Tometzky's questions

After upgrading Ubuntu 16.04 kernel to linux-image-4.4.0-151-generic some of our clients stopped being able to connect with TCP. Specifically using SSH.NET library from Windows servers with SFTP service provided by CrushFTP.

We had to rollback the upgrade, but the issues fixed in this kernel version look very serious (CVE-2019-11477, CVE-2019-11478 {SACK Panic}, CVE-2019-11479):

Version: 4.4.0-151.178  2019-06-19 13:11:04 UTC

  linux (4.4.0-151.178) xenial; urgency=medium

  * Remote denial of service (system crash) caused by integer overflow in TCP
    SACK handling (LP: #1831637)
    - SAUCE: tcp: limit payload size of sacked skbs
    - SAUCE: tcp: fix fack_count accounting on tcp_shift_skb_data()

  * Remote denial of service (resource exhaustion) caused by TCP SACK scoreboard
    manipulation (LP: #1831638)
    - SAUCE: tcp: tcp_fragment() should apply sane memory limits

 -- Stefan Bader <email address hidden> Tue, 11 Jun 2019 09:36:19 +0200

Do you know and can share any links for more information about similar problems experienced after upgrade to this specific Ubuntu kernel?

I have a TCP service in a datacenter that is doing filtering and rate limiting based on source IP address. I'd like to move it to another datacenter.

I'd like to provide the same service on an IP address from the new datacenter and forward all traffic on a single port to the old one, so both new and old will work at the same time. I can't just change the hostname, as some clients are using IP address for connecting (sigh) and some are using outgoing connections IP filtering based on IP address (sigh) and it will take weeks to change them.

I know that I can SNAT the connections, but if I do this all the connections will be sourced from the same IP, which conflicts with filtering and rate limiting based on source IP address.

I can DNAT the connections and route them through a VPN tunnel, but this means that the return packets will try to go with the service's default route and service source IP address and will be ignored by the clients.

Is there a way with Linux to somehow mark the TCP packets that were DNAT'ed so the return packets can be routed back through the VPN tunnel instead of the service's default route?

My sendmail server on CentOS 5 started to reject some connections with the following message logged:

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40

When I try to connect to it using openssl from CentOS 6 server I get the following error:

$ openssl s_client -starttls smtp -crlf -connect hostname.example.net:smtp
(...)
error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3331
(...)
Server Temp Key: DH, 512 bits
(...)

Mail on CentOS 6 server is temporarily rejected with Deferred: 403 4.7.0 TLS handshake failed.

What to do to be able to send mail from CentOS 6 / RHEL 6 to CentOS6 / RHEL5 server?

Could you provide a minimal unattend.xml file for use in Windows 7, which will be manually installed, updated and configured on one workstation, then SysPrep will be run like this:

C:\Windows\System32\sysprep>
sysprep /generalize /oobe /unattend:unattend.xml /shutdown

and then C: partition cloned to multiple workstations (I use partimage from a Linux LiveUSB for this).

This unattend.xml should configure a workstation so it will not ask for anything after cloning. Workstation should just show an ordinary login screen with accounts configured before. It should create random computer name and don't try to join Active Directory, as I'm not comfortable with storing passwords in unattend.xml.

I don't want to use Windows System Image Manager (Windows SIM) from Windows Automated Installation Kit (Windows AIK) as this is overkill — too complicated for my tastes.

Sendmail Delivery Status Notification looks like this:

The original message was received at Fri, 8 Feb 2013 10:49:11 +0100
from host1.example.local [192.168.0.1]

   ----- The following addresses had permanent fatal errors -----
<[email protected]>
    (reason: 550 Host unknown)

   ----- Transcript of session follows -----
550 5.1.2 <[email protected]>... Host unknown (Name server: example.com.: host not found)
... while talking to mx.example.org.:
>>> DATA
<<< 450 4.7.1 <[email protected]>: Recipient address rejected: Policy Rejection- Please try later.
<[email protected]>... Deferred: 450 4.7.1 <[email protected]>: Recipient address rejected: Policy Rejection- Please try later.
<<< 554 5.5.1 Error: no valid recipients
... while talking to mx.example.net.:
>>> DATA
<<< 451 4.7.1 Service unavailable - try again later
<[email protected]>... Deferred: 451 4.7.1 Service unavailable - try again later 

This is all perfectly clear for me (1 bad address, 2 deferred by greylisting). But this is very confusing for my users: there's Error (panic); [email protected] is valid address, but it is mentioned in Returned Mail, so it clearly wasn't delivered etc.

Is there any way to disable Transcript of session follows part of Sendmail's DSN? Ideally using some option in sendmail.mc. I hope it does not need to use this language resembling BrainF*CK, in which Rewriting Rules in sendmail.cf are written.

Sendmail 8.13.8 on CentOS5, but soon 8.14.4 on CentOS6

I have a Windows Server 2008 R2 x64 server that is AD controller and file server. I have a problem that Windows XP clients experience terribly slow (less than 10Mbps, really less than ten-megabits-per-second) downloading of files from a share.

Server is connected to 1Gbps switch using 1Gbps Nvidia NForce card and client is connected using 100Mbps built-in card.

This slow downloading can also be seen when I've booted client computer from CentOS Linux 5.5 Live-USB and used smbclient for downloading. But downloading from a Samba share on Linux server, which is also connected using 1Gbps link is fast.

What is very strange I've created a pair of programs (attached below) which test plain TCP throughput in C#, and they're performing as expected — at about 89Mbps.

