Shtééf's questions

We have a small network of servers for which DNS service is critical. However, it seems to be a pain to set up redundant DNS service.

What we currently have is two caching/forward resolving servers set up running Ubuntu with Unbound. With the standard resolv.conf set-up, it seems the best we can do is configure a very short timeout.

I'm finding very little help with Google. The solution that seems to be most common is to create a virtual IP or set up heartbeat. But I'm not sure that'd work in our case, because the forwarding servers are in separate subnets and physical locations.

Regardless, I'm wondering:

• Wouldn't it make sense to have stub resolvers on each host fire queries in parallel? Nobody seems to be doing this, perhaps for a good reason I'm missing.

• Are there good solutions for this besides heartbeat?

I work for a service provider, and we've suffered an attack. We've learned from it, but nonetheless it has cost us. The good thing is we have pcap traces of the event, and IP addresses.

Now my question is, how does one send a good abuse mail to the other provider?

The situation complicates, because there is money involved, and the other provider is a regular ISP serving private people, in another country. We'd love to see our money back, but has anyone ever succeeded at doing that?

We have a single public /24 subnet, with a BGP router as the primary gateway. Now I'm interested in configuring a second router for redundancy.

How do I deal with multiple gateways on the servers in our public subnet?

I found some other questions related to multiple gateways that seem to deal with NAT set-ups. In my situation, the servers all have public routed IP-addresses. So from what I can tell, it doesn't really matter which route incoming or outgoing packets take.

But I figure the servers need some way of telling when one of the gateways is down, and route around it? Is this accomplished with protocols such as OSPF? And do I need to deploy this on all my servers?

We're currently using Quagga with Debian Linux to run a full table BGP router. The set-up has been dead simple up to now, but we've come to a point where I have to reconfigure the router quite a bit, and want to tighten things up.

I've never really understood Quagga, and always found its documentation to be lacking. It appears to be mimicking Cisco, of which I only have basic understanding.

BIRD has caught my eye recently. The couple of articles / presentations I found promote it as lightweight and more responsive under stress compared to Quagga. And it actually seems to have very decent documentation.

So I'd like to know:

• Who's running BIRD right now, and in what kind of set-up?
• How is it stability-wise? I've read about it running in a couple of sites in production.
• Let's say I don't care at all for a Cisco-feel to configuration. How is configuration, maintainance, monitoring, etc. of BIRD in general?
• And any other notable experiences you may have with it.

I'm trying to fix a very strange problem remotely on a machine at a customer site. The machine is a Dell PowerEdge 1950. The machine's NIC is a dual-port on-board Broadcom NetXtreme II BCM5708 Gigabit Ethernet, using the bnx2 driver.

The primary interface eth0 works perfectly, and is in fact how I am ssh'd in.

However, the secondary interface eth1 is not transmitting. I can see this in ifconfig output, for example, where the TX field is always 0. However, it is receiving, and tcpdump shows ARP requests coming from the ISP's gateway on the other side.

The interface is physically connected to a Siemens BSTU4 modem, configured by the ISP. The link is properly set to 10MBps and full duplex, without negotation, as the ISP requested. A small /30 subnet is configured. For the sake of anonymity, let's say the machine is 3.3.3.2/30, and the ISP's gateway .1. The machine has no firewall settings whatsoever.

Even running something like arping -I eth1 3.3.3.1, and running tcpdump alongside, shows no traffic whatsoever being transmitted on the interface. (But the other side keeps steadily sending ARP requests, and that is all that can be seen.)

What could be causing this?

Here's some output, anonymized, which may hopefully help:

$ ethtool eth1
Settings for eth1:
    Supported ports: [ TP ]
    Supported link modes:   10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
                            1000baseT/Full 
    Supports auto-negotiation: Yes
    Advertised link modes:  Not reported
    Advertised auto-negotiation: No
    Speed: 10Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 1
    Transceiver: internal
    Auto-negotiation: off
    Supports Wake-on: d
    Wake-on: d
    Link detected: yes

$ ip link show eth1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:c5:xx:xx:xx brd ff:ff:ff:ff:ff:ff

$ ip -4 addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 3.3.3.2/30 brd 3.3.3.3 scope global eth1

$ ip -4 route show match 3.3.3.0/30
3.3.3.0/30 dev eth1  proto kernel  scope link  src 3.3.3.2
default via 10.0.0.5 dev eth0 

I'm faced with the task of setting up a public-internet-facing email server, that will be relaying mail for all of our other servers in the network.

