dunxd's questions

Several users have reported receiving phishing emails, and one at least has admitted to following the link. Investigation found that their Microsoft 365 account had been compromised (despite MFA being enabled, it doesn't look like it was required) and I discovered in their Outlook mailbox rules to move certain messages to RSS Feeds folder (why is that still a thing by default) where they wouldn't be found.

I suspect other users might have been similarly compromised but may not know or want to admit it. Amongst other things I'm investigating I wondered if it is possible to identify all mailboxes that have rules created in the last 14 days, or mailboxes that have non-empty RSS Feeds folder.

I recently took over management of a company's DNS records. Looking at the records, everything seems to be in order. But there is one record I can't figure out what it is for:

TXT domain.com "vs-f1 a mx -all"

There is no documentation about this record. Googling the record just gives me loads of sites about F1 racing.

It looks similar to an SPF record, but those are in place and start v=spf1.

Can anyone shed any light?

I have a Windows 7 computer on my domain that is behaving oddly.

• It is possible to ping www.google.com
• It can ping internal hosts using their IP address
• It can ping the local Domain Controller/DNS server for that office using its hostname and IP address
• It cannot ping other internal hosts by their hostname or FQDN
• The client has not registered itself in DNS
• nslookup can resolve internal host names to their correct IP addresses and uses the correct DNS server
• The client gets its IP settings via DHCP the same as other clients - it has an address in the correct subnet, the correct DNS servers applied and has the correct suffix added to resolve hostnames
• The Local Area Connection network connection shows a SSID name that was previously used in the space that would be used to show the domain name or the WiFi status - see image

I'm really baffled as to why this might be happening. Because internal DNS resolution is not happening, the computer is not able to communicate with the domain properly, so Group Policy can't be applied and I doubt authentication is working properly.

I have tried clearing the DNS cache with ipconfig /flushdns, disabling/restarting the cache with netsh stop dnscache. I've reset Winsock and the IP stack, and rebooted numerous times with no difference. Other clients in the same network are working just fine.

The current workaround is to put entries in the hosts file for the most important hosts for services the user may need to use. This has worked ok, but isn't really sustainable long term, and doesn't address communication with Active Directory.

Any idea how to fix this, before I rebuild the thing?

Update I have installed Wireshark on the effected computer. When I do nslookup domain.local I see all the DNS traffic as expected. When I do ping domain.local I don't see any DNS traffic at all - no request and no reply. When I do ping www.google.com I see both DNS request and reply.

Also, this is a laptop with both Wired LAN and Wireless. I get exactly the same issue when connected via Wired LAN or via WiFi to the internal network.

An odd thing I noticed is that under the name of the network connection (Local Area Network) rather than displaying the domain name as I would expect, but rather the name of a VLAN we used to use. I'm hesitant to remove the computer from the domain, in case I cannot join it again. I'd rather try some other things before I go down a route that might involve reinstalling Windows.

Update this looks relevent

Update I have tried netsh winsock reset catalog, netsh int ip reset, and sfc scannow none of which have fixed the behaviour. The computer cannot leave and rejoin the domain, as it can't communicate with a domain controller. ifconfig /registerdns also doesn't work for the same reason. I've also tried stopping the dns client service to no avail.

Active Directory user objects include a number of fields that can be considered an identifier. The following lists some of these with their label in ADUC and their attribute name:

• Full Name - cn
• ? - name
• User sAMAccountName logon - sAMAccountName
• User UPN Logon: userPrincipalName
• ? - distinguishedName

I'm trying to get our developers to standardise on using only one of these when writing custom code that authenticates against AD - trouble is I'm not sure which is the "right" one, or if different ones are the right one in different circumstances. I'm not even sure any of the above fields should be used!

Has anyone else picked one to use consistanly, and what influenced you in that decision? Any documentation that clarifies the issue?

One of our remote offices has given a security contract to a company that came in and set up IP security cameras and a server in our office. They clearly didn't know anything about integration of their system into an existing network, as they completed the job without talking to anyone in our team.