I've disabled firewall on client and I'm using dot_nc_l 21000 > NIL on client and dot_nc [client_ip] < 100m.dat on Windows server. And I get about 9 seconds, when copying the same 100MB file from share takes over 2 minutes.

How to eliminate this?

Some pictures generated with wireshark on Linux client:

Downloading 100MB file from Windows 2008 CIFS file server connected with 1Gbps NIC to Centos 5 Linux client connected with 100Mbps NIC with smbclient:

Downloading 100MB file from Fedora Linux CIFS file server on Samba connected with 1Gbps NIC to Centos 5 Linux client connected with 100Mbps NIC with smbclient (same scale as above):

Here are these programs (linked are compiled using mono's gmcs, require .NET2):

dot_nc.cs

using System;
using System.IO;
using System.Diagnostics;
using System.Net.Sockets;

public class dot_nc
{
 public static void Main(string[] args) {
  string hostname = args[0];
  int port = int.Parse(args[1]);

  Stopwatch stopwatch = new Stopwatch();

  stopwatch.Start();
  TcpClient client = new TcpClient(hostname, port);
  stopwatch.Stop();
  Console.WriteLine("Connection: {0}ms", stopwatch.ElapsedMilliseconds);

  stopwatch.Reset();
  stopwatch.Start();
  byte[] buffer = new byte[4096];
  {
   Stream stdin = Console.OpenStandardInput();
   NetworkStream netout = client.GetStream();
   while ( true ) {
    int bytesread = stdin.Read(buffer, 0, buffer.Length);
    if ( bytesread <= 0 ) {
     break;
    }
    netout.Write(buffer, 0, bytesread);
   }
  }
  stopwatch.Stop();
  Console.WriteLine("Sending: {0}ms", stopwatch.ElapsedMilliseconds);
  client.Close();
 }
}

dot_nc_l.cs

using System;
using System.IO;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;

public class dot_nc
{
 public static void Main(string[] args) {
  int port = int.Parse(args[0]);

  TcpListener server = new TcpListener(IPAddress.Any, port);
  server.Start();
  TcpClient client = server.AcceptTcpClient();
  NetworkStream netin = client.GetStream();

  byte[] buffer = new byte[4096];

  Stream stdout = Console.OpenStandardOutput();
  int processed_bytes = 0;
  int processed_chunks = 0;
  while ( true ) {
   int bytesread = netin.Read(buffer, 0, buffer.Length);
   if ( bytesread <= 0 ) {
    break;
   }
   stdout.Write(buffer, 0, bytesread);
   processed_bytes += bytesread;
   processed_chunks++;
  }
  netin.Close();
  client.Close();
  server.Stop();
  Console.Error.WriteLine(
   "Received: {0} chunks of data of {1} average size", 
   processed_chunks, processed_bytes/processed_chunks
  );
 }
}

I'm trying to choose a antivirus solution for tiny non-profit organization (5 workstations, no server).

Is it possible to buy licenses and run Microsoft Forefront Client Security Agent on these workstations? $12/year per device license is a good price.

But if I have to purchase Management console for $1000, which reporting features I don't need, and a server, it won't make any sense.

Microsoft Security Essentials would suffice, but it's impossible to buy it for non-personal use - and free license does not allow it.

Is there any way to disable Thunderbird Migration Assistant after upgrade from Thunderbird 2.0 to 3.1?

The defaults there are sensible, but my users will likely be confused by this Assistant and for example choose to enable caching of IMAP folders, which will wreak havoc in roaming profiles and backups.

Disabling of options which do not make sense in corporate environment I can just append to user's prefs.js file.

Is there any way of working around Citibank's Citidirect forcing usage of vulnerable Java Runtime Enviromnent, as it is described in my posting on Full Disclosure?

When Java 5 was still supported installing two versions of Java made a trick - Citidirect worked with unsupported version as long as supported old version was also installed. Only latest version of Java files were open so I think it was secure. But it does not work with Java 6.

Maybe there's a way of limiting Java plugin to one domain, for example citibank.com? Java is not needed for anything else. My users have Windows XP Professional and use Internet Explorer 8 as a browser.

How to simply remove everything from a current or specified directory on Linux?

Several approaches:

1. rm -fr *
rm -fr dirname/*
   Does not work — it will leave hidden files — the one's that start with a dot, and files starting with a dash in current dir, and will not work with too many files

2. rm -fr -- *
rm -fr -- dirname/*
   Does not work — it will leave hidden files and will not work with too many files

3. rm -fr -- * .*
rm -fr -- dirname/* dirname/.*
   Don't try this — it will also remove a parent directory, because ".." also starts with a "."

4. rm -fr * .??*
rm -fr dirname/* dirname/.??*
   Does not work — it will leave files like ".a", ".b" etc., and will not work with too many files

5. find -mindepth 1 -maxdepth 1 -print0 | xargs -0 rm -fr
find dirname -mindepth 1 -maxdepth 1 -print0 | xargs -0 rm -fr
   As far as I know correct but not simple.

6. find -delete
find dirname -delete
   AFAIK correct for current directory, but used with specified directory will delete that directory also.

7. find -mindepth 1 -delete
find dirname -mindeph 1 -delete
   AFAIK correct, but is it the simplest way?

Some time ago my Windows XP workstations started to show "Windows Genuine Advantage Notification Installer" popup every time I login as an administrator. How to get rid of it using a script? I know that I have a genuine Windows.