mgjk's questions

In the diagram, we have one vnet, two subnets, and three systems.

• Azure "IP Forwarding" is enabled on the router interfaces.
• Routing tables are created for "trust" and "untrust" subnets
• Static routes are created on the machines (the obscured routes are host routes to make sure I don't cut myself off)

We can see that bob is successfully pinging alice.

Despite bob's default route being the router, the azure routing table setting bob's default route to the router, and alice is not in the same subnet, the traffic does not pass through the router!?

This raises two big questions for me

• Why and how is Azure doing this? This seems to completely defy Layer3 logic.

• How are we supposed to do this in Azure?

My next guess on this is that this might need to be done with distinct vnets, but if I use vnets, does that mean 3 vnets? 1 for the virtual appliance and 1 for each subnet?

I'm trying to collect simple logs from Cisco devices using netsnmp with SNMP v3.

I can get the messages to appear in my snmptrapd, but I have to manually add the EngineID to for them to talk. E.g., until I do so, I see messages like:

usm: no match on engineID (80 00 00 09 03 00 3C 01 02 03 04 05 usm: no match on engineID (80 00 00 09 03 00 3C 01 02 03 04 05 )

Then I have to go into /etc/snmp/snmptrapd.conf and manually add the engine in a new createUser line.

I will have to add some 200 devices shortly and there's going to need to be a regular procedure to add new ones. Is there a way to improve this situation without losing encryption?

Is there a way to have a Cisco switch reveal the MAC address of a device via Syslog when it is plugged in?

I get messages that a device is connected, but there isn't a lot of detail:

Sep  9 12:50:51 10.9.8.7 6531: *Sep  9 12:47:50: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Sep  9 12:50:51 10.9.8.7 6532: *Sep  9 12:47:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

The hope is that if unrecognized devices are plugged into the network, we can be notified at the switch level.

I'm taking syslog events from a proprietary app. This could be the app's fault or it could be rsyslogd.

Events are written like:

Aug 15 16:00:00 10.11.12.13 Event1 from this wonderful product using this odd
Aug 15 16:01:00 10.11.12.13 format. Event2 from this wonderful product using 
Aug 15 16:02:00 10.11.12.13 this odd format. Event3 from this wonderful produ
Aug 15 16:03:00 10.11.12.13 ct using this odd format.

you get the picture. Each record in syslog is ~2000 characters.

I'm not sure if this is an issue with the poorly defined nature of TCP syslog?

Does any expert on rsyslogd or syslog TCP have any advice as to where the problem might be? Is it likely that there's something I can do on the rsyslogd side to fix this? Or is this a normal mess for the state of TCP syslog?

Is it possible to use folder redirection with Windows 7 on Samba 3.5 as a PDC of an NT4 domain? I want this to be able to redirect the My Documents folder for a small environment (~25 workstations) of Win7 machines.

It seems like the only way to redirect folders in Windows 7 is to use group policies in AD. Group Policy Objects seem to be the key.

But Samba 3.x doesn't support AD, so...

Is there some other way? E.g., running a script against the machines?

Editing the registry under HKCU won't help unless it can be done before the desktop is loaded. This is because the profiles may be used on any number of different machines, meaning HKCU would need to be modified on-the-fly as a user logs on.

Thanks,

More info: https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles#Configuring_folder_redirection

This is a common problem in Snort, but I'm not sure why the rule triggers at all.

The rule below comes from the Debian repositories. Apparently it is designed to trigger when there are more than 300 hits on port 5060, and will only alert once every 60 seconds if it continues.

/etc/snort/rules/community-sip.rules (whitespace added, other rules removed):

...
alert ip any any -> any 5060 (
  msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy";
  threshold: type both, track by_src, count 300, seconds 60;
  classtype:attempted-dos;
  sid:100000160;
  rev:2;
)
...

http://manual.snort.org/node35.html

But the rule seems to trigger on stuff which has nothing to do with port 5060 at all. E.g., here's an alert:

e.g.,

[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2] 
08/06-12:19:07.399163 1.2.3.4:61253 -> 5.6.7.8:22
TCP TTL:55 TOS:0x10 ID:59727 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE2B759E9  Ack: 0xB01D0B90  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 129954676 287277196 

Some Googling reveals that people say "this is a bad rule", but I can't see how.

Yesterday around 1am, our server ground to a crawl. This doesn't happen often, but I'm trying to get to the bottom of it.

There is no unusual traffic volume, no unusual processes running, just all of the sudden the server started killing fcgid processes.

[Thu Aug 02 01:17:32 2012] [warn] mod_fcgid: process 26460 graceful kill fail, sending SIGKILL

... for as many fcgid processes as we have...

