Hi Everyone,
I'm stuck in a never-ending conference call at work because of
significant enterprise-wide outages. These outages have been caused by
apparently valid certificates failing to verify.
Our investigation has revealed that the AddTrust Root CA certificate
expired today, but our certificate issuer sold us 2-year certs without
checking that every cert in the chain of trust was valid until the expiry
date of the certs we bought. (There was only 1 year remaining on the Root
CA cert on the day they sold us a 2-year cert signed with it.)
You may wish to check the chains of trust on your certificates...
All the best,
Paul.
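An added example (not part of Paul's post): a standard-library-only Python check that reads each certificate's notAfter straight from the DER and flags any issuer that expires before the leaf, which is the check he says the issuer skipped. Real chains go in through pem_chain_to_ders; SAMPLE_CHAIN is a constructed skeleton carrying only the fields the parser walks, and all function names are mine.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(data, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """(tag, value_start, value_end) of every element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(data, pos))
        pos = out[-1][2]
    return out

def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime (no signature check)."""
    _, s, e = _tlv(der, 0)                              # Certificate SEQUENCE
    fields = _children(der, *_children(der, s, e)[0][1:])   # tbsCertificate contents
    if fields[0][0] == 0xA0:                            # skip the optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity: validity is the 4th field
    tag, ts, te = _children(der, *fields[3][1:])[1]     # its second Time is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(der[ts:te].decode(), fmt).replace(tzinfo=timezone.utc)

def pem_chain_to_ders(pem_text):
    """Decode every CERTIFICATE block of a PEM bundle, leaf first as servers send it."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def issuers_expiring_before_leaf(ders):
    """[(position, notAfter)] for every issuer in the chain that expires before the leaf."""
    leaf_end = not_after(ders[0])
    return [(i, not_after(d)) for i, d in enumerate(ders[1:], 1) if not_after(d) < leaf_end]

# Constructed sample (not real certificates): unsigned skeletons with only the fields the parser walks.
def _enc(tag, body):
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def fake_cert(not_after_utctime):
    validity = _enc(0x30, _enc(0x17, b"190601000000Z") + _enc(0x17, not_after_utctime))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
                     + _enc(0x30, b"") + _enc(0x30, b"") + validity)
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
SAMPLE_CHAIN = [fake_cert(b"210601000000Z"),   # two-year leaf bought June 2019
                fake_cert(b"250101000000Z"),   # intermediate, outlives the leaf: fine
                fake_cert(b"200530104838Z")]   # root that expires before the leaf
```

Run it over the bundle your CA handed you at purchase time: an empty result means every issuer outlives the leaf.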
Bitfolk's monitoring service is great:
https://tools.bitfolk.com/wiki/Monitoring
but it just occurred to me that (IIUC) it only monitors for *reachable*
services, not for unreachable ones - i.e. whether the firewall is
correctly shielding a particular port or protocol.
Now, I know that best practice is to ensure that all running services are
correctly configured to only listen to traffic from the networks from which
they can safely receive it, and that a good sysadmin should be able to
sleep comfortably at night even when his firewall is off (wide open).
However, that does not invalidate defence in depth; I don't think anyone
who advocates the above best practice would seriously recommend ditching
firewall rules. Therefore it makes sense (to me, at least) to try to
implement at least some basic tests to monitor the correct behaviour of the
firewall.
The kind of test I imagine is an attempted connection to a TCP or UDP port
which passes when the response is ICMP port unreachable (in the case of a
REJECT rule), or when a timeout expires without any response (in the case
of a DROP rule). The test could fail if a RST was received in the TCP
case, or in any case if any other response was received.
Of course there are way too many ports for such a monitor to check them
all, but even checking a single port for which no services are expected to
be running would be a lot better than nothing, since this could catch a
large number of cases where basic firewall configuration errors have been
made, or where the firewall was accidentally turned off or simply failed to
start.
Does this make sense or has the sun gone to my head?
Cheers,
Adam
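An added example (not from Adam's post) of the probe he describes, in Python with only the socket module: each probe reports what a client sees for one port and firewall_check compares that with the state the firewall should produce. One caveat the code carries: from a socket, a REJECT rule's ICMP port unreachable and a TCP RST both surface as ECONNREFUSED, so telling them apart needs a packet capture; function names are mine.

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """Client-side view of a TCP port: 'open', 'refused' or 'filtered' (no reply at all)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # a REJECT rule's ICMP port-unreachable and a plain RST both arrive as ECONNREFUSED;
        # separating them needs a packet capture, not a socket
        return "refused"
    except socket.timeout:
        return "filtered"          # DROP rule (or the host is down): nothing came back
    finally:
        s.close()

def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    """Client-side view of a UDP port: 'answered', 'refused' (ICMP port unreachable) or 'silent'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))    # connected UDP so the ICMP error is delivered to this socket
        s.send(payload)
        s.recv(1024)
        return "answered"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "silent"            # DROP rule, or a service that does not answer this probe
    finally:
        s.close()

def firewall_check(host, expectations, timeout=2.0):
    """expectations maps (proto, port) to the state the firewall should produce.
    Returns [(proto, port, expected, actual)] for every port that does not behave as expected."""
    mismatches = []
    for (proto, port), expected in expectations.items():
        probe = probe_tcp if proto == "tcp" else probe_udp
        actual = probe(host, port, timeout)
        if actual != expected:
            mismatches.append((proto, port, expected, actual))
    return mismatches

def loopback_listener():
    """Bind a TCP listener on 127.0.0.1 to exercise the probes locally; returns (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]
```

A monitoring job would call firewall_check from outside the host with expectations such as {("tcp", 22): "open", ("tcp", 5432): "filtered"} and alert on any non-empty result.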
Hi,
Ubuntu 20.04 is scheduled to be released at some point today. As
things stand its kernel won't boot at BitFolk.
I think it's due to some bugs in Xen's LZ4 decompression. These
problems have since been fixed but it would mean a forced reboot to
deploy them and I'm not going to do that, for this.
I will let you know when there is a host available that will boot
these LZ4-compressed kernels, so if you are desperate to upgrade to
20.04 you can be moved there.
If you already did try to upgrade to 20.04 and now it doesn't boot,
your previous (18.04) kernel will boot, which clearly isn't ideal
but does at least regain access.
Possibly you could build a custom kernel that doesn't use LZ4 or
find a way to unpack (and optionally repack) the existing vmlinuz.
I'll follow up with more info as I experiment with that.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
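An added example (not from Andy's post) for the "find a way to unpack the existing vmlinuz" idea: a stdlib-only Python version of the search done by the kernel tree's scripts/extract-vmlinux, which locates the compressed payload inside a bzImage by its magic bytes, decompresses the formats Python supports, and reports lz4 (or lzop/zstd) so you know an external decompressor is needed. sample_bzimage is a constructed stand-in and the function names are mine.

```python
import bz2, gzip, lzma, zlib

# Magic byte strings the kernel tree's scripts/extract-vmlinux greps for.
MAGICS = [("gzip", b"\x1f\x8b\x08"), ("xz", b"\xfd7zXZ\x00"), ("bzip2", b"BZh"),
          ("lzma", b"\x5d\x00\x00\x00"), ("lzop", b"\x89LZ"),
          ("lz4", b"\x02!L\x18"), ("zstd", b"(\xb5/\xfd")]

# Standard-library decompressors that tolerate trailing bytes after the stream;
# lzop, lz4 and zstd have no stdlib decoder and need the external tool.
DECOMPRESSORS = {
    "gzip":  lambda d: zlib.decompressobj(31).decompress(d),
    "xz":    lambda d: lzma.LZMADecompressor(lzma.FORMAT_XZ).decompress(d),
    "lzma":  lambda d: lzma.LZMADecompressor(lzma.FORMAT_ALONE).decompress(d),
    "bzip2": lambda d: bz2.BZ2Decompressor().decompress(d),
}

def find_magics(image):
    """All (offset, format) positions where a known magic occurs, lowest offset first."""
    hits = []
    for name, magic in MAGICS:
        off = image.find(magic)
        while off != -1:
            hits.append((off, name))
            off = image.find(magic, off + 1)
    return sorted(hits)

def extract_vmlinux(image):
    """(format, offset, vmlinux_bytes) for the first candidate that decompresses to an ELF;
    (format, offset, None) when only a non-stdlib format such as lz4 was found; else None."""
    unverified = []
    for off, name in find_magics(image):
        if name not in DECOMPRESSORS:
            unverified.append((name, off, None))
            continue
        try:
            out = DECOMPRESSORS[name](image[off:])
        except Exception:
            continue                      # false positive: those bytes were not a stream
        if out.startswith(b"\x7fELF"):
            return name, off, out
    return unverified[0] if unverified else None

def sample_bzimage(fmt):
    """Constructed stand-in for a bzImage: boot-stub bytes followed by a compressed vmlinux."""
    vmlinux = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"fake vmlinux body " * 64
    stub = b"MZ" + b"\x90" * 500 + b"boot stub, never compressed"
    if fmt == "gzip":
        return stub + gzip.compress(vmlinux)
    return stub + b"\x02!L\x18" + b"\x00" * 64   # lz4 legacy magic only, not a real lz4 stream
```

On a real /boot/vmlinuz-* an "lz4" result is the case Andy describes; a gzip result means the image would not hit the Xen LZ4 path at all.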
Afternoon
I'm hoping someone can point me in the direction of a fix for my current
nftables config.
From the command line I can run the following:
sudo nft add table nat
sudo nft add chain nat post { type nat hook postrouting priority 0 \; \}
sudo nft add chain nat pre { type nat hook prerouting priority 0 \; \}
sudo nft add rule nat post ip saddr 10.10.10.0/24 oifname "eth0" masquerade
Listing my running nft rules shows this appended to the end:
table ip nat {
chain post {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.10.10.0/24 oifname "eth0" masquerade
}
chain pre {
type nat hook prerouting priority 0; policy accept;
}
I then try to transfer that config to my nftables.conf but on reading in
the .conf file I get the errors:
sudo nft -f /etc/nftables.conf
/etc/nftables.conf:67:1-5: Error: syntax error, unexpected table
table ip nat {
^^^^^
/etc/nftables.conf:70:55-64: Error: NAT is only supported for IPv4/IPv6
ip saddr 10.10.10.0/24 oifname "eth0" masquerade
I'm obviously missing some piece of information here that will allow me
to fix it.
If you'd like to help me add the masquerade for IPv6 as well that would
be brilliant.
Hopefully someone has the answer as I am currently stumped.
Cheers
Steve
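An added complete /etc/nftables.conf for the two NAT tables (my example, not Steve's file). The listing above has no closing `}` for `table ip nat`; if the file has the same gap, nft would still be inside the preceding table when it reaches `table ip nat`, which would explain the "unexpected table" error and, assuming that preceding table is not of family ip or ip6, the "NAT is only supported for IPv4/IPv6" one as well. The IPv6 prefix is a placeholder:

```nft
#!/usr/sbin/nft -f
flush ruleset

# IPv4 source NAT for the 10.10.10.0/24 LAN leaving via eth0
table ip nat {
    chain pre {
        type nat hook prerouting priority 0; policy accept;
    }
    chain post {
        type nat hook postrouting priority 0; policy accept;
        ip saddr 10.10.10.0/24 oifname "eth0" masquerade
    }
}

# The same for IPv6 in its own ip6 table (fd00:10:10:10::/64 is a placeholder ULA prefix)
table ip6 nat {
    chain pre {
        type nat hook prerouting priority 0; policy accept;
    }
    chain post {
        type nat hook postrouting priority 0; policy accept;
        ip6 saddr fd00:10:10:10::/64 oifname "eth0" masquerade
    }
}
```

`nft -c -f /etc/nftables.conf` parses the file without loading it, so a stray brace shows up before the running ruleset is touched.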
Hi All,
My VPN hosts a small selection of web sites. I have noticed a LOT of
attacks recently.
The errors in the log file are typically something like this.
2020/04/29 11:08:12 [error] 831#831: *99107 FastCGI sent in stderr: "PHP
message: PHP Fatal error: Reseller record not found for
in /var/www/exampleone/htsecure/Classes/ApplicationFactory.php on line
86" while reading response header from upstream, client: 209.17.96.218,
server: exampleone.co.uk, request: "GET / HTTP/1.1", upstream:
"fastcgi://127.0.0.1:9000", host: "exampletwo"
This is very puzzling because exampletwo is any website I host (except
exampleone), including a site that DNS points to my server but I don't
host!
The PHP error is caused because the value in $_SERVER['HTTP_HOST'] is
not something expected. I think it may be "\n" or missing.
It would appear that I have something screwy in my configuration for php
requests to one site to be passed to another - but I can't see it.
The default configuration is:
# Statements for default virtual host
server {
    listen 80 default;
    # server name is catch-all for unknown names
    server_name _;
    root /etc/nginx/html;
    index index.html;
    # access_log /var/www/access_log;
    try_files $uri =404;
}
This would be triggered when exampletwo is the domain pointed at my
server, that I don't (yet) host.
The only file in /etc/nginx/html is index.html and reports "the domain
you requested does not exist on this server". There are no php files.
The config for exampleone is (redacted for security).
# Statements for exampleone virtual host
# switched to letsencrypt cert 30/6/2019
server {
    listen 80;
    server_name exampleone.co.uk www.exampleone.co.uk;
    rewrite ^(.*) https://exampleone.co.uk$1 permanent;
}
server {
    listen 443 ssl http2;
    server_name exampleone.co.uk www.exampleone.co.uk;
    ## SSL Certs
    ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
    ssl_session_timeout 10m;
    # Additional Security Headers
    # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Sec…
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options DENY always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Op…
    add_header X-Content-Type-Options nosniff always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    add_header X-Xss-Protection "1; mode=block" always;
    # Enable OCSP stapling
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/exampleone.co.uk/fullchain.pem;
    root /var/www/exampleone/htsecure;
    access_log /var/log/nginx/exampleone.co.uk.access.log;
    error_log /var/log/nginx/error.log;
    index index.php;
    location = / {
        rewrite ^ /index.php last;
    }
    location /easyrtc {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location /socket.io {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    # serve php files via fastcgi if the file exists
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param CENTRAL_ROOT $document_root;
        fastcgi_param RESELLER_ROOT $document_root;
        fastcgi_param ENVIRONMENT production;
        fastcgi_param HTTPS ON;
    }
    # serve static files
    try_files $uri $uri/ /index.php;
    expires 30m;
    # now to configure the long polling
    location /publish {
        nchan_publisher;
        nchan_channel_id $arg_id;
        nchan_message_buffer_length 10;
        nchan_message_timeout 90s;
    }
    # public long-polling endpoint
    location /activity {
        nchan_subscriber;
        nchan_channel_id $arg_id;
    }
}
Sorry about the extra line breaks borking the layout. SNAFU. :)
Any idea why or how a request to a site that does not exist gets
switched to exampleone, when default is present?
I am running fail2ban, and that locks them out for an hour at the third
attempt, so it does not matter much, except that my nightly report of
errors is so full of this junk, I can't see any real problems. :(
Thanks for any insights.
Ian
--
Ian Hobson
Tel (+351) 910 418 473
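An added example (not from Ian's post): nginx sends a request whose Host/SNI matches no server_name to the default server for that listen port, and where none is marked default_server it uses the first block defined for that port, so with the default block above listening only on 80, every HTTPS request for an unknown name lands on the exampleone block. A catch-all for 443 closes that gap (certificate paths are placeholders):

```nginx
# Default server for 443: takes HTTPS requests whose name matches no other
# server block, so they never fall through to exampleone's PHP.
server {
    listen 443 ssl http2 default_server;
    server_name _;
    # nginx 1.19.4 and later: refuse the TLS handshake for unknown names,
    # no certificate needed
    ssl_reject_handshake on;
    # Older nginx: remove the line above, supply any certificate (a self-signed
    # one is fine; placeholder paths) and close the connection without a reply:
    # ssl_certificate     /etc/nginx/placeholder/selfsigned.crt;
    # ssl_certificate_key /etc/nginx/placeholder/selfsigned.key;
    # return 444;
}
```

After reloading, `curl -k --resolve exampletwo:443:127.0.0.1 https://exampletwo/` from the server itself should fail at the handshake (or get an empty reply) instead of reaching the exampleone log.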
Hello,
I am wanting to upgrade my server from Debian 9 to Debian 10. I have done this on other systems without problems but have a question about the Bitfolk VM and network interface name.
For Debian 10 upgrades the legacy name definition file is not supported [1]:
/etc/udev/rules.d/70-persistent-net.rules
I define eth0 here using MAC i.e.
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:16:3e:1b:b2:db", NAME="eth0"
I have no files in /etc/systemd/network/.
Per [1], using udevadm to find the udev name:
# udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null
ID_NET_NAME_MAC=enx00163e1bb2db
ID_OUI_FROM_DATABASE=Xensource, Inc.
it is wanting to use "enx00163e1bb2db".
So, to get started I was going to:
1) Disable the 70-persistent-net.rules file
2) Change all occurrences of "eth0" to "enx00163e1bb2db" using:
grep -r eth0 /etc
3) Reboot
Is this correct? Or is there a better way that the Debian 9 to 10 upgrade can cope with (maybe with a nicer interface name)?
Once I am happy all works using this interface name, I can think about the Debian 10 upgrade itself.
Many Thanks,
[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.e…
--
Alastair Sherringham
http://www.sherringham.net
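An added example (not from Alastair's post) of the systemd mechanism that replaces 70-persistent-net.rules: a .link file that matches the MAC from his udev rule and keeps the name eth0, so nothing under /etc has to be rewritten. The file name is my choice; the MAC is the one shown above.

```ini
# /etc/systemd/network/10-eth0.link  (file name is an example; any NN-name.link works)
[Match]
MACAddress=00:16:3e:1b:b2:db

[Link]
Name=eth0
```

Run `update-initramfs -u` afterwards so the rule is also present in early boot, then check with `udevadm test-builtin net_id /sys/class/net/eth0` that the device still resolves, and disable the old 70-persistent-net.rules entry.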
Hi folks,
My VPS currently has Ubuntu 18.04 installed on it, and since 20.04 has
just been released, I'm considering when and whether to upgrade it.
However, I've also been looking into NixOS recently, and I thought I
might try running it on my server.
--
Josh Holland
Hi,
Does anyone here use Andrews & Arnold with linux PPPoE and has a
working IPv6 configuration?
(Or a better idea on how to get the public IP on to a linux box without
using pppoe? I do not want "dodgy" NAT on proprietary devices)
Yes...totally off topic for this list :)
Conrad
Hi,
If you do not currently pay us by Direct Debit and have no interest
in doing so then you can ignore this email.
== Short version ==
From 27 April 2020 we're introducing a minimum Direct Debit charge
of £5.00. Any time we would charge you less than £5.00, we are going
to charge you £5.00 and credit your account with the difference.
As there is no BitFolk plan that costs less than £6.49+VAT per month
THIS WILL AFFECT ALMOST NO ONE, unless you somehow get a lot of
credit on your account, or order something small (like 5GiB of
storage) and generate a one-off bill.
If you do not like this, I'm afraid we will have to ask you to
cancel your Direct Debit mandate and pay us by some other method.
You can do that from:
https://panel.bitfolk.com/account/billing/
If you are feeling nice you can also set a higher minimum charge,
which saves us giving fees to our payment provider. You can do that
from the link above.
Or you could switch to quarterly or yearly payments. Please contact
support@ to do that.
That's everything you need to know and you can stop reading now if
you like.
Thanks!
== Long version ==
=== What's happening ===
From 27 April 2020 we'll be introducing a minimum charge of £5.00 on
Direct Debit payments.
=== Background ===
Almost half of you currently pay us by Direct Debit. I previously
mentioned that as of March 2020 our Direct Debit payment provider
(GoCardless) was introducing a £0.20 loading on every transaction,
in addition to their usual 1% transaction fee.
The majority of our customers are on the smallest plan, at £7.79 inc
VAT per month. As an example, pre-March the fees for that charge
were £0.08 (1%). Now they are £0.28. Overall, the £0.20 loading has
resulted in an 83% increase in our transaction fees.
For that reason I asked customers to please consider either
switching to quarterly or yearly payments, or else consenting to a
higher minimum charge, with the remainder being credited to the
account.
A fair few of you did switch and one customer increased their
minimum charge. As only one person had switched I did not actually
implement anything except the ability to choose the charge, and we
carried on charging the exact amount.
Today I have noticed that a Direct Debit payment failed to go
through, because we were trying to charge only £0.83. GoCardless
have obviously altered their API to not support such a small charge,
which I suppose makes sense and gives me the motivation needed to do
the same on BitFolk's side, because otherwise this customer's
service can never be marked as paid for.
=== What we're doing ===
If I am going to implement a minimum charge then I don't see the
point of trying to make it as low as it possibly can be, given that
I still have to do all the work and write this email just to tell
you about whatever value it is. It appears that the minimum charge
is £1.00. I've made the decision that our minimum charge will be
£5.00, which is still well below the regular cost of any plan we
sell, so will affect almost no one.
So, we have no choice but to implement a minimum charge. We could
handle it by batching up your invoices until they are >= £5.00 but
that is a lot of work for a situation that is really rare, and I
also don't want to be billing people in arrears. I'm choosing to set
the minimum at £5.00, not £1.00.
=== What you can do ===
If this upsets you and you never want to be charged potentially
£4.99 extra that sits on your account as credit then I'm afraid you
will have to cancel your Direct Debit mandate before 27 April 2020
and start paying us by some other means. You can do that from:
https://panel.bitfolk.com/account/billing/
Otherwise, thank you for your understanding!
Additionally if you want to be nice you could:
- Set a minimum charge that's higher than £5.00. You can do that
from the link above. The excess will sit on your account as
credit, you can have it back at any time, and it will reduce what
we pay out as fees.
- Change to a quarterly or yearly contract. Please contact support@
if you'd like to do that.
=== We still like GoCardless / Direct Debit ===
Obviously I'm not thrilled that fees for anything have gone up by
83%, but I just want to state factually that even so, the fees for
GoCardless are still less than PayPal and Stripe (credit cards).
We are contractually obliged by various merchant contracts to not
place one payment method above another in terms of favour or
prominence, but hopefully just repeating a fact is okay!
=== What about Direct Debit payments from outside the UK? ===
At the moment in order to pay us by Direct Debit you need a bank
account in GBP and a UK postal address¹.
GoCardless recently opened up their service to those in the Single
European Payments Area, USA, Canada, and probably Australia/NZ too.
This would be charged in your local currency and I am still
grappling with the changes needed for that. It will happen at Some
Point.
=== Further questions? ===
If you have any questions please reply; your reply will go to the
users mailing list and I will answer there, or else if you want to
ask in private please send to support@.
Thanks!
Andy
¹ Some financial providers like TransferWise do provide GBP accounts
with a Direct Debit feature and provide a UK address you can use
to set up Direct Debit mandates no matter where in the world you
live. That works. Also if you have a GBP account with a UK bank
but happen to live outside UK, it works right now to provide your
bank's address.
Hi,
Are there any Slackware users at BitFolk who've built a kernel
recently?
We have a customer who is having problems getting our grub to boot
their kernel from an install roughly following the guide at:
https://tools.bitfolk.com/wiki/Installing_Slackware
…so if I could see your kernel config and bootloader setup that
would be useful.
Cheers,
Andy