think of for troubleshooting file sharing issues in Windows! If you still can’t access a network share, post what you’ve tried up till now and I’ll try to help!

How to create an "Invisible" hidden drive in Windows

2010-01-10T10:59:00.001+05:30

You’ve probably read a bunch of posts on how to create hidden folders, secure folders, locked folders, etc, etc in Windows on many occasions! Hell, one of the most popular articles on this blog is How to create a secure and locked folder in Windows XP. However, hiding a folder is a tricky proposition and usually doesn’t work well unless you use something like Truecrypt.

But there’s yet ANOTHER way you can hide your “private” files using a nifty little registry hack that will completely remove an entire drive from your computer. The drive will not show up in My Computer, will not be accessible from the command prompt, and won’t even show up in Safe Mode!

Ok, so here’s how to implement the hack: first off, back up your registry as this requires adding a key to the registry. Once you’ve backed up your registry, open the registry editor by clicking on Start, Run and typing in regedit.

Now navigate to the following registry hive shown below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer

Right-click on Explorer and choose New and then DWORD Value.

Name the new value NoDrives and then double click on it to open the properties dialog box. Click on Decimal for the Base unit.

Type in one of the following values depending on that drive letter you want to hide.

A: 1B: 2C: 4D: 8

E: 16

F: 32G: 64H: 128I: 256

J: 512

K: 1024L: 2048M: 4096N: 8192

O: 16384

P: 32768Q: 65536R: 131072S: 262144

T: 524288

U: 1048576V: 2097152W: 4194304X: 8388608

Y: 16777216

Z: 33554432All: 67108863

If you want to hide drive E, just type in the value 16. The really cool thing about this trick is the fact that you can hide multiple drives by adding the numbers of the particular drives together. For example, if you want to hide drive E and drive G, you would type in the number 80, which is 64 + 16.

Restart your computer and your drive will now be hidden! Trying to hide your system drive (C) will not work as Windows has to use this drive to run correctly, so don’t store your secret files there!

When you want to get your drives back, change the value of NoDrives to 0 or simply delete the value altogether. Of course, having to do this everyday can be a pain, so if you’re up for it, you can try and write a registry file that will allow you to insert and delete the value by just double-clicking a file.

This trick also works for mapped drives, so if you want to hide mapped drives, you can do it this way (though it might just be easier to disconnect a mapped drive).

Enjoy!

How to create a Windows XP hidden folder share

2010-01-10T10:50:00.001+05:30

If you have multiple computers on a network and want to share folders between them, you can add an extra bit of security by creating a hidden Windows share. This guide is fairly basic and assumes that you are in either a workgroup or domain Windows environment. Hidden shares are useful if you want to share a folder, but only want it accessed by people who you’ve given the share name to.

Of course, a hidden share does NOT ensure that someone cannot gain access to the folder if they try hard enough. It’s best to use this as an extra security step along with your other network security policies. If you’re in a Windows domain, like within a corporate network, you will find that 99% of the time, your local hard drives are shared out. These are called admin shares in IT lingo. Basically, it’s configured that way so that any administrator can connect to any computer on the network and access all of the local files.

The admin shares are also all hidden shares, so that anyone browsing the network will not see them. You can see if your local drives are shared out by going to My Computer, right-clicking on the local C drive (or whatever letter you have), and choosing Properties. Click on the Sharing tab and you’ll see that “Share this folder” is selected and the share name is C$.

The $ symbol after the share name is what makes the folder hidden on the network. As you can see here, my entire C hard drive is shared out since I’m on a corporate domain. Remember, this means that any Administrator can access all of your files at any time! So you really have no privacy in a Windows domain.

Of course, to share a folder on a home network or even in your office, follow the same procedure as described above. By default, when you click Share this folder, the share name is filled in with the name of the folder. Just add the $ right after the share name without any spaces. Also, if you want people to be able to add and delete files in the folder, you’ll need to click on the Permissions button and click either Change or Full Control.

Change is usually good enough because it allows people to add files and delete files. Full Control allows someone to change the permissions on the folder itself.

In order to access the hidden share in Windows, you need to go to Windows Explorer (My Computer) and type the full UNC path to the folder. If that didn’t make any sense, the UNC path is simply the computer name and folder name that you want to access. So if I shared a folder called MyFiles as MyFiles$ on a computer named Comp1, I would access that folder by going to My Computer and typing in the address bar:

\\Comp1\MyFiles$

As long as everything was setup correctly, the contents of the folder should pop up without a problem!

And that’s it! You have now shared a folder on the network that is hidden! Enjoy!

[tags]windows hidden share, folder share, windows admin share, administrative share, create hidden share, view hidden share[/tags]

How to hide files in JPEG pictures

2010-01-10T10:40:00.000+05:30

If you’re looking to hide files on your PC hard drive, you may have read about ways to encrypt folders or change the attributes on a file so that they cannot be accessed by prying eyes. However, a lot of times hiding files or folders in that way requires that you install some sort of software on your computer, which could then be spotted by someone else.

I’ve actually written quite a few articles on how you can hide files and folders in Windows XP and Vista before, but here I’m going to show you a new way to hide files that is very counter-intuitive and therefore pretty safe! Using a simple trick in Windows, you can actually hide a file inside of the JPG picture file!