While the software in itself is set up in few keystrokes, what little experience I have with managing an email server has thought me that there are tons of awkward filtering techniques employed by other email systems. Systems that my own server will inevitably interact with a some point.

Hence, my questions:

• What things should be kept in mind and double checked when setting up an email server?
• What resources are available for checking if my email server is set-up correctly?

I'm specifically NOT looking for instructions for any given mail server, such as Exchange or Postfix. But it's okay to say: “you should have X and Y in your set-up, because when talking to server software Z, it typically tries to weed out open relays by checking for these.”

Some things I've discovered myself:

• Make sure forward and reverse DNS are set up.

  Mail servers tend to do a reverse lookup for the peer IP-address when receiving. Matching a reverse look up with a follow-up forward lookup is probably employed to weed out open relays run through malware on home networks.

• Make sure the user in the From-address exists.

  The From-address is easily spoofed. A receiving mail server may try to contact the mail server in the From-domain, and see if the From-user actually exists.

The company I work for recently got hands on a batch of second hand PowerEdge SC1425 machines. We'd like to put these to good use. Our operating system of choice is Ubuntu Server 10.04 64-bit, which installs just peachy on this type of machine.

Now I'd like to install the firmware updates from Dell, which are apparently marked as recommended. This includes the updates for the BIOS, the BMC, and possibly some other hardware.

I find it incredibly difficult to locate the files on the Dell website, and install any of them on an Ubuntu system:

• I downloaded the file OM_6.2.0_SUU_A01.iso.
  • I believe I've read that the SUU DVD should be able to update any recent PowerEdge. Is this correct?
  • Is this the latest version? Besides the version number, does A01 have any meaning?
  • Is this image bootable? (At the moment, I just nosed around with a loop device mount.)

• Running /bin/bash ./suu from the DVD, I get:

  # /bin/bash ./suu
  ./suu: line 262: ./java/linux/i386/bin/java: No such file or directory
  

  The file exists and is executable, though. But I cannot execute it directly from the shell either.

I'm on Ubuntu 10.04, and trying to set up a repository using reprepro. I'd also like the pin everything in that repository to be preferred over anything else, even if packages are older versions. (It will only contain a select set of packages.)

However, I cannot seem to get the pinning to work, and believe it has something to do with the repository side of things, rather than the apt configuration on the client.

I've taken the following steps to set up my repository

• Installed a web server (my personal choice here is Cherokee),
• Created the directory /var/www/apt/,

• Created the file conf/distributions, like so:

  Origin: Shteef
  Label: Shteef
  Suite: lucid
  Version: 10.04
  Codename: lucid
  Architectures: i386 amd64 source
  Components: main
  Description: My personal repository
  

• Ran reprepro export from the /var/www/apt/ directory.

Now on any other machine, I can add this (empty) repository over HTTP to my /etc/apt/sources.list, and run apt-get update without any errors:

Ign http://archive.lan lucid Release.gpg
Ign http://archive.lan/apt/ lucid/main Translation-en_US
Get:1 http://archive.lan lucid Release [2,244B]
Ign http://archive.lan lucid/main Packages
Ign http://archive.lan lucid/main Sources
Ign http://archive.lan lucid/main Packages
Ign http://archive.lan lucid/main Sources
Hit http://archive.lan lucid/main Packages
Hit http://archive.lan lucid/main Sources

In my case, now I want to use an old version of Asterisk, namely Asterisk 1.4. I rebuilt the asterisk-1:1.4.21.2~dfsg-3ubuntu2.1 package from Ubuntu 9.04 (with some small changes to fix dependencies) and uploaded it to my repository.

