thomasrutter's questions

I use openssl to generate private keys and CSRs in a script. The script needs to generate the key first, then call chmod 400 whatever.key to change the permissions of the private key to something more secure.

Is there any way to eliminate the second step and have openssl create the file with appropriate permissions from the start? It would seem cleaner to me to not have the private key readable by other processes, even for a millisecond.

Can you use umask in a script to do something like this or is there another way?

I'm wanting to set up a secondary MX server using Postfix but I am wondering what is the best way to test this prior to putting into production (by adding its MX entry)?

One possible way is to test it with an entirely different domain name, ie buy a domain like "fake-test-domain.com" and set it up its DNS zone with ONLY this backup MX server.

Any easier way I can just force a mail server to send a message to this server before it's listed in DNS?

I don't think I can use the hosts file on the sending system because that wouldn't emulate an MX record, right?

Yesterday the CPU on my Xen-based VPS server went to 100% for two hours and then went back to normal, seemingly naturally.

I have checked logs including syslog, auth.log and more and nothing seems out of the ordinary.

• During this time, the server seemed to be operating as normal as indicated by people logging in, emails received etc
• Memory, disk and network usage during this time appeared to be normal.
• I hadn't rebooted the server in weeks, and I wasn't working on it that morning.
• I keep it updated with security updates and the like. It's 12.04 LTS.
• It runs nginx, mysql and postfix along with a few other things.

Around the start of the event syslog contains these entries:

Apr 27 07:55:34 ace kernel: [3791215.833595] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=___ SRC=209.126.230.73
 DST=___ LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2962 PROTO=TCP SPT=49299 DPT=465 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 07:55:34 ace dovecot: pop3-login: Disconnected (no auth attempts): rip=209.126.230.73, lip=___
Apr 27 07:55:34 ace kernel: [3791216.012828] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=___ SRC=209.126.230.73
 DST=___ LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=58312 PROTO=TCP SPT=49299 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 07:55:34 ace kernel: [3791216.133155] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=___ SRC=209.126.230.73
 DST=___ LEN=76 TOS=0x00 PREC=0x00 TTL=244 ID=63315 PROTO=UDP SPT=49299 DPT=123 LEN=56

But then again, I get these all the time. It just indicates UFW/iptables successfully blocked some unwanted connections. It shouldn't be related.

I have a daily backup that runs just under 2 hours prior to the start of this "event". It seemed to run normally although it did cause a higher server load (but not CPU utilisation) than normal, pointing to a possible I/O congestion issue. But it didn't coincide with the 100% CPU event.

My question is: how can I investigate the cause of an event like this that happened in the past, given that it's no longer happening?

As the title says.

The design of DNSSEC and its implementation in Bind (and things like Unbound) quite clearly allow for either use. They can optionally do DNSSEC validation, returning SERVFAIL if the validation fails. Or alternatively they can be set to "support" DNSSEC but not to do the actual validation, allowing client software to use the "DO" bit (with EDNS) to request the DNSSEC records and do validation itself.

Notably, Google's own public DNS servers seem to follow the latter, allowing DNSSEC requests to pass through them but not doing DNSSEC validation themselves.

Which of these two ways was DNSSEC envisioned to be run? If you want context, imagine you have a few small web application servers and a caching recursive DNS server for them to do DNS requests through.

I am using UFW with a default logging policy of "low".

I would like to keep this logging on for the default deny action, but disable it for a particular IP address only. So I'd like to create one particular new rule that doesn't have logging.

Is there a way to achieve this?

I have a rather uncomplicated ufw setup so far, like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere (v6)
80/tcp                     ALLOW       Anywhere (v6)
443/tcp                    ALLOW       Anywhere (v6)

Is there any speed benefit to using a .com.au domain rather than a .com if your customers, hosting and DNS services are in Australia, specifically in the worst typical case (domain is not cached in any local DNS relay for customer)? Assuming that both domains pointed to the same nameservers in the end.

I know this is mostly academic because we are talking about a DNS lookup that would take at most a few hundred milliseconds and would only be relevant once at the beginning of a session. I just was curious.

I know that an uncached .com lookup will involve consulting at least one ?.gtld-servers.net. server and an uncached .com.au will involve consulting at least one ?.au. server.

Now, what I guess I'd need to know is

• Are the various ?.gtld-servers.net. servers using anycast technology that would have local fully authoritative nodes in Australia, making them just as fast to Australians as ?.au. and avoiding a 200ms+ overseas latency, or are some or all of them hosted only in the US or in the northern hemisphere?

In the last few months my mail server has been getting massive amounts of spam from yahoo.com's mail servers. Each one appears to be from a different Yahoo mail free account.