You can actually hide any type of file inside of an image file, including txt, exe, mp3, avi, or whatever else. Not only that, you can actually store many files inside of single JPG file, not just one! This can come in very handy if you need to hide files and don’t want to bother with encryption and all that other technical stuff.

Hide File in Picture

In order to accomplish this task, you will need to have either WinZip or WinRAR installed on your computer. You can download either of these two off the Internet and use them without having to pay anything. Here are the steps for creating your hidden stash:

Create a folder on your hard drive, i.e. C:\Test and put in all of the files that you want to hide into that folder. Also, place the image that you will be using to hide the files in.

Now select all of the files that you want to hide, right-click on them, and choose the option to add them to a compressed ZIP or RAR file. Only select the files you want to hide, not the picture. Name it whatever you want, i,e. “Hidden.rar”.

Now you should have a folder that looks something like this with files, a JPG image, and a compressed archive:

Now here’s the fun part! Click on Start, and then click on Run. Type in “CMD” without the quotes and press Enter. You should now see the command prompt window open. Type in “CD \” to get to the root directory. Then type CD and the directory name that you created, i.e. “CD Test“.

Now type in the following line: “copy /b DSC06578.JPG + Hidden.rar DSC06578.jpg” and press Enter. Do not use the quotes. You should get a response like below:

Just make sure that you check the file extension on the compressed file, whether it is .ZIP or .RAR as you have to type out the entire file name with extension in the command. I have heard that some people say that they have had problems doing this with a .ZIP extension, so if that doesn’t work, make sure to compress to a .RAR file.

And that’s it! The picture file will have been updated with the compressed archive inside! You can actually check the file size of the picture and see that it has increased by the same amount as the size of the archive.

You can access your hidden file in two ways. Firstly, simply change the extension to .RAR and open the file using WinRAR. Secondly, you can just right-click on the JPG image and choose Open With and then scroll down to WinRAR. Either way, you’ll see your hidden files show up that you can then extract out.

That’s it! That is all it takes to hide files inside JPG picture files! It’s a great way simply because not many people know it’s possible and no one even thinks about a picture as having to the ability to “hide” files. Enjoy!

[tags]hide files, hide file in picture, hide file in pictures, hiding files in pictures, hide file in image[/tags]

How to map a drive in Windows

2010-01-10T10:36:00.000+05:30

Mapping drives is Windows

is one of the essential actions everyone should know how to do. Whether you are at home or at the office, there comes a time in everyone’s life when they have to map a drive! It sounds all complicated, but it’s actually really simple to do.

You may need to get some information from your IT administrator at work, since mapping a drive usually means connecting to a server

share. A server share is basically a folder on a different computer that is being shared with everyone else. So when you “map a drive”, you are just saying that you want access to that folder on your computer also, which is done by mapping it to a letter, i.e. F, G, H, etc.

In this article, I’ll explain how you can map a drive in Windows XP, Windows Vista, and even map a drive via the command prompt.

Map a drive in Windows XP

Open My Computer and click on the Tools menu option. From the drop down list, choose Map Network Drive.

Pick a drive letter that you want to use to access the shared folder and then type in the UNC path to the folder. UNC path is just a special format for pointing to a folder on another computer. You first use two slashes “\\” and then the computer name, \\testcomp and then another “\” followed by the shared folder name, \\testcomp\foldername.

Click on “Reconnect at logon” to make the connection permanent, which means the drive will still be mapped even after you restart the computer.

If you’re not sure what the name of the folder is, you can click on Browse and try to find the computer that way. Click on Entire Network, then Microsoft Windows Network and then expand out the workgroup or domain that your computer is in.

If there are any shared folders on a computer, you will be able to see them here by expanding each computer individually. Click Finish and you have now mapped a drive!

How to map a network drive in Vista

Mapping a network drive in Vista is slightly different than in XP, but pretty simple also. First, click on Computer from your Start Menu or Desktop. You’ll see a couple of buttons across the top, one of them being “Map network drive“.

Other than the fancy interface, all of the options are the same! Choose a drive letter, type in the folder path, choose “Reconnect at logon” and click Finish!

Remember, the folder can be located on a local or remote server or even to a FTP site!

How to map a drive using command prompt

First click on Start and then Run. Type cmd in the Open box.

Then type the following DOS command to map the network drive:

net use x: \\computer name\share name

where x: is the drive letter you want to assign to the shared folder.

You can delete a mapped network drive using the command prompt by typing in

net use x: /delete

If you have any problems mapping a drive in Windows, post a comment and I’ll try to help you out! Enjoy!

[tags]map network drives, map drives, map a drive, how to map a drive, how to map network drives[/tags]

Layer by Layer Troubleshooting with a Cisco Router

2010-01-04T19:13:00.002+05:30

Every network admin is going to have trouble with network links on a Cisco router, at one point or another. The best way to troubleshoot any networking issues is to use the OSI model and go layer by layer. In my article How to use the OSI Model to Troubleshoot Networks, we talked about the different troubleshooting approaches and how to use them to troubleshoot your network, in general. In this article, you will find out how to use the OSI model to troubleshoot, bottom up, using a Cisco router.

