|
evol262 posted:If you really care, you should read this. This is very much true. Although, fail2ban does do DoS mitigation that can arise from brute-forcing. We have a rule in production to block an IP for x minutes if y failures occur during a given interval. Before this, it wasn't uncommon for Dovecot login processes to swell and max out while some attacker enumerated over every username A-Z. Same idea for SASL authentication via SMTP with Postfix. A similar practice is used for MySQL and iptables, since it's been the target of a brute-force in production. Use rate limiting to restrict the number of remote MySQL connections. This only works though, because the majority of MySQL traffic originates on the same server as the MySQL server itself. Remote access is provided as a convenience. Important thing is to follow guidelines with some discretion. Know why you're doing it in addition to what you're doing.
|
#
¿
Dec 6, 2013 17:25
|
|
|
|
| # ¿ Apr 23, 2024 17:24 |
|
|
Having made the conversion from SysV[init] to systemd, that's an asinine argument to keep some obsoleted shell scripts still functional. systemd is fantastic: automatic restarts, built-in watchdog, parallelized start-up, auditing, coherent interface, and if you so choose, there is backwards-compatibility with service/chkconfig.
|
|
#
¿
Oct 17, 2014 04:54
|
|
|
Cidrick posted:Also related: wpscan is something you can automate fairly easy to run against each of your sites and notify you if there are any plugins or themes with known vulnerabilities. For purely academic reasons, it's probably worth running against your box that got owned just so you can see what sort of stuff you potentially missed. Skip that and setup a cron to check and update as needed with wp cli. It's as simple as code:
|
|
#
¿
Jul 7, 2016 03:59
|
|
|
mike12345 posted:I've set up tiny tiny rss, and everything seems to be working, except the updater is one hour off from system time. Do I have to set the timezone in php or apache, or maybe that's a tiny tiny rss config option I missed? Via /etc/php.ini set date.timezone or date_default_timezone_set() at the beginning of your application.
|
|
#
¿
Nov 17, 2016 18:25
|
|
|
Also do you have a "10.10.10.10/32 -j ACCEPT" rule before the fail2ban chain processing in your INPUT chain? -I places the rule at the front of your INPUT chain, so the DROP will supersede any whitelisting.
|
|
#
¿
Nov 22, 2016 01:30
|
|
|
Volguus posted:When it does. When it doesn't ... god help you. Though, as a developer I must say that writing systemd service files is a shitton easier than init scripts. Edit: see also, sendmail -> Postfix. nem fucked around with this message at 06:30 on Aug 2, 2017 |
|
#
¿
Aug 2, 2017 06:27
|
|
|
anthonypants posted:People hate systemd with an immense passion, so I'd expect to see CentOS 6 sticking around for a while. It's an irrational hatred of change. Frankly, gently caress SysV. I had to patchwork every RPM init script. With systemd I override the init; systemd incorporates, I'm ecstatic. Packages upgrade seamlessly and services restart without any hitch. Before I had to chattr +i the init script and prayed the RPM didn't bail. For whatever reason Linux draws ire of curmudgeonly bastards that hate to fix that what is not broken in their ecosystem.
|
|
#
¿
Sep 28, 2017 07:34
|
|
|
jre posted:This is a reason never to use Ubuntu, not a reason to avoid redhat Have there been any prevailing instances where Canonical's rapid release schedule caused more problems than addressed?
|
|
#
¿
Oct 13, 2017 19:25
|
|
|
jre posted:If you are happy installing obviously untested changes to your production server environment then go hog wild, I feel sorry for anyone using your service though. CentOS crew  It's to assess new players in the hosting panel market now, both RunCloud and ServerPilot rely on Ubuntu LTS. This feedback strengthens selling a solution built on CentOS/RHEL.
|
|
#
¿
Oct 14, 2017 01:08
|
|
|
evol262 posted:But a kernel build on RHEL runs a full regression against almost 1000 different pieces of hardware. If I understand correctly, wouldn't this be less of a concern on guest machines with virtio devices, since that serves as an abstraction layer dependent upon the host kernel? Testing a kernel against virtio devices would be the same irrespective hardware provided the host kernel has no regressions. Edit \/\/\/: thanks for clearing that up! nem fucked around with this message at 05:44 on Oct 15, 2017 |
|
#
¿
Oct 14, 2017 17:46
|
|
|
Jerk McJerkface posted:However I have a couple clients that don't allow xinetd, so the service is started up and backgrounded, then they use monit to keep it online. Are you running the latest Monit, 5.24, or from EPEL, 5.14? Monit generated a ton of spurious connection issues to Apache and SpamAssassin that cleared up after upgrading to 5.24.
