Michael W. Lucas's Blog, page 82
January 3, 2012
enable DNSSec resolution on BIND 9.8.1
With BIND 9.8, enabling DNSSec resolution and verification is now so simple and low-impact there's absolutely no reason to not do it. Ignore the complicated tutorials filling the Internet. DNSSec is very easy on recursive servers.
DNS is the weak link in Internet security. Someone who can forge DNS entries in your server can use that to leverage his way further into your systems. DNSSec (mostly) solves this problem. Deploying DNSSec on your own domains is still fairly complicated, but telling ...
December 30, 2011
SSH Mastery Cover Rough
Here's the cover rough for SSH Mastery, by my pet artist the highly talented Bradley K McDevitt. If you see anything wrong with it, please say so now.

SSH Mastery Cover
December 29, 2011
SSH Mastery Cover Photo
Last summer, preparing for the OpenSSH book, I attended a course on being your own publisher. If you're interested in publishing, I highly recommend the Think like a Publisher course. The hotel was decorated with a variety of nautical clutter.
This critter hung directly over the breakfast table.

The Hand of Karma
This was obviously the Hand of Fate. I borrowed a couple of really good cameras from fellow workshop attendees and snapped a bunch of photos. I'm a lousy photographer, but with good...
December 28, 2011
Dec 2011 Updates
The OpenSSH book is in copyedit. I hope to get the copyedits back this year. I've seen the first round of copyedits, and they don't look too bad. Once I make the corrections, the book goes to the print-on-demand layout person and I start on the ebook conversion. The ebook should be out next month.
The best title I've had suggested was "SSH: You're Doing It Wrong." I love that title, but it's not really appropriate. Instead, it'll be "SSH Mastery: OpenSSH, PuTTY, Tunnels, and Keys." That's...
December 12, 2011
sudo auth via ssh-agent
One of the nicest things about writing a book is that your tech reviewers tell you completely new but cool stuff about your topic. While I was writing the OpenSSH book, one of the more advanced reviewers mentioned that you could use your SSH agent as an authentication source for sudo via pam_ssh_agent_auth.
I have dozens of servers. They all have a central password provider (LDAP). They're all secured, but I can't guarantee that a script kiddie cannot crack them. This means I can't truly...
December 6, 2011
Moving Static Sites from Apache to nginx
My more complex Web sites run atop WordPress on Apache and MySQL. Every so often, Apache devours all available memory and the server becomes very very slow. I must log in, kill Apache, and restart it. The more moving parts something has, the harder it is to debug. Apache, with all its modules, has a lot of moving parts.
After six months of intermittent debugging, I decided that with the new hardware I would switch Web server software, and settled on nginx. I'd like to switch to Postgres as...
November 28, 2011
Why I Give Books Away
For a year or so I've wanted to write a post about the impact of book reviews, specifically on Amazon book reviews, but Anne R. Allen has saved me the trouble.
In short: Amazon owns my writing career.
They make their decisions based on reviews by people like you.
And when I say "people like you," I mean you, personally.
The biggest thing you can do to help any author is review their book in twenty words or more, and rate it four or five stars, and post it on Amazon. (Amazon considers a 3-star...
mirroring FreeBSD-9 disks with GPT
I recently tried to mirror my hard drives in a new machine. The Handbook instructions, and those in my own Absolute FreeBSD, didn't work well. (The Handbook now warns about this in a big, friendly, hard-to-miss red box.) So how can I mirror my disk? By using per-partition mirroring rather than full-disk mirroring.
I should note up front that this article is the result of my researches and testing. I am not a filesystem developer. I'm not even a FreeBSD committer any more. You should check the ...
November 21, 2011
Recovering from Failing to Mirror Disks on FreeBSD 9.0-RC2
I'm installing a new FreeBSD server, and want to mirror the root disks. According to the instructions in the Handbook and my own Absolute FreeBSD, it's a simple process. The instructions are not valid for FreeBSD 9, however. It was late. I was tired. I tried anyway.
The first clue should have been that the disk devices now have different names. Rather than /dev/da0s1, they now look like /dev/da0p1. What difference does a letter make? Well, my test instance is virtualized. I took a snapshot...
November 14, 2011
notes from my FreeBSD and Nagios upgrade
My Nagios system ran FreeBSD-current/i386 from October 2010 and Nagios 3.0.6. Business factors drove me to make some changes, and I decided to upgrade the server before making those changes. Here are some things I observed. I don't know if these are useful to you, but I'll need them for other upgrades, so what the heck.
Back up before you start. (Yes, obvious, but everyone needs a reminder.)
Building 9-stable on a -current box that old is tricky. You have to do a variety of ugly things. So don't. ...