OSI Model - Bottom Up Troubleshooting

If you will recall, the OSI model starts with the physical layer (layer 1) and goes up to layer 7 (application). When troubleshooting with a Cisco router, much of your time will be spent working in layers 1-3. They are:

Layer 3 - Network
Layer 2 - Data Link
Layer 1 - Physical

Because these layers build on each other, Layer 1 is most critical, without layer 1, layer 2 will not function. Without layer 1 & 2, layer 3 will not function, and so on. For this reason, I start troubleshooting at layer 1, physical, and move on up from there.

Router Troubleshooting at OSI Layer 1 & 2 - Physical & Data link

Remember, if Layer 1 isn't up, nothing else will work so make sure you start here. Examples of layer 1 are your T1 circuit or your Ethernet cable - physical connectivity. I usually troubleshoot layer 1 and layer 2 in union because they are so closely paired. Examples of layer 2 - data link - are your line protocol (such as Ethernet, ATM, 802.11, PPP, frame-relay, HDLC, or PPP).

To troubleshoot at these layers, the first thing I would do on your router is a show interface. Here is an example of a LAN Gigabit Ethernet circuit:

Router# show interface
GigabitEthernet0/0 is up, line protocol is up
Hardware is BCM1125 Internal MAC, address is 0015.2b46.5000 (bia 0015.2b46.5000)
Description: LAN Connection to Data center
Internet address is 10.20.100.1/16
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is autonegotiation, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 750000 kilobits/sec
5 minute input rate 3218000 bits/sec, 1715 packets/sec
5 minute output rate 1390000 bits/sec, 2129 packets/sec
1416888620 packets input, 15402720 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1556005 multicast, 0 pause input
0 input packets with dribble condition detected
1666663097 packets output, 573841802 bytes, 0 underruns
19 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
19 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

Here is what a WAN T1or T3 circuit might look like:

Routerl# show interface serial 3/0
Serial3/0 is up, line protocol is up
Hardware is DSXPNM Serial
Description: Sprint T3
Internet address is 10.2.100.2/30
MTU 4470 bytes, BW 9000 Kbit, DLY 200 usec,
reliability 255/255, txload 77/255, rxload 26/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 18394
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 927000 bits/sec, 1914 packets/sec
5 minute output rate 2752000 bits/sec, 1504 packets/sec
1560997932 packets input, 3254680247 bytes, 0 no buffer
Received 255480 broadcasts, 1 runts, 1 giants, 0 throttles
1567 input errors, 1567 CRC, 976 frame, 496 overrun, 0 ignored, 908 abort
1303636803 packets output, 3737276508 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions
DSU mode 1, bandwidth 9000, real bandwidth 9000, scramble 0

Here is the quick version:

Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up

Here is what you look for:

Is the interface UP?
Is the line protocol UP?
If both the interface and line protocol are NOT up, your connection is never going to work.
To resolve a line down, I look at the cable or the keepalives
To resolve a line protocol down, check to make sure that the protocols match on each side of the connection(notice the "line protocol" on each of the interfaces above).
Are you taking input, CRC, framing, or other errors on the line (notice how the serial interface above does show errors)? If so, check your cable or contact your provider.

In general, verify that you have a good cable on each side, verify that line protocols match, and that clocking settings are correct.

If this is an Ethernet connection, is there a link light on the switch?

If this is a serial connection, do you have an external CSU/DSU? If it is an external CSU, check that the Carrier Detect (CD) light & data terminal ready (DTR) lights are on. If not, contact your provider. This also applies if you have an internal Cisco WIC CSU card. If that is the case, take a look at this Cisco link on understanding the lights on that card.

You can, of course, use the Cisco IOS test commands to test your network interfaces with internal staff and with your telecommunications providers.

Do not proceed to upper level layers until your Physical interface on the router shows as being UP and your line protocol is UP. Until then, don't worry about IP addressing, pinging, access-lists or anything like that.

Router Troubleshooting at OSI Layer 3 - Network

Once you have Layers 1 & 2 working (your show interface command shows the line is "UP & UP", it is time to move on to layer 3 - the OSI Network layer. The easiest thing to do here to see if layer 3 is working is to ping the remote side of the LAN or WAN link from this router. Make sure you ping as close as possible to the router you are trying to communication with - from one side across to the other side.

Here are examples of successful & failed pings:

Router# ping 10.2.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#
Router#
Router#
Router#
Router# ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

The easiest way to check the status of Layer 3 - the network layer - is to do a show ip interface brief, as I did above. Here is an example:

Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up

Notice the IP addressing on each of these interface. Also do a show running-config, like this (you can even specify an interface, like this):

Router# show running-config int serial3/0
Building configuration...

Current configuration : 225 bytes
!
interface Serial3/0
description Sprint T3
bandwidth 9000
ip address 10.2.100.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
dsu mode 1
dsu bandwidth 9000
no cdp enable
end

Router#

I would recommend taking this interface configuration and comparing it, side by side, with the remote WAN connection to ensure they are the same. Ask yourself questions like:

Are these interfaces on the same IP network?
Do these interfaces have the same subnet mask?
Are there any access-lists (ACL) that are blocking your traffic?
Can you remove all optional IP features to make sure that the basic configuration works before adding additional features that could be causing trouble?

Here is an example. Look at the two interfaces below. What is the real problem, causing these two to not communicate?