|
|
#
¿
Oct 26, 2017 22:01
|
|
|
What's your /etc/hosts value for your edge-facing IP address + output from "postconf myhostname"? If it isn't spitting out a FQDN, check that mydomain is properly set. Otherwise does sending an email via "mail" work?
|
|
#
¿
Dec 6, 2017 16:11
|
|
|
Ashex posted:But the output filename always comes out as '.mp4'. code:code:
|
|
#
¿
Dec 7, 2017 22:55
|
|
|
fletcher posted:Still haven't been able to figure this one out but I found another difference between the machines that may have something to do with it. What's nem fucked around with this message at 09:11 on Dec 8, 2017 |
|
#
¿
Dec 8, 2017 08:59
|
|
|
fletcher posted:/etc/nsswitch.conf is identical for both machines: Resolver config is your problem. 127.0.0.1 will append your domain to the end on an errant request whereas Google's OpenDNS returns a failed DNS. I don't use Ubuntu, so this is an opportunity to bushwack on your own... Find a way to: In /etc/resolv.conf, add: search foobar.com Where foobar.com is the domain of your machine name, so if I've got "luna" as the machine and I have "hostineer.com" as the domain to which "luna.hostineer.com" resolves back 64.22.68.4: In resolv.conf: search hostineer.com Then to confirm via shell: # dig luna.hostineer.com -> 64.22.68.4 Now, if you send mail on the local machine, which is "fuckdickballs" and it fails to resolve on Google's end, which I'd hope so, it'll append your domain to it. Once Postfix resolves that suffixation, it'll re-query, learn that "fuckdickballs.fletchlives.com" resolves back to something and introduce itself to the mailserver as that.
|
|
#
¿
Dec 8, 2017 09:59
|
|
|
jaegerx posted:Why are you using swap? There’s utility...
|
|
#
¿
Feb 14, 2018 23:14
|
|
|
minato posted:I don't know of any Apache-native way, but you can use Piped Logs to send your logs through a process which can intelligently de-dupe and roll-up log lines. I guess those scripts tend to be bespoke because people use different formats and have varying opinions on what fields are compared to the previous, but a quick Google found a few (say) Python libs that would assist. Piped isn’t always optimal since you create an IO chokepoint by losing the ability to buffer logs (Bufferedlogs on) and if the sink dies Apache craps itself... at least it did in 1.3. Best solution is to fix whatever is emitting those error messages. If you have to run a log filter, then roll something out in Node with a buffer? I’d advise against piping, especially if you can reasonably fix the error.
|
|
#
¿
Feb 28, 2018 08:38
|
|
|
minato posted:Does anyone still use Apache 1.3? It halted development in 2011. No, but the last time I used piped logs in production was during the 1.x era. Seems they did fix it in 2.x 
|
|
#
¿
Feb 28, 2018 18:34
|
|
|
MJP posted:
“Directory” needs a path following it. Without AllowOverride set on those directories Apache won’t look for a .htaccess file, which is mapping your requests to a dispatcher, usually index.php.
|
|
#
¿
Apr 13, 2018 16:01
|
|
|
What's the recommended tool to automate RPM builds from source, then update the yum repo on a git commit?
|
|
#
¿
Apr 28, 2018 17:32
|
|
|
Postfix + nexthop sender transport to a service that uses SMTP authentication. Disable “mynetworks” from smtpd_auth_restrictions to provide some audit trail either through the local pickup service or SASL authentication for mail that originates from the server. Edit: formatting... phone, rotting in a Dillard’s. Save me Late edit: and use iptables to restrict SMTP access to postfix uid/mail gid. nem fucked around with this message at 23:26 on May 12, 2018 |
|
#
¿
May 12, 2018 21:43
|
|
|
Grump posted:httpd.conf  I hate tutorials, because they explain what to do not why you do it. DO's incentivization structure to exchange tutorials for hosting credit is creating an absolute mess by diminishing the role of system administrator resulting in half-rear end setups such as what they're recommending. It's broken because of virtualhost resolution. Apache will match a hostname:port to its corresponding virtualhost container. With this configuration both mysite.com:80 and www.mysite.com:80 will serve content from /var/www/html/mysite.com. Because you don't have a separate virtualhost container setup for *:443 with both mysite.com and www.mysite.com as a ServerAlias, it'll default to your system DocumentRoot setting in httpd.conf that is outside any <virtualhost>...</virtualhost> container. Setup a another virtualhost container, use the same config, add SSLEngine On, setup your SSL* directives, and that should do it. Utilizing a nested document root structure is considered bad practice too. If foobar.com serves from /var/www/html, then you can unintentionally leak mysite.com by accessing foobar.com/mysite.com/whatever. Put your subordinate domains under /var/www/<domain> and your primary under /var/www/html. Plus it causes problems with htaccess rule inheritance as mysite.com under /var/www/html/mysite.com will check for and inherit any directives in /var/www/html assuming AllowOverride is set for /var/www. quote:The tutorial I was using told me to add an MX record of mysite.com with a higher priority than mail.mysite.com? Could that be the issue? nem fucked around with this message at 21:06 on May 14, 2018 |
|
#
¿
May 14, 2018 21:03
|
|
|
Grump posted:I'm an absolute Linux noob Everyone is at one point. Best advice I can give you is pick up a book on Apache and read cover to cover. It provides the foundation of many critical RFCs that provide opportunities to learn further. Compile a kernel from source and learn too what the options under Processor features/General setup do at a bare minimum. You can use tutorials as a starting point, but buy a book to flesh out your knowledge unless you want your server to runaway and join the Syrian Liberation Army or Palestinian cause or Free Tibet or #notmypresident or whatever the fun ephemeral internet casus belli is this week. Tutorials only provide for shallow learning and on that level it’s not worth learning at all. The rest of what folks say around here is because we’ve got a killer porcelain tan and that takes many years of practical experience.
