Latest Server related questions

Score: 0
Wiesel avatar
Borg-Backup failed with Command in authorized_keys behind a ssh-tunnel?

I set up a PoC for a pull backup with Borg Backup. In this example a client can only reach the backup server behind a proxy server. In this case the server where Borg Backup is running opens a temporary SSH tunnel over a proxy server and starts the pull backup on the client. After the backup is done, the SSH tunnel will be closed. Everything runs in this scenario.

For more security I created for any ac ...

Score: 0
siva nanda perumal avatar
HTTPD + MPM_EVENT + PHP_FPM

I have created a docker container with the following

OS: Debian 11

WebServer: httpd2.4 (Enabled mpm_event)

Backend: PHP-FPM

Docker is running in EC2 and I have given 10GB RAM and 5CPU for the docker container.

Everything is working on the UI and my application is good. Now I'm looking forward to optimizing the server to increase the simultaneous requests and performance.

So, what I have done is

h ...

Score: 0
Apache Getting Killed By OOM

I have apache2 running on Ubuntu 22. My Apache2 is often getting killed by OOM. I have tried to get the log and it's showing something like this:

> root@localhost:~# dmesg -e | grep -i kill [Mar15 03:00] shopping_cart
> invoked oom-killer:
> gfp_mask=0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), order=0,
> oom_score_adj=0 [  +0.000004]  oom_kill_process.cold+0xb/0x10 [ 
> +0.000001] oom-kill:co ...

Score: 0
King David avatar
RHEL + what could be the reason that FSTYPE is not defined in lsblk, in spite of a filesystem having been created on the disk in the past

I want to share the following very strange behavior, which doesn't make sense to me but is a fact on our production RHEL 7.2 server

disks are VMDK

from df -h we can see the following:

sdb         /DB_STORAGE_1

and its also defined in /etc/fstab file

/dev/sdb /DB_STORAGE_1                      ext4 defaults,noatime 0 0

but when I run lsblk -f, we can see that FSTYPE does not exist on the sdb disk, (and al ...

Score: 0
TomS avatar
Limit amount of traffic per user in public WiFi network

I would like to limit the usage of my free public customer WiFi network to a certain amount of data (i.e. not a bandwidth limit which seems fairly easy to set), let's say 1 GB (or 10 GB or whatever). Management would like to have a fast WiFi for customers, but prevent people from downloading huge amounts of data the whole day and so taking away performance from others.

We are not yet sure which produc ...

Score: 0
Giorgi Jambazishvili avatar
GCP VM (using cloud NAT) loses internet connection

We have a pretty simple setup for the VM on GCP w/o public IP address. To reach the internet, we use cloud NAT (w/ the basic configuration, see attached image):

The problem we have is that the VM loses the internet connection:

  1. we can not access it using SSH
  2. based on the syslog VM can not access GCE metadata server (OSConfigAgent[514]: 2023-03-10T15:49:41.8034Z OSConfigAgent Error main.go:231: net ...

Score: 2
Use netns to bind programs to specific IP addresses

I have an IP address on my server, say, 192.168.0.3, I want to share in a net namespace, so to run apps there which will only be able to communicate to the internet using that 192.168.0.3.

I can "kind" of get it working with the macvlan device type... except, for having two mac addresses, the gateway will often favor my root or my namespace-bound interface.

Is there a way I could just mirror that ...

Score: 0
Snappawapa avatar
Resolve variables in .desktop

I'm trying to make a link to open a browser window using a .desktop file, opening to a webserver on the same box.

I'm currently doing this through:

Exec=browse http://localhost

This seems to work great, except I want to use the box's own hostname; a-la my-box.local, so the url that is shown is applicable to access from other boxes on the same network via mDNS.

I have tried the following, but unsuprigi ...

Score: 0
LFC1892 avatar
BIND DNS - DNSSEC on Internal Private Domain

Question regarding DNSSEC.

I have an internal private TLD, e.g. corp. Underneath that are multiple subdomains, e.g. region-a.corp, region-b.corp etc. And possibly underneath the regions, there are further subdomains, e.g. edge.region-a.corp

Regardless of the number of domains and subdomains - they will be totally private and require no internet access as it's a secure environment. My question is - would  ...

Score: 1
Jovan Perovic avatar
Block bad bot based on a query param signature

My nginx instance is getting hammered every couple of days by some bad bot using random query parameter values.