Router 1

interface Serial3/0 description Sprint T3 - TO ROUTER 2 bandwidth 9000 ip address 10.2.100.2 255.255.255.252

Router 2

interface Serial3/0 description Sprint T3 - TO ROUTER 1 bandwidth 1500 ip address 10.2.100.5 255.255.255.252

No, there is no problem with the bandwidth statement. Bandwidth statements are only used as comments and by routing protocols to select the best route. The real problem here is that the second router's serial interface is not on the same IP subnet as router #1. Even though they have the same subnet, the 10.2.100.5 IP address will never be able to communicate to the 10.2.100.2 IP address because they are on different networks but directly connected.

Let's say that you are now able to ping across the link, from one side to another. While that is a great sign, it doesn't always mean that everything is "fixed". You still may not be able to communicate from a client on the LAN of one router, to a client on the LAN of another router, due to things like improperly configured IP routing protocols.

For one LAN to communicate to another LAN, through routers (through a WAN, usually), you MUST have either static routes or dynamic routes configured. To ensure you have a route configured for the network you are trying to reach, do:

Router# show ip routes

and look at

Router# show ip protocols

For troubleshooting layers 3, all the way up, look at the output of this command:

Router# show ip interfaces

GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.20.100.1/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is enabled
IP CEF Flow Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled

Router Troubleshooting at OSI Layers 4 - 7

Now, let's say that you have made it to the point where you can ping from LAN to LAN, through your WAN. Congratulations - that is a very good sign. If you are still having trouble, it must be in OSI Layers4-7. Here are those layers listed out and possible issues you might experience in each layer:

Layer 4 - Transport - in the transport layer are TCP and UDP - you could be have an ACL or QoS feature blocking or slowing this traffic. Your TCP traffic could also be fragmented to the point that it could not be reassembled. Another option is that you may not be receiving an ACK back from your traffic that was successfully sent.
Layer 5 - Session - in the session layer are protocols like SQL, NFS, SMB, or RPC - you could be taking errors on any one of these session protocols. I would recommend using a protocol analyzer like Wireshark to analyze your session data.
Layer 6 - Presentation - in the Presentation layer are data encryption, compression, and formatting - your VPN tunnel could be failing or perhaps you are sending one type of data (like a MPEG) and the receiver is trying to view it as a WMV file.
Layer 7 - Application - in the Application layer are, of course, your applications like FTP, HTTP, SCP, TFTP, TELNET, SSH, and more - you could be trying to connect to a telnet server with the SSH protocol, for example.
Layer 8 - End User - the standing joke is that "Layer 8" is the user - the user could be just mistyping their username or password or you, the network admin, could have been troubleshooting the wrong IP address all along.

Summary

In summary, using the OSI model to troubleshoot connectivity issues is the fastest and most efficient way to troubleshoot any network issue. Even if someone calls you to work on a Windows share problem, all of the same principles in this article apply to that troublesooting process. So remember, the next time you work on a network issue - remember the OSI model and how to use the bottom-up approach to troubleshooting! It could same you a while lot of time!

WIsh u a very Happy New Year.-20new year wall papers

2010-01-04T18:59:00.002+05:30

20 Happy New Year 2010 wallpapers

The new year 2010 (MMX) will be a common year starting on Friday in accordance with the Gregorian calendar. It will also be the first year of the 2010s decade. Since we are facing problems related to climate change, the United Nations also proclaimed the year 2010 as the International Year of Biodiversity. The proclamation of the International Year of Biodiversity is aimed at raising the awareness of people worldwide about the importance of biodiversity. Saving biodiversity requires an effort from everyone. The UN hopes that through activities and events in many countries, the global community will work together to ensure a sustainable future for us all.

Meanwhile, according to the Chinese Zodiac, the Year of 2010 is the Year of the Tiger, which begins on February 14, 2010 and ends on February 2, 2011. The Tiger is the third sign in the cycle of Chinese Zodiac, which consists of 12 animal signs. It is a sign of courage. This fearless and fiery fighter is revered by the ancient Chinese as the sign that wards off the three main disasters of a household: fire, thieves and ghosts.

Thus, the Biodiversity Year and the year of the tiger has been the dominant theme of most New Year wallpapers for 2010. Here, we gathered 20 of the most creative new year wallpaper designs to welcome 2010. Have a happy new year everyone!

Happy New year 2010 Cool Wallpapers 01

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 02

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 03

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 04

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 05

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 06

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 07

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 08

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 09

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 10

DOWNLOAD NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 11

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 12

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 13

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 14

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 15

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 16

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 17

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 18

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 19

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Happy New year 2010 Cool Wallpapers 20

DOWNLOAD HAPPY NEW YEAR WALLPAPER

Top 10 Open Source Web-Based Project Management Software

2009-08-12T19:32:00.000+05:30

This is an user contributed article.

Project management software is not just for managing software based project. It can be used for variety of other tasks too. The web-based software must provide tools for planning, organizing and managing resources to achieve project goals and objectives. A web-based project management software can be accessed through an intranet or WAN / LAN using a web browser. You don't have to install any other software on the system. The software can be easy of use with access control features (multi-user). I use project management software for all of our projects (for e.g. building a new cluster farm) for issue / bug-tracking, calender, gantt charts, email notification and much more.

Obviously I'm not the only user, the following open source software is used by some of the biggest research organizations and companies world wild. For e.g. NASA's Jet Propulsion Laboratory uses track software or open source project such as lighttpd / phpbb use redmine software to keep track of their projects.