Our internal network is running on 10.6.n.0/24. They set up their equipment to use 192.168.1.0/24. It's all plugged into the same network infrastructure - the same broadcast domain. Of course, all their equipment can talk to each other, so the security system works, internally at least.

If we have no requirement for external access to or from the security system, are there any issues that would necessitate proper integration with our network? Or can I safely leave the equipment set up as it is?

This is a Canonical Question about Compile Dependencies and Package Management.

I have a question regarding compiling ports/software or installing RPMs on my *nix server. When I try to do this I receive lots of messages about missing dependencies.

Can the Server Fault community please help?

I am shipping a bunch of ESXi 5.1 servers to remote offices where they will be powered via APC UPS.

I would like to have the UPS trigger a shutdown of the connected server - I would then rely on the ESXi configuration to take care of the shutdown/suspension of the VMs hosted on it.

I can see that APC have a solution documented using their PowerChute Network Shutdown, but this involves setting up an extra server per office, and requires network cards on each UPS. We are generally using UPS without a network card (e.g. Back-UPS Pro) - they come with a USB connector, and they are readily available in the locations where our offices are.

How can I connect a UPS to a ESXi host via USB, then have ESXi detect a power outage and then act accordingly? Has anyone managed to do this.

If you set the Manager for a User object in Active directory, it creates a clear relationship between the user and their manager. This is reported in Exchange's Global Address List amongst other things.

For a Group object, the Manager is able to edit members of the group via the Address List in Outlook, if you enable it.

The same Manager field exists for computer objects in Active Directory. Does this relate to any functionality anywhere?

Is the Location field in Active Directory used for anything other than listing where objects are physically located?

I am interested if this is just a user friendly field to help people find printers etc. or if a change to this field will have some other effect.

I know that DNS records starting with * are called Wildcard records. What is the name for DNS record starting with @ (the at symbol). This is a record for the root domain (e.g. just example.com, not www.example.com)

I want to find out more, but searching for "@ record dns" in Google doesn't return any useful results.

What is the correct terminology for this type of record, and where might I find it described in more detail?

RFC 1035 describes the use of @ in a DNS record, but doesn't go as far as giving it a name.

This is not a question about what the @ symbol does or how it works. It is a question about the name for this kind of record.

I want to be able to use Home, End and Delete keys when using PuTTY to access the CLI on my Cisco ASAs. Currently when I use these keys I see the ~ character.

I have tried changing the PuTTY session Keyboard setting for Home and End from Standard to rxvt - this resulted in Delete giving ~, Home doing nothing at all, and End giving w.

Is it possible to get my keyboard to behave?

I have this all working fine for connections to Linux, but not Cisco devices.

I've just installed and configured monit according to the monit documentation. All services apart from Apache are listed as Running, but Apache says Not Monitored.

The relevant lines in monit's config are:

check process apache with pidfile /var/run/httpd.pid
        group www
        start program = "/etc/init.d/httpd start"
        stop program = "/etc/init.d/httpd stop"
        if failed host localhost port 80
        protocol http then restart
        if 5 restarts within 5 cycles then timeout

I can access http://localhost/server-status and http://localhost fine from the server. Monit lists Monitoring mode for Apache as active.

Server is running CentOS 5.4.

PID file is correct for parent httpd server:

[server ~]$ cat /var/run/httpd.pid
2905
[server ~]$ ps auxc | grep httpd
root      2905  0.0  0.9  26952  4808 ?        Ss   11:36   0:00 httpd

My VPS web server running on CentOS 5.4 (Linux kernel 2.6.16.33-xenU) irregularly (like once a month give or take a few weeks) becomes unresponsive due to oom-killer kicking in. Monitoring of the server shows that it doesn't normally run out of memory, just every so often.

I've read a couple of blogs that point to this page which discusses configuring the kernel to better manage overcommit using the following sysctl settings:

vm.overcommit_memory = 2
vm.overcommit_ratio = 80

My understanding of this (which may be wrong, but I can't find a canonical definition to clarify) is that this prevents the kernel over-allocating memory beyond swap + 80% of physical memory.