At this point I can see the new package in aptitude, but it naturally prefers the newer Asterisk 1.6 currently in the Ubuntu 10.04 repositories. To try and fix that, I have created /etc/apt/preferences.d/personal like so:

Package: *
Pin: release o=Shteef
Pin-Priority: 1000

But when I try to install the asterisk package, it will still prefer the 1.6 version over my own 1.4 version. This is what apt-cache policy asterisk shows:

asterisk:
  Installed: (none)
  Candidate: 1:1.6.2.5-0ubuntu1
  Version table:
     1:1.6.2.5-0ubuntu1 0
        500 http://nl.archive.ubuntu.com/ubuntu/ lucid/universe Packages
     1:1.4.21.2~dfsg-3ubuntu2.1shteef1 0
        500 http://archive.lan/apt/ lucid/main Packages

Clearly, it is not picking up my pin. In fact, when I run just apt-cache policy, I get the following:

Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://archive.lan/apt/ lucid/main Packages
     origin archive.lan
 500 http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Packages
     release v=10.04,o=Ubuntu,a=lucid-security,n=lucid,l=Ubuntu,c=multiverse
     origin security.ubuntu.com
[...]

Unlike Ubuntu's repository, apt doesn't seem to pick up a release-line at all for my own repository. I'm suspecting this is the cause why I can't pin on release o=Shteef in my preferences file. But I can't find any noticable difference between my repository's Release files and Ubuntu's that would cause this.

Is there a step I've missed or mistake I've made in setting up my repository?

UPDATED

Thanks to some help by maxb on #ubuntu-server, I was able to find out some more about what's going on.

It looks like apt downloads package lists into /var/lib/apt/lists/. There's a subdirectory there called partial, which the manpage apt-cache(8) describes as:

Storage area for state information in transit.

But my repository Release file gets stuck in there, and is never copied to the parent lists directory. I can get the pinning to work if I do this step manually:

$ mv /var/lib/apt/lists/partial/archive.lan* /var/lib/apt/lists/
$ rm -f /var/cache/apt/*.bin
$ apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
1000 http://puppet.motto/apt/ lucid/main Packages
     release v=10.04,o=Motto,a=lucid,n=lucid,l=Motto,c=main
     origin puppet.motto
 500 http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Packages
     release v=10.04,o=Ubuntu,a=lucid-security,n=lucid,l=Ubuntu,c=multiverse
     origin security.ubuntu.com
[...]

But the manual step is undesirable, of course.

I also noticed that the Sources file is missing in my repository, but Sources.gz is generated. Recreating the Sources file by unzipping Sources.gz creates a file that matches the size and hashes in the Release file. But it doesn't appear to fix my problem.

It appears to be common practice to not use the first address in a subnet, that is the IP 192.168.0.0/24, or a more exotic example would be 172.20.20.64/29.

The ipcalc tool I frequently use follows the same practice:

$ ipcalc -n -b 172.20.20.64/29
Address:   172.20.20.64         
Netmask:   255.255.255.248 = 29 
Wildcard:  0.0.0.7              
=>
Network:   172.20.20.64/29      
HostMin:   172.20.20.65         
HostMax:   172.20.20.70         
Broadcast: 172.20.20.71         
Hosts/Net: 6                     Class B, Private Internet

But why is that HostMin is not simply 64 in this case? The 64 address is a valid address, right? And whatever the answer, does the same apply to IPv6?

Perhaps slightly related: it also appears possible to use a TCP port 0 and an UDP port 0. Are these valid or used anywhere?

On my Ubuntu 9.10 system, there's a shadow system group. There does not appear to be any user assigned to this group at all. The only files that I can find belonging to this group are /etc/shadow and /etc/gshadow.

I'm aware that the purpose of these files is to store the passwords separately, out of reach from regular users who still might want to access passwd for other reasons.

But what is the purpose of the shadow group?

The reason I'm curious about this, is because I'm thinking about configuring nsswitch.conf to store it elsewhere, and would like to know if anything is actually trying to access the shadow database using shadow group credentials.