The spam is all coming from yahoo.com servers and is DKIM verified by yahoo.com. Example:

Received: from nm2.bullet.mail.ird.yahoo.com (nm2.bullet.mail.ird.yahoo.com [77.238.189.59])

My mail server is postfix based. I'm after a solution that I can apply to postfix. I currently run mail through the Spamhaus Zen and PSBL which has up until now served me well. My spam filtering goal is to have a very low false positive rate to avoid losing any legitimate mail for the people who use my server.

None of this mail is caught by my existing UCE controls or blacklists because it is coming from Yahoo's servers and is DKIM signed. They also contain no hyperlinks in the body (except for in a base64 encoded HTML attachment). This looks like the latest way for spammers to get around spam controls - sending through Yahoo mail account so it isn't blocked and using hundreds of free accounts.

I'm one step away from just blocking all mail originating from yahoo.com at this point. They just don't seem to care about the volume of spam coming from their servers.

I'm not even sure that something like spamassassin could block this spam reliably. I deliver mail for a large number of people and really want any spam filtering to be highly tolerant so as not to block any legitimate mail.

Followup:

I have now installed Spamassassin. This yahoo-originated spam was getting around 2 or 3 points on Spamassassin, not enough to filter it, so I manually trained a few hundred of them with sa-learn (along with a couple of hundred ham).

Now these Yahoo spams are getting 4 or 5 points each, which is enough to tag them but not realistically enough to filter them outright.

So without wanting to put my server-wide threshold too low and risk false positives, my next step, I guess, will be to try to write a custom Spamassassin rule for them.

I have two forms of the same domain name, one being a common misspelling of the other, let's say tedswidgets.com and tedswigets.com.

I'd like to redirect all mail for <someone>@tedswigets.com to that same <someone>@tedswidgets.com.

There's plenty of information on how to catch all mail from a domain and redirect it to a single address, but I don't want to do that - I want to catch all mail from a domain and redirect it, keeping the username part, and remap it to the equivalent address on the other domain.

Sorry, I should have mentioned that I use virtual alias domains and have a lot of other domains that I serve email for on this server. These two domains are the only two of many that need to mirror each other.

I'm almost ashamed to admit that there is one thing I am still unsure about when it comes to file permissions.

Let's say I have a directory with 750 permission (drwxr.x...). Then I create some descendant files inside it with a rather common 644 permission (.rw.r..r..).

Can the files in that directory be read by any other user on the system (outside of their owner or group), and why? On the one hand, those files have a world readable bit, so that should indicate the file is readable by anybody. On the other hand, the ascendant directory is not world executable (nor readable) so as long as this prevents access to the directory's contents, the world readable bit on the files would be irrelevant. Is that definitively true or is there any way around this?

Now, I seem to regularly see instances where someone recommends a chmod -R o-rwx or something. On example is in Debian's Maildir directories created by postfix I believe - all files, not just the directory, have had world/group read removed. Is it really necessary to remove that world read bit from the files inside if the directory has no world access? I ask as I'm trying to plan how to set up /var/www on a server and have it not world-readable ie by other local users.

Let's say I have a large website which may have a number of email addresses on it that are getting picked up by spammers. I plan to obfuscate or remove them all.

What's the easiest way to crawl my website to find any email addresses I may be exposing?

Either through on-page text (which Google can pick up, but not very well) or mailto: links (which Google can't).

I'm using suexec to ensure that PHP scripts (and other CGI/FastCGI apps) are run as the account holder associated with the relevant virtual host. This allows for securing each users' scripts from reading/writing by other users.

However, it occurs to me that this opens up a different security hole. Previously, the web server ran as an unprivileged user, with read-only access to user's files (unless the user changed the file permissions for some reason). Now, the web server can also write to user's files.

So while I've prevented different users taking advantage of each other's scripts, I've made it so that in the event that some application has a remote code injection vulnerability, it now has not only read access but also write access to all that user's scripts and website.

How can I deal with this?

One idea I've had is to create a second user account for each user account in the system, so that each user has their own user account, and all their scripts are run under another user account. But that seems cumbersome.

I'm trying to weigh up whether DKIM signing should be done by the application sending mail (for instance, the mailing list software you're using) or at the mail transfer agent (sendmail, postfix etc).

Do you know any good arguments either way?

As far as I can see, doing it at the MTA, such as with dkim-milter, is a lot easier to set up.

However, if anyone gets access to the server, even just a normal unprivileged account such as a web hosting client's login, they'd be able to send email using sendmail and get the full blessing of my DKIM signature.

What do you think is the best solution for my situation? I'm using a Debian server with apache, postfix, php&mysql, etc.

In Debian or one of its derivatives, how can I list all packages which I have installed from lenny-backports?

The closest I've come up with is:

aptitude search ~i~Alenny-backports

However, that lists all installed packages for which there exists a version in backports even if the currently installed version is not the one from backports. I'd like to list only the packages for which the currently installed version is from backports (or, not lenny, if that's easier).

Cheers