Tag Archive server

Windows Server 2008 Disk Requirements

Do note that the disk requirements for the latest generation of Windows operating systems are extremely heavy. As usual for “minimum” requirements, the recommendation of 32GB for system partitions is far too small.† Perusing Microsoft’s MSDN forums lends credence to the common recommendation of 50-60GB for the system partition.

The biggest contributor to the problem is the notorious winsxs directory. Microsoft’s brute force “solution” to DLL hell was to just keep a copy of every single old version of a file. Every service pack, security patch, or other update retains every old version of every file. It adds up, and quickly.

Unfortunately winsxs cannot be moved or files trimmed from the directory. Reportedly one shouldn’t even compress the directory, though I normally compress C:\ on virtual machines and haven’t experienced troubles — yet.

Microsoft MVP moderators on the MSDN technical forum uniformly state that the solution is to get a bigger hard drive. SSD and virtualization users are considered “early adopters” and just have to lump it.

Microsoft’s justification is that cost per gigabyte has continued to drop over time. While this is true for dedicated physical servers, virtualization is widespread these days, and cost per GB does not drop. In fact, costs can scale non-linearly. Doubling the amount of disk space on a virtual machine can triple or quadruple monthly hosting costs.

Now it is true that I’ve become jaded over the years when it comes to Microsoft’s lack of finesse in their software engineering practice, but I still shake my head over this knuckle-headed architectural decision. However, if Microsoft technology is chosen, we have to bow to Redmond’s whims.

It goes without saying that this additional hidden cost for virtualization users makes LAMP stacks all the more attractive.

† My own anecdotal experience is that on one particular server, the best I can do without getting drastic is 3% free space on a 30GB partition.


Zimbra Administration Gotchas

Zimbra has proven to be a fabulous platform that matches what we’ve needed over the past few years. I’ve run into two small setup problems that were fairly easy to fix.

Server Status Shows Nothing But Red X

We’ve run Zimbra on CentOS for years, upgrading across multiple Zimbra versions. (Again, my hat’s off to the team tasked with handling upgrades.) The Server Status panel showed nothing but red X marks everywhere. The cause turned out to be that syslogd was running, preventing rsyslogd from starting. I disabled syslogd from the startup, and enabled rsyslogd. Problem fixed.

Mail Server Statistics Giving Error

Specifically, the ever-so intuitive:

exception during auth {RemoteManager: mail.xxxxx.com->zimbra@mail.xxxx.com:22} Error code: service.FAILURE Details:soap:Receiver

Zimbra is built to be distributed across several machines, so even when run on a single machine it uses cryptographic keys to enable secure passwordless access to the statistics. The Mail Queue Monitoring wiki entry had a number of suggestions for diagnosing and correcting the problem. Following its instructions I regenerated the cryptographic keys. When that didn’t work, it dawned on me that I run sshd on an alternate port to help keep the number of unauthorized access attempts down. Zimbra assumes port 22, so obviously the ssh login was failing.


Remove Extraneous RedHat Services to Help Secure Servers

One of the principles of server security is to run only those services and daemons that are absolutely necessary, and no more. A good, hardened server shouldn’t be having extraneous conversations with other machines.

While this is by no means a comprehensive list, here are some extraneous services that may be running on your server after a fresh CentOS or RedHat install. Obviously, you should look at your server’s purpose and skip those that are needed for your particular machine.

Detecting Running Services

There are various commands that will show what’s listening on what port. I personally like

# lsof -i

Disabling Daemons

If one can’t just remove a daemon, one may disable it.

  1. Stop the daemon.
    # service <daemon name> stop
  2. Disable the daemon from running automatically.
    # chkconfig --level 0123456 <daemon name> off

Daemons to Consider Removing

My servers aren't doing Zeroconf to talk to new machines that appear on the network. If it says, "Bonjour", my server isn't listening. Avahi is embedded pretty deeply in the system, so you'll probably not be able to remove the avahi package without neutering your server.
For some reason the printer subsystem CUPS is embedded pretty deeply in the system, and you may not be able to remove it without erasing administrative tools that you might want to keep.
For some reason the LSB RPM depends on Exim, so again I simply disable Exim. Cron jobs can still send e-mail without Exim running. If you don't care about LSB compliance, you can sudo yum erase exim.

There are others. Please suggest more!
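An added example (not from the original post) that ties the two disabling steps to the daemons named above: it reads chkconfig --list output, flags the review-list daemons still enabled in any runlevel, and prints the stop/disable commands for an administrator to review. The init-script names avahi-daemon, cups and exim, the function names, and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output against a review list.

# Daemons to review. Init-script names are assumed (CentOS/RHEL packaging).
REVIEW_LIST="avahi-daemon cups exim"

# Constructed sample of `chkconfig --list` output (not from a real host).
sample_chkconfig() {
cat <<'EOF'
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
exim            0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# Read chkconfig --list on stdin; print services "on" in at least one runlevel.
# Lines without N:on columns (e.g. the xinetd section) never match.
enabled_services() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-6]:on$/) { print $1; break }
    }'
}

# Print the review-list services that are still enabled.
flag_for_review() {
    enabled=$(enabled_services)
    for svc in $REVIEW_LIST; do
        # -x whole line, -F fixed string: "cups" must not match "cups-config-daemon"
        printf '%s\n' "$enabled" | grep -qxF "$svc" && printf '%s\n' "$svc"
    done
    return 0
}

# Emit the two steps from "Disabling Daemons" for each flagged service.
# The commands are only printed, never executed.
remediation_commands() {
    flag_for_review | while read -r svc; do
        printf 'service %s stop\n' "$svc"
        printf 'chkconfig --level 0123456 %s off\n' "$svc"
    done
}

# On a real host: chkconfig --list | remediation_commands
sample_chkconfig | remediation_commands
```

After applying the printed commands, rerun lsof -i to confirm the daemons are no longer listening.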
