Latest Server related questions

Score: 1
MountainX avatar
How to combine ipset IPv4 and IPv6 configurations

I'm running Arch Linux and referring to Simple stateful firewall - ArchWiki.

I have two different bash scripts for creating my iptables rules: one for IPv4 and another for IPv6. Each creates one or more ipset hash lists (sets) using the appropriate family: inet or inet6.

That approach is supported by this answer, "You need to have two different sets: one for IPv4 and another for IPv6."

I use the syste ...

Score: 0
ppparadox avatar
Unbound recursive server not setting AD flag

I am running Unbound 1.9.0 as a recursive caching DNS server for a small branch office. It recurses over TLS towards cloudflare only and it has a typetransparent local-zone (example.com) overriding some of the public records from the public authoritative servers.

I am deploying SSHFP records across my organization and since unbound is not setting the AD flag (DNSSEC) the SSH client says "Matching ...

Score: 0
How to Accelerate Firewalld or should it be abandoned for nftables instead?

We have a problem where we set up a server running a service and it is capable of hundreds of simultaneous connections on port 3535 (arbitrarily assigned for this application). We have firewalld running on this near-end-host allowing connections from the far-end host and that is all working fine. The problem we ran into is the far-end-host is only able to establish a few connections at a time and it i ...

Score: 1
Authenticating ftp against multiple (postgres) databases

Current State

Given is a host with a couple of IPv4 addresses and HTTP & FTP access for each address; each vhost has access to a PostgreSQL database. Web- and ftp-authentication is done against the respective database; for proftpd I use this setup for each IP-Address/vhost ($VALUES are no variables but hide real values):

SQLConnectInfo $VHOST@localhost $SQLUSER $SQLPASS
SQLUserInfo login Login Passwo ...

Score: 3
Jaco avatar
Install godaddy ssl certificate on nginx, pem, bundle, crt

It's a bit unclear, by available instructions and forum posts, how to deal with the three files you'll get from Godaddy when purchasing a SSL Certificate from them. Godaddy isn't very forthright explaining it. In hindsight, now when knowing how to do it, one might think it is unwise of them not to detail this in instruction attached to the purchase; as it is not trivial to get it working.

When pu ...

Score: 0
`findmnt` and `ls` still see a physically disconnected external storage drive

Here is an /etc/fstab record example of one of the mounts as per x-systemd.automount and other goodies:

UUID=XXXX-XXXX /media/XXXX-XXXX auto noauto,nofail,nouser,uid=root,gid=users,umask=007,X-mount.mkdir,x-systemd.automount,x-systemd.device-timeout=1,x-systemd.idle-timeout=60 0 2

Currently this external exFAT-formatted drive is physically disconnected from the PC, but I still get the following  ...

Score: 0
openldap why am I not able to id the user account?

I followed this openldap guide

https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

Got it all working up until I try to id the user on the client (following this guide: https://kifarunix.com/configure-sssd-for-ldap-authentication-on-rocky-linux-8/)

I get a message about "no such user"

The openldap tutorial lists the objectClass for users.ldif

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=ki ...

Score: 0
SilverZippo avatar
Can I use my O365 Custom domain name as my Azure AD Domain Services domain name?

I have an existing O365 tenant with a custom domain name.

I also have a couple of VM's running in Azure and for all sorts of reasons I would like to add Azure Active Directory Domain Services.

Where it comes to choosing the domain name, the Azure Portal UI is defaulting to the existing O365 custom domain name.

I am a little unclear as to whether I should choose this option, or change it to some other do ...

Score: 0
uday kiran avatar
How to do Bare Metal Deployment via MDT from the Cloud?

I have tried the steps mentioned in the link.

Here, instead of local MDT deployment share, configured IIS to access it through HTTP/HTTPS. But it is not still linked to unc path, which can't be accessible over the internet.

After configuring the IIS as per the steps you mentioned.

The deployment share in the LiteTouch ISO is still trying to access the UNC path.

litetouch image deploy error

Because of this, the internet deploymen ...

Score: 0
GBT55 avatar
Is it possible to limit SSH client users to connect ONLY if I manually type the key into the SSH Server?

So basically I want to get a more secure way to ssh into my server, because it is located in a very big LAN. I tried using firewall to only allow certain IPs into it, it works, but someone could manually change the IP to the one that is allowed in the UFW.

What I want is that if someone wants to log in the SSH I, as a server, will have to manually input the client's key into the server.

Score: 0
Amir Alamani avatar
Alternative location to store tmp files on linux

So I have a python script that I compile with pyinstaller to a single file. at the time of running, by default, the script will unbundle the modules in /tmp/ also you can change the default TMPDIR at the time of compilation.

PROBLEM: As you might know, this is a common security practice that you mount /tmp/ or /var/tmp/ as a noexec. the problem is that my script can't execute the modules from /tmp ...

Score: 0
Docker+Synapse+Traefik v2 stops working when I make a separate backend network

I'm trying to set up a Matrix Synapse server using Docker and a Traefik v2 reverse proxy.

My setup works if I define a single network in my docker-compose file and have Traefik, Synapse and postgres all use that network.

However, based on what I've learnt about Docker so far, I should put postgres on a separate network (backend) than Traefik (web). Synapse will then be on both networks. However, when I d ...

Score: 0
Genken avatar
Container exits after installing mysqli in a dockerized PHP-apache

I am new to Docker and I need a php:8.0-apache container with mysqli installed. Just mentioning mysqli on a raw image causes an error:

Fatal error: Uncaught Error: Class "mysqli" not found

I tried to use such command in docker-compose.yml:

command: ["docker-php-ext-install", "mysqli"]
# Or
command: docker-php-ext-install mysqli

As a result, the container exits with code 0 for some reason. Full logs of t ...

Score: 1
Melchy avatar
GKE metrics agent logging many errors

We have created GKE cluster and we are getting errors from gke-metrics-agent. The errors show up every cca 30 minutes. It's always the same 62 errors.

All the errors have label k8s-pod/k8s-app: "gke-metrics-agent".

First error is:

error   exporterhelper/queued_retry.go:245  Exporting failed. Try enabling retry_on_failure config option.  {"kind": "exporter", "name": "googlecloud", "error": "rpc error: cod ...

Score: 0
jootl avatar
ssh-copy-id does not update authorized_keys file

I can't configure ssh key on my Synology NAS. File ~/.ssh/authorized_keys is not created or not updated.

On remote machine (NAS):

$ cd
$ chmod 700 .
$ chmod 700 .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

I updated /etc/ssh/sshd_config to uncomment lines:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

I restarted sshd:

$ sudo synoservicectl --reload sshd ...
