
IPv6 connection dropping on Debian 7

Jonny Barnes asked:

EDIT: I’ve tried something different based on searching around. This is now my /etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This line makes sure the interface will be brought up during boot
auto eth0
allow-hotplug eth0

# The primary network interface
iface eth0 inet static
    address 85.17.141.27
    netmask 255.255.255.0
    gateway 85.17.141.254
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 85.17.150.123 85.17.96.69 85.17.150.123 62.212.64.122
    dns-search localdomain
    # up commands
    up ip addr add 85.17.141.33/24 dev eth0
    up ip -6 addr add 2001:1af8:4100:a00e:4::1/64 dev eth0
    up ip -6 ro add default via 2001:1af8:4100:a00e::1 dev eth0

Then ip addr show eth0 outputs:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether d4:ae:52:c5:d2:1b brd ff:ff:ff:ff:ff:ff
inet 85.17.141.27/24 brd 85.17.141.255 scope global eth0
inet 85.17.141.33/24 scope global secondary eth0
inet6 2001:1af8:4100:a00e:d6ae:52ff:fec5:d21b/64 scope global dynamic 
   valid_lft 2591870sec preferred_lft 604670sec
inet6 2001:1af8:4100:a00e:4::1/64 scope global 
   valid_lft forever preferred_lft forever
inet6 fe80::d6ae:52ff:fec5:d21b/64 scope link 
   valid_lft forever preferred_lft forever

Further, ip -6 ro outputs:

2001:1af8:4100:a00e::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
default via 2001:1af8:4100:a00e::1 dev eth0  metric 1024 
default via fe80::2d0:ff:fe9e:1800 dev eth0  proto kernel  metric 1024  expires 1627sec
default via fe80::2d0:2ff:fe33:3c00 dev eth0  proto kernel  metric 1024  expires 1627sec

Eventually the two default proto kernel routes disappear from the output. My IPv6 connection still dropped at some point over night though. Again, simply running sudo service networking stop && sudo service networking start got everything working again. Those two fe80 routes reappeared as well, not surprising. Anyone have any ideas?

aside: at no point has any IPv4 connectivity had issues.


I answered:

The correct way to configure IPv6 in Debian’s /etc/network/interfaces file is:

iface eth0 inet6 static
        address 2001:1af8:4100:a00e:4::1
        netmask 64
        gateway 2001:1af8:4100:a00e::1

You should not have any of those extra up statements to configure your IPv6 address.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Server problems, running out of RAM, really high load average

CaptSaltyJack asked:

I desperately need help in figuring out how to troubleshoot this problem I’m having. I run a fairly mission critical web server (Debian 7.5, 512MB RAM, 512MB swap, Apache, MySQL). It runs a couple WordPress sites on it. Today I found the websites responding quite slowly, and ssh’d in to find the load average was just above 10.0, and RAM use was at 100% and swap was close to the 512MB limit.

I have no idea how to figure out what’s going on. Is Apache or MySQL not tuned properly? Maybe someone is attacking the server with repeated hits (how would I know?). I installed htop but even if I saw that Apache or MySQL was eating up a ton of resources, how would I figure out why?

Any points in the right direction would be massively appreciated. I’m at a loss here and I have to keep this server stable.

Side note: The server was up for 30 days, so maybe this was some sort of slow leak. Now that I’ve rebooted, load average is at 0.45 1.10 0.88, RAM is 165/512MB and swap is 68/512MB.

UPDATE: Still having issues. I captured a screenshot of htop below.



I answered:

Congratulations, you’ve managed to use nearly all of your swap space.

The first obvious problem here is that you went very deep into swap. This is probably what’s causing the system to thrash so hard (lots of time spent in system, I/O wait and software interrupts).

First thing to do is to reduce the number of Apache processes that are running. You don’t need that many for a small site, and it’s just going to throw you deep into swap and kill your performance…which is what already happened. I would recommend you start very small and increase when it becomes necessary. An example:

StartServers            1
MinSpareServers         1
MaxSpareServers         2
MaxClients              5

This limits you to only serving 5 simultaneous requests (everyone else has to wait in line). If at this point you get warnings from Apache about running out of servers, and you still have RAM to spare, then you can increase them, but you are eventually going to run into a point where your VPS simply hasn’t got enough RAM to handle all your traffic. At that point you should upgrade the VPS.



How to point CNAME to Digital Ocean droplet

asgeo1 asked:

Having an issue trying to point a CNAME to my Digital Ocean droplet

I created a CNAME on DNSimple and pointed it to the IP address of my Digital Ocean droplet: ironman4x4.adamgeorge.com

I’ve tested that it exists:

→  ~  host -t cname ironman4x4.adamgeorge.com
ironman4x4.adamgeorge.com is an alias for 128.199.176.45.

My Digital Ocean droplet was created using this guide:

https://www.digitalocean.com/community/tutorials/how-to-use-the-1-click-ruby-on-rails-on-ubuntu-14-04-image

The 1-click install creates a default site, in which I tried customising the root and server_name options:

server {
        listen   80;
        root /home/rails/current/public;
        server_name _ ironman4x4.*;
        index index.htm index.html;

        client_max_body_size 5M;

        location / {
                try_files $uri/index.html $uri.html $uri @app;
        }

        location ~* ^.+\.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|flv|mpeg|avi)$ {
                try_files $uri @app;
        }

        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass http://app_server;
        }
}

Not sure why it’s not working.

I can’t SSH onto the server via ssh root@ironman4x4.adamgeorge.com, nor does Nginx respond via http://ironman4x4.adamgeorge.com

Not sure why?

Is there anything else I need to configure for either the DNS or the droplet to get this to work?


I answered:

You need to be using an A record, not a CNAME.


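
The answer above is one line because the rule is simple: a CNAME points a name at another name, an A record points a name at an IPv4 address. As an added example (not code from the question or the answer), here is a small zone-fragment checker that catches exactly the mistake in the question, plus the related rule that a name carrying a CNAME may hold no other records. The zone data is constructed with hypothetical names and documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed zone fragment (hypothetical names, RFC 5737/3849 documentation
# addresses), not the asker's real DNSimple zone. The first line reproduces
# the mistake from the question: a CNAME whose target is an IP literal.
ZONE = """
ironman4x4.example.com.  IN CNAME 192.0.2.45      ; wrong: CNAME target is an address
www.example.com.         IN CNAME example.com.    ; fine: alias of another name
example.com.             IN A     192.0.2.10
example.com.             IN AAAA  2001:db8::10
mail.example.com.        IN CNAME example.com.
mail.example.com.        IN A     192.0.2.25      ; wrong: a CNAME must stand alone
"""

def _ip_version(text):
    """4 or 6 for an IP literal, None for anything else (e.g. a hostname)."""
    try:
        return ipaddress.ip_address(text).version
    except ValueError:
        return None

def parse_records(text):
    """Parse 'name IN TYPE target' lines; ';' starts a comment."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"line {lineno}: expected 'name IN TYPE target'")
        records.append((parts[0].lower(), parts[2].upper(), parts[3]))
    return records

def validate_zone(text):
    """Return a list of problems; an empty list means the records are sane."""
    problems = []
    types_at = defaultdict(set)
    for name, rtype, target in parse_records(text):
        types_at[name].add(rtype)
        version = _ip_version(target)
        if rtype == "CNAME" and version is not None:
            problems.append(f"{name}: CNAME target {target} is an IP address; "
                            "use an A (IPv4) or AAAA (IPv6) record to point a name at an address")
        elif rtype == "A" and version != 4:
            problems.append(f"{name}: A record needs an IPv4 address, got {target}")
        elif rtype == "AAAA" and version != 6:
            problems.append(f"{name}: AAAA record needs an IPv6 address, got {target}")
    # RFC 1034 section 3.6.2: a name that has a CNAME may have no other data.
    for name, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{name}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
    return problems

if __name__ == "__main__":
    for problem in validate_zone(ZONE):
        print(problem)
```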

encrypted (luks) partition had some damage – any chance?

inger asked:

I was trying to run the Debian installer on top of an already luks-encrypted partition (I tried to use cryptsetup in the console).

I don’t remember ever saying “yes, destroy data”, but what I see now is that the encrypted partition has turned into a PV (LVM).

Do I have any chance to restore the original?

I don’t know the PV format vs the encrypted partition, so I’m wondering if maybe no real damage was done, or if there is a way to partially restore anything.


I answered:

Debian still hasn’t fixed this bug? I lost data to this five years ago.

Yes, it’s a bug. No, it isn’t fixed. Yes, you’re going to have to restore from backups, and I hope to Gawd you actually have them.



How to check whether my server turned into a spamming machine?

tobi85 asked:

I am suspecting something is sending plenty of mail from my server without my knowledge. I’d like to check whether my machine turned into a spamming server. What is the easiest way to do this?

Related to this, I’d also like to check the CONTENTS of emails sent from my server. Is there such a log and can I turn it on? /var/log/mail.log does not return the content of the emails, and it looks like this:

Oct 23 21:03:26 Ubuntu-1204-precise-64-minimal sendmail[29973]: s9NJ31pS029973: to=root, delay=00:00:19, xdelay=00:00:07, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ37kn029974 Message accepted for delivery)
Oct 23 21:03:38 Ubuntu-1204-precise-64-minimal sm-mta[29977]: s9NJ37kn029974: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:19, xdelay=00:00:07, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
Oct 23 21:06:03 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: from=root, size=343, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xZ030011@Ubuntu-1204-precise-64-minimal>, relay=root@localhost
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: ruleset=check_rcpt, arg1=<root@Ubuntu-1204-precise-64-minimal>, relay=localhost.localdomain [127.0.0.1], reject=553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address root@Ubuntu-1204-precise-64-minimal does not exist
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: to=root, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=30343, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.8, stat=User unknown
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: from=<root@Ubuntu-1204-precise-64-minimal>, size=343, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: s9NJ61xa030011: DSN: User unknown
Oct 23 21:06:12 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rY030014: from=<>, size=2623, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xa030011@Ubuntu-1204-precise-64-minimal>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:13 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xa030011: to=root, delay=00:00:08, xdelay=00:00:02, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ65rY030014 Message accepted for delivery)
Oct 23 21:06:17 Ubuntu-1204-precise-64-minimal sm-mta[30024]: s9NJ65rY030014: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:06, xdelay=00:00:01, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
You have new mail in /var/mail/root

As you can see, some strange messages occur from time to time.

Edit: I got 200 000 unread emails. Here is the newest email I received:

Return-Path: <MAILER-DAEMON>
Received: from Ubuntu-1204-precise-64-minimal (localhost.localdomain [127.0.0.1])
        by fares (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s9NAp3iX021790
        for <root@Ubuntu-1204-precise-64-minimal>; Thu, 23 Oct 2014 12:51:03 +0200
Received: from localhost (localhost)
        by Ubuntu-1204-precise-64-minimal (8.14.4/8.14.4/Submit) id s9NAp1Xu021789;
        Thu, 23 Oct 2014 12:51:03 +0200
Date: Thu, 23 Oct 2014 12:51:03 +0200
From: Mail Delivery Subsystem <MAILER-DAEMON@static.***.clients.***>
Message-Id: <201410231051.s9NAp1Xu021789@Ubuntu-1204-precise-64-minimal>
To: root@Ubuntu-1204-precise-64-minimal
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: O
X-UID: 210004

This is a MIME-encapsulated message

--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal

The original message was received at Thu, 23 Oct 2014 12:51:01 +0200
from root@localhost

   ----- The following addresses had permanent fatal errors -----
root
    (reason: 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender
 address root@Ubuntu-1204-precise-64-minimal does not exist)
    (expanded from: root)

   ----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address
root@Ubuntu-1204-precise-64-minimal does not exist
550 5.1.1 root... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal
Content-Type: message/delivery-status

I answered:

This is just local mail, probably from one of your running services or cron jobs. It’s addressed to root, but the mail server can’t figure out that it’s intended to be local mail, because the hostname Ubuntu-1204-precise-64-minimal can’t be resolved to an address.

To fix this, rename the host to a hostname which resolves to the server’s IP address, or add the IP address and hostname to /etc/hosts.


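
The answer settles what the log above shows (local mail bouncing on an unresolvable hostname), but the first half of the question, whether the box is handing mail to other hosts, is worth a concrete check. As an added example (not code from the question or the answer), here is a parser for the sendmail log format shown above that sorts recipient entries into local deliveries, failures, and deliveries to external relays; the sample mixes three lines from the question with one constructed external delivery.

```python
import re
from collections import Counter

# Sample log: three lines taken from the question (hostname as posted) plus one
# constructed line, the last, showing a delivery to an external relay
# (mx.example.net / 203.0.113.5 are placeholders, 203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
Oct 23 21:03:26 Ubuntu-1204-precise-64-minimal sendmail[29973]: s9NJ31pS029973: to=root, delay=00:00:19, xdelay=00:00:07, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ37kn029974 Message accepted for delivery)
Oct 23 21:03:38 Ubuntu-1204-precise-64-minimal sm-mta[29977]: s9NJ37kn029974: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:19, xdelay=00:00:07, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: to=root, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=30343, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.8, stat=User unknown
Oct 23 21:07:01 Ubuntu-1204-precise-64-minimal sm-mta[30101]: s9NJ71aa030101: to=<someone@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=120345, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent (250 OK)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$")
# Relays that mean the message never left this machine.
LOCAL_RELAY = re.compile(r"127\.0\.0\.1|localhost|IPv6:::1")

def parse_line(line):
    """Turn one sendmail log line into a dict of its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    for field in m.group("rest").split(", "):
        key, sep, value = field.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def is_external_delivery(rec):
    """True for a recipient entry that was handed to another host."""
    if "to" not in rec or rec.get("mailer") == "local":
        return False
    relay = rec.get("relay", "")
    return bool(relay) and not LOCAL_RELAY.search(relay)

def summarize(log_text):
    """Count recipient entries by outcome: delivered locally, delivered to an
    external relay (per relay), or failed. A jump in the external counts, or
    relays you do not recognise, is what a spamming box looks like here."""
    summary = {"local": 0, "failed": 0, "external": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "to" not in rec:
            continue  # not a recipient entry (from=, ruleset=, DSN lines)
        if not rec.get("stat", "").startswith("Sent"):
            summary["failed"] += 1
        elif is_external_delivery(rec):
            summary["external"][rec["relay"]] += 1
        else:
            summary["local"] += 1
    return summary

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"local={result['local']} failed={result['failed']}")
    for relay, count in result["external"].most_common():
        print(f"external {count:6d}  {relay}")
```

Run it against the real file with `summarize(open("/var/log/mail.log").read())`; on the question's own log every relay is 127.0.0.1 or localhost, so the external counter stays empty.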

Tool to show permissions of path in Linux?

Soviero asked:

Is there a tool in Linux that will take a path such as /var/log/httpd/error_log, and print the permission for each branch of the path, i.e.:

/var:                     root:root,         0755
/var/log:                 root:root,         0755
/var/log/httpd:           www-data:root,     0700
/var/log/httpd/error_log: www-data:www-data, 0644

Such a tool would make permission troubleshooting much easier, especially with exceptionally long paths like on file servers and such.


I answered:

You want namei.

# namei -l /var/log/nginx/error.log
f: /var/log/nginx/error.log
drwxr-xr-x root  root  /
drwxr-xr-x root  root  var
drwxr-xr-x root  root  log
drwx------ nginx nginx nginx
-rw-r--r-- nginx nginx error.log

Note that this command is Linux-specific and may not exist on other operating systems. Also do not confuse it with the namei() system call.


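
namei -l prints symbolic modes; the question asked for the octal layout. As an added example (not code from the question or the answer), here is a short Python version of the requested tool that walks every prefix of a path with lstat, prints owner, group and octal mode, and points at the first component the "other" permission class cannot traverse, which is usually the thing you are hunting for when a service user cannot reach a file. The names `path_permissions`, `first_blocked_for_others` and `format_table` are this example's own.

```python
import grp
import os
import pwd
import stat

def _lookup(func, ident):
    """Map a uid/gid to a name; fall back to the number if it is unknown."""
    try:
        return func(ident)
    except KeyError:
        return str(ident)

def path_permissions(path):
    """Return (prefix, owner, group, octal_mode, symlink_target) for every
    prefix of `path`, starting at "/". Uses lstat so a symlink shows its own
    mode and target rather than silently reporting what it points at."""
    prefixes = []
    current = os.path.abspath(path)
    while True:
        prefixes.append(current)
        parent = os.path.dirname(current)
        if parent == current:      # reached "/"
            break
        current = parent
    rows = []
    for prefix in reversed(prefixes):
        st = os.lstat(prefix)
        owner = _lookup(lambda uid: pwd.getpwuid(uid).pw_name, st.st_uid)
        group = _lookup(lambda gid: grp.getgrgid(gid).gr_name, st.st_gid)
        mode = f"{stat.S_IMODE(st.st_mode):04o}"
        target = os.readlink(prefix) if stat.S_ISLNK(st.st_mode) else None
        rows.append((prefix, owner, group, mode, target))
    return rows

def first_blocked_for_others(rows):
    """First component the 'other' class cannot get through: a directory
    without the search (x) bit, or the final entry without the read bit.
    Ignores group membership, ACLs and capabilities, so treat a hit as the
    first place to look rather than a verdict."""
    for index, (prefix, _owner, _group, mode, _target) in enumerate(rows):
        needed = 0o004 if index == len(rows) - 1 else 0o001
        if not int(mode, 8) & needed:
            return prefix
    return None

def format_table(rows):
    """Render rows in the layout the question asked for."""
    width = max(len(prefix) for prefix, *_ in rows) + 1
    lines = []
    for prefix, owner, group, mode, target in rows:
        link = f"  -> {target}" if target else ""
        lines.append(f"{prefix + ':':<{width}} {owner}:{group}, {mode}{link}")
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    rows = path_permissions(sys.argv[1] if len(sys.argv) > 1 else "/var/log")
    print(format_table(rows))
    blocked = first_blocked_for_others(rows)
    print("blocked for others at:", blocked or "nothing")
```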

nginx proxy keeps getting bad gateway

Hong Yi asked:

I am running a CentOS7 virtual machine and trying to proxy it to a subsonic server which is running on Windows Server 2012. When I was using apache it was working without issues but I am currently trying to do the same using nginx and I keep getting 502 bad gateway. I can’t seem to figure out what is causing this issue.

My nginx.conf:

server {
    listen       80;
    server_name  *.example.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
server {
    listen  80;
    server_name music.example.com;

    location / {
        proxy_pass http://192.168.1.67:6060/;
        proxy_redirect / http://192.168.1.67:6060/;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout      90;
        proxy_read_timeout      90;
        proxy_buffers           32 4k;
    }
}

On apache:

<VirtualHost *:80>
        ServerName music.example.com
        ServerAlias www.music.example.com
        RewriteEngine on
        RewriteRule ^music/(.*)$ http://192.168.1.67:6060/ [P]
        ProxyPass / http://192.168.1.67:6060/
        ProxyPassReverse / http://192.168.1.67:6060/
</VirtualHost>

Telnet to 192.168.1.67:6060

Trying 192.168.1.67...
Connected to 192.168.1.67.
Escape character is '^]'.
dir
HTTP/1.1 400 Bad Request
Connection: close
Server: Jetty(8.y.z-SNAPSHOT)

Error: 400Connection closed by foreign host.

Error log:

2014/10/23 16:51:21 [crit] 11191#0: *1 connect() to 192.168.1.67:6060 failed (13: Permission denied) while connecting to upstream, client: 192.168.1.1, server: music.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.67:6060/favicon.ico", host: "music.example.com"

Any help appreciated. Thanks in advance.


I answered:

By default SELinux prevents the web server from making outbound connections to foreign hosts.

You can change this and allow outgoing connections by setting the httpd_can_network_connect boolean.

setsebool -P httpd_can_network_connect 1


Enabling cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) on Windows Server 2003+ISA 2006

Vesper asked:

I have been given a task to disable all “weak” ciphers/protocols on our very old ISA server based on Windows Server 2003. I have disabled all protocols but TLS1.0, and all ciphers but RC2/128, RC4/128 and Triple DES 168/168. But the Qualys SSL Labs test utility does not show me that I have 3DES encryption available on my ISA server. The only cipher suites listed are:

TLS_RSA_WITH_RC4_128_MD5 (0x4)  
TLS_RSA_WITH_RC4_128_SHA (0x5) 

This KB says that when the Triple DES 168 cipher is enabled, the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is available. However, it is not. We need this cipher suite to allow a Windows 8.1 Phone to connect to ActiveSync published by this ISA. What could be the reason for 3DES encryption being unavailable in this configuration, and what should we do in order to allow the connection for a Windows 8.1 phone without being vulnerable to POODLE?

EDIT: There was apparently a server-side malfunction of some sort, a reboot fixed 3DES availability, although the same KB states that registry change should have worked at once. I’ve got another server with the same problem, got it fixed with registry modification only, though.


I answered:

If your registry change didn’t take effect immediately, then just restart your computer.



No package php5-intl available RHEL

eisaacson asked:

I’m trying to install php5-intl on Red Hat but cannot seem to find the package. I run yum install php5-intl and get the error No package php5-intl available. Is there a different repository I need? I haven’t done much with repositories so I’m pretty unfamiliar with all of that.


I answered:

The package name is php-intl, not php5-intl.



How to install Foreman on Centos 6?

utrecht asked:

Attempt

According to this documentation, Puppet should be installed before installing Foreman.

Puppet

sudo rpm -ivh http://yum.puppetlabs.com/el/6.4/products/x86_64/puppetlabs-release-6-11.noarch.rpm
sudo yum -y install puppet

[vagrant@localhost ~]$ puppet --version
3.7.1

Foreman

sudo yum -y install http://yum.theforeman.org/releases/1.1/el6/x86_64/foreman-release.rpm
sudo yum -y install foreman-installer

Result

--> Finished Dependency Resolution
Error: Package: rubygem-apipie-bindings-0.0.8-4.el6.noarch (foreman)
           Requires: rubygem(mime-types) < 2.0.0
Error: Package: rubygem-rest-client-1.6.7-2.el6.noarch (foreman)
           Requires: rubygem(mime-types) >= 1.16
Error: Package: rubygem-apipie-bindings-0.0.8-4.el6.noarch (foreman)
           Requires: rubygem(fastercsv)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Attempt Two

Checking the error message, the idea was to try to fix the dependency issues by trying to install the following packages:

rubygem mime-types < 2.0.0
rubygem mime-types >= 1.16
rubygem fastercsv

by issuing the following commands:

sudo gem install mime-types -v 1.25.1
sudo gem install gem install fastercsv

Result Two

mime-types

[vagrant@localhost ~]$ sudo gem install mime-types -v 1.25.1
Successfully installed mime-types-1.25.1
1 gem installed

fastercsv

[vagrant@localhost ~]$ sudo gem install gem install fastercsv
ERROR:  Could not find a valid gem 'gem' (>= 0) in any repository
ERROR:  Could not find a valid gem 'install' (>= 0) in any repository
Successfully installed fastercsv-1.5.5
1 gem installed
Installing ri documentation for fastercsv-1.5.5...
Installing RDoc documentation for fastercsv-1.5.5...

Foreman

sudo yum -y install foreman-installer

Although the missing packages were installed using gem install the issue persists.


I answered:

You forgot to install and enable the EPEL repository. Do that, and then try the Foreman installation again.