/var/log/nginx/access.log:209.107.204.224 - - [14/Mar/2023:16:01:42 +0100] "GET /?ttrp353217=ttrp540516 HTTP/1.1" 501 560 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"

When it hits, it quickly causes resource starv ...

Score: 0
wooters avatar
DKIM and how it relates to DMARC reports

I've been tasked with setting up DKIM, SPF and DMARC for a business. I come from more of a development background, so as a result, I've been a bit confused on how to interpret the DMARC reports I'm seeing.

I'm using a DMARC report analyzer (DMARCreport), and it's showing some spam-y emails as DKIM aligned and DKIM verdict "pass". I don't understand how these emails are passing DKIM, since the onl ...

Score: 0
Factor Three avatar
COTURN Server not reachable

I am running a coturn server on my system, and am having trouble accessing it.

The coturn server configuration is provided below. Note that the addresses for the relay-ip and the listening-ip are set to localhost (127.0.0.1). Other settings conform to the documentation.

What happens is that any attempts to access the server -- even from localhost (http://127.0.0.1:3478 or turn://127.0.0.1:3478) -- get ...

Score: 0
colevs avatar
How can I geolocate to minimize latency to an AWS instance behind an Amazon Global Accelerator?

There is a server on AWS that I do not control that I need as low latency to as possible. I figured I would experimentally measure my latency from different AWS regions to narrow down the lowest latency region for my instance. I have reasons to suspect that there are still large latency gains that can be made.

A traceroute shows that the traffic is going through an Amazon Global Accelerator (AGA), ...

Score: 0
BlackDog avatar
Troubleshooting AWS S2S VPN connection with on-prem network

I am trying to set up a VPN connection between our AWS servers and a 3rd party network. The VPN tunnel in itself is active, but network calls are timing out.

The setup:

  • EC2 instances in private subnets have their traffic go through a NAT gateway with an Elastic IP (setup already works to reach the internet)
  • Default VPC route table targets a transit gateway for the destination IP address e.g. 1.2.3.4
  •  ...

Score: 2
JoeNahmias avatar
How to enable Kerberos delegation from SQL Server to DFS File Share

I am trying to enable my MSSQL database users to BULK INSERT / OPENROWSET() a CSV file that is stored on our DFS/cifs/smb network shares.

Initial Setup

I have the MSSQL service set to run as a domain user account, EXAMPLE\svc_mssql, and have added that user to a security group that has read access to the relevant DFS share (eg. \\example.org\myshare\data\path\to\mydata.csv). This allows users connecti ...

Score: -2
Gaurav Jain avatar
I need an adaptor to read my old laptop harddisk

I want to find an adaptor that will allow me to read my old Laptop harddrive. Can someone help me find the right adaptor for this?

Score: 0
Mithra the Developer avatar
Unable to connect via SSH after installing Docker

I am trying to install Docker on my server. I tried to install it on a new system via

$ curl -sSL https://get.docker.com | sh
$ sudo usermod -aG docker $(whoami)

I tried this tutorial after adding a non-root user

Result is the same: after logout I can't connect via SSH to the server and get kex_exchange_identification: read: Connection reset by peer

ssh -Tv gives:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar  ...

Score: 1
IIS Management Service IP and Port Bindings - How to Reset

In the process of configuring the IIS Management Service (to get the web deploy functionality working), I've somehow put it in a weird state where it thinks an IP address and port are already in use:

I'm not sure what I did, in traditional fashion it's actually kind of complicated to get the web deploy stuff working and one of the steps in the un-install/re-install/repair loop did something.

I know the ...

Score: 0
DanRan avatar
How to port forward public IP of an Ubuntu 22.04 AWS EC2 VPN Wireguard Server Instance to a VPN Wireguard Client

I am running an Amazon EC2 Ubuntu 22.04 Instance, which is acting as a Wireguard server. I have a Wireguard client machine (also running Ubuntu 22.04) connecting to the EC2 WG Server instance successfully. The VPN Tunnel is on the 10.10.10.0 network. So the tunnel IP address of the VPN server is 10.10.10.1 and the tunnel IP address of the VPN Client is 10.10.10.2. When the VPN client connects to the serv ...

