Saturday, November 6, 2021

Recent Questions - Server Fault


How to block sites such as checkip.amazonaws.com

Posted: 06 Nov 2021 08:23 PM PDT

I'd like to find a way to block websites like https://checkip.amazonaws.com or at least restrict them to the point they can no longer output my server's public IP address.

For example, if I do curl https://checkip.amazonaws.com my output would simply be 1.1.1.1 (or in other words, my IP address).

Is there a way to have an app that would inspect the output of each website my server tries to connect to and if the output contains a specific string, it automatically blocks it?

I know a way to block them one by one, but is it possible to block all similar websites based on their output?

But why?!

The reason is simple. There are people hosting game servers on a dedicated server. However, with extensions to those servers, people can easily find the public IP of the machine they are on. The public IP is hidden via reverse proxy for network protection. If a user finds the real IP of a machine, they can use it to perform an attack or do other malicious activities.

Thanks!

Installing fetchmail - Not found in current repositories

Posted: 06 Nov 2021 06:17 PM PDT

Background

This is probably very basic for someone, but I cannot figure this out for the life of me. I wish to simply install fetchmail onto my Raspberry Pi. Using the command sudo apt-get install fetchmail results in the following:


What I have tried

I have tried sudo apt-get update, which goes through the process of updating, then followed with the install command for fetchmail shown above, but got the same result. Per fetchmail's own page, it states that the sources are also available at two repositories: https://gitlab.com/fetchmail/fetchmail and https://sourceforge.net/p/fetchmail/git/

I am not very experienced at adding repositories as my attempts have failed. I did take a look at /etc/apt/sources.list and tried to mimic the one found in here but it just results in errors for me.

I know this is probably very basic for most, but I really can't figure this out, so any help is much appreciated!

Domain pointing to a different IP depending on the port requested

Posted: 06 Nov 2021 08:50 PM PDT

I have a domain currently with an A record pointing to an Amazon EC2 instance IP. This works great. I am hosting a Minecraft server on a different network, therefore from a different public IP. Can I make it so that my domain will direct traffic on port 25565 (Minecraft port) to the public IP of the Minecraft server, and direct web traffic (ports 80 and 443) to the EC2 instance public IP?
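Plain A records cannot split traffic by port, but the Minecraft client looks up an SRV record at _minecraft._tcp.<name> before falling back to the A record, while browsers do not, so the web ports stay with the A record. The zone fragment below is an added example, not from the post; example.com, mc.example.com and the addresses are placeholders:

```zone
; Added example (not from the post). example.com and the addresses are placeholders
; from the documentation ranges; replace them with your own.
;
; Web traffic (80/443) follows the A record to the EC2 instance.
example.com.                 300 IN A   203.0.113.10

; The Minecraft client resolves _minecraft._tcp.<name> as an SRV record first,
; so game traffic (port 25565) can be steered to the host on the other network.
; SRV fields: priority weight port target
_minecraft._tcp.example.com. 300 IN SRV 0 0 25565 mc.example.com.
mc.example.com.              300 IN A   198.51.100.20
```

Note that the SRV target still needs its own A record, so the Minecraft host's public IP remains visible in DNS to anyone who queries it.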

Running Paraview using GCP GPU

Posted: 06 Nov 2021 03:16 PM PDT

I have tried many times to use GCP with GPUS for Paraview, a scientific visualization tool: https://www.paraview.org/download/

The hope was that a GPU could significantly accelerate the speed. We have been using Remote Desktop to access the instance. After many tries (various GPUs: A100, T4, T4 Grid) and various attempts at different NVIDIA driver installations, it just didn't work. When using nvidia-smi to monitor the utilization, the GPUs were never being used (no process), and the visualization performance is not as expected.

Has anyone had experience in successfully using cloud GPU for rendering/visualization? What are the steps needed?

Checking HTTPS service using OpenNMS with specific hostname

Posted: 06 Nov 2021 02:42 PM PDT

I'm new to OpenNMS and freshly installed it today in a VM. So far it seems to work fine; however, I do have a problem with it monitoring HTTPS services / websites.

I created a new "Provisioning Requisition" with two nodes inside. This actually fits the real-world representation, since the two nodes are hosted on the same ESXi host.

I'd now like to check whether specific websites on them are reachable. The standard HTTPS service however is showing "down" on one of the nodes, since the requests are sent out without the appropriate hostname.

I've seen that I can configure the hostname header for the HTTPS service, but that seems to be for both nodes. I've also tried to add a new service on which I've then set the parameter. But that results in the service "not being monitored" on the host that I add it to.

Can someone help me out here? I've already tried digging around but can't seem to find a solution :/

Thanks in advance

Which versions of Ubuntu share /etc/sysctl.conf compatibility?

Posted: 06 Nov 2021 02:30 PM PDT

I am looking to secure my Ubuntu 18.04 LTS server and have found a nice script, but it was designed for Ubuntu 20.04 LTS, which includes changes to /etc/sysctl.conf. Which versions of Ubuntu (or Linux in general) share /etc/sysctl.conf compatibility? Can I use the script's /etc/sysctl.conf for Ubuntu 20.04 on my Ubuntu 18.04?
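Whether a sysctl.conf "works" on another release comes down to whether each key exists under /proc/sys on that kernel, which can be checked before running sysctl -p. The script below is an added example, not from the post or the script it mentions; it takes a sysctl.conf-style file and an optional root directory (used in place of /proc/sys so the check can be tried offline), and assumes keys use dots or slashes as separators:

```sh
#!/bin/sh
# check_sysctl_keys CONF [SYSROOT]
# Pre-flight check before applying a sysctl.conf written for another release:
# every "key = value" line is looked up under /proc/sys (or under SYSROOT, a
# directory tree substituted here so the check can be exercised offline) and
# reported as "ok" or "missing". Returns the number of missing keys.
# Assumption: keys use dots or slashes as separators; interface names that
# themselves contain dots (net.ipv4.conf.eth0.100.rp_filter) are not handled.
check_sysctl_keys() {
  conf="$1"
  sysroot="${2:-/proc/sys}"
  missing=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}            # drop comments (both comment styles)
    line=${line%%;*}
    case "$line" in
      *=*) ;;                   # only "key = value" lines are of interest
      *)   continue ;;
    esac
    key=${line%%=*}
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    key=${key#-}                # a leading "-" tells sysctl to ignore errors
    [ -n "$key" ] || continue
    path="$sysroot/$(printf '%s' "$key" | tr . /)"
    if [ -e "$path" ]; then
      printf 'ok       %s\n' "$key"
    else
      printf 'missing  %s\n' "$key"
      missing=$((missing + 1))
    fi
  done < "$conf"
  return "$missing"
}

# Stand-alone usage: check this host's own file against its running kernel.
if [ -r /etc/sysctl.conf ]; then
  check_sysctl_keys /etc/sysctl.conf || echo "$? key(s) not present on this kernel"
fi
```

A key reported as missing on 18.04 is the one to drop or wrap with a leading "-" (ignore errors) before reusing the 20.04 file.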

Does Linux md-raid store backup metadata anywhere on the disk?

Posted: 06 Nov 2021 02:37 PM PDT

I know that with ext2/3/4 and other filesystems, copies of the superblock are stored throughout the disk in case the primary superblock is corrupted (https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout).

With md-raid (software RAID), the superblock is stored either at the beginning or end of the disk, depending on which metadata version is used (https://raid.wiki.kernel.org/index.php/RAID_superblock_formats#Sub-versions_of_the_version-1_superblock):

Sub-Version   Superblock Position on Device
0.9           At the end of the device
1.0           At the end of the device
1.1           At the beginning of the device
1.2           4K from the beginning of the device

Suppose there is a disk failure and the md superblock is corrupted. Does md-raid store a backup superblock anywhere on the disk?

(My guess would be "no", because this would require cooperation between md-raid and the filesystem. Filesystems have come a long way since raid support was added to Linux, so it seems plausible someone might have come up with a way to make this work).

DNS zone transfer timed out: AXFR and TCP timed out on Ubuntu server

Posted: 06 Nov 2021 03:34 PM PDT

I had a strange problem on an Ubuntu server on a VPS. I installed Bind9 (using repos, compiling it) and configured it as master for zone transfer.

Problem:

After that I ran a slave DNS server, and the slave DNS server can't forward the zone from the master. After hours of searching and trying I found out that the master server won't accept AXFR (TCP) requests, but it has many websites on it that work over HTTP (TCP, of course), and if I shut down bind9 on port 53 the master server will refuse "DIG @xxx.xxx.xxx.xxx fooo.com" from the client, but when I run bind9 the UDP requests are OK and TCP requests time out.

An even stranger thing is that the server accepts TCP (AXFR) requests from localhost (inside an SSH session) but outside requests time out. Don't tell me about the firewall please. I flushed iptables, disabled ufw and even ran a website on port 53 and I got it on the client PC with curl; even the outcome of the client request is different when I start the bind9 service and when I stop it... After that I used tcpdump and saw the client request on the server.

I did a TCP reverse proxy using nginx, ran bind9 on port 5353 and proxied it to port 53 using nginx, but the problem stays as hard as it can (UDP OK but TCP (AXFR) not).

I did the exact same process on 3 or 4 Linux machines and all of them work great (1 native Ubuntu and 2 or 3 WSL); all of them were OK from localhost and the internet (WAN). I even copied the entire sysctl.conf (differences) of a native Ubuntu to the server, but it was not helpful. I don't know why AXFR requests time out.

I used dig and Windows Server as clients and they both failed, but when I used bind9 in the slave DNS server it was OK and succeeded in getting the zone from the master (I think it is using IXFR to transfer. I know you guys are telling me zone transfers are an AXFR job, but I don't know how this is even possible).

I use "DIG @xxx.xxx.xxx.xxx fooo.com +tcp or axfr" for TCP and "DIG @xxx.xxx.xxx.xxx fooo.com ixfr" for UDP requests.

Sorry for the bad English, by the way.

Edit 1: tested OS: Ubuntu 20.04, 21.04, 21.10; bind9 versions 9.16.8, 9.16.15, 9.17.19 & ...

Dig queries:

dig @xxx.xxxx.xxx.xxx foooo.com axfr

; <<>> DiG 9.16.1-Ubuntu <<>> @xxx.xxx.xxx.xxx asdsadas.ir axfr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

;; Warning, ixfr requires a serial number

; <<>> DiG 9.16.1-Ubuntu <<>> @xxx.xxx.xxx.xxx fooooo.com ixfr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d97fd61b1a8e296f010000006186fc8ddc1e9ada8992bd3f (good)
;; QUESTION SECTION:
;foooo.com.                     IN      A

foooo.com.              604800  IN      A       xxx.xxx.xxx.xxx

;; Query time: 96 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Sun Nov 07 01:45:32 +0330 2021
;; MSG SIZE  rcvd: 80

How to tell Debian to cache USB stick IO more aggressively?

Posted: 06 Nov 2021 02:52 PM PDT

I'm trying to find a way to speed up my IO to/from a USB stick on my Debian system, maybe with some caching.

Background: I've written a script that does debootstrap, i.e. installing a Debian system to some disk. I want to use that mostly for USB sticks. But it's terribly slow (I don't know why, but it's a different topic). I found a way to make it faster by more than an order of magnitude: execute the procedure on a loop device instead, backed by some temporary image file on the hard drive. Then dd that image to the USB stick afterwards.

My question: Can I make that equally fast (or even faster?) without that temporary image file on the harddrive? It's not trivial to estimate how large it has to be. To me it feels more complicated than it should be. And slower than it has to be. There is enough RAM, and a big swap space. Can I tell the kernel to cache all that more aggressively, when I just run the procedure directly on the USB stick? It could actually do all that in RAM, and just write to the stick in background, as fast as possible, but without blocking my procedure. In the end I would run sync, wait for it, and unplug the stick.

Ideally it should be something non-invasive. Custom kernels aren't an option, and I'm not going to reconfigure my global system settings in ways that are problematic (it's my main workstation and I don't want to make it less reliable).

sftp server throws Permission denied (publickey)

Posted: 06 Nov 2021 05:03 PM PDT

I'm setting up a WordPress site on an Apache server with SFTP enabled.

After configuring everything necessary in /etc/vsftpd.conf, I generated SSH keys with ssh-keygen -t rsa, which produced private and public keys.

I can confirm sftp server is running by running systemctl status vsftpd:

● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-03 11:10:44 UTC; 1h 22min ago
   Main PID: 605 (vsftpd)
      Tasks: 1 (limit: 4713)
     Memory: 1.3M
     CGroup: /system.slice/vsftpd.service
             └─605 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 03 11:10:44 blog systemd[1]: Starting vsftpd FTP server...
Jun 03 11:10:44 blog systemd[1]: Started vsftpd FTP server.

sftp -vvv newftpuser@127.0.0.1 returns:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/50-cloudimg-settings.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-cloudimg-settings.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 127.0.0.1 is address
debug2: ssh_connect_direct
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/mark/.ssh/id_rsa type 0
debug1: identity file /home/mark/.ssh/id_rsa-cert type -1
debug1: identity file /home/mark/.ssh/id_dsa type -1
debug1: identity file /home/mark/.ssh/id_dsa-cert type -1
debug1: identity file /home/mark/.ssh/id_ecdsa type -1
debug1: identity file /home/mark/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mark/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/mark/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/mark/.ssh/id_ed25519 type -1
debug1: identity file /home/mark/.ssh/id_ed25519-cert type -1
debug1: identity file /home/mark/.ssh/id_ed25519_sk type -1
debug1: identity file /home/mark/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/mark/.ssh/id_xmss type -1
debug1: identity file /home/mark/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:22 as 'newftpuser'
debug3: hostkeys_foreach: reading file "/home/mark/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mark/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 127.0.0.1
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:VoKLp0efIZDYddCrvaGWGxEwjOm/lY8zmZP+7qvBmG0
debug3: hostkeys_foreach: reading file "/home/mark/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mark/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 127.0.0.1
debug1: Host '127.0.0.1' is known and matches the ECDSA host key.
debug1: Found key in /home/mark/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/mark/.ssh/id_rsa RSA SHA256:QUf6bnT6YZ4Q5EWKbfGIo4iTVkb1yMb4MsuDqYe1nos
debug1: Will attempt key: /home/mark/.ssh/id_dsa
debug1: Will attempt key: /home/mark/.ssh/id_ecdsa
debug1: Will attempt key: /home/mark/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/mark/.ssh/id_ed25519
debug1: Will attempt key: /home/mark/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/mark/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/mark/.ssh/id_rsa RSA SHA256:QUf6bnT6YZ4Q5EWKbfGIo4iTVkb1yMb4MsuDqYe1nos
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/mark/.ssh/id_dsa
debug3: no such identity: /home/mark/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/mark/.ssh/id_ecdsa
debug3: no such identity: /home/mark/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/mark/.ssh/id_ecdsa_sk
debug3: no such identity: /home/mark/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/mark/.ssh/id_ed25519
debug3: no such identity: /home/mark/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/mark/.ssh/id_ed25519_sk
debug3: no such identity: /home/mark/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/mark/.ssh/id_xmss
debug3: no such identity: /home/mark/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
newftpuser@127.0.0.1: Permission denied (publickey).
Connection closed.

ls .ssh:

authorized_keys  id_rsa  id_rsa.pub  known_hosts  

I can tell from the output that it finds the ssh key OK but it can't work it. It is the first time I'm experiencing this issue so I would be thankful for any pointers.

output from /var/log/auth.log:

Jun  3 12:10:36 blog sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/systemctl status vsftpd
Jun  3 12:10:36 blog sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)
Jun  3 12:10:36 blog sudo: pam_unix(sudo:session): session closed for user root
Jun  3 12:17:01 blog CRON[2039]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 12:17:01 blog CRON[2039]: pam_unix(cron:session): session closed for user root
Jun  3 12:20:58 blog sshd[2057]: Connection closed by authenticating user newftpuser 127.0.0.1 port 53342 [preauth]
Jun  3 12:21:06 blog sshd[2061]: Connection closed by authenticating user newftpuser 127.0.0.1 port 53344 [preauth]
Jun  3 12:32:06 blog sshd[2067]: error: kex_exchange_identification: read: Connection reset by peer
Jun  3 12:33:40 blog sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/bin/systemctl status vsftpd
Jun  3 12:33:40 blog sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)
Jun  3 12:33:40 blog sudo: pam_unix(sudo:session): session closed for user root
Jun  3 12:39:01 blog CRON[2074]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 12:39:01 blog CRON[2074]: pam_unix(cron:session): session closed for user root
Jun  3 12:55:31 blog sshd[2188]: error: kex_exchange_identification: Connection closed by remote host
Jun  3 12:55:31 blog sshd[2187]: error: kex_exchange_identification: Connection closed by remote host
Jun  3 12:55:31 blog sshd[2189]: error: kex_exchange_identification: Connection closed by remote host
Jun  3 12:55:38 blog sshd[2190]: error: kex_exchange_identification: Connection closed by remote host
Jun  3 13:00:35 blog sudo:     mark : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl status sftp
Jun  3 13:00:35 blog sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)
Jun  3 13:00:35 blog sudo: pam_unix(sudo:session): session closed for user root
Jun  3 13:00:39 blog sudo:     mark : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl status sftp-server
Jun  3 13:00:39 blog sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)
Jun  3 13:00:39 blog sudo: pam_unix(sudo:session): session closed for user root
Jun  3 13:00:47 blog sudo:     mark : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl status vsftpd
Jun  3 13:00:47 blog sudo: pam_unix(sudo:session): session opened for user root by mark(uid=0)
Jun  3 13:00:47 blog sudo: pam_unix(sudo:session): session closed for user root
Jun  3 13:09:01 blog CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 13:09:01 blog CRON[2300]: pam_unix(cron:session): session closed for user root
Jun  3 13:17:01 blog CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 13:17:01 blog CRON[2310]: pam_unix(cron:session): session closed for user root
Jun  3 13:25:33 blog sshd[2315]: Invalid user deploy1 from 81.69.190.192 port 54748
Jun  3 13:25:33 blog sshd[2315]: Received disconnect from 81.69.190.192 port 54748:11: Bye Bye [preauth]
Jun  3 13:25:33 blog sshd[2315]: Disconnected from invalid user deploy1 81.69.190.192 port 54748 [preauth]
Jun  3 13:39:01 blog CRON[2371]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 13:39:01 blog CRON[2371]: pam_unix(cron:session): session closed for user root
Jun  3 13:40:08 blog sshd[2466]: Invalid user db2inst from 125.213.128.88 port 54260
Jun  3 13:40:09 blog sshd[2466]: Received disconnect from 125.213.128.88 port 54260:11: Bye Bye [preauth]
Jun  3 13:40:09 blog sshd[2466]: Disconnected from invalid user db2inst 125.213.128.88 port 54260 [preauth]
Jun  3 13:45:07 blog sshd[2470]: Invalid user 6 from 192.241.139.160 port 46130
Jun  3 13:45:07 blog sshd[2470]: Received disconnect from 192.241.139.160 port 46130:11: Bye Bye [preauth]
Jun  3 13:45:07 blog sshd[2470]: Disconnected from invalid user 6 192.241.139.160 port 46130 [preauth]
Jun  3 13:48:40 blog sshd[2473]: Invalid user x-man from 129.204.131.218 port 56358
Jun  3 13:48:41 blog sshd[2473]: Received disconnect from 129.204.131.218 port 56358:11: Bye Bye [preauth]
Jun  3 13:48:41 blog sshd[2473]: Disconnected from invalid user x-man 129.204.131.218 port 56358 [preauth]
Jun  3 13:51:20 blog sshd[2476]: Invalid user gmod from 68.183.137.83 port 40424
Jun  3 13:51:20 blog sshd[2476]: Received disconnect from 68.183.137.83 port 40424:11: Bye Bye [preauth]
Jun  3 13:51:20 blog sshd[2476]: Disconnected from invalid user gmod 68.183.137.83 port 40424 [preauth]
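The auth.log above mixes two things worth telling apart: the poster's own local attempts, which show up as pre-auth disconnects of a known user, and a steady stream of "Invalid user" probes from internet addresses, which is what password-guessing against an exposed sshd looks like. The script below is an added example, not from the post; it reads auth.log lines on stdin and summarises both per source, and runs over a constructed sample modelled on the excerpt above:

```sh
#!/bin/sh
# summarize_sshd_auth: read auth.log lines on stdin and print, per source,
# (a) "Invalid user" probes for usernames that do not exist (the brute-force
#     noise in the log above) and
# (b) pre-auth disconnects of existing users, which is what the failed local
#     sftp attempts look like.
# Output, one record per line:
#   invalid <ip> <attempts> <comma-separated usernames tried>
#   closed  <user> <ip> <attempts>
summarize_sshd_auth() {
  awk '
    /sshd\[[0-9]+\]: Invalid user / {
      # "... Invalid user NAME from IP port N"
      for (i = 1; i <= NF; i++) if ($i == "user") { n = $(i + 1); ip = $(i + 3); break }
      inv[ip]++
      names[ip] = (inv[ip] == 1) ? n : names[ip] "," n
      next
    }
    /sshd\[[0-9]+\]: Connection closed by authenticating user / {
      # "... Connection closed by authenticating user NAME IP port N [preauth]"
      for (i = 1; i <= NF; i++) if ($i == "user") { key = $(i + 1) " " $(i + 2); break }
      closed[key]++
      next
    }
    END {
      for (ip in inv)   printf "invalid %s %d %s\n", ip, inv[ip], names[ip]
      for (k in closed) printf "closed %s %d\n", k, closed[k]
    }' | sort
}

# Constructed sample, modelled on the auth.log excerpt in the post above
# (the 13:46:12 line is added to show several probes from one source).
SAMPLE_AUTH_LOG='Jun  3 12:20:58 blog sshd[2057]: Connection closed by authenticating user newftpuser 127.0.0.1 port 53342 [preauth]
Jun  3 12:21:06 blog sshd[2061]: Connection closed by authenticating user newftpuser 127.0.0.1 port 53344 [preauth]
Jun  3 13:25:33 blog sshd[2315]: Invalid user deploy1 from 81.69.190.192 port 54748
Jun  3 13:25:33 blog sshd[2315]: Disconnected from invalid user deploy1 81.69.190.192 port 54748 [preauth]
Jun  3 13:40:08 blog sshd[2466]: Invalid user db2inst from 125.213.128.88 port 54260
Jun  3 13:45:07 blog sshd[2470]: Invalid user 6 from 192.241.139.160 port 46130
Jun  3 13:46:12 blog sshd[2471]: Invalid user admin from 192.241.139.160 port 46188
Jun  3 13:48:40 blog sshd[2473]: Invalid user x-man from 129.204.131.218 port 56358'

# Runs the summary over the sample; usable stand-alone or on a real file with
#   summarize_sshd_auth < /var/log/auth.log
demo_summary() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | summarize_sshd_auth
}

demo_summary
```

The "closed newftpuser 127.0.0.1 2" record is the local key rejection seen in the ssh -vvv output; the "invalid" records are the sources a fail2ban-style rule would act on.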

How to change Samba idmap mathematically for all files and folders in order to keep ACLs and perms?

Posted: 06 Nov 2021 02:52 PM PDT

I've got an old FreeNAS 9.2 system that has a bunch of Windows shares authenticated via Active Directory services. At some point, the IDMAP by default was changed in TrueNAS for Samba/AD integrations, apparently to fix a bug. In the version of FreeNAS I have it's currently thus:

[image: current idmap]

and in the new installation of TrueNAS 12, it's thus:


I would like to upgrade the system to TrueNAS 12 (and move it to better hardware), but I would also really like to keep all the ACLs and perms in place. Is there a way to mathematically change all the RIDs in all the files in a share on FreeNAS to bump them up to the new range?

Thank you and have a great day.

AADSTS650052: The app needs access to a service ("http://rts.powerapps.com")

Posted: 06 Nov 2021 06:01 PM PDT

I'm trying to debug a RapidCMS site locally. I use AAD to authenticate the user against my domain. For no apparent reason I am now receiving this error when launching my app:

Microsoft Sign in
Sorry, but we're having trouble signing you in.

AADSTS650052: The app needs access to a service ("http://rts.powerapps.com") that your organization "REDACTED" has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

I've never done anything with PowerApps and cannot find any reference to it in the code or on my Azure AD applications.

How to configure PAM to authenticate SSH logins with (password & OTP) or (public key & OTP)

Posted: 06 Nov 2021 09:06 PM PDT

My goal is to develop an ansible playbook to deploy multifactor ssh logins of the type (public key and OTP) or (password and OTP) on Ubuntu Server 18.04 hosts.

I followed the guide here and it largely works. The only issue I had was needing to add auth required pam_permit.so to the end of /etc/pam.d/sshd in order to bypass OTP checks for users without a ~/.google_authenticator file.

This guide is set up to use AuthenticationMethods publickey,password publickey,keyboard-interactive in /etc/ssh/sshd_config which requires a public key for all logins, while the MFA scheme I am trying to implement would allow a password with OTP. However, any other permutation of AuthenticationMethods seems to break authentication completely.

For example, AuthenticationMethods password,keyboard-interface allows users with a ~/.google_authenticator file to login only if they enter in a correct OTP twice in a row, and will allow users without a ~/.google_authenticator file to log in with any string entered as the password.

I've played with a ton of options, but I'm starting to think this type of configuration is impossible (see a similar post here). Why is that the case? I'm becoming more convinced that PAM is the culprit here, but I don't understand why AuthenticationMethods publickey,keyboard-interface password,keyboard-interface doesn't work out of the box.

Here is my /etc/pam.d/sshd:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
# Commented out by me @include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_s$

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

### Added by me ###
auth required pam_google_authenticator.so nullok
auth required pam_permit.so

and my /etc/ssh/sshd_config:

#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)

### changed by me ###----------------------------------------------------------------
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

### Added by me ###------------------------------------------------------------------
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
PasswordAuthentication yes

iptables v1.8.2 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

Posted: 06 Nov 2021 04:08 PM PDT

On Debian 10, I am trying to apply the following iptables rules:

ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j V2RAY

iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j V2RAY_MASK

but the last rule fails with this error:

iptables v1.8.2 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

Missing package `udunits2` on CentOS

Posted: 06 Nov 2021 08:03 PM PDT

I'd like to use gganimate, but it requires the package sf.

I tried to install, but I get this error.

configure: error: in `/tmp/RtmpEpee0m/R.INSTALL282e663ea13f/units':
configure: error:
--------------------------------------------------------------------------------
  Configuration failed because libudunits2.so was not found. Try installing:
    * deb: libudunits2-dev (Debian, Ubuntu, ...)
    * rpm: udunits2-devel (Fedora, EPEL, ...)
    * brew: udunits (OSX)
  If udunits2 is already installed in a non-standard location, use:
    --configure-args='--with-udunits2-lib=/usr/local/lib'
  if the library was not found, and/or:
    --configure-args='--with-udunits2-include=/usr/include/udunits2'
  if the header was not found, replacing paths with appropriate values.
  You can alternatively set UDUNITS2_INCLUDE and UDUNITS2_LIBS manually.
--------------------------------------------------------------------------------
See `config.log' for more details
ERROR: configuration failed for package 'units'
* removing '/home/User/R/x86_64-pc-linux-gnu-library/3.5/units'

I'm on CentOS hosted on EC2 and I'm unable to install libudunits2.so.

I've tried

sudo yum install udunits2-dev
sudo yum install udunits2-devel
sudo yum install udunits2
sudo yum install libcairo2-devel libjpeg8-devel libpango1.0-devel libgif-devel build-essential g++
sudo yum install libcairo2-dev libjpeg8-dev libpango1.0-dev libgif-dev build-essential g++

For each of those commands, I get back No package available

Enable-Bitlocker -TpmProtector via GPO does not work (0x80070522)

Posted: 06 Nov 2021 07:02 PM PDT

I am trying to automate BitLocker in our corporate environment. I have written a script which enables BitLocker, and it works fine if I run it manually, but whenever I deploy it via GPO (startup script), right after

Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector  

I see the following error in the transcript:

Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ...   $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal

Add-TpmProtectorInternal : A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 char:31
+ ...   $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal

I have tried to wrap the PS script with bat file:

powershell.exe -ExecutionPolicy bypass -file "Enable-bitlocker_step2.ps1"  

Enable-bitlocker_step2.ps1 script body:

Start-Process Powershell.exe -ArgumentList '-ExecutionPolicy bypass -File "\\**********\SYSVOL\***********\scripts\Enable Bitlocker.ps1"' -Verb RunAs -ErrorAction SilentlyContinue -WarningAction SilentlyContinue  

The bitlocker script itself:

Start-Transcript -Path \\Melandru\temp\"$env:COMPUTERNAME.txt"

#get computer capability
$OS_edition = Get-WmiObject -Class win32_operatingSystem
$TPM_info = Get-Tpm
$bitlocker_status = Get-BitLockerVolume C:
$gpo_path = "***********\SYSVOL\***********\Policies\{*******-****-****-****-**********}\"

###Pre-requisites###
#if bitlocker is on and encryption method is XtsAes256 - exit, since nothing to do
if (($bitlocker_status.protectionstatus -eq "On") -and ($bitlocker_status.EncryptionMethod -eq "XtsAes256")){
    if ((Get-Content "$($gpo_path)\bitlocker_list.txt") -like "*$($env:COMPUTERNAME)*") {Write-output "Bitlocker key already backed up";exit}
    else{
        $key_protector=(Get-BitLockerVolume C:).keyprotector | ?{$_.KeyProtectorType -eq "Recoverypassword"} | select -expandproperty KeyProtectorId
        Backup-BitLockerKeyProtector -KeyProtectorId $key_protector -MountPoint C:
        exit}
    }
#check if encryption/decryption in progress. If so - exit the script
elseif (($bitlocker_status.volumestatus -eq "EncryptionInProgress") -or ($bitlocker_status.volumestatus -eq "DecryptionInProgress")) {Write-output "Bitlocker encryption/decryption in progress";exit}

###define bitlocker functions###
function remove_old_key_protectors {
    foreach ($keyprotector in $bitlocker_status.keyprotector){
        Remove-BitLockerKeyProtector C: -KeyProtectorId $keyprotector.keyprotectorid
        Write-Output "Removed $($keyprotector.keyprotectorid)"
        }
    Write-Output "Old keys removed"
    }
function enable_bitlocker {
    #add a new key protector - recovery password
    Add-BitLockerKeyProtector -MountPoint C:\ -RecoveryPasswordProtector
    Write-Output "Added password key protector"
    #enable bitlocker
    Enable-BitLocker -MountPoint C:\ -EncryptionMethod XtsAes256 -SkipHardwareTest -UsedSpaceOnly -TpmProtector
    Write-Output "Bitlocker enabled"
    }

#check tpm chip and OS edition
if (($OS_edition.caption -notlike "*ent*") -or ($TPM_info.TPMPresent -ne $True)){write-output "Not compatible";exit}
#if all checks passed - do the script logic
else {
    #Check if bitlocker is enabled and encryption method is not XtsAes256. If so - disable bitlocker
    If (($bitlocker_status.protectionstatus -eq "On") -and ($bitlocker_status.EncryptionMethod -ne "XtsAes256"))  {
        Write-Output "Disabling bitlocker"
        Disable-BitLocker C:
        }
    Elseif ($bitlocker_status.protectionstatus -eq "Off"){
        #check if there's an old protection key and remove it
        if ($bitlocker_status.keyprotector -ne $null) {
        Write-Output "Removing old keys"
        remove_old_key_protectors
        }
        Write-Output "Enabling Bitlocker XtsAes256"
        enable_bitlocker
    }
}
Stop-Transcript -ErrorAction SilentlyContinue

The thing is, if I simply run the bat file manually on a computer, BitLocker gets enabled, but if I add the bat script under Computer Configuration->Policies->Windows Settings->Scripts(Startup/Shutdown)->Startup, I see the error mentioned above. I also tried to push the BitLocker script (without any wrappers) via SCCM, and that works.

I would like to understand which permissions are required, and why.

Apache2 segmentation fault errors after every midnight

Posted: 06 Nov 2021 06:01 PM PDT

I am seeing a strange error with my Ubuntu dev machine. It has been going on for almost a year. Meanwhile I have reinstalled Ubuntu at every release (not just upgraded to the next release).

Every day when I turn on my machine I see these errors in Apache's error log, and my local websites seem awfully slow:

[core:notice]  AH00051: child pid 8467 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8467
[core:notice]  AH00051: child pid 8469 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8469
[core:notice]  AH00051: child pid 8479 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8479
[core:notice]  AH00051: child pid 8481 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8481
[core:notice]  AH00051: child pid 8482 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8482
[core:notice]  AH00051: child pid 8485 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[core:error]  AH00546: no record of generation 0 of exiting child 8485

This goes on until I do a sudo service apache2 restart: after this command apache starts normally and everything works.

I said midnight because it happens every day when I turn on my PC, but because of a huge amount of work I had to work for a few days past midnight, and I noticed that even with my PC already on, this error comes exactly at midnight.

The only thing that comes to my mind is logrotate, which is set to run daily for apache2. I always edit this config file to make Apache's logs user-readable and writable (I need it for a PHP log reader).

/var/log/apache2/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 777 root adm
    sharedscripts
    postrotate
                if invoke-rc.d apache2 status > /dev/null 2>&1; then \
                    invoke-rc.d apache2 reload > /dev/null 2>&1; \
                fi;
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}

Could this be the reason? The only thing that I have modified is that create 777 root adm line...

Java Flight Recorder Docker Container

Posted: 06 Nov 2021 02:07 PM PDT

I want to profile a Java app inside a Docker container with JFR. How do I do so? The application I want to profile is not mine, so I can't alter the Dockerfile or any of the source code.

Docker run cmd:

docker run -itd --privileged --memory="_g" --cpuset-cpus x-y -p p1:p1 -p p2:p2 -p p3:p3 -p p4:p4 -p p5:p5 --net=host -v <hostDirectory>:<containerDirectory> --name=<containerName> <image>

Install package via apt from a live cd to the real system

Posted: 06 Nov 2021 04:53 PM PDT

I can only boot via live CD and I need to install the Debian package firmware-linux-nonfree to my server for it to be able to successfully boot.

How can I do this? Would chroot help me?

freeradius gives "no shared cipher" for windows 10 client

Posted: 06 Nov 2021 04:08 PM PDT

I have a working configuration of 802.1X authentication on my switch. The RADIUS server is a freeradius instance with EAP-TLS configured. Everything works fine on Linux (and Android devices), but when I try to hook up a Windows 10 PC I'm getting a strange error from the freeradius server:

<...>
Debug: eap_tls: Continuing EAP-TLS
Debug: eap_tls: Peer sent flags --L
Debug: eap_tls: Peer indicated complete TLS record size will be 174 bytes
Debug: eap_tls: Got complete TLS record (174 bytes)
Debug: eap_tls: [eaptls verify] = length included
Debug: eap_tls: (other): before/accept initialization
Debug: eap_tls: TLS_accept: before/accept initialization
Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Debug: eap_tls: <<< recv TLS 1.2  [length 00a9]
Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Debug: eap_tls: >>> send TLS 1.2  [length 0002]
ERROR: eap_tls: TLS Alert write:fatal:handshake failure
Error: tls: TLS_accept: Error in error
Error: tls: TLS_accept: Error in error
ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): s3_srvr.c[1418]:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
ERROR: eap_tls: System call (I/O) error (-1)
ERROR: eap_tls: TLS receive handshake failed during operation
ERROR: eap_tls: [eaptls process] = fail
<...>

So, it looks like "no shared cipher". Now, to the strange part.

TLSv1.2 is used; when the server replies to a client-hello message, it picks a single cipher suite and the other variable configuration parameters. When a Linux system connects, these parameters are: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null compression, ECDHE curve secp384r1, signature algorithm SHA512+ECDSA.

The interesting part is that this configuration is offered/supported by the Windows system (in its client-hello), but the RADIUS server fails with "no shared cipher". The only differences between these hellos are the TLS extensions: OCSP stapling, session tickets, extended master secret and renegotiation (all from the Windows system, see below).

Is it possible that one of these extensions causes freeradius (and OpenSSL) to reply with "no shared cipher"?

Here is the client-hello packet from the Windows system. Right after this packet the NAS replies with failure.

SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 169
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 165
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: Oct 12, 2016 22:32:27.000000000 MSK
            Random Bytes: cfee7182be38061f0202a3b3ec374724eec7a7eea20270ad...
        Session ID Length: 0
        Cipher Suites Length: 60
        Cipher Suites (30 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 64
        Extension: status_request
            Type: status_request (0x0005)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 8
            Elliptic Curves Length: 6
            Elliptic curves (3 curves)
                Elliptic curve: Unknown (0x001d)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp384r1 (0x0018)
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 20
            Signature Hash Algorithms Length: 18
            Signature Hash Algorithms (9 algorithms)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0203
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0202
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0603
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
        Extension: SessionTicket TLS
            Type: SessionTicket TLS (0x0023)
            Length: 0
            Data (0 bytes)
        Extension: Extended Master Secret
            Type: Extended Master Secret (0x0017)
            Length: 0
        Extension: renegotiation_info
            Type: renegotiation_info (0xff01)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0

Here is the client-hello from a Linux system (working without problems):

SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 293
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 289
        Version: TLS 1.2 (0x0303)
        Random
            GMT Unix Time: May 18, 2087 18:43:39.000000000 MSK
            Random Bytes: a8052b4f8ba5439503d03da61ea2eaad449c9c3a3e9f2ac6...
        Session ID Length: 0
        Cipher Suites Length: 172
        Cipher Suites (86 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
            Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
            Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
            Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
            Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
            Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
            Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
            Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
            Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
            Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
            Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
            Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
            Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
            Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
            Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
            Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
            Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
            Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
            Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
            Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
            Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
            Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
            Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 76
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 4
            EC point formats Length: 3
            Elliptic curves point formats (3)
                EC point format: uncompressed (0)
                EC point format: ansiX962_compressed_prime (1)
                EC point format: ansiX962_compressed_char2 (2)
        Extension: elliptic_curves
            Type: elliptic_curves (0x000a)
            Length: 28
            Elliptic Curves Length: 26
            Elliptic curves (13 curves)
                Elliptic curve: secp256r1 (0x0017)
                Elliptic curve: secp521r1 (0x0019)
                Elliptic curve: brainpoolP512r1 (0x001c)
                Elliptic curve: brainpoolP384r1 (0x001b)
                Elliptic curve: secp384r1 (0x0018)
                Elliptic curve: brainpoolP256r1 (0x001a)
                Elliptic curve: secp256k1 (0x0016)
                Elliptic curve: sect571r1 (0x000e)
                Elliptic curve: sect571k1 (0x000d)
                Elliptic curve: sect409k1 (0x000b)
                Elliptic curve: sect409r1 (0x000c)
                Elliptic curve: sect283k1 (0x0009)
                Elliptic curve: sect283r1 (0x000a)
        Extension: signature_algorithms
            Type: signature_algorithms (0x000d)
            Length: 32
            Signature Hash Algorithms Length: 30
            Signature Hash Algorithms (15 algorithms)
                Signature Hash Algorithm: 0x0601
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0602
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0603
                    Signature Hash Algorithm Hash: SHA512 (6)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0501
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0502
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0503
                    Signature Hash Algorithm Hash: SHA384 (5)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0401
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0402
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0403
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0301
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0302
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0303
                    Signature Hash Algorithm Hash: SHA224 (3)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Hash Algorithm: 0x0201
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: RSA (1)
                Signature Hash Algorithm: 0x0202
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: DSA (2)
                Signature Hash Algorithm: 0x0203
                    Signature Hash Algorithm Hash: SHA1 (2)
                    Signature Hash Algorithm Signature: ECDSA (3)

The server-hello for the linux system (with the negotiated parameters):

Version: 802.1X-2001 (1)
Type: EAP Packet (0)
Length: 558
Extensible Authentication Protocol
    Code: Request (1)
    Id: 183
    Length: 558
    Type: TLS EAP (EAP-TLS) (13)
    EAP-TLS Flags: 0x80
        1... .... = Length Included: True
        .0.. .... = More Fragments: False
        ..0. .... = Start: False
    EAP-TLS Length: 1562
    [2 EAP-TLS Fragments (1562 bytes): #6(1014), #8(548)]
        [Frame: 6, payload: 0-1013 (1014 bytes)]
        [Frame: 8, payload: 1014-1561 (548 bytes)]
        [Fragment Count: 2]
        [Reassembled EAP-TLS Length: 1562]
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 57
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 53
                Version: TLS 1.2 (0x0303)
                Random
                    GMT Unix Time: Jun 23, 2069 22:43:44.000000000 MSK
                    Random Bytes: f55c140ff16bab468b8f5d2f21e3cc8237090f9eebf23476...
                Session ID Length: 0
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Compression Method: null (0)
                Extensions Length: 13
                Extension: renegotiation_info
                    Type: renegotiation_info (0xff01)
                    Length: 1
                    Renegotiation Info extension
                        Renegotiation info extension length: 0
                Extension: ec_point_formats
                    Type: ec_point_formats (0x000b)
                    Length: 4
                    EC point formats Length: 3
                    Elliptic curves point formats (3)
                        EC point format: uncompressed (0)
                        EC point format: ansiX962_compressed_prime (1)
                        EC point format: ansiX962_compressed_char2 (2)
        TLSv1.2 Record Layer: Handshake Protocol: Certificate
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 1155
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1151
                Certificates Length: 1148
                Certificates (1148 bytes)
                    REDACTED
        TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 247
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 243
                EC Diffie-Hellman Server Params
                    Curve Type: named_curve (0x03)
                    Named Curve: secp384r1 (0x0018)
                    Pubkey Length: 97
                    Pubkey: 0409c1e40a860e38d72cc95fe4bed9bc01b2874f79fa74d3...
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Length: 138
                    Signature: 30818702414f82bf2dc1f20e19ca281784a1023607d4ae4f...
        TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 83
            Handshake Protocol: Certificate Request
                Handshake Type: Certificate Request (13)
                Length: 75
                Certificate types count: 3
                Certificate types (3 types)
                    Certificate type: RSA Sign (1)
                    Certificate type: DSS Sign (2)
                    Certificate type: ECDSA Sign (64)
                Signature Hash Algorithms Length: 30
                Signature Hash Algorithms (15 algorithms)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0602
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0502
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0402
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0301
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0302
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0303
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                Distinguished Names Length: 37
                    REDACTED
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0

URL Redirection in Haproxy.cfg

Posted: 06 Nov 2021 03:03 PM PDT

I am trying to redirect a URL in my haproxy.cfg file and am not sure where to start. My goal is that whenever I go to https://website/text it gets redirected to https://website/#/text/conversation, and the same thing with voice. How exactly can I do this? I am using HAProxy version 1.5.14. Below is what I have tried, but it's not working as I want it to.

frontend HTTPS_IN
  acl host_connect hdr(host) -i website.com
  acl path_voice path_beg -i /voice
  redirect location https://website/#/voice/voicemail if path_voice
  acl path_text path_beg -i /text
  redirect location https://website/#/text/conversation if path_text
  use_backend voice if path_voice
  use backend voice if host_connect
  use_backend text if path_text

Am I on the right path at all? If not, can you guys please help me out?

Thanks!
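An added example, not the question's own configuration and not code from the HAProxy project. It shows the pitfall the posted frontend runs into: in haproxy.cfg an unescaped `#` starts a comment (the configuration parser only keeps a hash written as `\#`), so `redirect location https://website/#/text/conversation` is read as `redirect location https://website/` and the fragment never reaches the browser. The corrected frontend writes the fragment as `\#` and fixes the `use backend` typo (the keyword is `use_backend`). The host names are the placeholders from the question, and the small lint function counts redirect lines that still carry a bare `#`; it assumes POSIX sh with grep -E.

```shell
#!/bin/sh
# Added example, not the question's own config. In haproxy.cfg an unescaped '#'
# starts a comment, so everything after it on a redirect line is dropped.

# The frontend as posted in the question (a copy, kept for comparison).
original_frontend() {
cat <<'EOF'
frontend HTTPS_IN
  acl host_connect hdr(host) -i website.com
  acl path_voice path_beg -i /voice
  redirect location https://website/#/voice/voicemail if path_voice
  acl path_text path_beg -i /text
  redirect location https://website/#/text/conversation if path_text
  use_backend voice if path_voice
  use backend voice if host_connect
  use_backend text if path_text
EOF
}

# Corrected frontend: '\#' keeps the fragment in the Location header, and
# "use backend" (a typo, not a keyword) becomes use_backend. The use_backend
# lines guarded by path_voice/path_text are dropped because the redirect for
# the same ACL always fires first, so they could never be reached.
corrected_frontend() {
cat <<'EOF'
frontend HTTPS_IN
  acl host_connect hdr(host) -i website.com
  acl path_voice   path_beg -i /voice
  acl path_text    path_beg -i /text
  redirect location https://website/\#/voice/voicemail   if path_voice
  redirect location https://website/\#/text/conversation if path_text
  use_backend voice if host_connect
EOF
}

# Lint: count redirect lines whose target still contains a bare '#'.
# Reads a config on stdin and prints the number of offending lines.
unescaped_hash_redirects() {
    grep -E '^[[:space:]]*redirect[[:space:]]' | grep -cE '[^\\]#' || true
}

# Usage: original_frontend | unescaped_hash_redirects   (prints 2)
#        corrected_frontend | unescaped_hash_redirects  (prints 0)
```

`haproxy -c -f haproxy.cfg` will not catch this, because the truncated line `redirect location https://website/` is still valid syntax; the lint above, or simply curl -I against the frontend and reading the Location header, is what shows the missing fragment.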

Add all network users to local group for specific hosts in CentOS7

Posted: 06 Nov 2021 08:03 PM PDT

How would I add a network (sssd-ldap) user to a local group?
More specifically, how can I add all network users who log into a system to a local group?

It doesn't look like authconfig has a setting to add pam_group (unlike pam_access) and pam_group isn't there by default. I can edit the various pam files by hand, but if authconfig is run again, this is liable to lead to trouble.

In a sense I'm looking for the inverse of this question, though I'm using rfc2703bis schema (not that that should make a difference).

Unlike this question, I'm looking to add the users to pre-existing local groups, e.g. libvirt or tcpdump.

I'm aware that I can edit /etc/group for each new user, but I'm looking for something more robust. Making sure the pam stack includes pam_group would be less problematic than that.
This is actually what I'm doing already, but having to re-run the ansible play to do this every time a user is added or removed from the directory is a bit much.

Using group: files [SUCCESS=merge] sss doesn't seem to be an option yet as it was added in glibc 2.24, while CentOS7 uses glibc-2.17-106.el7_2.8 and I can't find any back port notes for this feature. It's still not an idle option though.
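An added example (not from the question, and not code from the sssd or authconfig projects): two idempotent shell helpers that put pam_group into a PAM service file and add a /etc/security/group.conf rule, so every user who logs in through that service joins pre-existing local groups without anyone editing /etc/group. Assumptions: the group.conf field order services;ttys;users;times;groups from pam_group(8); that authconfig rewrites system-auth and password-auth but leaves per-service files such as /etc/pam.d/sshd alone, so a line placed there survives a re-run; and that file paths are passed as parameters so the helpers can be tried on copies first. Keep the group list minimal: pam_group hands the groups to every matching login, and membership of libvirt is a privileged grant.

```shell
#!/bin/sh
# Added example (not from the question): idempotent helpers to grant local
# groups to every network user at login via pam_group. File paths are
# parameters so the helpers can be exercised on copies before touching /etc.

# Append one pam_group rule unless an identical line is already present.
#   $1 = group.conf path   $2 = PAM service (e.g. sshd)   $3 = groups, comma-separated
# Field order is services;ttys;users;times;groups (pam_group(8)); '*' for ttys
# and users matches every login of that service, Al0000-2400 means "always".
ensure_group_conf_rule() {
    rule="$2;*;*;Al0000-2400;$3"
    grep -qxF -- "$rule" "$1" 2>/dev/null || printf '%s\n' "$rule" >> "$1"
}

# Put "auth optional pam_group.so" in front of the first auth line of a PAM
# service file. pam_group acts in the auth phase, so it must run before the
# session is set up; "optional" keeps logins working if the module fails.
#   $1 = PAM service file (e.g. /etc/pam.d/sshd)
ensure_pam_group() {
    line='auth       optional     pam_group.so'
    grep -qE '^auth[[:space:]]+optional[[:space:]]+pam_group\.so' "$1" 2>/dev/null && return 0
    tmp="$1.tmp.$$"
    awk -v l="$line" '
        /^auth/ && !done { print l; done = 1 }
        { print }
        END { if (!done) print l }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Show which groups a service would receive, for verification.
#   $1 = group.conf path   $2 = PAM service
groups_granted_to() {
    awk -F';' -v svc="$2" '$1 == svc || $1 == "*" { print $5 }' "$1"
}

# Usage on the real files (as root):
#   ensure_pam_group /etc/pam.d/sshd
#   ensure_group_conf_rule /etc/security/group.conf sshd libvirt,tcpdump
#   groups_granted_to /etc/security/group.conf sshd
```

After the change, a fresh ssh login should show the extra groups in `id`; existing sessions are unaffected, since pam_group only changes the supplementary groups of the process it authenticates.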

Using CIS Benchmarks with openscap

Posted: 06 Nov 2021 06:34 PM PDT

I am trying to get CIS Centos 6 benchmarks running with openscap. But it does not work. I am calling it like this:

oscap oval eval  /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml  

which produces tons of output like

File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8464: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10389'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8470: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8476: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8482: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8488: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8494: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8500: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
OpenSCAP Error: Invalid OVAL Definition (5.11) content in /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml. [oscap_source.c:268]

I tried getting around this with the --skip-valid, but that does not help either:

oscap oval eval --skip-valid /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml
OpenSCAP Error: Unknown test type oval:org.cisecurity.benchmarks.o_centos_centos:tst:10003. [oval_test.c:402]
Failed to import the OVAL Definitions from '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml'. [oval_session.c:238]

Has anyone experience running CIS benchmarks with openscap, and if so, how does this work?

Cloning LVM partitions

Posted: 06 Nov 2021 09:58 PM PDT

I need to clone a CentOS installation from a 1TB disk partitioned with LVM, to several identical machines. The disk is mostly empty since only the operating system and some software are installed and configured.

Without LVM I would copy the entire partition table, and then I would clone the partitions one by one using partclone:

sfdisk -d /dev/sda | sed -e 's/sda/sdb/' | sfdisk /dev/sdb
partclone.ext4 -c -s /dev/sda# -o - | partclone.ext4 -r -s - -o /dev/sdb#

However I think it will not work with LVM.

Of course I could just use dd to clone the whole disk:

dd if=/dev/sda of=/dev/sdb  

but it takes too much time compared to partclone.

Is there a way to clone the LVM partitions faster? I think one possible solution is to clone the LVM partitions to regular partitions in another disk using dd, and then clone the new disk to the other machines using partclone. But I do not know if something like this will work:

dd if=/dev/mapper/vg_node07-lv_root of=/dev/sdb1  

Can it work? Can you tell me other solutions?

Limit Number of TCP connections in Linux Server, to avoid attack

Posted: 06 Nov 2021 10:01 PM PDT

I want to limit the number of TCP connections on a Linux server, so I have used the following command:

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

It seems like something is wrong and the desired results are not coming. I get the number of active connections using the following command:

netstat -n | grep ':80' | awk -F' ' '{print $5}' | awk -F':' '{print$1}' | sort | uniq -c | sort -n

Now, When I type the above command, I get the following results.

     44 122.179.103.8
     45 107.167.107.123
     46 120.60.76.201
     48 122.162.172.182
     49 183.87.48.105
     51 122.161.241.33
     71 198.72.112.97
     98 122.168.167.114
    103 122.177.169.21
    134 106.51.130.193
    137 122.165.226.196

As you can see, there are more active TCP connections than the allowed limit of 25. Can someone please help me with the correct command, or tell me what is going wrong here?
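An added example (not from the question) that runs the question's counting pipeline over a constructed `netstat -tn` sample and compares it with a count that only looks at sockets whose local port is exactly 80 and that are actually open. The two disagree for reasons visible in the sample: `grep ':80'` is a substring match, so it also counts port 8080 (and a match in either address column), and netstat lists sockets in every state, including TIME_WAIT, which are leftovers of closed connections rather than parallel ones. Separately, the posted rule only inspects new SYNs and is appended with `-A`, so any earlier ACCEPT in INPUT (an established/related rule or a plain port-80 rule) matches first and the connlimit rule is never consulted. The sample data uses documentation address ranges and is made up.

```shell
#!/bin/sh
# Added example (not from the question). Constructed `netstat -tn` sample with
# the cases that make the posted pipeline over-count: a local port 8080 line
# and TIME_WAIT sockets. All addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      TIME_WAIT
tcp        0      0 10.0.0.5:8080           198.51.100.7:51004      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV'

# The pipeline from the question, applied to the sample: ':80' is a substring
# match (it also hits :8080) and no connection state is filtered out.
count_naive() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | grep ':80' | awk '{print $5}' | awk -F':' '{print $1}' | sort | uniq -c | sort -n
}

# Only sockets whose local port is exactly 80 and that are open or being
# opened (ESTABLISHED / SYN_RECV); TIME_WAIT is what a closed connection leaves behind.
count_open() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | awk '$1 == "tcp" && $4 ~ /:80$/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
                   split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -n
}

# Look up one source address in either report: $1 = naive|open, $2 = IP.
per_ip() {
    case "$1" in
        naive) count_naive ;;
        open)  count_open ;;
    esac | awk -v ip="$2" '$2 == ip { print $1 }'
}

# Checking the rule itself on a live box (commented out; needs root):
# iptables -L INPUT -n -v --line-numbers   # is the connlimit rule above every ACCEPT?
# iptables -I INPUT 1 -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 \
#     --connlimit-mask 32 -j REJECT --reject-with tcp-reset   # insert at the top
```

On the sample, 198.51.100.7 shows 5 under the question's pipeline but only 2 open connections to port 80. On a real server, `ss -tn state established '( sport = :80 )'` gives the same filtered view without the awk, and the packet counters in `iptables -L INPUT -n -v` tell you whether the connlimit rule is matching anything at all.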

Apache 2.2.4 Proxy Balancer Extremely Slow When a Balancemember is down

Posted: 06 Nov 2021 03:03 PM PDT

I am using Apache 2.2.4 as a reverse proxy server in my DMZ. The Proxy Balancer appears to work great when the two BalancerMember servers are up. But if I shut one down, it takes roughly 30-45 seconds to get anything to load on my site every time I load a page. Here is my configuration:

ServerName mywebsite.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

<Proxy balancer://mycluster>
BalancerMember http://10.10.10.10:80/outside loadfactor=1 retry=60
BalancerMember http://10.10.10.11:80/outside loadfactor=1 retry=60
</Proxy>

ProxyPass /outside balancer://mycluster/
ProxyPassReverse /outside balancer://mycluster/

ProxyPass /balancer-manager !

<Location /balancer-manager>
SetHandler balancer-manager
</Location>

The server acts as a reverse proxy for REST services that sit behind it. When I load the web application, it calls the REST services multiple times, so I don't know if that could also be causing the slowness, as the Proxy is getting hit with many requests at once.

filezilla ftp file server not working with microsoft azure

Posted: 06 Nov 2021 05:03 PM PDT

I have installed Filezilla FTP on (Windows 2012 R2 server).

When I try to connect to FTP through my local IP (ftp://localhost), it asks for login credentials. Once I enter them, it connects without any issues. But when I try to connect through my domain (ftp://alagu.in), it asks for login credentials and, once I enter them, it throws the error 425 Can't open data connection for transfer of "/".

The things I have tried to solve this problem, which all failed, are listed below:

  • changing active mode to passive mode
  • adding range of local ports to ports inbound and outbound rules

What am I missing here?

Server logs:

(000157)11/21/2014 11:46:17 AM - (not logged in) (1xx.xx.xx.xxx)> Connected on port 21, sending welcome message...
(000157)11/21/2014 11:46:26 AM - (not logged in) (1xx.xx.xx.xxx)> USER raj
(000157)11/21/2014 11:46:26 AM - (not logged in) (1xx.xx.xx.xxx)> 331 Password required for raj
(000157)11/21/2014 11:46:26 AM - (not logged in) (1xx.xx.xx.xxx)> PASS *****
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 230 Logged on
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> SYST
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 215 UNIX emulated by FileZilla
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> FEAT
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> OPTS UTF8 ON
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 202 UTF8 mode is always enabled. No need to send this command.
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> PWD
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 257 "/" is current directory.
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> TYPE I
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 200 Type set to I
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> PASV
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 227 Entering Passive Mode (100,76,138,36,195,87)
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> CWD /
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 250 CWD successful. "/" is current directory.
(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> LIST
(000157)11/21/2014 11:46:36 AM - raj (1xx.xx.xx.xxx)> 425 Can't open data connection for transfer of "/"
(000157)11/21/2014 11:46:37 AM - raj (1xx.xx.xx.xxx)> disconnected.
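An added example (not from the question, and not FileZilla code) that decodes the 227 reply visible in the log above. In passive mode the server tells the client which address and port to open for the data channel; the reply (100,76,138,36,195,87) means 100.76.138.36 port 195*256+87 = 50007. That address lies in the 100.64.0.0/10 shared address space (RFC 6598), which is not routable from the Internet, so a remote client can never complete the data connection for LIST and the server logs the 425 ten seconds later, while a client on localhost is unaffected. The helper parses any 227 line and flags RFC 1918 and RFC 6598 addresses; it assumes POSIX sh, sed and awk, and the only data it uses is the log line from the question.

```shell
#!/bin/sh
# Added example (not from the question): decode an FTP "227 Entering Passive
# Mode (h1,h2,h3,h4,p1,p2)" reply into the address:port the client will try
# to reach for the data connection, and flag addresses the Internet cannot route.

# $1 = a log line containing a 227 reply; prints "ip:port"
pasv_endpoint() {
    printf '%s\n' "$1" \
        | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' \
        | awk '{ printf "%s:%d\n", $1, $2 * 256 + $3 }'
}

# Exit 0 if the IPv4 address is RFC 1918 private or in the 100.64.0.0/10
# shared address space (RFC 6598), i.e. not reachable from the Internet.
is_unroutable_ip() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10                              { hit = 1 }
        $1 == 172 && $2 >= 16 && $2 <= 31     { hit = 1 }
        $1 == 192 && $2 == 168                { hit = 1 }
        $1 == 100 && $2 >= 64 && $2 <= 127    { hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Combined check for one 227 line: prints "ok ip:port" or "UNROUTABLE ip:port".
check_pasv_line() {
    ep=$(pasv_endpoint "$1")
    ip=${ep%:*}
    if is_unroutable_ip "$ip"; then
        printf 'UNROUTABLE %s\n' "$ep"
    else
        printf 'ok %s\n' "$ep"
    fi
}

# The 227 reply from the question's log (a copy of that line).
LOG_LINE='(000157)11/21/2014 11:46:26 AM - raj (1xx.xx.xx.xxx)> 227 Entering Passive Mode (100,76,138,36,195,87)'

# Usage: check_pasv_line "$LOG_LINE"   -> UNROUTABLE 100.76.138.36:50007
```

The practical consequence is that the server must advertise its public address in passive mode and use a fixed passive port range, and that range (not just port 21) has to be opened on the Windows firewall and on the Azure side; FileZilla Server's passive mode settings cover both the external IP and the port range. Running `check_pasv_line` over a server log is a quick way to confirm the advertised endpoint after the change.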

Exim installed, can send mail but not receive any

Posted: 06 Nov 2021 07:02 PM PDT

I am trying to set up the mail service on my server. I installed exim4 and configured it. I can send emails to any email address, send one from a user to another but not receive any.

When I try to send one from Gmail, I get a mail from the Gmail daemon with the subject Delivery Status Notification (Failure) stating Recipient address rejected: User unknown in relay recipient table.

The user exists for sure because I replied to the mail I first sent from my server.

My MX lookup:

example.org mail is handled by 10 mx2.example.org
example.org mail is handled by 10 mx1.example.org

Any idea on what is going wrong?

Thank you in advance

Share Exchange Calendar with Company Wide Distribution List

Posted: 06 Nov 2021 09:06 PM PDT

I have just created a user/calendar in Exchange 2010 for "Team Lunches." All employees should have editing capabilities to this calendar in order to schedule lunches with their team and for everyone to see when each team is meeting for lunch during the month.

I want to add the distribution list for all company employees as the "-User" to be granted 'Owner' Access Rights.

How do I do this in Exchange Management Shell? (without having to run a command for each employee individually or logging into a thin client and manually adding each employee to the permission list in the team lunch calendar via Outlook?)

Due to new user restrictions, I can't post images.

My command line looks like:

Add-MailboxFolderPermission -Identity teamlunch@DOMAIN.com:\calendar -User AllEmployees@DOMAIN.com -AccessRights Owner  

Error looks like:

The user "AllEmployees@DOMAIN.com" is either not valid SMTP address, or there is no matching information.
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-MailboxFolderPermission], InvalidExternalUserIDException
    + FullyQualifiedErrorId : BFAE0537,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

Do I need to make adjustments in command line or with the distribution list in exchange management console? Any help would be much appreciated. Thanks!

Cygwin OpenSSH Server Error 1062

Posted: 06 Nov 2021 10:01 PM PDT

I tried to setup an OpenSSH Server on my Windows machine. I installed cygwin and the openssh package. Then configured "ssh-host-conf" an

*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [] ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later.  On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: The following privileged accounts were found: 'cyg_server' .

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Please enter the password for user 'cyg_server':
*** Query: Reenter:

*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

When I try to start the sshd daemon I get a 1062 error:

$ cygrunsrv.exe -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
The service has not been started.

Thanks for your help!