You use the following top 10 software for personal or business use. Keep track of all your projects in one place and finish them successfully on time.

#1: Codendi

Codendi is an open-source collaborative development platform offered by Xerox. From only one interface, it gathers, all the needed tools for software development teams: management and versioning of code, bugs, requirements, documents, reporting, tests etc. It is mainly used for managing software project processes.

Download Codendi

#2: Redmine

Redmine is a flexible project management web application. Written using Ruby on Rails framework, it is cross-platform and cross-database. It includes calendar and gantt charts to aid visual representation of projects and their deadlines.

Download redmine

#3: ProjectPier

ProjectPier is a Free, Open-Source, self-hosted PHP application for managing tasks, projects and teams through an intuitive web interface. ProjectPier will help your organization communicate, collaborate and get things done Its function is similar to commercial groupware/project management products, but allows the freedom and scalability of self-hosting.

Download ProjectPier

#4: Trac

Trac is an open source, web-based project management and bug-tracking tool. Trac allows hyperlinking information between a computer bug database, revision control and wiki content. It also serves as a web interface to a version control system like Subversion, Git, Mercurial, Bazaar and Darcs.

Download Trac

#5: Project HQ

Project HQ is a collaborative open source project management tool, similar to Basecamp and activeCollab. Project HQ is built on open source technologies like Python, Pylons and SQLAlchemy and is fully database independent. Project HQ uses a structured workflow to assist you in managing your projects.

Download Project HQ

#6: Collabtive

Collabtive is a web-based project management software that is being published as Open Source software. The project was started in November 2007. It strives to provide an Open Source alternative to proprietary tools like Basecamp or ActiveCollab.

Download Collabtive

#7: eGroupWare

eGroupWare is a free open source groupware software intended for businesses from small to enterprises. Its primary functions allow users to manage contacts, appointments, projects and to-do lists.

It is used either via its native web-interface, making access platform-independent, or by using different supported groupware clients, such as Kontact, Novell Evolution, or Microsoft Outlook. It can also be used by mobile phone or PDA via SyncML.

Download eGroupWare

#8: KForge

KForge is an open-source (GPL) system for managing software and knowledge projects. It re-uses existing best-of-breed tools such as a versioned storage (subversion), a tracker (trac), and wiki (trac or moinmoin), integrating them with the system’s own facilities (projects, users, permissions etc). KForge also provides a complete web interface for project administration as well a fully-developed plugin system so that new services and features can be easily added.

Download KForge

#9: OpenGoo

It is a complete online solution focused on improving productivity, collaboration, communication and management of your teams. OpenGoo main features include document management, contact management, e-mail, project management, and time management. Text documents and presentations can be created and edited online. Files can be uploaded, organized and shared, independent of file formats.

Download OpenGoo

#10: ClockingIT

ClockingIT is a free Project Management solution, which helps your team stay focused and on top of things.

Download ClockingIT

Ed: The following two paragraphs added by Vivek Gite:

I also use project management software to keep track of how much time I spent per client and project.

My Personal Choice

redmine is my personal choice because I like to use ruby on rails and I often work with small teams. We track networking issues, data center issues, capacity planning, trouble tickets and much more using redmine. I can track multiple projects and its flexible role-based access control make sure only authorized eyes can view the details.

Other FOSS Project Management Software Projects

JotBug
Bugzilla (only bug tracking)
OpenProj (desktop app - replacement for MS-project)

How do you manage your IT / software and other projects? Are you using a better option? Let us know in the comments.

About the author: Rocky Jr., is an engineer with VSNL - a leading ISP / global telecom company and a good friend of nixCraft.

Top 20 OpenSSH Server Best Security Practices

2009-08-12T19:31:00.001+05:30

OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about OpenSSH zero day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.

Default Config Files and SSH Port

/etc/ssh/sshd_config - OpenSSH server configuration file.
/etc/ssh/ssh_config - OpenSSH client configuration file.
~/.ssh/ - Users ssh configuration directory.
~/.ssh/authorized_keys or ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account
/etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
/etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
SSH default port : TCP 22

SSH Session in Action

#1: Disable OpenSSH Server

Workstations and laptop can work without OpenSSH server. If you need not to provide the remote login and file transfer capabilities of SSH, disable and remove the SSHD server. CentOS / RHEL / Fedora Linux user can disable and remove openssh-server with yum command:
# chkconfig sshd off # yum erase openssh-server
Debian / Ubuntu Linux user can disable and remove the same with apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done restart iptables service:
# service iptables restart # service ip6tables restart

#2: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:

Protocol 2

#3: Limit Users' SSH Access

By default all systems user can login via SSH using their password or public key. Sometime you create UNIX / Linux user account for ftp or email purpose. However, those user can login to system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl, Python which can open network ports and do many other fancy things. One of my client has really outdated php script and an attacker was able to create a new account on the system via a php script. However, attacker failed to get into box via ssh because it wasn't in AllowUsers.

Only allow root, vivek and jerry user to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM allows or deny login via the sshd server. You can allow list of group name to access or deny access to the ssh.

#4: Configure Idle Log Out Timeout Interval

User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Open sshd_config and make sure following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.

#5: Disable .rhosts Files

Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, bob made excellent point:

Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You'd get your password spoofed but not root's pw. Gimme a break. this is 2005 - We have ssh, used properly it's secure. used improperly none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:

+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.

