Thursday, April 8, 2021

Recent Questions - Server Fault



Can't access VNC port from local network

Posted: 08 Apr 2021 10:18 PM PDT

I've installed VNC on CentOS and enabled it on port 5901. I made sure that selinux, firewalld and iptables were disabled/stopped on the system for troubleshooting purposes. Now I can successfully test access to port 5901 (using netcat) using localhost, but if I use the IP address, even if connecting locally, I get "connection refused":

    # netcat to localhost works
    $ nc -vz localhost 5901
    Ncat: Version 7.70 ( https://nmap.org/ncat )
    Ncat: Connected to ::1:5901.
    Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

    # using IP doesn't work
    $ nc -vz 192.168.3.57 5901
    Ncat: Version 7.70 ( https://nmap.org/ncat )
    Ncat: Connection refused.

Needless to say, I can't connect with a VNC client. Does anyone have any idea of what I've missed either in my VNC configuration or firewall settings that could be causing this? Thanks in advance.

Is there any rhyme or reason behind when to use list- and when to use describe- for the AWS CLI?

Posted: 08 Apr 2021 05:53 PM PDT

For the AWS CLI the right command is:

aws ec2 describe-key-pairs  

But not:

aws ec2 list-key-pairs

But there is:

aws ecs list-clusters  

My current workflow is:

  1. Guess
  2. Get it wrong
  3. Change
  4. Get it wrong
  5. Look in the help
  6. Realize I made a typo like descrbe
  7. Go back to my first guess

But I wish I knew some reason to help choose between list-foo or describe-foo.

Consul proxy sidecar, peer certificate mismatch

Posted: 08 Apr 2021 03:47 PM PDT

I'm trying to connect two services, web and db (mysql), using the tutorial Secure Service Communication with Consul Service Mesh and Envoy | Consul - HashiCorp Learn as a model.

When I try to connect from web to db, I get these lines on the web proxy:

2021-04-07T20:56:29.207Z [ERROR] proxy.upstream: failed to dial: error="peer certificate mismatch got spiffe://b350502d-bd86-a715-6595-9260183bb7c2.consul/ns/default/dc/dc1/svc/web, want spiffe:///ns/default/dc/dc1/svc/db"  

and this line on the db proxy:

2021-04-07T20:56:36.991Z [ERROR] proxy.inbound: connection failed: error=EOF  

I use this line to run the proxy on web:

consul connect proxy -sidecar-for web  

And this line for db:

consul connect proxy -sidecar-for db_service  

Thanks in advance, Nomar
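To see exactly which part of the two identities in that error disagrees, here is an added Python helper (not Consul's code and not from the post): it parses Consul service SPIFFE IDs and compares them component by component, treating the trust domain as a wildcard when the expected ID leaves it empty, as the "want spiffe:///ns/..." string above does. Applied to the log line, it reports that only the service name differs (web versus db).

```python
import re
from urllib.parse import urlparse

# The web-proxy log line quoted in the post, embedded here as sample input.
LOG_LINE = (
    '2021-04-07T20:56:29.207Z [ERROR] proxy.upstream: failed to dial: '
    'error="peer certificate mismatch got spiffe://b350502d-bd86-a715-6595-9260183bb7c2.consul'
    '/ns/default/dc/dc1/svc/web, want spiffe:///ns/default/dc/dc1/svc/db"'
)

# Consul service SVIDs have the shape
#   spiffe://<trust-domain>.consul/ns/<namespace>/dc/<datacenter>/svc/<service>
SVC_PATH_RE = re.compile(r"^/ns/(?P<ns>[^/]+)/dc/(?P<dc>[^/]+)/svc/(?P<svc>[^/]+)$")
MISMATCH_RE = re.compile(r'peer certificate mismatch got ([^\s,]+), want ([^\s"]+)')


def parse_service_spiffe_id(uri):
    """Split a Consul service SPIFFE ID into trust domain, ns, dc and svc.

    The trust domain may be empty (spiffe:///ns/...), which the comparison
    below treats as "any trust domain".
    """
    parts = urlparse(uri)
    if parts.scheme != "spiffe":
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    m = SVC_PATH_RE.match(parts.path)
    if not m:
        raise ValueError(f"not a Consul service identity path: {parts.path!r}")
    return {"trust_domain": parts.netloc, **m.groupdict()}


def peer_identity_mismatch(got, want):
    """Return [(component, presented, expected), ...] for every component that differs.

    An empty list means the presented certificate identity satisfies the
    expected one. The trust domain is only compared when `want` specifies it.
    """
    g, w = parse_service_spiffe_id(got), parse_service_spiffe_id(want)
    diffs = []
    for key in ("trust_domain", "ns", "dc", "svc"):
        if key == "trust_domain" and w["trust_domain"] == "":
            continue  # expected ID does not pin a trust domain
        if g[key].lower() != w[key].lower():
            diffs.append((key, g[key], w[key]))
    return diffs


def mismatch_from_log(line):
    """Extract the got/want IDs from a proxy log line and diff them (None if no match)."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return peer_identity_mismatch(m.group(1), m.group(2))


if __name__ == "__main__":
    for component, presented, expected in mismatch_from_log(LOG_LINE):
        print(f"{component}: peer presented {presented!r}, expected {expected!r}")
```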

Strange behaviour in CENTOS 7 where binary is not available as root, but is available to user data process

Posted: 08 Apr 2021 03:38 PM PDT

In AWS EC2 I am using CentOS 7, and I observe strange behaviour where the HashiCorp Vault CLI binary (/usr/local/bin/vault) is available during boot to commands I run in user data. It is also available to users normally. However, if I run sudo -i it is not available. If I run sudo su - root, then it is available!

Why would a command be available in user data as root, but not if I try to login as root using sudo -i?

Path of connection between two EC2 instances

Posted: 08 Apr 2021 06:58 PM PDT

I have an EC2 instance running in my own VPC. One of my partners also has an EC2 running in their own VPC in AWS. The two instances connect to each other via TCP to exchange data. Connection is made through their DNS address.

I am wondering about two scenarios:

  • The instances are in separate regions
  • The instances are in the same region

What is the path taken by the TCP connection between the two instances? Does it matter that they both live within AWS? When the instances are in the same region, does the connection ever leave AWS to an external network switch / router?

Putty customization

Posted: 08 Apr 2021 06:06 PM PDT

Advice, please: how do I customize PuTTY so that this window looks normal? I mean the tables, all these xx qqq characters and so on. My configuration is the default.


Can I get ip lease from DHCP router for linux virtual interface?

Posted: 08 Apr 2021 10:34 PM PDT

I have a MikroTik router that acts as a DHCP server. I created some virtual interfaces on my Raspberry Pi using:

    interface eth0:1
    static ip_address=192.168.88.5/24
    static routers=192.168.88.1
    static domain_name_servers=192.168.88.1

    interface eth0:2
    static ip_address=192.168.88.10/24
    static routers=192.168.88.1
    static domain_name_servers=192.168.88.1

    interface eth0:3
    static ip_address=192.168.88.12/24
    static routers=192.168.88.1
    static domain_name_servers=192.168.88.1

    interface eth0:4
    static ip_address=192.168.88.13/24
    static routers=192.168.88.1
    static domain_name_servers=192.168.88.1

I can ping them, but they are not visible in my router's DHCP lease list. Can I make them appear as real devices on my router?

ssh port forwarding (tunneling in HPC)

Posted: 08 Apr 2021 06:19 PM PDT

I have an application server that runs on a compute node. The server opens a port (9000) and I then run a command for tunneling between my local machine and the server:

ssh -N -f -L 9000:compute-node:9000 user@myhpc

Once this is done I can essentially use my server's web interface in a browser at localhost:9000.

I use ecdsa -b 521 encryption with password-less authentication, the public key has been copied to the HPC. I was told that this command exposes the HPC to the internet and it's not safe. I'm a bit skeptical about this answer and I would like to have opinions on the safety of tunneling in this manner.
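Both the VNC symptom (localhost connects, the LAN address is refused) and the question about the -L tunnel come down to which address a listener is bound to. The following Python is an added example, not from either post: it classifies listen addresses from constructed `ss -ltn` output and applies the bind_address rules documented in ssh(1) to a -L forward spec. The ss sample, the port numbers and the hostnames are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -ltn` output modelled on the VNC post: port 5901
# accepts connections only on the loopback addresses, so a client using the
# machine's LAN address (192.168.3.57) is refused.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       5            127.0.0.1:5901        0.0.0.0:*
LISTEN  0       5                [::1]:5901           [::]:*
LISTEN  0       128       192.168.3.57:3306        0.0.0.0:*
"""

WILDCARDS = {"*", "0.0.0.0", "::", ""}

# ssh -L spec: [bind_address:]port:host:hostport, with IPv6 literals in brackets.
FORWARD_RE = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]*):)?(?P<port>\d+):"
    r"(?P<host>\[[^\]]*\]|[^:]+):(?P<hostport>\d+)$"
)


def classify_bind(addr):
    """Return 'wildcard', 'loopback' or 'specific' for a listen/bind address."""
    addr = addr.strip("[]")
    if addr in WILDCARDS:
        return "wildcard"
    if addr.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "specific"  # a hostname: binds one concrete address
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def parse_ss_listeners(text):
    """Parse `ss -ltn` output into (address, port, scope) tuples."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port), classify_bind(addr)))
    return listeners


def reachable_from_lan(listeners, port):
    """True if some listener on `port` accepts connections to a non-loopback address."""
    return any(p == port and scope != "loopback" for _, p, scope in listeners)


def ssh_local_forward_scope(spec, gateway_ports=False):
    """Classify the listen side of an ssh -L forward spec.

    Per ssh(1): with no bind_address the port is bound according to
    GatewayPorts (loopback unless -g / GatewayPorts yes); 'localhost' forces
    loopback; an empty bind_address or '*' listens on all interfaces.
    """
    m = FORWARD_RE.match(spec)
    if not m:
        raise ValueError(f"not a valid -L spec: {spec!r}")
    bind = m.group("bind")
    if bind is None:
        return "wildcard" if gateway_ports else "loopback"
    return classify_bind(bind)


if __name__ == "__main__":
    listeners = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    for addr, port, scope in listeners:
        print(f"{addr}:{port} -> {scope}")
    print("5901 reachable from LAN:", reachable_from_lan(listeners, 5901))
    print("-L 9000:compute-node:9000 listens on:", ssh_local_forward_scope("9000:compute-node:9000"))
```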

How to hide "Alternative names" SSL certificates (in SSL Labs test)?

Posted: 08 Apr 2021 10:28 PM PDT

When running ssllabs.com's test on my website, the output contains "Certificate #2" for (one of the) other domains hosted on the NGINX web server. It is red and not Trusted, but I would prefer simply not to have this option, where a program can see which other domains are hosted on this server.

SSSD - Server does not see subdomains

Posted: 08 Apr 2021 03:37 PM PDT

Good morning, I have four servers in the same subnet, all running RHEL 7 and using SSSD to authenticate against an Active Directory domain controller. With one (and only one) of them I have an issue where the server isn't able to read the AD global catalog.

The offending server:

    [ec2-user@SERVER1 ~]$ sudo sssctl domain-list
    subdomain1.domain.org

    [ec2-user@SERVER1 ~]$ sudo sssctl domain-status subdomain1.domain.org
    Online status: Online
    Active servers:
    AD Global Catalog: not connected
    AD Domain Controller: vaorsubdomain1dc02.subdomain1.domain.org

    Discovered AD Global Catalog servers:
    None so far.

    Discovered AD Domain Controller servers:
    - vaorsubdomain1dc02.subdomain1.domain.org
    - vaorsubdomain1dc01.subdomain1.domain.org

And its peer:

    [me@domain.org@SERVER2 ~]$ sudo sssctl domain-list
    subdomain1.domain.org
    domain.org
    subdomain3.domain.org
    subdomain2.domain.org

    [me@domain.org@SERVER2 ~]$ sudo sssctl domain-status subdomain1.domain.org
    Online status: Online

    Active servers:
    AD Global Catalog: vaorsubdomain1dc02.subdomain1.domain.org
    AD Domain Controller: vaorsubdomain1dc01.subdomain1.domain.org

    Discovered AD Global Catalog servers:
    - vaorsubdomain1dc02.subdomain1.domain.org
    - vaorsubdomain1dc01.subdomain1.domain.org
    - vaordc01.domain.org
    - vaorsubdomain2dc01.subdomain2.domain.org
    - vaordc02.domain.org
    - vaorsubdomain3dc01.subdomain3.domain.org

    Discovered AD Domain Controller servers:
    - vaorsubdomain1dc01.subdomain1.domain.org
    - vaorsubdomain1dc02.subdomain1.domain.org

I've turned the logging verbosity up. When I restart SSSD I see this in the logs

    (2021-04-02 18:28:08): [be[subdomain1.domain.org]] [sdap_id_op_done] (0x4000): releasing operation connection
    (2021-04-02 18:28:08): [be[subdomain1.domain.org]] [dp_req_done] (0x0400): DP Request [Subdomains #25]: Request handler finished [0]: Success
    (2021-04-02 18:28:08): [be[subdomain1.domain.org]] [_dp_req_recv] (0x0400): DP Request [Subdomains #25]: Receiving request data.
    (2021-04-02 18:28:08): [be[subdomain1.domain.org]] [dp_req_reply_list_success] (0x0400): DP Request [Subdomains #25]: Finished. Success.
    (2021-04-02 18:28:08): [be[subdomain1.domain.org]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #25]: Returning [Internal Error]: 3,14,Bad address

The thing that's confusing me is the other machines have the same resolv.conf and host files. Does anyone know what I'm doing wrong?

Additional info:

I explicitly enabled the global catalog in sssd.conf:

ad_enable_gc = True  

And I'm now seeing some additional errors in the log:

    (2021-04-08 21:56:07): [be[subdomain1.domain.org]] [ads_get_dom_id_ctx] (0x0040): Cannot get the sdom for domain.org!
    (2021-04-08 21:59:06): [be[subdomain1.domain.org]] [sss_domain_get_state] (0x1000): Domain domain.org is Disabled
    (2021-04-08 21:59:06): [be[subdomain1.domain.org]] [ad_subdom_store] (0x0100): MPG mode of domain.org is true
    (2021-04-08 21:59:06): [be[subdomain1.domain.org]] [sss_domain_set_state] (0x1000): Domain domain.org is Disabled

I don't think this is a fix, but it feels like progress.

Intermediate CA Certificate Renewal for Direct Access

Posted: 08 Apr 2021 03:56 PM PDT

Background: We have DA, single site config. Enterprise PKI with Offline Root and online Intermediate CA (Intermediate CA used to issue Computer Certs to clients for DA). The Intermediate CA's cert is expiring, and we have issued a new Intermediate Cert. That cert has propagated across the enterprise and is in the trusted intermediate store for all domain joined clients, servers, including DA servers, etc. Both the old and new Intermediate Certs are valid and in clients Intermediate Trusted CA stores.

Problem: Direct Access servers show IPSec error as the configuration still has the old Intermediate CA Certificate in it and needs to be updated.

Question: What is the impact to DA clients once we switch over in that configuration? I understand it will update GPO and clients will get that GPO, but will it immediately break DA clients until they get a GP Update, or will this change not impact client connectivity?

postfix won't send mail via Amazon SES - Host or domain name not found

Posted: 08 Apr 2021 10:05 PM PDT

I have been trying to configure my Amazon EC2 instance (running Ubuntu 20.04) to send mail via Amazon SES. I have various settings I've borrowed from an earlier (successful) configuration to prevent any local mail delivery on this machine and to make sure all outgoing mail is coming from a single sender address. For some reason, postfix refuses to send the mail. The errors always look like this (I have redacted identifiable domains etc):

    May 11 21:24:43 ip-172-30-2-193 postfix/pickup[3918]: 256D03EEA0: uid=1001 from=<noreply@mydomain.com>
    May 11 21:24:43 ip-172-30-2-193 postfix/cleanup[3928]: 256D03EEA0: message-id=<20200511212443.256D03EEA0@www.mydomain.com>
    May 11 21:24:43 ip-172-30-2-193 postfix/qmgr[3919]: 256D03EEA0: from=<noreply@mydomain.com>, size=723, nrcpt=1 (queue active)
    May 11 21:24:43 ip-172-30-2-193 postfix/smtp[3921]: 256D03EEA0: to=<example-email@gmail.com>, relay=none, delay=14, delays=14/0/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=email-smtp.us-east-1.amazonaws.com type=A: Host not found, try again)

Here is my postconf:

    command_directory = /usr/sbin
    compatibility_level = 2
    daemon_directory = /usr/lib/postfix/sbin
    data_directory = /var/lib/postfix
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    html_directory = no
    inet_interfaces = loopback-only
    inet_protocols = ipv4
    local_transport = error:local delivery is disabled
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
    masquerade_domains = $mydomain
    mydestination =
    mydomain = mydomain.com
    myhostname = www.mydomain.com
    mynetworks_style = host
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    readme_directory = /usr/share/doc/postfix
    relayhost = [email-smtp.us-east-1.amazonaws.com]:587
    sample_directory = /usr/share/doc/postfix/examples
    sender_canonical_maps = regexp:/etc/postfix/sender_canonical
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_generic_maps = hash:/etc/postfix/generic
    smtp_sasl_auth_enable = yes
    smtp_sasl_mechanism_filter = plain
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_loglevel = 1
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = secure
    smtpd_banner = $myhostname ESMTP $mail_name
    unknown_local_recipient_reject_code = 550

The file /etc/postfix/sasl_passwd is owned by root:root with mode 640 and looks like this:

    # NOTE: these are credentials for IAM User [REDACTED]
    [email-smtp.us-east-1.amazonaws.com]:587 XXXXXXXXXXXXXXXXXXXXX:YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

where the XXX... and YYY... are credentials that currently work from an older server.

I have seen a variety of posts on this forum addressing this type of error, but the solutions they suggest don't solve my problem:

  • network connection problem -- I can telnet without any problem from this server to email-smtp.us-east-1.amazonaws.com on both port 25 and 587
  • attempting ipv6 transport -- I specifically set inet_protocols to ipv4.
  • presence/absence of square brackets around email-smtp.us-east-1.amazonaws.com -- I have tried setting relayhost with and without square brackets and have always taken care to re-hash the sasl_passwd file. If I put the brackets in, the error says type=A: Host not found, try again. If I take the brackets out, it says type=MX: Host not found, try again. This is the only difference.
  • DNS not resolving and/or resolv.conf not readable -- A dig email-smtp.us-east-1.amazonaws.com command always yields about half a dozen AWS addresses. The file /etc/resolv.conf is world-readable. I have not tried copying or symlinking this file anywhere.
  • bad relay host or missing credentials -- all mail should be routed through Amazon SES, which is what I have relayhost set to, and the file /etc/postfix/sasl_passwd is owned/readable by root and the credentials it contains match relayhost in main.cf and also work on another, older server.

Windows server 2016 Failover Cluster does not complete Forming the cluster

Posted: 08 Apr 2021 04:04 PM PDT

I am trying to set up a 2 Node failover cluster using Windows server 2016. I deployed the servers in AWS. Here are the details.

I used:

  • 1 server acting as the Domain Controller (10.30.10.101), on which I installed a domain (globex.local)
  • 2 servers acting as nodes which are joined to the same domain (NODE01, NODE02)
  • NODE01 - 10.30.10.102, NODE02 - 10.30.10.103
  • 1 server acting as the iSCSI file server. It is also joined to the same domain.
  • I used one AWS region and one subnet (10.30.10.0/24) for deploying all my servers

Attaching the iSCSI disks is successful. Cluster Validation is also successful. But when I go to create the Cluster, it gets stuck in the FORMING CLUSTER stage for a long time and gives me the following errors. I did a lot of research and I granted the domain administrators the permissions necessary to create cluster resource objects (computers). All the servers are in the same folder. While creating the cluster I can see it creates a computer object with the same cluster name I gave. But it does not finish creating the cluster.

I struggled so hard to solve this but still no luck. Seeking for a solution.


Specifically, I remember that when I tried to add the nodes, I could only add the local node by its NetBIOS name. When I use the NetBIOS name for the remote node, it gives an error. I used IP addresses and then it worked. But in the tutorial videos I can see they add both nodes with their short NetBIOS names. I wonder if that is the problem.


    Beginning to configure the cluster Cluster.
    Initializing Cluster Cluster.
    Validating cluster state on node NODE02.globex.local.
    Searching the domain for computer object 'Cluster'.
    Find a suitable domain controller for node NODE02.globex.local.
    Check whether the computer object Cluster for node NODE02.globex.local exists in the domain. Domain controller \\GRI-DC.globex.local.
    Bind to domain controller \\GRI-DC.globex.local.
    Check whether the computer object NODE02.globex.local for node NODE02.globex.local exists in the domain. Domain controller \\GRI-DC.globex.local.
    Verifying computer object 'Cluster' in the domain.
    Checking for account information for the computer object in the 'UserAccountControl' flag for Cluster.
    Validating installation of the Network FT Driver on node NODE02.globex.local.
    Validating installation of the Cluster Disk Driver on node NODE02.globex.local.
    Configuring Cluster Service on node NODE02.globex.local.
    Validating installation of the Network FT Driver on node NODE01.globex.local.
    Validating installation of the Cluster Disk Driver on node NODE01.globex.local.
    Configuring Cluster Service on node NODE01.globex.local.
    Waiting for notification that Cluster service on node NODE02.globex.local has started.
    Forming cluster 'Cluster'.
    Operation failed, attempting cleanup.
    An error occurred while creating the cluster and the nodes will be cleaned up. Please wait...
    An error occurred while creating the cluster and the nodes will be cleaned up. Please wait...

How to Use Azure Key Vault w/ Web App

Posted: 08 Apr 2021 09:04 PM PDT

I have an Azure Web App for a client project. The project also requires Azure SQL Databases and Blob Storage. All pieces mentioned are up and running but we've been told we can't have any password stored in the web.config or in the azure portal under application settings.

I created my Key Vault and created an access policy for the web app and my user account. If I select "secrets" in the keyvault menu I only see a few of the database connection strings but not all. I also don't see anything about the connection to our blob container.

Where exactly is keyvault pulling this information from - is it from the application settings menu for the web app or in the web.config code? I'd appreciate any clarity or direction somebody can provide.

SuspiciousRemoteServerError what I can do?

Posted: 08 Apr 2021 06:00 PM PDT

For some time I have had a problem sending e-mails. I have an Exchange 2013 with SP2, newest CU. When I try to send an e-mail with an attachment I get an error. I have Kaspersky Security 8.0.

SMTPSEND.SuspiciousRemoteServerError; remote server disconnected abruptly; retry will be delayed};{FQDN=};

What i've tried:

  • Update Exchange to SP2 and newest CU21
  • Update Kaspersky to newest update
  • Check SPF with mxtools
  • Add new network interface to VM - Exchange machine is a VM on Windows 2012
  • We aren't on any spam lists
  • Create new send connector: send e-mail by MX record associated with recipient domain, not by any smart host.
  • We have a Cisco router, but no firewall like an ASA - "no fixup protocol smtp 25" does not apply, there isn't any firewall
  • On the send connector I enabled logging, but there isn't anything suspicious in the logs.

I don't have any more ideas about what I can do. I've tried SMTPDiag but everything looks fine.

Help me please...

IIS returning 404 on PDF File

Posted: 08 Apr 2021 10:06 PM PDT

I have an IIS 10.0 server where everything is working fine, with one issue. Any .pdf file returns 404. I know permissions are correct as all the image files in the same folder are working fine.

The PDF mime type exists in both the IIS root and the site and there is no Request filtering set.

Most of the results on the web are for an older version of IIS, so I am out of ideas. Has anyone else run into this?

Zabbix- agent hostname no dns

Posted: 08 Apr 2021 07:02 PM PDT

I have two windows computers with agents installed. I have setup my host on Zabbix Server. The agents(from home) can communicate with Zabbix server(AWS) via VPN. VPN has been confirmed and is up.

Right now the Zabbix server is failing to communicate with the agents due to the hostname. From the Zabbix server terminal I cannot resolve the Windows hostnames because there is no DNS. They are both not connected to a DC.

However, I added the host names with IPs to the server's /etc/hosts. I can now resolve them, but Zabbix still cannot find the hostname.

Do I really need to make the computers with agents part of a domain and use DNS?

Periodic broken connections between Nginx and uWSGI

Posted: 08 Apr 2021 06:00 PM PDT

My Django site is hosted under Nginx/uWSGI. The site becomes unreachable from time to time for a period of a few minutes to a few hours. It just returns 500 after a long wait.

I can see harakiri messages in uWSGI log when this happens. Requests do not reach Django application (I've tried debugging). Instead I'm getting errors in Nginx log:

    2016/12/03 01:18:40 [error] 1330#0: *363441461 upstream timed out (110: Connection timed out) while reading response header from upstream, client: <ip address>, server: site.com, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///var/run/uwsgi/app/site/socket", host: "site.com", referrer: "<page url>"
    2016/12/03 01:19:27 [error] 1330#0: *363441461 upstream timed out (110: Connection timed out) while reading response header from upstream, client: <ip address>, server: site.com, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///var/run/uwsgi/app/site/socket", host: "site.com", referrer: "<page url>"
    2016/12/03 01:20:15 [error] 1330#0: *363441461 upstream prematurely closed connection while reading response header from upstream, client: <ip address>, server: site.com, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///var/run/uwsgi/app/site/socket:", host: "site.com", referrer: "<page url>"

In uWSGI logs I see this kind of messages:

    Sat Dec  3 01:19:00 2016 - HARAKIRI [core 2] <ip address> - GET / since 1480727890
    Sat Dec  3 01:20:15 2016 - HARAKIRI [core 2] <ip address> - GET / since 1480727999
    Sat Dec  3 01:20:32 2016 - HARAKIRI [core 0] <ip address> - GET / since 1480727937

    Sat Dec  3 05:04:15 2016 - uwsgi_response_write_headers_do(): Broken pipe [core/writer.c line 238] during GET / (<ip address>)

It seems the uWSGI messages depend on the harakiri value. I can't be sure because the problem is on the heavily loaded production server and I can't do enough experiments. I set harakiri to 15 the last time this happened, and now I can't return to the previous value of 40 because the site hangs again.

Nginx settings:

    uwsgi_read_timeout 30;
    limit_conn addr 100;

    location ^~ / {
        limit_conn session 5;
        limit_req zone=session_req burst=5;

        proxy_set_header X-Forwarded-Proto $scheme;
        uwsgi_pass unix:///var/run/uwsgi/app/site/socket;
        include uwsgi_params;
        uwsgi_param UWSGI_SCHEME $scheme;
    }

uWSGI settings:

    module = deploy.wsgi:application
    master
    processes = 10
    threads = 5
    listen = 3072
    thunder-lock
    cpu-affinity = 1

    reload-on-rss = 200
    harakiri = 15
    reload-mercy = 20
    py-autoreload = 0
    vacuum

What is the problem and how do I fix this?

<IfModule prefork> in Apache 2.4 (Amazon) is not in httpd.conf

Posted: 08 Apr 2021 07:02 PM PDT

I am running an AWS EC2 instance with LAMP (Apache 2.4, Amazon build). I am trying to tune the prefork module but I can't find it.

I have checked the httpd.conf file and it is not in there. I have confirmed that it is running prefork mpm.

I am looking for something similar to the following:

    <IfModule prefork.c>
    StartServers       8
    MinSpareServers    5
    MaxSpareServers   20
    ServerLimit      256
    MaxClients       256
    MaxRequestsPerChild  4000
    </IfModule>

    # Example:
    # LoadModule foo_module modules/mod_foo.so
    # LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_alias_module modules/mod_authn_alias.so

Does anyone know where those files are located?

Skype for Business/Lync 2013 - Wrong Display Names

Posted: 08 Apr 2021 04:04 PM PDT

Recently we've been noticing an issue where when searching for a user in Skype For Business/Lync 2013, a different user will show up in the search results. Doing some research, this seems to be related to "proxy addresses" as I notice the user that shows up incorrectly in place of the actual user (we're searching for) has their email address added as an alias (smtp) address in Exchange. So we search for user A, but User B's name shows up. User B's email address (an ex-employee that isn't in Exchange anymore) is added as an alias (smtp) address as part of User A's email addresses in Exchange.

The link below seems to describe our issue, but we're running Lync Server 2013 and not 2010. Is there any way to fix this issue for Lync Server 2013?

http://www.markc.me.uk/markc/Blog/Entries/2012/8/8_Lync_showing_wrong_name_for_a_user.html

Receiving multicast traffic on host-only interface

Posted: 08 Apr 2021 05:01 PM PDT

I have a VirtualBox host (linux) with a Windows 8.1 guest. The virtual network configuration for that guest:


After disabling auto metric on the host-only Adapter2 (in the guest OS) and fixing it to either 1 or 800 (i.e. it doesn't matter if it is higher or lower than the metrics of Adapter1), I could send multicast traffic (via tcpreplay) from the host to the paravirtualized interface (eth0), and an app on the guest can receive it on Adapter1.

When sending the same data to host-only adapter (vboxnet0) though, I cannot receive it in the guest on Adapter2. Although wireshark does capture the packets:


This looks similar to when I try to receive packets that arrive on the NIC without joining the multicast groups, i.e. it looks like the network stack is discarding the packets because the app has not joined those multicast addresses.

So how is it possible to receive multicast data on a host-only adapter?

How do I connect a SoftEther bridge to a server without getting an authentication error?

Posted: 08 Apr 2021 09:04 PM PDT

I've been playing around with SoftEther, and I'm trying to use the VPNCMD utility to create a site-to-site VPN. However, when I try to bring the Cascade connection up between the bridge and the server, I get a user authentication error. Which is weird, because the user doesn't even have a password set on it. These are all in VMs that have no trouble pinging each other. Here's my code on the bridge side:

    VPN Server/BRIDGE> BridgeCreate BRIDGE /Device:eth0 /TAP:no
    VPN Server/BRIDGE> CascadeCreate TestCascade /SERVER:192.168.1.12:5555 /HUB:TestHub /USERNAME:Test
    VPN Server/BRIDGE> CascadeOnline TestCascade
    VPN Server/BRIDGE> CascadeList

All of the settings are correct to what's set up on the cluster controller. However, we get an error:

Status | Error 9: User Authentication Failed  

Any ideas?

Proxmox vps container connection problems

Posted: 08 Apr 2021 08:02 PM PDT

I have Proxmox on my node server, which has IP 5.189.190.*, and I created an OpenVZ container on IP 213.136.87.* and installed CentOS 6 on it.

The problem: I can't connect to the container over SSH directly. I can't open the Apache CentOS welcome page. When I enter the container from the node I can't ping any sites or wget any URL, but I can connect to 127.0.0.1 and the main node IP.

My Configuration: container /etc/resolv.conf

    nameserver 8.8.8.8
    nameserver 8.8.4.4

container /etc/sysconfig/network-scripts/ifcfg-venet0

    DEVICE=venet0
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=213.136.87.*
    NETMASK=255.255.255.0
    BROADCAST=213.136.87.*
    IPV6INIT="yes"

container /etc/sysconfig/network-scripts/ifcfg-venet0

    DEVICE=venet0:0
    ONBOOT=yes
    IPADDR=213.136.87.*
    NETMASK=255.255.255.0

node /etc/network/interfaces

    # network interface settings
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet manual

    auto vmbr0
    iface vmbr0 inet static
            address  5.189.190.*
            netmask  255.255.255.0
            gateway  5.189.190.*
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0

node /etc/resolv.conf having DC nameservers correctly

container ping result:

    # ping google.com -c 3
    ping: unknown host google.com

container traceroute result:

    # traceroute google.com
    google.com: Temporary failure in name resolution
    Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)

node ping result:

    # ping google.com -c 3
    PING google.com (74.125.29.139) 56(84) bytes of data.
    64 bytes from qg-in-f139.1e100.net (74.125.29.139): icmp_req=1 ttl=41 time=110 ms
    64 bytes from qg-in-f139.1e100.net (74.125.29.139): icmp_req=2 ttl=41 time=110 ms
    64 bytes from qg-in-f139.1e100.net (74.125.29.139): icmp_req=3 ttl=41 time=110 ms

    --- google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 110.450/110.462/110.474/0.383 ms

node traceroute result:

    # traceroute google.com
    traceroute to google.com (74.125.29.139), 30 hops max, 60 byte packets
     1  ip-1-90-136-213.static.contabo.net (213.136.90.1)  0.506 ms  0.517 ms  0.513 ms
     2  ffm-b11-link.telia.net (62.115.36.237)  0.493 ms  0.491 ms  0.484 ms
     3  hbg-b1-link.telia.net (62.115.139.164)  15.379 ms  15.393 ms  15.384 ms
     4  hbg-bb4-link.telia.net (213.155.135.88)  16.048 ms hbg-bb4-link.telia.net (213.155.135.86)  15.419 ms hbg-bb4-link.telia.net (213.155.135.84)  15.456 ms
     5  nyk-bb1-link.telia.net (80.91.247.127)  96.568 ms nyk-bb2-link.telia.net (80.91.247.123)  107.638 ms nyk-bb1-link.telia.net (80.91.247.129)  96.582 ms
     6  nyk-b6-link.telia.net (213.155.130.251)  105.478 ms  105.470 ms nyk-b6-link.telia.net (80.91.254.32)  101.005 ms
     7  google-ic-303645-nyk-b6.c.telia.net (213.248.78.250)  101.235 ms  105.746 ms  105.719 ms
     8  209.85.248.242 (209.85.248.242)  101.694 ms  106.213 ms  106.250 ms
     9  209.85.249.212 (209.85.249.212)  101.225 ms 209.85.246.4 (209.85.246.4)  101.597 ms 209.85.252.242 (209.85.252.242)  101.179 ms
    10  209.85.249.11 (209.85.249.11)  102.247 ms  112.917 ms 72.14.239.93 (72.14.239.93)  97.931 ms
    11  64.233.174.9 (64.233.174.9)  104.733 ms 66.249.95.229 (66.249.95.229)  109.232 ms 66.249.95.231 (66.249.95.231)  106.086 ms
    12  72.14.234.53 (72.14.234.53)  106.179 ms 72.14.238.73 (72.14.238.73)  110.471 ms 72.14.234.53 (72.14.234.53)  106.170 ms
    13  * * *
    14  qg-in-f139.1e100.net (74.125.29.139)  110.479 ms  110.656 ms  106.154 ms

Any ideas will be welcomed

Thanks

2-way SSL with apache forward proxy

Posted: 08 Apr 2021 10:06 PM PDT

I'm working to set up Apache as a forward proxy with a client that uses 2-way SSL. The basic flow is myApplication --via http--> Apache proxy --via 2-way SSL--> client. After setting everything up, when I try to start Apache, I get an "incomplete client cert configured for SSL proxy (missing or encrypted private key?)" error. What I can't figure out is that the client cert I'm using in the SSLProxyMachineCertificateFile directive already has both the unencrypted private key and the public cert. Any suggestions on what I'm missing and/or anything else I can try? Does the all-in-one machine cert need to have the chain in it as well?

Here's what my vhost looks like.

    <VirtualHost *:8082>
        ServerName my.domain.com

        ProxyRequests On
        SSLProxyEngine On

        SSLProxyMachineCertificateFile /etc/httpd/keys/machine.pem
        SSLProxyCACertificateFile /etc/httpd/keys/machine.chain.crt

        ProxyPass / https://target.client.com/
        ProxyPassReverse / https://target.client.com/

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
    </VirtualHost>

EDIT: I updated the basic flow to clarify what kind of connection I'm trying to use between the application, apache, and the client.
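The error quoted above is mod_ssl saying that the file named in SSLProxyMachineCertificateFile does not give it a usable client identity: that file has to hold the certificate together with its private key, and the key must be stored unencrypted (mod_ssl does not support encrypted keys there). The following is an added example, not code from the post or from Apache, that checks exactly that framing. It inspects PEM structure only (block labels, PKCS#1 `Proc-Type` headers, base64 integrity); it does not prove that the key and certificate belong to each other, which the note after the code covers. The sample PEM files are constructed from placeholder bytes, not real keys.

```python
import base64
import binascii
import re

# Added example, not code from the post or from Apache. It checks the framing of the
# all-in-one PEM file that SSLProxyMachineCertificateFile expects: a certificate plus
# its private key, with the key stored unencrypted. It does not verify that key and
# certificate belong together.

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem_blocks(text):
    """Split PEM text into (label, header_lines, base64_body) tuples.

    RFC 1421-style headers such as 'Proc-Type: 4,ENCRYPTED' contain a colon, which
    never appears in base64, so they are easy to separate from the body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        headers, body = [], []
        for line in m.group("body").splitlines():
            s = line.strip()
            if not s:
                continue
            (headers if ":" in s else body).append(s)
        blocks.append((m.group("label"), headers, "".join(body)))
    return blocks


def inspect_machine_pem(text):
    """Report what the file contains and why mod_ssl would reject it."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0, "problems": []}
    for label, headers, body in parse_pem_blocks(text):
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            report["problems"].append(f"{label}: body is not valid base64 (truncated or corrupted?)")
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 marks encryption in the label; PKCS#1 (RSA PRIVATE KEY) uses a Proc-Type header.
            encrypted = label.startswith("ENCRYPTED") or any(
                h.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in h.upper() for h in headers
            )
            if encrypted:
                report["encrypted_keys"] += 1
                report["problems"].append(f"{label}: key is encrypted; decrypt it before use")
    if report["certificates"] == 0:
        report["problems"].append("no CERTIFICATE block found")
    if report["private_keys"] == 0:
        report["problems"].append("no PRIVATE KEY block found")
    return report


def is_usable_for_mod_ssl(text):
    return not inspect_machine_pem(text)["problems"]


def _pem(label, payload, headers=()):
    """Build a syntactically valid PEM block around placeholder bytes (constructed, not real DER)."""
    body = base64.b64encode(payload).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed samples: the shapes mod_ssl accepts and rejects. No real keys involved.
GOOD_PEM = _pem("PRIVATE KEY", b"placeholder-pkcs8-key") + _pem("CERTIFICATE", b"placeholder-cert")
PKCS8_ENCRYPTED_PEM = _pem("ENCRYPTED PRIVATE KEY", b"placeholder") + _pem("CERTIFICATE", b"placeholder-cert")
PKCS1_ENCRYPTED_PEM = _pem(
    "RSA PRIVATE KEY", b"placeholder",
    headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF"),
) + _pem("CERTIFICATE", b"placeholder-cert")
CERT_ONLY_PEM = _pem("CERTIFICATE", b"placeholder-cert")

if __name__ == "__main__":
    import sys
    samples = {"good": GOOD_PEM, "pkcs8-encrypted": PKCS8_ENCRYPTED_PEM,
               "pkcs1-encrypted": PKCS1_ENCRYPTED_PEM, "cert-only": CERT_ONLY_PEM}
    if len(sys.argv) > 1:  # e.g. python check_machine_pem.py /etc/httpd/keys/machine.pem
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    for name, pem in samples.items():
        print(name, inspect_machine_pem(pem))
```

Once the framing is right, confirm the key really belongs to the certificate in the same file by comparing public keys: `openssl x509 -in machine.pem -noout -pubkey` and `openssl pkey -in machine.pem -pubout` must print the same block. The intermediate chain does not belong in machine.pem, and SSLProxyCACertificateFile is not the place for it either (that file is what Apache uses to verify the remote server's certificate); httpd 2.4.10 and later send the client chain from SSLProxyMachineCertificateChainFile.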

Debugging Gunicorn + Nginx + Django

Posted: 08 Apr 2021 05:01 PM PDT

I'm trying to deploy a readthedocs instance on my own server. The recommended way to deploy is using Gunicorn + nginx with postgres. Because there's basically no documentation on how to do this (except for their fabfiles, which of course only work on their server), I've been trying to set up my own server manually.

Here's my nginx.conf:

    server {
        listen 80 default;
        server_name mysite.com;
        access_log /var/log/nginx/mysite.access.log;
        error_log /var/log/nginx/mysite.error.log;

        location /favicon.ico {
            root /home/mysite/Code/checkout/readthedocs.org/media/images;
            break;
        }

        # a prefix location must start with "/"; "location robots.txt" never matches a request URI
        location /robots.txt {
            root /home/mysite/Code/checkout/readthedocs.org/media;
            break;
        }

        location /static/ {
            alias /home/mysite/Code/checkout/readthedocs.org/media/;
            expires 30d;
            break;
        }

        location /media/ {
            alias /home/mysite/Code/checkout/readthedocs.org/media/;
            expires 30d;
            break;
        }

        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 10;
            proxy_read_timeout 10;
            proxy_pass http://127.0.0.1:8888;
        }
    }

The settings.py for the Django configuration can be found here. The only thing I changed in settings.py is that I added gunicorn to INSTALLED_APPS so I can run gunicorn with it.

The command I use to run the gunicorn server is:

    ./manage.py run_gunicorn -b 127.0.0.1:8888

Then if I try to access 127.0.0.1 from a local browser, it works, but always shows a 404 page, no matter what URL I enter. Running ./manage.py runserver runs everything correctly.

Now I am not a sysadmin, and had basically zero experience with Django, gunicorn, or nginx before this. I've been googling and playing around with the configuration for weeks, with zero results. My questions are:

  1. How do I know which Django route is called by gunicorn? Can I debug this? None of the log files I can find show this.
  2. Do you see anything wrong with my configuration file? If so, could you please tell me what's wrong?

Thank you very much.
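For question 1 above, the thing worth seeing is what gunicorn hands to the application after nginx has rewritten the request: the Host header, SCRIPT_NAME and PATH_INFO, and the status the application answers with. The following is an added example, not code from the post or from readthedocs: a small WSGI middleware that logs one line per request and keeps the last record for inspection, plus a stand-in application and a constructed request so it runs without a server. The module name `myproject.wsgi` in the comment is hypothetical; substitute the project's real WSGI module.

```python
import logging
import sys
from io import BytesIO

# Added example, not code from the post or from readthedocs. A WSGI middleware that
# records what gunicorn actually hands to the application (method, Host, path, query,
# X-Forwarded-For) and the status it answered with, so a blanket 404 can be traced to
# the request the URL resolver really saw. Module and app names below are hypothetical.

log = logging.getLogger("wsgi.trace")


class RequestTrace:
    """Wrap a WSGI app and log one line per request; keeps the last record for inspection."""

    def __init__(self, app):
        self.app = app
        self.last = None

    def __call__(self, environ, start_response):
        record = {
            "method": environ.get("REQUEST_METHOD"),
            "host": environ.get("HTTP_HOST"),
            "script_name": environ.get("SCRIPT_NAME", ""),
            "path": environ.get("PATH_INFO"),
            "query": environ.get("QUERY_STRING", ""),
            "forwarded_for": environ.get("HTTP_X_FORWARDED_FOR"),
            "status": None,
        }

        def traced_start_response(status, headers, exc_info=None):
            record["status"] = status
            return start_response(status, headers, exc_info)

        try:
            result = self.app(environ, traced_start_response)
        except Exception:
            record["status"] = "unhandled exception"
            raise
        finally:
            # Django calls start_response before returning, so the status is known here;
            # an app that calls it lazily while iterating would log None instead.
            self.last = record
            log.info(
                "%s %s%s%s%s -> %s (X-Forwarded-For=%s)",
                record["method"], record["host"], record["script_name"], record["path"],
                "?" + record["query"] if record["query"] else "", record["status"],
                record["forwarded_for"],
            )
        return result


def demo_app(environ, start_response):
    """Constructed stand-in for the Django app: two routes, everything else 404."""
    routes = {"/": b"home", "/docs/": b"docs index"}
    body = routes.get(environ["PATH_INFO"])
    if body is None:
        start_response("404 NOT FOUND", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def simulate_request(app, path, host="mysite.com", method="GET", query=""):
    """Drive a WSGI app with a constructed environ (no server needed); returns (status, body)."""
    environ = {
        "REQUEST_METHOD": method, "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
        "SERVER_NAME": "127.0.0.1", "SERVER_PORT": "8888", "SERVER_PROTOCOL": "HTTP/1.1",
        "HTTP_HOST": host, "HTTP_X_FORWARDED_FOR": "203.0.113.7",  # constructed client address
        "wsgi.version": (1, 0), "wsgi.url_scheme": "http", "wsgi.input": BytesIO(b""),
        "wsgi.errors": sys.stderr, "wsgi.multithread": False, "wsgi.multiprocess": True,
        "wsgi.run_once": False,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# In production wrap the Django app instead (hypothetical module name):
#   from myproject.wsgi import application as django_app
#   application = RequestTrace(django_app)
# and start it with:  gunicorn -b 127.0.0.1:8888 wsgi_trace:application
application = RequestTrace(demo_app)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for path in ("/", "/docs/", "/missing"):
        print(simulate_request(application, path))
```

Reading the logged line next to the nginx access log shows whether the 404 is nginx's or the application's, and whether the path and Host that reach Django are the ones its URL configuration expects.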

Why is pfSense blocking multicast traffic when it is explicitly enabled?

Posted: 08 Apr 2021 07:19 PM PDT

I have a pair of pfSense firewall/routers set up in a CARP/XML Config cluster. On the LAN side, the switch also has a pair of servers running corosync/pacemaker/drbd. These are on a different IP network, but still generate multicast packets.

For the life of me, I cannot get pfSense to allow the packets. I tried using the easy rule button, but that failed. I also added a rule that allows all ports, all addresses with a destination of the multicast address, and enabled "allowopts" and "nostate"; all to no avail. The traffic is still stopped by the default rule. Any idea what I might be doing wrong?

Here is a shot of the rules (and yes, they've been reloaded a few times): Firewall Rules screenshot

I've also tried "no state." The rule under the title there is the Easy-Rule, and it chose the 239 address for both the source and destination; the src port is * and the dest port is 5405.

Here is the log showing the rejection by the default rule: Firewall Log screenshot

It's worth noting that it originally showed the scrubbing rule was also blocking, so I disabled the packet fragment scrubbing.

Stop nginx from trimming file name in directory list?

Posted: 08 Apr 2021 05:54 PM PDT

Just a quick question:

How can I prevent nginx from trimming file names with "..." in the directory listing?

GPO Comparison Tool

Posted: 08 Apr 2021 06:09 PM PDT

Does anyone know of a GPO comparison tool, preferably free (or cheap)?

I need to compare settings from two GPOs to see what's missing in the target GPO.

edit: just to clarify, I need a tool which can compare the settings for me. I can do it manually, but it is cumbersome and also has the potential for me to make mistakes.
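The comparison the post asks for can be done offline against the XML that `Get-GPOReport -ReportType Xml` exports for each GPO. The following is an added example, not code from the post or from any vendor tool: it flattens each report into path-to-value leaves and lists what the source GPO has that the target is missing or sets differently (and the reverse). The flattening is schema-agnostic, so it does not depend on the exact report layout; the two sample reports are constructed and only loosely modelled on a report's Computer/ExtensionData/Policy structure, and the list of metadata paths to ignore is an assumption to extend for your own reports.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the post or any vendor tool. Compares two GPO XML reports
# (output of Get-GPOReport -ReportType Xml) by flattening each into path -> value leaves,
# so it does not depend on the exact report schema. The samples are constructed and only
# loosely modelled on a report's Computer/ExtensionData/Policy layout.

# Report metadata that legitimately differs between two GPOs (assumed element names; extend as needed).
DEFAULT_IGNORE = ("/GPO/Name", "/GPO/Identifier", "/GPO/CreatedTime", "/GPO/ModifiedTime", "/GPO/ReadTime")


def _local(tag):
    """'{namespace}Policy' -> 'Policy'."""
    return tag.rsplit("}", 1)[-1]


def flatten(xml_text):
    """Flatten XML into {path: value}. An element with a <Name> child gets that name in
    its path segment, so like-named siblings (many <Policy> entries) stay distinct;
    attributes become 'path@attr' leaves."""
    leaves = {}

    def walk(elem, parent_path):
        seg = _local(elem.tag)
        if parent_path:  # the root keeps its bare tag so differently named GPOs line up
            for child in elem:
                if _local(child.tag) == "Name" and (child.text or "").strip():
                    seg += f"[{child.text.strip()}]"
                    break
        path = f"{parent_path}/{seg}"
        for attr, value in sorted(elem.attrib.items()):
            leaves[f"{path}@{_local(attr)}"] = value
        text = (elem.text or "").strip()
        if text and len(elem) == 0:
            leaves[path] = text
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return leaves


def compare_gpos(source_xml, target_xml, ignore=DEFAULT_IGNORE):
    """Settings in the source GPO that are missing or different in the target, and extras in the target."""
    src = {p: v for p, v in flatten(source_xml).items() if not p.startswith(ignore)}
    dst = {p: v for p, v in flatten(target_xml).items() if not p.startswith(ignore)}
    return {
        "missing_in_target": sorted(p for p in src if p not in dst),
        "different": sorted((p, src[p], dst[p]) for p in src if p in dst and src[p] != dst[p]),
        "only_in_target": sorted(p for p in dst if p not in src),
    }


# Constructed sample reports (not real exports).
SOURCE_GPO = """<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Baseline-Servers</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension type="SecuritySettings">
        <Policy><Name>MinimumPasswordLength</Name><SettingNumber>14</SettingNumber></Policy>
        <Policy><Name>LockoutBadCount</Name><SettingNumber>10</SettingNumber></Policy>
        <Policy><Name>Audit: Force audit policy subcategory settings</Name><SettingBoolean>true</SettingBoolean></Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"""

TARGET_GPO = """<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Baseline-Servers-Target</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension type="SecuritySettings">
        <Policy><Name>MinimumPasswordLength</Name><SettingNumber>8</SettingNumber></Policy>
        <Policy><Name>Audit: Force audit policy subcategory settings</Name><SettingBoolean>true</SettingBoolean></Policy>
        <Policy><Name>ClearTextPassword</Name><SettingBoolean>false</SettingBoolean></Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python gpo_diff.py source.xml target.xml
        src_xml, dst_xml = (open(p, encoding="utf-8-sig").read() for p in sys.argv[1:3])
    else:
        src_xml, dst_xml = SOURCE_GPO, TARGET_GPO
    for kind, items in compare_gpos(src_xml, dst_xml).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The `[Name]` suffix in each path is a heuristic: it keeps the many like-named `Policy` elements apart, but two settings with the same name under the same parent would collide, so check such cases by hand.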

IIS7 hundreds of connections in CLOSE_WAIT

Posted: 08 Apr 2021 05:14 PM PDT

I have a .Net application on my IIS7 server; it was working fine until I had to move it to another server.

I moved the exact same code to the new server and noticed that after some hours the website stopped responding to remote requests, but if I did remote desktop to the server it still responded to requests made to localhost. If I stopped the website and the application pool, it started working fine again.

I was able to track the problem to hundreds of requests left in CLOSE_WAIT state to the http port that are never closed (I waited a few hours and they remain the same).

Any ideas?

Setting up PerformancePoint Services on Sharepoint 2010: connection errors

Posted: 08 Apr 2021 08:02 PM PDT

I have tried to setup PerformancePoint Services on SharePoint 2010, but every time I try to use the dashboard designer, I get this error:

"An error has occurred attempting to contact the specified SharePoint site"

I have tried these steps, but it hasn't helped. Any ideas?

The event log gives the following information:

    WebHost failed to process a request.
    Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/24724999
    Exception: System.ServiceModel.ServiceActivationException: The service '/_vti_bin/client.svc' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection.
    Parameter name: item. ---> System.ArgumentException: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection.
    Parameter name: item
       at System.ServiceModel.UriSchemeKeyedCollection.InsertItem(Int32 index, Uri item)
       at System.Collections.Generic.SynchronizedCollection`1.Add(T item)
       at System.ServiceModel.UriSchemeKeyedCollection..ctor(Uri[] addresses)
       at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
       at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses)
       at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
       --- End of inner exception stack trace ---
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
       at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
    Process Name: w3wp
    Process ID: 2576