CPU idle fell to 0% and I/O seemed to take up most of the load. The issue lasted about 5 minutes.

I suspect there was some swap activity, although I'm not sure if it was due to killed processes being swapped in to die, or if it was because some process ramped up memory usage faster than my process watching scripts can see them.

The oom-killer wasn't triggered (at least it's not logged), so I think this was Apache for some reason restarting the processes. This is not regular, and nothing obvious appears in cron.

Is there a normal Apache process which might cause this? We run dozens of different sites, and it was late at night, so volume was very, very low. (maybe 200 requests in a 10 minute period).

I just got a barrage of pop3-login attacks on one of my servers. I was surprised that fail2ban wasn't stopping them, then I realized that the service is listening on multiple IP addresses, and the attacker was spraying over all of them. Fail2ban only blocked my first IP.

fail2ban has a myip=x.y.z.a setting, but it doesn't seem to take multiple values. Is there a way to set this up?

I've needed to do some more sophisticated graphing and plotting as of late. While I know that gnuplot is up to the task, and can do it all from the command line, are there other, simpler or more powerful tools that I'm missing?

I'm a bit oldschool, so I tend to think of sed, awk, bash and gnuplot when I think of statistics and charting.

Ideally, I'd like to parse stuff into a local mysql db, create batch jobs, set alerts on incoming data, etc. A real-time graph would be fantastic too. Gnuplot can do all this, but I don't want to reinvent the wheel if I don't have to. There have been some great advances in visualization tools, and to be honest, although the output is great, parsing, grouping, and sorting logs and data into forms that are agreeable to gnuplot slows down my ability to quickly assemble intelligent queries.

Mixing SQL with gnuplot seems like the way to go... but they don't connect too nicely. It will be a bit of a pain.

As an example, my most recent project would be taking months of Apache log data and looking for attack patterns to build defensive signatures. Date/time/geography/site/url visited, there are endless possible things to plot and sift through. Grouping by date-ranges, etc.

The followup project to that would be to apply the signature (statistical or otherwise), and generate alerts/responses to the attack patterns. While one tool might dig through static logs nicely, it won't necessarily do dynamic stats.

We're getting the occasional error:

[warn] RSA server certificate wildcard CommonName (CN) `*.example.com' does NOT match server name!?

(This is not a duplicate of Apache Config: RSA server certificate CommonName (CN) ... NOT match server name? read on)

This is non-fatal and is only happening occasionally.

The error is accurate... our cert's CN is doesn't match the VirtualHost. That's how it's supposed to work. We match a Subject Alternative Name.

Any idea what might cause this?

Debian is running 2.6.32-5. Recent kernels seem to have addressed some kernel soft lockup issues, I'd like to try them. Although... the patches don't seem to be in the Debian-stable repository.

# dpkg -l linux-image-2.6.32-5-686
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version                Description
+++-======================-==================================================================================
ii  linux-image-2.6.32-5-6 2.6.32-44              Linux 2.6.32 for modern PCs

• Why is the Debian "Version" 2.6.32-44 when the kernel is 2.6.32-5 ?
• What does upgrading to Debian version 2.6.32-45 (of the 2.6.32-5 kernel) buy me? I can't seem to find the Debian release notes on this upgrade/fix/patch.
• I assume Debian isn't backporting Kernel patches. Can I just download the latest deb of the kernel, modules and dependencies and dpkg -i it? Sure I won't be on a "stable" kernel, but at least my system might not be doing the soft-lockups.

Any help would be appreciated. Pointers to specific Debian documentation on this would be ideal. There's something I'm missing here.

We have an APC Smart UPS 1500. The "Replace Battery" light is on, and apcupsd reports:

Emergency! Batteries have failed on UPS xxxx. Change them NOW

However, from this article,

http://sturgeon.apcc.com/kbasewb2.nsf/for+external/f39c4312fcaf7b948525679a005ebb78?OpenDocument

it seems that it's not so clear that the UPS battery needs to be replaced. Stranger, according to the information on the UPS, an 11 minute runtime at 42.9% load running at 27.7V isn't so bad.

Any thoughts about what to try next? We're a non-profit, money is an object. It would be a shame to replace a battery with a year or so left in it.

