hayalci's questions

I'm trying to set up DNS-over-TLS (DoT) with unbound resolver. i.e. I'm trying to encrypt the connection between the client and unbound I'm NOT trying to encrypt the unbound resolver → upstream connection, which many guides on the internet are talking about.

I have the following in the config file, as explained in the man page, and also described here:

 server:
   interface: 0.0.0.0@853

   tls-port: 853
   tls-service-key: "/etc/letsencryp/live/DOMAIN/privkey.pem"
   tls-service-pem: "/etc/letsencryp/live/DOMAIN/fullchain.pem"

But when I try to restart unbound, I get the following permission denied on the certificate files.

package-helper[778]: /var/lib/unbound/root.key has content
package-helper[778]: success: the anchor is ok
unbound[813]: [1586107523] unbound[813:0] error: error for cert file: /etc/letsencryp/live/DOMAIN/fullchain.pem
unbound[813]: [1586107523] unbound[813:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0200100D:system library:fopen:Permission denied
unbound[813]: [1586107523] unbound[813:0] error: and additionally crypto error:20074002:BIO routines:file_ctrl:system lib
unbound[813]: [1586107523] unbound[813:0] error: and additionally crypto error:140DC002:SSL routines:use_certificate_chain_file:system lib
unbound[813]: [1586107523] unbound[813:0] fatal error: could not set up listen SSL_CTX
systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE

I have tried moving the files out of this directory, and experimented with setting root or unbound as the owner. The only way I could make it work was to place the files directly in the /etc/unbound/ directory. A symlink in the same location pointing to letsencrypt managed files didn't work either. This is not ideal, as I'd need to regularly copy the certificate files out of letsencrypt directory whenever a certificate renewal occurs and/or unnecessarily restart the DNS resolver.

I have thoroughly checked that a chroot is not configured in config files, or default settings, or compiled in the binary. In fact, it has been explicitly disabled by default in Debian (bug report)

How can unbound be unable to read files, that is right there, with unbound:unbound as owner:group, and permissions set as readable?

I'm using unbound version 1.9.0-2+deb10u1 on Debian buster (10), if it's of any importance.

I'm trying to use goaccess log analysis tool, to analyse vsftpd FTP server's logs. I'm aware that being a web server log analyser, goaccess is not the best tool for this. That being said, it's flexible enough with the log format and we're already using it to analyse the web server's log, so I decided to give it a try.

By default vsftpd has a very chatty log:

Mon Mar 23 06:00:00 2020 [pid 11111] CONNECT: Client "1.1.1.1"
Mon Mar 23 06:00:00 2020 [pid 11111] [ftp] OK LOGIN: Client "1.1.1.1", anon password "blablabla"
Mon Mar 23 06:00:00 2020 [pid 11111] [ftp] FAIL DOWNLOAD: Client "1.1.1.1", "/file1", 0.00Kbyte/sec
Mon Mar 23 06:00:00 2020 [pid 11111] [ftp] OK DOWNLOAD: Client "1.1.1.1", "/file2", 17500 bytes, 203.15Kbyte/sec

As modern servers ­—usually— have single a line of log for a particular request, my first step was to change the logging to xferlog format, which gives a single line per transfer.

# /etc/vsftpd.conf
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log

Now I have log lines like the following.

Sat Mar 28 06:00:00 2020 1 1.1.1.1 17500 /file1 b _ o a anonymous ftp 0 * c
Sat Mar 28 06:00:00 2020 1 1.1.1.1 0 /file2 b _ o a anonymous@host ftp 0 * i

As this is a download server only getting anonymous & passive FTP requests, I can assume the anonymous and anonymous@host are whatever the client provides for anonymous FTP.

How can I analyse this log with goaccess?

Edit I have thought that excessive number of "deny" lines are confusing apache into blocking unlisted IPv4 addresses. But comment of @Ladadadada made me pinpoint the exact issue. You can read my old question below. The problem is, the following line:

deny from 42.1.0.0/19

blocks the IPv6 addresses

2a01:4f8:120:8201::2
2a01:1e8:e100:ce::2

How is this possible?

I have a really long list of blocked IP addresses, activated by an Include directive inside the Directory block.

This file only contains IPv4 addresses, but my server is also blocking a limited number of IPv6 addresses. It's not blocking all IPv6 traffic. If I remove the blocks, those IPv6 addresses can access the server just fine.