+ At any time, the XYZG may inspect and seize data stored on this IS.

+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.

+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.

+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

Above is standard sample, consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating iptables or pf firewall configurations. Usually, OpenSSH server must only accept connections from your LAN or other remote WAN sites only.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you've dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

 -A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

#9: Change SSH Port and Limit IP Binding

By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach to use proactive approaches scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrase for your keys. Brute force attack works because you use dictionary based passwords. You can force users to avoid passwords against a dictionary attack and use john the ripper tool to find out existing weak passwords. Here is a sample random password generator (put in your ~/.bashrc):

genpasswd() {
 local l=$1
       [ "$l" == "" ] && l=20
      tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Run it:
genpasswd 16
Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use passphrase free key (passphrase key less) login.

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse the server directories such as /etc/, /bin and so on. You can protect ssh, using os based chroot or use special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about new ChrootDirectory directive to lock down users to their home directories.

#14: Use TCP Wrappers

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. OpenSSH does supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 172.16.23.12 :

sshd : 192.168.1.2 172.16.23.12

See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single or distributed computer network. To prevents brute force attacks against SSH, use the following softwares:

DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
Explains how to setup DenyHosts under RHEL / Fedora and CentOS Linux.
Fail2ban is a similar program that prevents brute force attacks against SSH.
security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.
security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.
security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.
security/sshblock block abusive SSH login attempts.
security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
BlockHosts Automatic blocking of abusive IP hosts.
Blacklist Get rid of those bruteforce attempts.
Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
IPQ BDB filter May be considered as a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.

Iptables Example

The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:

#!/bin/bash
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --update --seconds 60 --hitcount 5 -j DROP

Call above script from your iptables scripts. Another config option:

$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5-j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.

sshd_server_ip="202.54.1.5"
table  persist
block in quick from 
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload  flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j doo

fwknop is an implementation that combines port knocking and passive OS fingerprinting.
Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide openssh version, you need to update source code and compile openssh again. Make sure following options are enabled in sshd_config:

#  Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on  reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
#  Specifies whether password authentication is allowed.  The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t

Tighter SSH security with two-factor or three-factor (or more) authentication.

References:

The official OpenSSH project.
Forum thread: Failed SSH login attempts and how to avoid brute ssh attacks
man pages sshd_config, ssh_config, tcpd, yum, and apt-get.

If you have a technique or handy software not mentioned here, please share in the comments below to help your fellow readers keep their openssh based server secure.

Download PDF version (193K).

BIND 9 Dynamic Update DoS Security Update

2009-08-12T19:28:00.001+05:30

BIND 9 is an implementation of the Domain Name System (DNS) protocols. named daemon is an Internet Domain Name Server for UNIX like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message an internal assertion check is triggered which causes named to exit. An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.

Our hosting provider seems to come under DoS attack too at the same time and their DNS server went down for couple of hours. So you may see some part of our site may not working, especially our css, js and image files comes from our service providers servers which are affected by BIND server problem.

Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it does affects the all versions of BIND 9. However, another update from Red hat claimed that:

Updates with similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update # apt-get upgrade # /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6x and v7.x?

To patch your system download the relevant patch from the FreeBSD below, and verify the detached PGP signature using your PGP utility.
# cd /tmp # fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch # fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc # cd /usr/src # patch < /tmp/bind.patch # cd /usr/src/lib/bind # make obj && make depend && make && make install # cd /usr/src/usr.sbin/named # make obj && make depend && make && make install # /etc/rc.d/named restart # rm /tmp/bind.patch

How Do I Patch RHEL / Fedora / CentOS Linux Server?

~~Red Hat / CentOS specific patch is available here.~~

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab the same from RHN or simply running the following command at a shell prompt:
# yum update

CentOS Linux use will get the same in day or two.

Other Suggestions

This slashdot user suggested use of the following iptables rules via U32 matching module:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Another user at Red hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.

Another option is to use DJBDNS DNS server.

CentOS Linux Project In Trouble

2009-08-12T19:25:00.000+05:30

CentOS Linux Project In Trouble

CentOS is a community-supported, freely-available operating system based on Red Hat Enterprise Linux. Lance Davis created CentOS and now he goes absent without leave. In an open letter from his fellow CentOS developers:

You have long promised a statement of CentOS project funds; to this date this has not appeared. You hold sole control of the centos.org domain with no deputy; this is not proper. You have, it seems, sole 'Founders' rights in the IRC channels with no deputy ; this is not proper.

I just hope that Lance gets back to his fellow developers and gets things sorted out for all of us. This is concerning as we've large number of servers deployed using CentOS. It gets more interesting:

Lance vanished from the project some time in 2008. Everybody needs time off from projects from time to time, so there was no real need to worry about that. What there was to worry about is the following: Lance is the only one, who can make active changes to the centos.org domain, as he "owns it". Nobody else in the team is able to add nameservers, for instance. Recently he put an anonymizing service on the domain, so that nobody from the outside can see who that domain belongs to.

The third thing - and that is the one which hurts me the most - is that Lance is the one who has access to the Google AdSense and the Paypal accounts, again without a backup. We have asked for overviews of the accounts several times now and haven’t gotten back any answers. This money was donated towards the project and could have been used for professionally made media for fairs and conventions, professionally made advertisement material for the same, hardware, community support (give out media to people who want to show off CentOS) and so on. To make it clear: Nobody in the CentOS team wants to make money off the project, we all have jobs and do CentOS in our free time.

