Blog O' Matty


Disabling directory indexing with Apache

This article was posted by Matty on 2005-10-16 12:47:00 -0400

If you have visited a website and been greeted with a list of files instead of a webpage, the web server is configured to generate directory indexes. In Apache, mod_autoindex produces this listing whenever a request names a directory that has no DirectoryIndex file (index.html and friends) and the "Indexes" option is enabled. Directory indexes can be helpful for users who need to locate unknown files, but they are a considerable security exposure: they reveal files that were never linked from any page, and attackers routinely use them to locate sensitive data (e.g., passwords, quicken files, product designs, backups, etc.).

Due to the security issues associated with directory indexes, I prefer to disable them on the Apache web servers I support. This is easily accomplished by negating the "Indexes" option in the httpd.conf Directory and Location stanzas, or by overriding the Indexes option in an .htaccess file. Note that "-Indexes" only removes Indexes from the set of options inherited from enclosing stanzas; a DirectoryIndex file is still served as usual, and a request for a directory that has no such file now returns 403 Forbidden instead of a listing:

$ cat .htaccess
Options -Indexes

If an .htaccess file is used to override the web server's directory indexing default configuration, the web server will need to be configured to allow overrides: the enclosing Directory stanza needs "AllowOverride Options" (or "AllowOverride All"), otherwise the Options line in .htaccess is rejected with a server error. There is also a performance penalty associated with .htaccess files, since the web server needs to check for the existence of an .htaccess file in every directory on the path to each file it serves.
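A quick way to find out which Directory stanzas in an httpd.conf still grant Indexes, as an added example that is not part of the original post. The audit_indexes function and the sample configuration below are mine; the sample shows the weak setting (a bare or "+Indexes") beside the "-Indexes" form recommended above, and the parser assumes one directive per line and a path without embedded spaces.

```shell
#!/bin/sh
# Audit an httpd.conf-style file for <Directory> stanzas that leave
# directory indexing enabled. Added example, not from the original post.

audit_indexes() {
    # $1: path to an httpd.conf-style file.
    # Prints one line per <Directory> whose Options line grants Indexes,
    # either bare ("Options Indexes FollowSymLinks") or with "+Indexes".
    # "-Indexes" is the negated form and is not reported.
    awk '
        tolower($1) == "<directory" {
            dir = $2                   # assumes the path has no spaces
            sub(/>$/, "", dir)         # strip the closing ">"
            gsub(/"/, "", dir)         # strip optional quotes
        }
        tolower($1) == "</directory>" { dir = "" }
        tolower($1) == "options" && dir != "" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes") print dir
            }
        }
    ' "$1"
}

# Constructed sample config (not taken from any real server):
# /var/www/html and /var/www/docs enable Indexes, /var/www/private uses
# the -Indexes form from the post.
sample_conf() {
    cat <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/private">
    Options -Indexes
    AllowOverride Options
</Directory>
<Directory /var/www/docs>
    Options +Indexes
</Directory>
EOF
}

# Usage against a real server config:
#   audit_indexes /etc/httpd/conf/httpd.conf
```

Run it against every file pulled in by Include as well, since a later stanza for the same path can re-enable Indexes; on the constructed sample above it reports /var/www/html and /var/www/docs.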

Enabling jumbo frames with Solaris and Cisco CatOS

This article was posted by Matty on 2005-10-16 10:52:00 -0400

While performing some network throughput testing, I wanted to see how much additional throughput could be gained by using Ethernet jumbo frames. Before beginning my testing, I checked the compatibility matrix to make sure my switch (Cisco Catalyst) and NIC (Sun CE gigabit Ethernet adaptor) supported jumbo frames. Once I knew jumbo frames were supported, I logged into my Solaris server and used the ndd(1m) and ifconfig(1m) utilities to enable jumbo frame support on ce instance 0:

$ ifconfig ce0 unplumb
$ ndd -set /dev/ce instance 0
$ ndd -set /dev/ce accept-jumbo 1
$ ifconfig ce0 plumb

The ce device driver's "accept-jumbo" option will enable jumbo frames and instruct the upper layer protocols that the device is capable of processing jumbo frames. The documentation indicates that some older releases of Solaris will not set the MTU (maximum transmission unit) when jumbo frame support is enabled. When these conditions occur, the ifconfig(1m) utility can be used to increase the MTU to a higher value:

$ ifconfig ce0 inet 1.2.3.4 netmask 255.255.255.0 mtu 9194

The ndd(1m) and ifconfig(1m) configuration will not be persisted through a system reboot. To make the configuration persistent, the ce device driver's configuration file (ce.conf) needs to be updated to enable jumbo frame support when the device driver is initialized at system boot time (this is documented in the ce device driver manual). In addition to configuring the host to support jumbo frames, the Ethernet switch port that will be passing jumbo frames needs to be configured; a host that sends 9000-byte frames into a port still limited to standard-sized frames simply has those frames dropped, and every other host on the same segment that it talks to needs a matching MTU as well. To enable jumbo frames on a CatOS-based Cisco switch, "set port jumbo" can be executed from enable mode:

switch1> (enable) set port jumbo 1/1 enable
Jumbo frames enabled on port 1/1.

To verify that jumbo frames were enabled, “show port” can be run:

switch1> (enable) show port jumbo
Jumbo frames MTU size is 9216 bytes.
Jumbo frames enabled on port(s) 1/1.

From my limited testing, jumbo frames make a significant difference with backup throughput. If I get time, I will post the ttcp output, and the list of reasons for not enabling jumbo frames (the list of reasons not to use jumbo frames is somewhat lengthy!).

From what I can tell from the available documentation, very few vendors enable jumbo frames by default for compatibility reasons.

Jerry Cantrell's Boggy Depot CD

This article was posted by Matty on 2005-10-16 09:09:00 -0400

I am a huge Alice In Chains fan, and have followed their lead guitarist Jerry Cantrell since the band parted ways. I recently picked up Jerry's Boggy Depot CD, and am kicking myself for not purchasing this album sooner! This album is incredible, and I think "My Song" and "Cut You In" are two of his best works ever. If you like Alice In Chains, I highly recommend picking up this CD.

Logging connections to inetd services

This article was posted by Matty on 2005-10-15 17:23:00 -0400

When a Solaris server is configured to support network services, it is valuable to know which clients are connecting to these services. If the network service is controlled by inetd(1m), each connection can be logged by setting ENABLE_CONNECTION_LOGGING to “YES” in the /etc/default/inetd configuration file:

$ grep ENABLE_CONNECTION_LOGGING /etc/default/inetd
ENABLE_CONNECTION_LOGGING=YES

If you are using Solaris 10, you can also use the new inetadm(1m) utility's "-M" option (change the values of the specified inetd default properties) to enable connection logging:

$ inetadm -M tcp_trace=true

This will enable connection logging for all inetd-based services, and is identical to setting “ENABLE_CONNECTION_LOGGING=YES” in the /etc/default/inetd configuration file. If you are using Solaris 10, you can verify that connection logging is enabled by checking for “tcp_trace=TRUE” in the inetadm(1m) “-p” (lists all default inet service property values provided by inetd in the form of name=value pairs) output:

$ inetadm -p

NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=TRUE
tcp_wrappers=FALSE

Once connection logging is enabled, a system logfile entry similar to the following will be created for each new connection:

Oct 15 17:05:12 tigger inetd[228]: [ID 317013 daemon.notice] imaps[16566] from 192.168.1.8 53935

This lists the service the client connected to (imaps in this example) along with the PID of the process inetd spawned to handle it, the client's IP address, and the client's TCP source port. Connection logging is some good stuff!
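Once these entries are flowing into syslog, the first thing a practitioner wants is a count of connections per service and client, which is enough to spot a scanner or a brute-force attempt against one service. The following is an added example, not part of the original post: the summarize_inetd and flag_noisy functions are mine, and the log lines in sample_inetd_log are constructed in the format shown above rather than taken from a real host.

```shell
#!/bin/sh
# Summarize inetd connection-log entries (tcp_trace=true /
# ENABLE_CONNECTION_LOGGING=YES) from a syslog file.
# Added example, not from the original post.

summarize_inetd() {
    # $1: syslog file. Output: "count service client", busiest first.
    # Only lines of the form
    #   ... inetd[PID]: [ID NNN daemon.notice] svc[PID] from ADDR PORT
    # are counted; unrelated syslog lines are ignored.
    awk '
        /inetd\[[0-9]+\]: \[ID [0-9]+ daemon\.notice\] [^ ]+\[[0-9]+\] from / {
            for (i = 1; i <= NF; i++) if ($i == "from") break
            svc = $(i - 1)
            sub(/\[[0-9]+\]$/, "", svc)     # drop the child PID
            count[svc " " $(i + 1)]++       # key: service + client address
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

flag_noisy() {
    # $1: syslog file, $2: threshold. Prints service/client pairs that
    # reached at least $2 connections in the file.
    summarize_inetd "$1" | awk -v n="$2" '$1 >= n'
}

# Constructed sample log (not real traffic). The last line is an sshd
# entry, included to show that non-inetd lines are skipped.
sample_inetd_log() {
    cat <<'EOF'
Oct 15 17:05:12 tigger inetd[228]: [ID 317013 daemon.notice] imaps[16566] from 192.168.1.8 53935
Oct 15 17:05:40 tigger inetd[228]: [ID 317013 daemon.notice] imaps[16570] from 192.168.1.8 53940
Oct 15 17:06:02 tigger inetd[228]: [ID 317013 daemon.notice] telnet[16581] from 10.0.0.5 40122
Oct 15 17:06:03 tigger inetd[228]: [ID 317013 daemon.notice] telnet[16582] from 10.0.0.5 40123
Oct 15 17:06:03 tigger inetd[228]: [ID 317013 daemon.notice] telnet[16583] from 10.0.0.5 40124
Oct 15 17:07:15 tigger sshd[1700]: [ID 800047 auth.info] Accepted publickey for matty from 192.168.1.8 port 53950 ssh2
EOF
}

# Usage on a live host:
#   summarize_inetd /var/adm/messages
#   flag_noisy /var/adm/messages 50
```

On the constructed sample this reports 3 telnet connections from 10.0.0.5 and 2 imaps connections from 192.168.1.8. If you only want logging for one service rather than all of them, inetadm's "-m" option sets the same tcp_trace property on a single service instance instead of the inetd defaults.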

Processing files with awk

This article was posted by Matty on 2005-10-15 12:07:00 -0400

I have used awk(1) for years to tokenize strings and to extract specific lines from files. To tokenize a string, you can use awk(1)'s field variables ($1, $2, and so on) when processing a file:

$ awk '{ print $1, $2 }' /etc/services | head -10
#ident "@(#)services
#
#
# Copyright
# All
#
# Network
#
tcpmux 1/tcp
echo 7/tcp

When awk(1) processes the file /etc/services, each line is split into fields based on the value of the awk FS variable (by default, runs of blanks and tabs; this is awk's own field separator, not the shell's IFS) and placed into the field variables $1 through $NF. The awk(1) print statement is then used to print the values passed to it. You can also process a range of lines by invoking awk(1) with two patterns separated by a comma; the range starts at the first line matching the first pattern and ends at the next line matching the second:

$ awk ' /ssh/ , /smtp/ { print $0 }' /etc/services

ssh 22/tcp # Secure Shell
telnet 23/tcp
smtp 25/tcp mail

If you need to grab all lines from a beginning point to the end of the file, you can use an end pattern that never matches. awk(1) has no EOF keyword: the /EOF/ below is just a regular expression, and the range runs to the end of the file only because no line in /etc/services happens to contain the text "EOF". A constant false expression such as 0 as the end pattern does the same thing without relying on the file's contents:

$ awk ' /dtspc/ , /EOF/ { print $0 }' /etc/services

dtspc 6112/tcp # CDE subprocess control
fs 7100/tcp # Font server
apocd 38900/udp
snmpd 161/udp snmp # SMA snmp daemon

I find myself using awk(1) pretty regularly, and really dig some of the cool stuff that is built-in!
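The three techniques above, field splitting, a bounded range, and an open-ended range, as an added example that is not part of the original post. The functions and the constructed /etc/services-style sample are mine; the sample exists only so the commands run offline, and the to_end_of_file functions show the two idioms (a constant false end pattern, and a flag variable) that replace the /EOF/ trick with something that does not depend on the file's contents.

```shell
#!/bin/sh
# Field splitting and pattern ranges in awk over a constructed
# /etc/services-style file. Added example, not from the original post.

# Constructed sample (not a real /etc/services).
sample_services() {
    cat <<'EOF'
# Network services, Internet style (constructed sample)
tcpmux     1/tcp
echo       7/tcp
ssh        22/tcp   # Secure Shell
telnet     23/tcp
smtp       25/tcp   mail
dtspc      6112/tcp # CDE subprocess control
fs         7100/tcp # Font server
snmpd      161/udp  snmp
EOF
}

# Service name and port/proto. $1 and $2 are awk fields, split on FS
# (runs of blanks by default), not on the shell's IFS. Comment lines
# are skipped so only real entries are printed.
name_and_port() { awk '!/^#/ { print $1, $2 }' "$1"; }

# Lines from the first match of $2 through the next match of $3. Both
# are regexes matched anywhere on the line, so anchor them (^ssh) if a
# comment mentioning the word must not start or end the range.
line_range() { awk -v start="$2" -v end="$3" '$0 ~ start, $0 ~ end' "$1"; }

# From the first match of $2 to end of file. The end pattern 0 is never
# true, so once the range opens it never closes; this is the explicit
# form of the /x/,/EOF/ trick from the post.
to_end_of_file() { awk -v start="$2" '$0 ~ start, 0' "$1"; }

# Same result without a range: set a flag on the first match, then the
# bare pattern "seen" prints every following line (including the match).
to_end_of_file_flag() { awk -v start="$2" '$0 ~ start { seen = 1 } seen' "$1"; }

# Usage:
#   sample_services > /tmp/services.sample
#   line_range /tmp/services.sample '^ssh' '^smtp'
#   to_end_of_file /tmp/services.sample '^dtspc'
```

On the sample, line_range with '^ssh' and '^smtp' prints the ssh, telnet and smtp lines, and both to_end_of_file variants print dtspc, fs and snmpd.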