Originally the block file had each IP block on a separate "deny from" line. I tried combining every 40 of them to reduce the rule count and file size. It still did not help. But when I truncated the rules to 4-5 deny lines, it worked as expected and did not block the IPv6 addresses.

These are sample logs from access log.

2a01:4f8:120:8201::2 - - [03/Mar/2013:15:01:07 +0200] "GET /tdf/ HTTP/1.1" 403 387 "-" "MirrorBrain Probe (see http://mirrorbrain.org/probe_info)"

and from error log

[Sun Mar 03 15:01:07 2013] [error] [client 2a01:4f8:120:8201::2] client denied by server configuration: /mirror/pub/tdf/

How can I list a large number of "deny" directives ? I cannot control the firewall of the machine, so it's out of the question.

Is there a central place to report spam to various blacklists ?

I regularly report to spamcop, but

1. I do not see the addresses I reported as listed. (I guess nobody else bothers with my regular spammer. After being frustrated with bayes and spammcop, I blocked its /24 subnet)
2. Spamcop is only a single service. I want to make the spammer known to a large number of services, and hopefully blocked by many of them.

I looked for some other blacklists to report to, but the ones I looked do not consider user submissions (or they hide it well)

I have some disks that were being used on a Solaris system. The disks are formatted as UFS. I attached them to a Debian system (with FreeBSD kernel. Debian/kFreeBSD), but I cannot mount them.

$ mount -t ufs /dev/da2s1 /mnt/diska
mount: /dev/da2s1 : Invalid argument

Also the tunefs.ufs does not work;

$ tunefs.ufs -p /dev/da2s1
tunefs.ufs: /dev/da2s1: could not read superblock to fill out disk

Is there an incompatibility between FreeBSD UFS and Solaris UFS? Is it possible to mount one, under the other OS ?

Note: tunefs.ufs works on the root partition

$ tunefs.ufs -p /dev/da7s2
tunefs.ufs: ACLs: (-a)                                         disabled
tunefs.ufs: MAC multilabel: (-l)                               disabled
tunefs.ufs: soft updates: (-n)                                 disabled
tunefs.ufs: gjournal: (-J)                                     disabled
tunefs.ufs: maximum blocks per file in a cylinder group: (-e)  2048
tunefs.ufs: average file size: (-f)                            16384
tunefs.ufs: average number of files in a directory: (-s)       64
tunefs.ufs: minimum percentage of free space: (-m)             8%
tunefs.ufs: optimization preference: (-o)                      time
tunefs.ufs: volume label: (-L) 

I want to run two instances of bind on a server, one for authoritative answers and one for recursive queries. MaraDNS can easily be configured to run multiple instances. You just add a line for each instance in /etc/default/maradns file, stating configuration file for that instance

What is the best way of doing this with bind in debian ? Copying the initscript and modifying paths seams like a hack.

I want to prepare a custom installer of Thunderbird and Firefox, which will come preconfigured with the address book, proxy settings etc.

I found some forum topics on the issue: here and here, there someone recommends using mozptch but it currently is discontinued and recommends using http://opsi.org/

I also found out the WPKG package installer, from this question and this one.

They all assume the configuration is done later by MDC.

But I do not prefer doing a massive install of package managers and then install and configure programs with them. (Because my Active Directory knowledge is very limited). I highly prefer creating a customized installer, which can be run on both office computers and home computers by the users.

What method can you recommend for creating a customized and preconfigured installer for Thunderbird and Firefox ?

We have upgraded a Debian Squeeze machine recently, which was installed in February 2010 and was never upgraded after that. After the upgrade, while booting the machine prints some messages and after "waiting for /dev with devices" it does not print anything else. The system actually boots and works, is connectible through ssh. But we don't get any console or X output.

ps command shows the running getty processes. but no virtual console (ctr+alt+fX) shows a login prompt. Actually, I suspect the keyboard stops working as the "numlock" key does not light up the led. The gdm login is also not accessible.

I tried dpkg-reconfigure on console-setup and a few other packages, and rebooted after changes, but to no avail.

I want to add new ACL rules to a Cisco router. I have no previous experience with cisco.

Many resources about Cisco acls have instructions on applying the acl rules to an interface. But I need to know which ACL rule is already active in an interface, so that I can add new rules to it.

show interfaces command does not display the ACLs, which command is used to get the ACLs on an interface?