If he's disappeared, how they are going to move all servers and domain? May be Lance can keep money and handover domain, IRC admin access to his fellow developers. What do you think?

Update (Aug-1-2009): Long Live CentOS

From CentOS.org:

The CentOS Development team had a routine meeting today with Lance Davis in attendance. During the meeting a majority of issues were resolved immediately and a working agreement was reached with deadlines for remaining unresolved issues. There should be no impact to any CentOS users going forward.

The CentOS project is now in control of the CentOS.org and CentOS.info domains and owns all trademarks, materials, and artwork in the CentOS distributions.

CentOS is not dead or going away. The signers of the Open Letter are fully committed to continue the CentOS Project. Updates and new releases will continue.

Most of the Issues have been resolved, there is an action plan with agreed upon dates for any outstanding issues.

Top 5 Email Client For Linux, Mac OS X, and Windows Users

2009-08-12T19:22:00.001+05:30

Linux comes with various GUI based email client to stay in touch with your friends and family, and share information in newsgroups with other users. The following software is similar to Outlook Express or Windows Live Mail and is used by both home and office user.

Webmail interfaces allow users to access their mail with any standard web browser, from any computer, rather than relying on an e-mail client.

However, e-mail client remains extremely popular in a large corporate environment, small business, home and power users. An e-mail client (also mail user agent (MUA)) is a frontend computer program used to manage e-mail. Mail can be stored on the client, on the server side, or in both places. Standard formats for mailboxes include Maildir and mbox.

The following are top five amazing piece of cross-platform software from various projects to make your life easy with wide variety of plug-ins / add-ons.

#1: Mozilla Thunderbird

It is an e-mail and news cross-platform client software package by Mozilla Foundation. Thunderbird can manage multiple e-mail, newsgroup and RSS accounts and supports multiple identities within accounts. Features like quick search, saved search folders , advanced message filtering, message grouping, and labels help manage and find messages. Just like Firefox, the tons of extensions and themes for this client makes it very secure and flexible to to enhance your productivity.

Fig.01: Mozilla Thunderbird

=> Download Mozilla Thunderbird

#2: Claws Mail

Claws Mail is a free, GTK+-based, open source email and news client. It is very light lightweight. Like Firefox , the wide variety of plug-ins for this email client makes it very flexible and secure. Claws Mail runs on Windows, Mac OS X and Unix-like systems such as Linux, BSD, and Solaris.

Fig.02: Claws Mail in Action

=> Download Claws Mail

#3: Spicebird

Spicebird is a collaboration client that provides integrated access to email, contacts, calendaring and instant messaging in a single application. It provides easy access to various web services while retaining all the advantages of a desktop application. It is developed by an Indian company called Synovel. It is a free, open source and cross-platform software.

Fig.03: Spicebird in Action (image credit Spicebird project)

=> Download Spicebird

#4: Zimbra Collaboration Suite (Open Source Version)

Zimbra is a client and server platform for messaging and collaboration. The web client integrates email, contacts, shared calendar, VoIP, and online document authoring in a rich browser-based interface. This is more like MS-Exchange and Outlook combo. In other words it is compatible with proprietary clients such as Microsoft Outlook and Apple Mail, both through proprietary connectors, as well as the open-source Novell Evolution, so that mail, contacts, and calendar items can be synchronised from these to the ZCS server. Zimbra also provides native two-way sync to many mobile devices such as Nokia Eseries, BlackBerry, Windows Mobile, iPhone with 2.0 software.

Fig.04: Zimbra (credit offical Zimbra website)

=> Download Zimbra Collaboration Suite (Open Source Version)

#5: Sylpheed

Sylpheed is a free, GTK+-based, open source email and news client. It is very light lightweight. Sylpheed runs on Windows, Mac OS X and Unix-like systems such as Linux, and BSD.

Fig.05: Sylpheed in Action

=> Download sylpheed

Comparison of E-mail Clients - Essential Features

The following tables compare general and technical information between e-mail client programs.

Feature	Thunderbird	Claws Mail	Spicebird	Zimbra	Sylpheed
Cross-platform	Y	Y	Y	Y	Y
License	MPL, MPL/GNU GPL/GNU LGPL	GPL	MPL, MPL/GNU GPL/GNU LGPL	MPL (server) and ZPL (client)	GPL/LGPL
Cost	Free	Free	Free	Free	Free
Authentication	Y	Y	Y	Y	Y
SSL and TLS	Y	Y	Y	Y	Y
Image blocking	Y	Y	Y	Y	Y
Junk filtering	Y	Y	Y	Y	Y
Phishing filtering	Y	Y	Y	Y	?
Add-ons	Y	Y	Y	?	N
Thread view	Y	Y	Y	Y	Y
PGP support	Y	Y	Y	?	Y
Label Messages	Y	Y	?	Y	Y
Spell Checking	Y	Y	?	Y	N
Signatures	Y	Y	Y	Y	Y
Scheduled message	Y	?	?	?	?
Message templates	Y	Y	?	Y	Y
Database	mbox	MH, mbox	?	File system	MH
POP3	Y	Y	Y	Y	Y
IMAP4	Y	Y	Y	Y	Y
SMTP	Y	Y	Y	Y	Y
NNTP (News)	Y	Y	Y	Y	Y
RSS Feed	Y	Y	Y	Y	N
LDAP	Y	Y	Y	Y	N
iCalendar	Y	?	Y	Y	N
Paid Support	?	?	?	?	Y

Y = supported; N = not supported; ? = unknown; Privacy feature; Security features; Productivity features; Cross-platform - runs on Mac OS X, Windows and UNIX like operating systems.