|
|
#
¿
May 15, 2018 15:02
|
|
|
Technical books are the only book format that don’t put me to sleep  As long as the material is comprehensive you can use it. Just not tutorials. Red hat publishes some great, thorough documentation.
|
|
#
¿
May 15, 2018 15:07
|
|
|
Jerk McJerkface posted:Get an apache book and read it is basically saying "RTFM newb". I'll 100% agree that this is a good recommendation, but man it's just not fun. Do something practical and interesting. Get a Chromebook and get linux working on it, or setup your own Fedora server at home and move your 100TB of Anime to it, setup NFS on it and figure out how to mount it on your laptop, get working in linux, and learn as you go. There are no silver bullets to proper system administration, just lead (and SO). It’s an enormous space to learn. I’ve run into more situations that don’t fit textbook situations but required overlapping knowledge to figure out. Deep learning is crucial to mastering this space. RTFM really is the best way to accomplish this so you’re aware of what features/options/pathways exist in a particular tool chain. Every bit of technology is built upon existing technology. Understanding fundamentals goes a long way even if those fundamentals are a bit dry.
|
|
#
¿
May 15, 2018 19:40
|
|
|
Grump posted:So this is what I ended up with quote:RewriteEngine on That's unnecessary. You're saying if it's domain or https://www.domain.com then redirect to the [url]https://[/url] flavor... and you have that placed in the https flavor  . You probably have another VirtualHost container setup in /etc/httpd/conf.d/ssl.conf too or however the default mod_ssl config is named. code:
|
|
#
¿
May 17, 2018 05:23
|
|
|
Store the certificates on a network mount that's shared between machine A and machine B (nfs, cifs), then on machine A point your Nginx config to use those SSL files from LE? Or comedy option rsync after you finish. If you're tied down by Python or other library reasons on machine A, getssl is a bash implementation that'll work without issue.
|
|
#
¿
May 26, 2018 00:23
|
|
|
_default_ is an oddity. If you have a virtualhost that's named with the IP address, it'll fall through to the first (or last... can't recall the specifics) virtualhost that matches it. _default_ only gets used when no other possible <VirtualHost IP:PORT> combination can match it. Name your IP address in there or don't name your IP address in any other <VirtualHost> container. If you have 1.2.3.4 as your sole IP address and <VirtualHost 1.2.3.4:*> that'll match before _default_ matches.
|
|
#
¿
Jun 24, 2018 00:22
|
|
|
Presto posted:Problem with tar, etc, is that you only get the files. I want the entire space. All the bytes. To copy over xattr or do you want to copy over sparse files hole for hole too? And if so, what am I missing why you'd want to do this other for block-level integrity reasons? 
|
|
#
¿
Jul 28, 2018 00:49
|
|
|
Maybe kernel.printk is to blame?
|
|
#
¿
Jul 31, 2018 01:19
|
|
|
I've an EC key created through OpenSSL, which I can use to connect via openssl s_client to an Apache 2.4.6 non-EC server. Both machines are RHEL 7.5. Both machines use the same CA.code:code:Edit: came across RHEL documentation on NSS support with RHEL6, specifically "certificates with EC keys and DSA or SHA-256 signatures". Still no luck with sha256 or DSA signatures... Converted from PEM to DER, same problem. Simpler test with openssl: code:
nem fucked around with this message at 20:11 on Aug 11, 2018 |
|
#
¿
Aug 11, 2018 04:07
|
|
|
Jerk McJerkface posted:Maybe the user running the binary doesn't have permissions to read the library file? He's running the binary directly and it's not a matter of exporting LD_LIBRARY_PATH to a child process? What about putting the library path in /etc/ld.so.conf and running ldconfig?
