Jun 28 2011

After writing about Maildir replication with ChironFS and DRBD, this time I will describe how to replicate a maildir using the well-known utility rsync. By itself, rsync does not replicate in real time: it only performs the synchronization/copy when it is invoked, or on a schedule via crontab. Like cp, rsync copies files from one directory to another on the same system, or to a directory on another system, and vice versa.

How do we make the replication/copy process almost real time using rsync?

We will use inotify-tools (inotifywait) to monitor changes to files or directories, in this case the postfix maildir. Inotify has been included in the mainline Linux kernel since release 2.6.13 (June 18, 2005), and could be compiled into 2.6.12 and possibly earlier releases by applying a patch.

What is inotify?

Inotify is a Linux kernel subsystem that acts to extend filesystems to notice changes to the filesystem, and report those changes to applications. It replaces an earlier facility, dnotify, which had similar goals.

OK, without further ado, let’s continue with the first step: installing inotify-tools. On my CentOS machine it can be done as follows.

$ sudo yum -y install inotify-tools

Assume that we have two servers: the first runs postfix with a maildir, and the second is used to back up the maildir from the first. Using inotifywait, any change in the maildir on the first server will trigger rsync to update the maildir on the backup server. First, however, we will make rsync able to log in to the backup server automatically over ssh using public key based authentication.

On the first server

[first_server] $ ssh-keygen -t dsa -f ~/.ssh/identity && cat ~/.ssh/identity.pub | ssh -l postfix second_server -p 12345 'sh -c "cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'


Oct 25 2009

Sometimes we want to restrict ssh connections to our own network only, to prevent abusive logins.

This is how to do it with iptables:

# iptables -F
# iptables -N SSHD

# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 1.2.3.4/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 5.6.7.8/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s a.b.c.d/24 -j RETURN
# iptables -A SSHD -j REJECT --reject-with icmp-host-prohibited

# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD

All connections to port 22, except those from the networks we defined in iptables, will be rejected with icmp-host-prohibited.

# iptables -nvL
Chain INPUT (policy ACCEPT 934K packets, 529M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 3252  207K SSHD       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  717 35832 RETURN     all  --  *      *       1.2.3.4/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
 2535  171K RETURN     all  --  *      *       5.6.7.8/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       a.b.c.d/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0       0.0.0.0/0           reject-with icmp-host-prohibited
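To check what the SSHD chain above actually does to a given packet, here is a small Python model of the rule walk (an added example, not code from the post and not part of iptables). It assumes the INPUT policy is ACCEPT as shown in the listing, and replaces the placeholder a.b.c.d/24 with a constructed 10.0.0.0/24 network; note that iptables stores 1.2.3.4/24 as 1.2.3.0/24, which the model mirrors with strict=False.

```python
import ipaddress
from typing import List, Optional, Tuple

# Rules of the SSHD chain from the post, in order, as (source network, target).
# iptables masks the host bits of 1.2.3.4/24 and stores 1.2.3.0/24; strict=False does the same.
SSHD_CHAIN: List[Tuple[Optional[ipaddress.IPv4Network], str]] = [
    (ipaddress.ip_network("1.2.3.4/24", strict=False), "RETURN"),
    (ipaddress.ip_network("5.6.7.8/24", strict=False), "RETURN"),
    (ipaddress.ip_network("10.0.0.0/24"), "RETURN"),  # constructed stand-in for a.b.c.d/24
    (None, "REJECT"),  # catch-all: -j REJECT --reject-with icmp-host-prohibited
]

INPUT_POLICY = "ACCEPT"                          # "Chain INPUT (policy ACCEPT ...)" in the listing
ALLOWED_STATES = {"NEW", "RELATED", "ESTABLISHED"}  # -m state --state NEW,RELATED,ESTABLISHED


def sshd_verdict(src_ip: str, state: str = "NEW") -> str:
    """Walk the SSHD chain for one packet.

    RETURN hands the packet back to INPUT; since the -j SSHD rule is the last
    rule in INPUT, the packet then gets the chain policy (ACCEPT).  A packet
    that matches no RETURN rule, including a conntrack-INVALID packet from an
    allowed network, falls through to the unconditional REJECT.
    """
    addr = ipaddress.ip_address(src_ip)
    for network, target in SSHD_CHAIN:
        if network is not None and (addr not in network or state not in ALLOWED_STATES):
            continue  # rule does not match, try the next one
        return INPUT_POLICY if target == "RETURN" else target
    return INPUT_POLICY  # only reached if the chain had no terminating rule


def input_verdict(src_ip: str, dport: int, proto: str = "tcp", state: str = "NEW") -> str:
    """The single INPUT rule: only tcp/22 is diverted to SSHD; everything else
    is untouched by the ruleset and falls through to the INPUT policy."""
    if proto == "tcp" and dport == 22:
        return sshd_verdict(src_ip, state)
    return INPUT_POLICY
```

Because nothing but tcp/22 is diverted, the ruleset changes no other service; if ssh listens on a non-default port, the --dport in the INPUT rule must match it.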