Edit: this page states show ip access-list interface tunnel 0 command for displaying ACLs on an interface, but it is usable only on IOS 12.4 and newer. What are my options in an IOS 11.1 router?

Solution: The issue is solved, but I don't know how :) I was told that somebody else™ fixed the issue.

We are using rsnapshot for backups. It uses hard links to efficiently store unchanged files, and rsyncs the changed files from servers.

The hard linking part calls a command like this

  cp -al /current /old

But this process uses up ALL the available memory. Is there a way to limit memory of cp process, or is there a memnice utility a la nice/ionice?

I am having a problem with smbpasswd, an LDAP backend server and SSL/TLS certificates. The client machine that I run smbpasswd on is a Debian Etch machine, and the Ldap server is Sun DS running on Solaris. All the following occurs on the client.

When I disable SSL, by setting "ldap ssl = no" in smb.conf, the smbpasswd program works without errors.

When I set "ldap ssl = start tls", the following messages are printed by smbpasswd and there is a long timeout period before any password is asked by it

Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
..... long delay .....
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
smbpasswd: /tmp/buildd/openldap2-2.1.30/libraries/liblber/io.c:702: ber_get_next: Assertion `0' failed.
Aborted

I conducted some tests with "ldapsearch -ZZ". It was not working at first, but after I added the TLS_CACERT line to /etc/ldap/ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf, it started working. So relevant TLS sections in all those files are:

ssl start_tls
tls_checkpeer no
tls_cacertfile /path/to/ca-root.pem
TLS_CACERT /path/to/ca-root.pem

But the smbpasswd program continued giving the error.

I tried creating /etc/smbldap-tools/smbldap.conf file with following content (after consulting debian docs for smbldap-tools package) But as I see, smbpasswd comes with samba-common package and does not use the configuration for smbldap-tools utilities.

verify="optional"
cafile="/path/to/ca-root.pem"

My question is: How can I set which SSL CA Certificate is used by smbpasswd program ?

We want to run an SSL only lighttpd process. Which configuration option should be used to turn off port 80 with its unencrypted traffic ?

Lighttpd documents only provide a "redirection" to https traffic, but we want a complete silence on port 80. We want to keep lighttpd listening only on 443 for encrypted(https) traffic.

Update [Solution]

Setting only "server.port = 443" does not help. SSL config was :

$SERVER["socket"] == "0.0.0.0:443" {
                  ssl.engine                  = "enable"
                  ssl.pemfile                 = "/etc/cert.pem"
}

That gave the error.

can't bind to port: 0.0.0.0 443 Address already in use

Removing the conditional SSL altogether solved the issue, the config became:

server.port                 = 443
ssl.engine                  = "enable"
ssl.pemfile                 = "myweb.pem"

SFTP is probably the most widely used "ssh subsystem". This O'Reilly chapter gives some more usage examples; it presents subsytems as "shortcuts" to various commands that can be used.

How do you use this subsytem feature ?

Is there a practical way to limit an ssh key to a subsystem, possibly replacing command restriction option of ssh keys?

What software do you use for central network management ?

What I mean is, you record a machine's name, mac address, open ports and other info, and the program generates DHCP, DNS and Firewall configuration snippets, to be included from main config files.

For example the central network manager tool has the following fields in the config file:

machine1 | 10.0.0.22 | 01:23:45:67:89:ab | 80/tcp, 53/udp, 53/tcp | owner | room

This becomes three files, one for DNS

machine1 IN A   10.0.0.22 ; owner , room

one for DHCP

host machine1 { hardware ethernet 01:23:45:67:89:ab; fixed-address 10.0.0.22; } # owner , room

one for Firewall (example for Linux iptables)

-A mycustomchain -d 10.0.0.22 -p tcp --dport 80 -j ACCEPT  # machine1, owner, room
-A mycustomchain -d 10.0.0.22 -p udp --dport 53 -j ACCEPT # machine1, owner, room

It is not too hard to code something by hand, but are there any good ready made solutions with good track record ? Possible plusses: supporting different dns, dhcp, firewall software, having plugin-like support for copying the updated confiurations to relevant servers and restarting services.

I am looking for a tool targeting Linux systems, but windows or BSD only solutions are welcome for completeness' sake.