Other Email Clients For UNIX Like Operating Systems

SeaMonkey - Mozilla SeaMonkey is an all-in-one Internet application suite that includes an Internet browser, email and newsgroup client, HTML editor, IRC chat, and web development tools. It includes a pop-up blocker, junk mail controls, and a tabbed interface.
Pine (Alpine) - Alpine is a rewrite of the Pine Message System that adds support for Unicode and other features. Alpine is meant to be suitable for both inexperienced email users and the most demanding of power users.
Evolution or Novell Evolution - Evolution provides integrated mail, addressbook and calendaring functionality to users of the GNOME desktop.

Our Recommendations:

Claws Mail - Highly recommended for netbook user due to lightweight usage.
Mozilla Thunderbird - The wide variety of add-on for this email client makes it very flexible, secure and easy to use. Highly recommended for desktop and power users.
Zimbra Collaboration Suite ~ Open Source Edition or Businesses Editon - Highly recommended for business and corporate users due to its support for a broad range of email clients and mobile devices via "over the air" sync.

All of the e-mail client listed above used by me at one point or another. If you know of, or use, another e-mail client that offers better features than those mentioned here, tell us in the comments.

Hacking the Dlink 502T router

2009-07-04T11:34:00.000+05:30

I have upgraded my 256kbps ADSL to 512kbps and it is bundled with Dlink 502T router. Soon after installation I found that it runs Linux :). Hacker inside me decided to play around this router.

How do I Log in to router interface via telnet

You can login over telnet. This is common feature of all router these days and this the only way to hack into box:

=> Default IP: 192.168.1.1
=> Default Username: admin (or use root both are having UID 0)
=> Default Password: admin

WARNING! These examples are not about stealing other users bandwidth or passwords. Most A/DSL provider control many properties on their end. Hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. This article is not about stealing or cracking other users network equipment.

I have changed IP of router to 192.168.1.254 so here is my first session:
$ telnet 192.168.1.254
Sample output:

Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.

BusyBox on (none) login: root
Password:

BusyBox v0.61.pre (2005.05.30-08:31+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Let us see password file, enter:
# cat /etc/passwd
Output:

root:x:0:0:Root,,,:/:/bin/sh
admin:x:0:0:Admin,,,:/:/bin/sh

Hack #3: Get more information about router hardware and Linux

Since this is tiny device most of the userland command such as free, uname etc are removed. However /proc file system provides all information.

Display CPU Information
# cat /proc/cpuinfo
Display RAM Information
# cat /proc/meminfo
OR
# free

Display Linux versions
# cat /proc/version
Output:

Linux version 2.4.17_mvl21-malta-mips_fp_le (jenny@fd6e) (gcc version 2.95.3 20010315 (release/MontaVista)) #70 Mon May 30 16:34:48 CST 2005

Display list of running Processes:
# ps

Display list of all kernel module:
# lsmod

Hack # 3: Get more information about network

Display list of all network interfaces:
# ifconfig
Get your Internet public IP info:
# ifconfig ppp0
Output:

ppp0      Link encap:Point-Point Protocol
         inet addr:61.xxx.xxx.xxx  P-t-P:61.xxx.xxx.xxx  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1  ASYMMTU:1500
         RX packets:69586 errors:0 dropped:0 overruns:0 frame:0
         TX packets:62540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:80566538 (76.8 Mb)  TX bytes:5349581 (5.1 Mb)

Get default routing information i.e. find out your ISP's router:
# route
Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
61.xxx.xxx.xxx  *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
239.0.0.0       *               255.0.0.0       U     1      0        0 br0
default         dsl-xx-00x.xx.x 0.0.0.0         UG    0      0        0 ppp0

Display ethernet statics such as speed and other details:
# cat /proc/avalanche/eth0_rfc2665_stats

Display DSL modem stats:
# cat /proc/avalanche/avsar_modem_stats

Display Iptables firewall rules:
# iptables -L -n

Flush/Stop firewall rules (don't flush untile and unless you have solid reason to do it )
# /etc/flush_firewall

Hack 4 : Secure your router

(A) Open a web browser such as firefox and login to web based interface. Type url http://192.168.1.1/

(B) Enable Firewall
By default firewall is disabled :/? turn it on to protect your router as it runs linux. Click on Home > Wan > Scroll down and select Firewall as Enabled. Click on Apply.

(D) Save changes and reboot router
Click on Tools > System > Click on Save and Reboot button

Please note that most ISP including Airtel, BSNL and others these days use this router. And by default admin password is not changed by user, in addition to that some software bug exists that allows remote administration via telnet/http. So turning on firewall saves your day.

Hack # 5: Miscellaneous information

Display developer information i.e. the people behind this router development:
# cat /proc/avalanche/developers

Quickly reboot the router:
# reboot

All your binary stored in /bin/ /usr/bin /sbin directory.