Score: 0
Astra avatar
Debian 10 fresh install => apt error "timeout"

I'm trying to install sudo to allow users (like Ansible) to access the machine with sudo privileges through SSH. So far, I'm blocked with errors like this:

"Impossible d'initialiser la connexion à ftp.fr.debian.org: 80 (2a01:e0c:1:1598::2). - connect (101: Le réseau n'est pas accessible) Connexion à ftp.fr.debian.org: 80 (212.27.32.66) impossible, délai de connexion dépassé"

Translated from  ...

Score: 0
SPF-record for domain vs. sub-domain

For historical reasons my e-mail address uses a subdomain: [email protected].

My sending (and receiving) servers are completely different from those of the top-level example.com itself. Recently, the top-level domain added an SPF-record and now GMail, for example, rejects my e-mails -- because my sending IP-address is not listed in the SPF-record.

Are Google mistaken -- rejecting e-mails from a sub ...

Score: 0
Sam Mason avatar
hardening fail2ban using systemd sandbox

I've been trying to follow the ArchWiki instructions on hardening Fail2Ban:

https://wiki.archlinux.org/title/Fail2ban#Service_hardening

Specifically I've created a drop-in file as described and started the service. The issue is that I see log entries like:

fail2ban.actions        [1500]: NOTICE  [sshd] Ban xxx.xxx.xxx.xxx
fail2ban.utils          [1500]: ERROR   7f76a9d13550 -- exec: { iptables -w - ...

Score: 0
Powerriegel avatar
Nextcloud Web App hosted on Nginx has incredibly slow TLS handshake

I’m self-hosting a Nextcloud instance. I updated this for years and was always very happy with it. I don’t use docker but hosting bare metal on a Debian 11 Bullseye system. For SSL, I use Let’s Encrypt, Webserver is NGINX. Hardware is quite good, 16 GB RAM, Xeon Dual Core, SSD.

I found out that the first connection attempt is always very slow. Afterwards, things get better. But after ...

Score: 0
oktay avatar
How to restart a windows service when a log file has not been modified for a period of time?

I have a Windows service and it's running a bit problematically. Sometimes it crashes or sometimes the connection to the server is lost but it does nothing about it. Therefore, I have to check the logs of the service (log names change every day, like the date of that day) and restart the service with PowerShell scripts if the log doesn't change in a while (e.g. 1 minute). How can I do this with PowerShell scripts?

 ...

Score: 1
How to use AD CS to auto-renew certs for securing IIS websites that use SNI?

I have AD CS which automatically provisions and renews machine certificates for servers bound to the directory. (There is a certificate template which controls this auto-issuance.)

I have an IIS server bound to the directory which serves some websites which I want to secure with AD CS-issued certs. These sites will only be accessible to clients which will trust the AD CS root certificate.

I know I c ...

Score: 0
Erich avatar
What's the recommended way to use GeoIP2 with a varying mirror list?

I want to set up a webserver, where every HTTP request is directly redirected to a nearby mirror. So far we used the unfortunately no longer supported Perl module Apache2::Geo::IP together with Apache's mod_perl and the legacy Geo::IP from MaxMind Inc.

The mirror list will change from time to time and uses the simple association between URL and the country of this server:

https://www1.crest.fr/archive/  ...

Score: 0
Andrew Orlov avatar
Detect the boot device (UEFI and GPT)

I'm a little confused, because I can't find a solution to the problem with simple methods or tools.

Situation: I need to identify the disk-device (not a partition) where the system is booted from (or the disk-device (not a partition) where there is a partition with the flag EFI from which the OS is booted).

It would be great if you could do this in GRUB. Or how to pinpoint the partition the OS was bo ...

Score: 0
Tc001 avatar
Do not match Host * in ssh config if another rule was applied

I have the following SSH config:

Host work.github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/work
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/personal

Where I want to use a work SSH key for a single repository by setting its host to ssh://[email protected]:...

But what I think is happening is that the work SSH key is applied and host changed, but then the config is  ...

Score: 0
N. J avatar
FreeIPA How to list servers enrolled?

I need to unenroll every server in FreeIPA and in order to do so I want a way to list every instance that is enrolled either using CLI or API. Is this possible?

Score: 0
philipp avatar
virtual pfSense setup with virtual interfaces

I am running a Linux desktop; for virtualization I am using QEMU/KVM. In order to properly test my Ansible scripts I would like to create a virtual lab environment on my desktop that behaves like the production network.

Since our network setup involves VLANs and DHCP I would like to run a virtual pfSense instance that mimics our router and link other VMs to it. Here is an illustration of what I ...