|
|
#
¿
Sep 28, 2018 17:54
|
|
|
VikingofRock posted:I don't have root access on this machine so I don't think I can edit /etc/ld.so.conf No, you wouldn't. Is /pfs/jeltema/build/heasoft/heasoft-6.21/x86_64-unknown-linux-gnu-libc2.12/bin in your PATH and you're not using a script to load that binary indirectly? In such a case LD_LIBRARY_PATH wouldn't get passed to the child process (x86_64-unknown-linux-gnu-libc2.12/bin/nh) unless you export/declare -x the variable.
|
|
#
¿
Sep 28, 2018 18:59
|
|
|
How many files do you plan on backing up and how long for retention? I've got ~110 million file records in the database and it takes 30+ minutes to build the filesystem hierarchy before I can restore files. Otherwise works fine and have used it for 5+ years without issue.
|
|
#
¿
Oct 5, 2018 04:40
|
|
|
apropos man posted:Hmm. I can't tell you about how many files because our VPN is down. It's been eons since I set everything up and try my best not to take a peek at it lest it breaks. Incrementals start with a full backup then soft delete what's missing during that job from the catalog. I'm on 7, which is file-level. 9 has block-level backup support and looks to be quite good, 4-40x reduction in storage consumption. Yeah, you can change the accuracy of the backup using accurate=/verify= options in a FileSet. It's up to you what fidelity incremental/differential backups operate on. onefs= allows Bacula to backup other filesystems, but I'd suggest running a separate job for /boot. You don't want to backup /sys, /proc, and its ilk. Bacula won't lock those files prior to backup, but if you need to perform any housekeeping consider ClientRunBeforeJob/ClientRunAfterJob. I don't backup MySQL/PostgreSQL databases directly using Bacula, instead use mysqldump/pg_dump and backup those tarballs with Bacula. Files that vanish (lock/temp files) once the filelist is created won't get backed up; Bacula will emit a warning. If you expand to beyond 7 days, add in differentials. When reconstituting a backup all iterative layers must be stacked. Differential allows you to skip a collection of incrementals, e.g. full -> incremental -> incremental -> incremental x 20 -> composite layer full -> differential -> differential -> incremental -> composite layer Edit: oh other thing is that you can include via pipe in your configuration. For example my director configuration has "@|/etc/bacula/conf.d/include.sh", which in turn is a shell script that templates out different clients into different pools, so you can deduplicate configuration for each client  .
nem fucked around with this message at 20:50 on Oct 5, 2018 |
|
#
¿
Oct 5, 2018 20:46
|
|
|
That's a solid approach. It took me the better part of a year to work out the kinks. Nothing's more exciting than restoring from backup to discover your full backup got prematurely recycled
|
|
#
¿
Oct 5, 2018 21:50
|
|
|
Is there a command that creates a ring buffer of the last n seconds? I've got a tricky hangup that I can reproduce only so often and I'd like to record the last 60 seconds of an strace without growing the log infinitely large.
|
|
#
¿
Oct 20, 2018 20:01
|
|
|
xzzy posted:If you have Apache installed, look at the included rotatelogs command. Perfect, thanks! Ended up with this which works great: code:
|
|
#
¿
Oct 20, 2018 22:48
|
|
|
Quite tight knit. Opened a bug report for a systemd incongruity and got sent straight to Redhat by the CentOS maintainers. evol, work your magic. I need the e directive in tmpfiles to work per spec.  Major releases lag a month or less. Updates within the branch are 72 hours at most. I’ll look further tomorrow and maybe evol or someone on the inside is better positioned to answer that. AFAIK Redhat/CentOS is much more intertwined such that CentOS/EPEL backfeeds to RHEL releases for experimental releases. I recall coming across a presentation that suggests the relationship as so. Fedora is bleeding edge, RHEL your crotchety grandmother, and CentOS a compromise. Edit: no dice on said presentation nem fucked around with this message at 17:32 on Oct 24, 2018 |
|
#
¿
Oct 24, 2018 09:21
|
|
|
|
| # ¿ Apr 23, 2024 17:24 |
|
|
Or asciinema. That's what I use to playback a playbook.
|
|
#
¿
Nov 19, 2018 22:20
|
|