However, I have also read some other sources suggesting that these settings are not a good idea - although the critics of this approach seem to be saying "don't do things to break your system, rather than attempting this kludge" in the assumption that causation is always known.

So my question is, what are the pros and cons of this approach, in the context of an Apache2 web server hosting about 10 low traffic sites? In my specific case, the web server has 512Mb RAM, with 1024Mb swap space. This seems to be adequate for the vast majority of the time.

We have a number of branch offices where having an AD/DNS server would make a big difference to user experience. The following characteristics apply:

• There is no air conditioned server room, and no budget to set one up
• Offices are located in developing world, so high temperature, humidity and dust are common
• There are no IT staff in these offices
• Getting replacement parts generally means sending something from Europe
• Small form factor is preferred due to logistical challenges of transporting equipment to the office
• Offices have 2-25 users

I've been thinking about the possibility of deploying low powered flash based mini PCs running Windows 2008 R2 as Read Only Domain Controllers. I see it is possible to get Mini ITX devices with Atom 1.6GHz processor, 2Gb of RAM and mSATA flash based storage (32Gb) (e.g. Soekris net6501-70) This looks like it will meet the minimum requirements for running Windows Server 2008 R2.

• Has anyone rolled out a production system like this and able to share experience?
• Am I wrong to think that fanless/solid-state drives are better given the environmental conditions?
• Would 32Gb storage be sufficient for running RODC for our size of domain (800 users, Group Policy under review)?

Is it worthwhile running fail2ban, sshdfilter or similar tools, which blacklist IP addresses which attempt and fail to login?

I've seen it argued that this is security theatre on a "properly secured" server. However, I feel that it probably makes script kiddies move on to the next server in their list.

Let's say that my server is "properly secured" and I am not worried that a brute force attack will actually succeed - are these tools simply keeping my logfiles clean, or am I getting any worthwhile benefit in blocking brute force attack attempts?

Update: Lots of comments about brute force guessing of passwords - I did mention that I wasn't worried about this. Perhaps I should have been more specific and asked whether fail2ban had any benefits for a server that only allows key based ssh logins.

Due to an intermittent internet connecton and some fat fingered typing, I came very close to sending the command chown -R me.group / to my server, which I think would be fairly disruptive.

Is there a way to backup just the permissions on all the files on the system?

I use PuTTY to SSH to my linux server. Today I noticed that when I enter a long command that goes beyond the right hand of the screen, instead of wrapping down to the next line, the text starts at the left of the screen on the same line, writing over the top of the characters. I can't figure out what might have changed to cause this. Can anyone give any pointers at what might cause this, and how to resolve? I have Auto wrap mode initially on ticked in PuTTY.

I haven't made any changes to the PuTTY settings for this server, so at a loss why this stopped working correctly.

I have a small virtual private server running CentOS and www/mail/db, which has recently had a couple of incidents where the web server and ssh became unresponsive.

Looking at the logs, I saw that oom-killer had killed these processes, possibly due to running out of memory and swap.

Can anyone give me some pointers at how to diagnose what may have caused the most recent incident? Is it likely the first process killed? Where else should I be looking?

I think I understand Sharepoint, but to be honest I don't know what I don't know.

A link to some clear documentation would be helpful, or short of that, descriptions of what the following are:

• A Web Application
• A managed path
• A site collection
• A site

When would I use each, and how do they all relate to each other?

I've looked at Microsoft's discussion of Information Architecture, but it doesn't join the dots.

I am running TFTPD via xinetd on a Centos 5.4 server. I am able to access files via tftp fine, so I know the service is running ok. However, whenever I try and upload a file I get a 0 Permission denied message.

I have already created the file in /tftpboot and set the permissions to 666.

My tftpd config has verbose logging (-vvvv), but all I see in my /var/log/messages is:

START: tftp pid=20383 from=192.168.77.4

I have seen some mention that SELinux can prevent TFTPD uploads, but I'd expect to see something in the logs. I have SELinux set in permissive mode.

Any ideas?