# apcaccess status
APC      : 001,041,1017
DATE     : Thu Mar 29 13:01:41 EDT 2012
HOSTNAME : oreilly2
VERSION  : 3.14.6 (16 May 2009) debian
UPSNAME  : xxxx
CABLE    : Custom Cable Smart
MODEL    : Smart-UPS 1500
UPSMODE  : Stand Alone
STARTTIME: Thu Mar 29 12:57:30 EDT 2012
STATUS   : ONLINE
LINEV    : 112.3 Volts
LOADPCT  :  42.9 Percent Load Capacity
BCHARGE  : 100.0 Percent
TIMELEFT :  11.0 Minutes
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
MAXTIME  : 0 Seconds
OUTPUTV  : 112.3 Volts
SENSE    : High
DWAKE    : -01 Seconds
DSHUTD   : 090 Seconds
LOTRANS  : 106.0 Volts
HITRANS  : 127.0 Volts
RETPCT   : 000.0 Percent
ITEMP    : 23.8 C Internal
ALARMDEL : Always
BATTV    : 27.7 Volts
LINEFREQ : 60.0 Hz
LASTXFER : No transfers since turnon
NUMXFERS : 0
TONBATT  : 0 seconds
CUMONBATT: 0 seconds
XOFFBATT : N/A
SELFTEST : NO
STATFLAG : 0x07000008 Status Flag
SERIALNO : AS0603298896
BATTDATE : 2006-01-14
NOMOUTV  : 120 Volts
NOMBATTV :  24.0 Volts
FIRMWARE : 601.3.D USB FW:1.5
APCMODEL : Smart-UPS 1500
END APC  : Thu Mar 29 13:02:12 EDT 2012

Error when running upstest

You are using a SMART cable type, so I'm entering SMART test mode
mode.type = USB_UPS
Setting up the port ...
Hello, this is the apcupsd Cable Test program.
This part of apctest is for testing Smart UPSes.
Please select the function you want to perform.

1) Query the UPS for all known values
2) Perform a Battery Runtime Calibration
3) Abort Battery Calibration
4) Monitor Battery Calibration progress
5) Program EEPROM
6) Enter TTY mode communicating with UPS
7) Quit

Select function number: 2

First ensure that we have a good link and
that the UPS is functionning normally.
Simulating UPSlinkCheck ...
YWrote: Y Got:
getline failed. Apparently the link is not up.
Giving up.

I'm currently hosting a subdomain for a charity on Dreamhost. The charity is in control of the DNS records, and they're slow to update them.

So for example.com:

www.example.com -> A-record webserver
mail.example.com -> A-record mail server

About a year ago, I asked them to create:

foo.example.com -> A-record to 173.236.135.58 (Dreamhost's particular web server)

Trouble is, Dreamhost could change that server's IP at any time. The charity is slow to change records, so this could create an extended outage.

Should this be an NS record? e.g.,

foo.example.com -> NS-record ns1.dreamhost.com, ns2.dreamhost.com, ns3.dreamhost.com
ns[1-3].dreamhost.com -> foo.example.com is 173.236.135.58

Or is there another way to do this which I'm missing...? It might seem like an elementary question, but I'd like to get them to correct the record and add a new one, and I'd rather their site kept running :-)

There's a lot of stuff about this on the Internet, but most of the examples there are contrived. How does one delete files that are really stubborn? e.g.,

$ find ./ -inum 167794
./àKÈÿÿÿÿ@
$ find ./ -inum 167794 -exec rm \"{}\" \;
rm: cannot lstat `"./\037\340\025K\021\004\310\377\377\377\377@\020\002"': Invalid or incomplete multibyte or wide character

I'm trying to configure a complex firewall for my team. We're looking at six interfaces with different types of security zones and flows.

I have a well-documented, clean firewall configuration script, but if I run iptables-save, the results will of course have no comments. The results will also be out of sync with our documented policy.

Is there a nice, clean way that I can use my own configuration file on Redhat without undoing Redhat's Rube Goldberg scripts? at the same time, I'd like to ensure that those same scripts don't stomp on my config or e.g., rip the firewall wide-open as soon as somebody does an ifdown/ifup.

It looks like Debian has a default to run checkarray on the first Sunday of the month.

This causes massive performance problems and heavy disk usage for 12 hours on my 2TB mirror. Doing this "just in case" is bizzare to me. Discovering data out of sync between the two disks without quorum would be a failure anyway.

This massive checking could only tell me that I have an unrecoverable drive failure and corrupt data. Which is nice, but not all that helpful. Is it necessary?

Given I have no disk errors and no reason to believe my disks have failed, why is this check necessary? Should I take it out of my cron?

/etc/cron.d# tail -1 /etc/cron.d/mdadm
57 0 * * 0 root [ -x /usr/share/mdadm/checkarray ] && [ $(date +\%d) -le 7 ] && /usr/share/mdadm/checkarray --cron --all --quiet

Thanks for any insight,