[BlueOnyx:12665] Re: Auto suspend vhosts
Hey Michael,

On 3/29/2013 6:51 PM, Michael Stauber wrote:
> Here is a really quick and dirty Perl-Script that can suspend/unsuspend
> Vsites:
>
> It doesn't do much error checking, but gets the job done.
>
> Command line usage would be:
>
> Suspend of www.testing.com:
> ./vsitesuspend.pl 1 www.testing.com
>
> Unsuspend of www.testing.com:
> ./vsitesuspend.pl 0 www.testing.com

You have no idea how timely this is, as we are just starting to put together some automation scripts in a new billing system.

Something that has been sorely lacking in BlueOnyx (and it's not BlueOnyx's "fault") is the ability to tie in with billing / customer management automation systems. That keeps it from playing with the big name control panels. There are some older "legacy" billing systems that included some support for Cobalt RaQ, but then when things went belly up, that support started falling away.

BlueQuartz kept the code alive and for that we'll be forever grateful. Hopefully now BlueOnyx will carry the torch into new territory. It doesn't have to beat the other panels. It just needs to have a healthy niche. Putting some tools in the drawer is a good step in that direction.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ

___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
[BlueOnyx:12664] BlueOnyx: Modern Theme Screenshots
Hi all,

Here is a news article on the progress of the "modern theme" for the BlueOnyx project:

http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=157&cntnt01origid=15&cntnt01pagelimit=4&cntnt01returnid=54

It's slowly coming together.

--
With best regards

Michael Stauber
[BlueOnyx:12663] Re: DNS Spamming
Is this the DNS spamming? I have hundreds of email addresses with this IP being blocked. I feel inadequate with security configurations today.

Warning: Blocking 198.50.140.115

Mar 29 15:48:47 www kernel: IN=eth0 OUT= MAC=00:13:72:9a:1d:1e:94:cc:b9:26:1b:6d:08:00 SRC=198.50.140.115 DST=96.11.87.141 LEN=64 TOS=0x00 PREC=0x00 TTL=231 ID=56837 PROTO=UDP SPT=25345 DPT=53 LEN=44
Mar 29 15:48:47 www kernel: IN=eth0 OUT= MAC=00:13:72:9a:1d:1e:94:cc:b9:26:1b:6d:08:00 SRC=198.50.140.115 DST=96.11.87.141 LEN=64 TOS=0x00 PREC=0x00 TTL=233 ID=15378 PROTO=UDP SPT=25345 DPT=53 LEN=44
Mar 29 15:48:47 www kernel: IN=eth0 OUT= MAC=00:13:72:9a:1d:1e:94:cc:b9:26:1b:6d:08:00 SRC=198.50.140.115 DST=96.11.87.141 LEN=64 TOS=0x00 PREC=0x00 TTL=231 ID=59154 PROTO=UDP SPT=25345 DPT=53 LEN=44
Mar 29 15:48:47 www kernel: IN=eth0 OUT= MAC=00:13:72:9a:1d:1e:94:cc:b9:26:1b:6d:08:00 SRC=198.50.140.115 DST=96.11.87.141 LEN=64 TOS=0x00 PREC=0x00 TTL=231 ID=51984 PROTO=UDP SPT=25345 DPT=53 LEN=44
Mar 29 15:48:47 www kernel: IN=eth0 OUT= MAC=00:13:72:9a:1d:1e:94:cc:b9:26:1b:6d:08:00 SRC=198.50.140.115 DST=96.11.87.141 LEN=64 TOS=0x00 PREC=0x00 TTL=233 ID=58882
[BlueOnyx:12661] Re: Auto suspend vhosts
Hi Marcello,

> I need to make automatic vhost suspension for customers who do not
> pay bills after the expiration date of the domain.
>
> My idea was to build up a small MySQL DB which stores information about
> domains hosted by my BO server and through PHP scripts, CRON and shell
> commands I should suspend that vhost.
>
> I've tried different commands like cmodvsite, but there is no way to set
> a host suspended.

Yeah. The shell tools are missing that option.

> Can I do something via PHP using CCED?

Yes, but only from PHP pages within AdmServ.

Here is a really quick and dirty Perl-Script that can suspend/unsuspend Vsites:

-
#!/usr/bin/perl -I/usr/sausalito/perl
# $Id: vsitesuspend.pl
# Copyright 2006-2013 Solarspeed Limited. All rights reserved.

use strict;
use warnings;
use CCE;

my $cce = new CCE;

# Positional arguments: [0|1] and the FQDN of the Vsite.
my @opts = grep /^\w+/, @ARGV;
my $switch_o = defined $opts[0] ? $opts[0] : "";
my $switch_n = defined $opts[1] ? $opts[1] : "";

print "\n";
print "vsitesuspend.pl\n";
print "==\n\n";
print "Author: Michael Stauber\n\n";
print "This script can suspend/unsuspend Vsites. \n\n";

if ($switch_o eq "" || $switch_n eq "") {
    print "To use it, run it with the following parameters:\n\n";
    print $0 . " [0|1] fqdn\n\n";
    exit 1;
}
elsif ($switch_o eq "0" || $switch_o eq "1") {
    # String comparison on purpose: with '==' any non-numeric first
    # argument would numify to 0 and be accepted as "unsuspend".
    print "Setting suspend of Vsite $switch_n to $switch_o. \n\n";
    $cce->connectuds();
    &feedthemonster;
    $cce->bye('SUCCESS');
    exit(0);
}
else {
    print "Aborting without doing anything ...\n\n";
    exit 1;
}

sub feedthemonster {
    # Look the Vsite up by FQDN and set its 'suspend' attribute through CCE.
    my (@oids) = $cce->find('Vsite', { 'fqdn' => $switch_n });
    if ($#oids == -1) {
        print "No Vsite named $switch_n could be found.\n\n";
        exit(1);
    }
    else {
        for my $object (@oids) {
            my ($ok, $rec) = $cce->get($object);
            ($ok) = $cce->set($object, '', { 'suspend' => $switch_o });
        }
    }
}
-

It doesn't do much error checking, but gets the job done.

Command line usage would be:

Suspend of www.testing.com:
./vsitesuspend.pl 1 www.testing.com

Unsuspend of www.testing.com:
./vsitesuspend.pl 0 www.testing.com

--
With best regards

Michael Stauber
[BlueOnyx:12660] US-CERT Alert TA13-088A: DNS Amplification Attacks (fwd)
Just got this.

-- Forwarded message --
Date: Fri, 29 Mar 2013 16:23:46 -0400
From: US-CERT Alerts
To: technical-ale...@us-cert.gov
Subject: US-CERT Alert TA13-088A: DNS Amplification Attacks

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

National Cyber Awareness System

TA13-088A: DNS Amplification Attacks

Original release date: March 29, 2013

Systems Affected

* Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

Description

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim's address. When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.

Open DNS Resolver Project
http://openresolverproject.org

The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers. The query interface allows network administrators to enter IP ranges in CIDR format [1].

The Measurement Factory
http://dns.measurement-factory.com

Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers [2]. In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion. This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3]. Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4].

DNSInspect
http://www.dnsinspect.com

Another freely available, web-based tool for testing DNS resolvers is DNSInspect. This site is similar to The Measurement Factory's ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21]. The specification does not allow for unsolicited responses. In a DNS amplification attack, the key indicator is a query response without a matching request.

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack. While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, app
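The alert's "Indicators" section states the detection rule in one sentence: a DNS response with no matching request. The following is an added example, not part of the forwarded alert or of BlueOnyx, that applies that rule to a constructed packet capture: it parses the 12-byte DNS header (RFC 1035 section 4.1.1), remembers outbound queries by client, server, client port and transaction ID, and counts responses that no query explains. The addresses, ports and packets are made up (documentation ranges); a response arriving after `timeout_s` is also counted, since a query that old no longer justifies traffic.

```python
import struct
from collections import Counter


def parse_dns_header(payload):
    """Parse the fixed 12-byte DNS header (RFC 1035 4.1.1).
    Returns (txid, is_response, ancount); QR is the top bit of the flags word."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    return txid, bool(flags & 0x8000), ancount


def find_unsolicited_responses(packets, timeout_s=5.0):
    """packets: time-ordered (ts, src, sport, dst, dport, payload) tuples seen at the edge.
    Queries leaving the network are remembered by (client, server, client port, txid);
    a response that finds no such entry, or one older than timeout_s, is unsolicited.
    Returns Counter {responding server: number of unsolicited responses}."""
    pending = {}
    unsolicited = Counter()
    for ts, src, sport, dst, dport, payload in packets:
        try:
            txid, is_response, _ = parse_dns_header(payload)
        except ValueError:
            continue  # not DNS-shaped; ignore
        if not is_response and dport == 53:
            pending[(src, dst, sport, txid)] = ts
        elif is_response and sport == 53:
            sent = pending.pop((dst, src, dport, txid), None)
            if sent is None or ts - sent > timeout_s:
                unsolicited[src] += 1
    return unsolicited


def dns_header(txid, response):
    """Construct a header-only DNS message for the sample capture (no question section)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


def constructed_capture():
    """Constructed sample: one legitimate lookup, one late answer, one short junk packet,
    and five reflected answers from an open resolver the victim never queried."""
    victim, resolver, reflector = "203.0.113.5", "192.0.2.53", "198.51.100.53"
    pkts = [
        (0.00, victim, 40001, resolver, 53, dns_header(0x1234, False)),
        (0.02, resolver, 53, victim, 40001, dns_header(0x1234, True)),
        (1.00, victim, 40002, resolver, 53, dns_header(0x2222, False)),
        (9.00, resolver, 53, victim, 40002, dns_header(0x2222, True)),   # past the timeout
        (1.50, reflector, 53, victim, 40003, b"\x00\x01"),              # too short to be DNS
    ]
    for i in range(5):
        pkts.append((2.0 + i / 10, reflector, 53, victim, 40000 + i, dns_header(0x9000 + i, True)))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    for server, n in find_unsolicited_responses(constructed_capture()).items():
        print("%s sent %d unsolicited DNS responses" % (server, n))
```

The counter keyed by responding server is what an operator on the victim side wants first: it names the open resolvers being reflected through, which is the list to hand to upstream providers or to block at the border while the flood lasts.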
[BlueOnyx:12659] Re: DNS Spamming
On Fri, 29 Mar 2013, Colin Jack wrote:

> Can I tighten it up? We have 50+ DNS connections from the same IP at the
> same time. I would like to limit this to say 2 ;0)

Last year, a newly installed BX box was hit within a day of powering it up for configuration and site setups. It was, unfortunately, open by default, and I'd not gotten around to DNS beyond basics when it was found.

We noticed this pattern once a machine is tagged as open:

- Inbound DNS port traffic was a continuous 1.6Mbps to that machine.
- The requests might switch to another IP for a while, but tended to favor only 2 or 3 most of the time.
- It was only a total handful (<15) of different (forged) IPs making the requests.

Of course, the first thing was to close the DNS hole, so if the attackers were probing, we looked closed, so they didn't add any new ones.

We then just dropped all the offending /24 blocks with iptables. Inbound requests remained at 1.6 Mbps, but nothing was reaching the DNS server, so outbound traffic was 0.

After about a month of packet dropping, the inbound hits stopped. We did see *occasional* short bursts of attempts at the same IPs sent to our known locked-down servers, but those died off within a minute or two.

=^_^= Tigerwolf
[BlueOnyx:12658] Re: DNS Spamming
Why not disable recursion? Do you need to offer full public DNS to the world? (And not just for the Authoritative domains you control?)

Sent from my iPhone

On Mar 29, 2013, at 5:13 PM, Colin Jack wrote:

> Hi Michael,
>
> On 19 Mar 2013, at 01:05, Michael Stauber wrote:
>
>> Hi Will,
>>
>> Check this article on DNS related attacks:
>>
>> http://www.topology.org/linux/iptables_dns_flood.html
>>
>> I've had a few clients who were hit by the ANY? queries a lot, so we
>> modified the APF firewall (part of the Solarspeed security) with the
>> hints and ideas from this article.
>>
>> In essence there are two ways of doing so. Like Gerald mentioned: You
>> can use the IPtables recent module. Which works quite well. But it's
>> also possible to use packet inspection and just discard or drop
>> excessive ANY? queries from any given source.
>
> I have the Solarspeed Security Suite on all my servers and my APF isn't
> blocking these little b* ...
>
> Can I tighten it up? We have 50+ DNS connections from the same IP at the same
> time. I would like to limit this to say 2 ;0)
>
> Thanks
>
> Colin
[BlueOnyx:12657] Re: DNS Spamming
Shouldn't this be the other way around?

> [ ] Allow Recursion (All below greyed out unless checked)
>
>     [ ] Cache lookups
>
>         Recursion allowed for (greyed unless recursion selected)
>         these Hosts/networks:
>         ---------------
>         localhost
>         localnets          < Entry box
>         ---------------

Colin

On 29 Mar 2013, at 19:32, George F. Nemeyer wrote:

> On Fri, 29 Mar 2013, Michael Stauber wrote:
>
>> The other idea about separating cache and recursion and
>> pre-populating "localhost" and "localnet" also makes sense. I haven't yet
>> wrapped my mind fully around it and will need to check the Bind
>> documentation again.
>
> If it comports with BIND how bind actually works *now*:
>
> [ ] Allow Cache lookups (All below greyed out unless checked)
>
>     [ ] Allow recursion
>
>         Recursion allowed for (greyed unless recursion selected)
>         these Hosts/networks:
>         ---------------
>         localhost
>         localnets          < Entry box
>         ---------------
>
> =^_^= Tigerwolf
[BlueOnyx:12656] Re: Auto suspend vhosts
On 3/29/2013 1:31 PM, Marcello Torchio wrote:
> Hi everybody,
>
> I go back to a topic discussed and started by me. I need to make automatic vhost suspension for customers who do not pay bills after the expiration date of the domain.
>
> My idea was to build up a small MySQL DB which stores information about domains hosted by my BO server and through PHP scripts, CRON and shell commands I should suspend that vhost.
>
> I've tried different commands like cmodvsite, but there is no way to set a host suspended. Is it right or I'm missing something?
>
> Can I do something via PHP using CCED?
>
> For example I can call periodically a shell script using cron. This script can check MySQL DB for expiring domains and send warning mail to customers. For expired ones I can suspend them.
>
> Thanks

The cmodvsite could just rename the site to suspended.thedomain.com

Ken Marcus
[BlueOnyx:12655] Re: DNS Spamming
I found the three iptables commands worked when I switched it to UDP:

/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW -m recent --set --name DNS --rsource
/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource -j LOG --log-prefix "Block DNS port UDP 53 Attack "
/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name DNS --rsource -j DROP

I didn't bother with the middle rule that logs the activity - it put quite a load on the server.

I also installed iptraf (yum install iptraf) and used it to see outgoing traffic settle down on port 53.

Richard

- Original Message -
From: "Colin Jack"
To: "BlueOnyx General Mailing List"
Sent: Friday, March 29, 2013 7:21 PM
Subject: [BlueOnyx:12651] Re: DNS Spamming

> Hi Michael,
>
>> Yeah, that's probably a good idea. I'll look into it and see what can be
>> done. The other idea about separating cache and recursion and
>> pre-populating "localhost" and "localnet" also makes sense. I haven't yet
>> wrapped my mind fully around it and will need to check the Bind
>> documentation again.
>
> Also maybe grouping and renaming the controls/boxes so that it is more
> obvious?
>
> I tried the suggested iptables addition to limit the number of queries but
> it didn't work! Syntax error.
> Something else that may be worth putting into the default template or even
> into the GUI?
>
> Hope you are keeping well.
>
> Regards
>
> Colin
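The three rules above use the `recent` module to remember each source that opens a new UDP/53 flow and to drop it once it has been seen 10 times within 60 seconds. As an added example (not code from this thread or from BlueOnyx), here is the same sliding-window logic in Python, run over netfilter LOG lines in the format quoted earlier in the thread (the "IN=eth0 OUT= MAC=... SRC=... DPT=53" kernel lines). It is useful for checking, from the log alone, which sources the DROP rule would have caught and at what count. All addresses, the MAC and the log lines are constructed, documentation-range values; the threshold semantics emulate `--update --seconds W --hitcount N` but, unlike the `--rttl` variant of the rule, do not require the TTL to match.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Netfilter LOG line: syslog stamp, host, "kernel:", then key=value fields.
LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (timestamp, {field: value}) for a netfilter LOG line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year; fine for ordering
    fields = {}
    for key, val in KV_RE.findall(m.group("fields")):
        fields.setdefault(key, val)  # LEN= appears twice (IP and UDP header); keep the first
    return ts, fields


def find_dns_floods(lines, window_s=60, hitcount=10):
    """Emulate 'iptables -m recent --update --seconds W --hitcount N' per source address for
    UDP packets to port 53. Returns {src: packets inside the window when first flagged}."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    window = timedelta(seconds=window_s)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") != "UDP" or f.get("DPT") != "53":
            continue
        q = recent[f["SRC"]]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= hitcount and f["SRC"] not in flagged:
            flagged[f["SRC"]] = len(q)
    return flagged


# Constructed template in the kernel LOG format quoted in this thread (documentation MAC/IPs).
TEMPLATE = ("Mar 29 15:48:{sec:02d} www kernel: IN=eth0 OUT= "
            "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC={src} DST=203.0.113.10 "
            "LEN=64 TOS=0x00 PREC=0x00 TTL=231 ID={ident} PROTO={proto} SPT=25345 DPT={dport} LEN=44")


def constructed_sample():
    """12 UDP/53 packets from one source in three seconds (a flood), three spread-out queries
    from another (normal), and TCP/80 noise that must be ignored."""
    lines = [TEMPLATE.format(sec=47 + i // 4, src="198.51.100.7", ident=50000 + i, proto="UDP", dport=53)
             for i in range(12)]
    lines += [TEMPLATE.format(sec=sec, src="198.51.100.8", ident=60000 + i, proto="UDP", dport=53)
              for i, sec in enumerate((5, 20, 45))]
    lines += [TEMPLATE.format(sec=47, src="198.51.100.9", ident=70000 + i, proto="TCP", dport=80)
              for i in range(15)]
    lines.append("Mar 29 15:48:50 www sshd[1234]: Accepted publickey for admin")  # not a LOG line
    return lines


if __name__ == "__main__":
    for src, n in find_dns_floods(constructed_sample()).items():
        print("%s would be dropped after %d hits" % (src, n))
```

Lowering `hitcount` (Colin asked about limiting to 2) makes the second source trip the rule as well, which is the trade-off to weigh: legitimate resolvers behind a busy NAT also send bursts of queries from one address.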
[BlueOnyx:12654] Re: DNS Spamming
Hi Michael,

On 19 Mar 2013, at 01:05, Michael Stauber wrote:

> Hi Will,
>
> Check this article on DNS related attacks:
>
> http://www.topology.org/linux/iptables_dns_flood.html
>
> I've had a few clients who were hit by the ANY? queries a lot, so we
> modified the APF firewall (part of the Solarspeed security) with the
> hints and ideas from this article.
>
> In essence there are two ways of doing so. Like Gerald mentioned: You
> can use the IPtables recent module. Which works quite well. But it's
> also possible to use packet inspection and just discard or drop
> excessive ANY? queries from any given source.

I have the Solarspeed Security Suite on all my servers and my APF isn't blocking these little b* ...

Can I tighten it up? We have 50+ DNS connections from the same IP at the same time. I would like to limit this to say 2 ;0)

Thanks

Colin
[BlueOnyx:12653] Auto suspend vhosts
Hi everybody,

I go back to a topic discussed and started by me. I need to make automatic vhost suspension for customers who do not pay bills after the expiration date of the domain.

My idea was to build up a small MySQL DB which stores information about domains hosted by my BO server and through PHP scripts, CRON and shell commands I should suspend that vhost.

I've tried different commands like cmodvsite, but there is no way to set a host suspended. Is it right or I'm missing something?

Can I do something via PHP using CCED?

For example I can call periodically a shell script using cron. This script can check MySQL DB for expiring domains and send warning mail to customers. For expired ones I can suspend them.

Thanks
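The procedure Marcello describes here (a cron job that reads expiry dates from a billing table, warns customers approaching expiry and suspends the expired ones), combined with Michael's `vsitesuspend.pl` from message 12661, is a small decision loop in front of a privileged script. The following is an added example, not code from the thread or from BlueOnyx: it plans the per-domain action from constructed rows standing in for the MySQL table, and builds the `vsitesuspend.pl` argv for the suspend and unsuspend cases. The script path `/root/vsitesuspend.pl`, the row layout, the 7-day warning window and the 14-day grace period are assumptions; the FQDN check exists because the script runs with CCE privileges and should never see a value that is not a plain hostname.

```python
import re
import subprocess
from datetime import date, timedelta

# Assumed install location of the Perl script from message 12661; adjust to your own.
VSITESUSPEND = "/root/vsitesuspend.pl"

# Plain hostnames only (labels of letters, digits and hyphens, a dotted suffix, <= 253 chars).
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def plan_actions(rows, today, warn_days=7, grace_days=14):
    """rows: iterable of dicts {fqdn, expires (date), paid (bool), suspended (bool)},
    a constructed stand-in for the billing DB table described in the thread.
    Returns {fqdn: 'warn' | 'suspend' | 'unsuspend' | 'none'}."""
    plan = {}
    for r in rows:
        fqdn, expires = r["fqdn"], r["expires"]
        if r["paid"]:
            # Payment received: lift a suspension if one is in place, otherwise nothing to do.
            plan[fqdn] = "unsuspend" if r["suspended"] else "none"
        elif today > expires + timedelta(days=grace_days):
            # Unpaid and past the grace period: suspend, unless it already is.
            plan[fqdn] = "none" if r["suspended"] else "suspend"
        elif today >= expires - timedelta(days=warn_days):
            # Unpaid and inside the warning window (or in grace): send the warning mail.
            plan[fqdn] = "warn"
        else:
            plan[fqdn] = "none"
    return plan


def suspend_command(fqdn, suspend):
    """Build the argv for vsitesuspend.pl; refuse anything that is not a plain FQDN so a
    malformed or hostile row in the billing DB never reaches the CCE-privileged script."""
    if not FQDN_RE.match(fqdn):
        raise ValueError("refusing non-FQDN value: %r" % fqdn)
    return [VSITESUSPEND, "1" if suspend else "0", fqdn]


def apply_plan(plan, dry_run=True):
    """Return the commands derived from the plan; execute them only when dry_run is False.
    'warn' entries would go to the mailer and are not handled here."""
    commands = [suspend_command(fqdn, action == "suspend")
                for fqdn, action in sorted(plan.items())
                if action in ("suspend", "unsuspend")]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)  # argv list, no shell: no quoting problems
    return commands


def constructed_rows():
    """Constructed sample rows; example.com names, dates around the thread's date."""
    return [
        {"fqdn": "a.example.com", "expires": date(2013, 3, 10), "paid": False, "suspended": False},
        {"fqdn": "b.example.com", "expires": date(2013, 4, 2), "paid": False, "suspended": False},
        {"fqdn": "c.example.com", "expires": date(2013, 5, 1), "paid": False, "suspended": False},
        {"fqdn": "d.example.com", "expires": date(2013, 3, 1), "paid": True, "suspended": True},
        {"fqdn": "e.example.com", "expires": date(2013, 3, 1), "paid": False, "suspended": True},
    ]


if __name__ == "__main__":
    plan = plan_actions(constructed_rows(), date(2013, 3, 29))
    for argv in apply_plan(plan):  # dry run: print what cron would execute
        print(" ".join(argv))
```

Run from cron with `dry_run=False` only after the printed plan looks right; the dry run is also the place to catch a row that fails the FQDN check before anything is touched.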
[BlueOnyx:12652] Re: DNS Spamming
On Fri, 29 Mar 2013, Michael Stauber wrote:

> The other idea about separating cache and recursion and
> pre-populating "localhost" and "localnet" also makes sense. I haven't yet
> wrapped my mind fully around it and will need to check the Bind
> documentation again.

If it comports with BIND how bind actually works *now*:

[ ] Allow Cache lookups (All below greyed out unless checked)

    [ ] Allow recursion

        Recursion allowed for (greyed unless recursion selected)
        these Hosts/networks:
        ---------------
        localhost
        localnets          < Entry box
        ---------------

=^_^= Tigerwolf
[BlueOnyx:12651] Re: DNS Spamming
Hi Michael,

> Yeah, that's probably a good idea. I'll look into it and see what can be
> done. The other idea about separating cache and recursion and
> pre-populating "localhost" and "localnet" also makes sense. I haven't yet
> wrapped my mind fully around it and will need to check the Bind
> documentation again.

Also maybe grouping and renaming the controls/boxes so that it is more obvious?

I tried the suggested iptables addition to limit the number of queries but it didn't work! Syntax error.

Something else that may be worth putting into the default template or even into the GUI?

Hope you are keeping well.

Regards

Colin
[BlueOnyx:12650] Re: Yum Errors and or Issues
Michael,

Thank you, that seems to have worked just fine. No errors or issues.

RC
[BlueOnyx:12649] Re: Yum Errors and or Issues
Hi RC,

> Got these errors when yum attempted update on both Aventurine Servers
>
> Error: Package: libcurl-7.19.7-35.el6.x86_64 (sl)
> Requires: libssh2(x86-64) >= 1.4.2
> Installed: libssh2-1.2.7-1.el6.x86_64
> (@anaconda-Aventurin{e}-201209032350.x86_64/6)
> libssh2(x86-64) = 1.2.7-1.el6

Yes, SL-6.4 was released, so there are a lot of new updates and there is a new (although small) dependency issue. I just fixed that and loaded an updated libssh2 RPM into the Aventurin{e} YUM repositories.

Do a "yum clean all" and "yum update" and it'll go through.

--
With best regards

Michael Stauber
[BlueOnyx:12648] Yum Errors and or Issues
Has anyone else had this error? Got these errors when yum attempted an update on both Aventurine servers:

Error: Package: libcurl-7.19.7-35.el6.x86_64 (sl)
Requires: libssh2(x86-64) >= 1.4.2
Installed: libssh2-1.2.7-1.el6.x86_64 (@anaconda-Aventurin{e}-201209032350.x86_64/6)
libssh2(x86-64) = 1.2.7-1.el6

RC
[BlueOnyx:12647] Re: Urgent Hyper-V problem - please help :-)
Thanks Jason. I found your post already, but I can't boot an old kernel. That was my biggest problem. ;-)

Lars

Original Message processed by david®

[BlueOnyx:12644] Re: Urgent Hyper-V problem - please help :-) (29-Mrz-2013 18:07)
From: bluequa...@ozin.com
To (2): 'BlueOnyx General Mailing List', blueo...@blueonyx.it

Kernel 5.9 and 6.4 (2.6.32-358) have proper built-in support for Hyper-V.

All you need to do is:

Boot into the old kernel.

Remove the old Hyper-V components as follows. Execute the following steps in the bash shell.

1. First, execute:

   rpm -qa | grep microsoft

   Example: On a RHEL 5.8 system, you will see the following:

   # rpm -qa | grep microsoft
   kmod-microsoft-hyper-v-3.4-1.20120727
   microsoft-hyper-v-3.4.20120727

2. Next, execute:

   rpm -e microsoft-hyper-v- kmod-microsoft-hyper-v-

Then reboot into the new kernel 2.6.32-358.

You can then add a NON-LEGACY network card and have a much faster network stack. Give the new card the same Virtual MAC as the old card and there are no config changes needed either.

Jason Ozin

From: blueonyx-boun...@mail.blueonyx.it [mailto:blueonyx-boun...@mail.blueonyx.it] On Behalf Of blueo...@larsi.de
Sent: 29 March 2013 16:52
To: blueo...@blueonyx.it
Subject: [BlueOnyx:12643] Urgent Hyper-V problem - please help :-)

Hello,

I did a yum update on a customer's server and after that there is no network connection. I read all the issues with hyper-v and some time ago Michael noticed a problem with irqbalancing on this server. But this time "service irqbalancing stop" did not change anything.

All solutions point me to boot an older kernel, but I can't do this. Every time I boot the machine, it always goes to the last kernel and changing the grub.conf only results in a broken server, which won't boot anymore.

Does anyone have an idea for me? I can boot the server in kernel 2.6.32-279.5.1.el6.i686.

Thanks in advance.

Lars.
[BlueOnyx:12646] Re: Urgent Hyper-V problem - please help :-)
Answering my own post. ;-)

It's an irqbalance problem as before, but I used an uncommon solution. ;-) I changed the number of virtual processors from 2 to 1 and everything is fine. In order to avoid further problems with this constellation, I will leave the number of CPUs unchanged.

Nice Easter days to everyone!

Lars.

Original Message processed by david®

Urgent Hyper-V problem - please help :-) (29-Mrz-2013 17:52)
From: blueo...@larsi.de
To: BlueOnyx General Mailing List

Hello,

I did a yum update on a customer's server and after that there is no network connection. I read all the issues with hyper-v and some time ago Michael noticed a problem with irqbalancing on this server. But this time "service irqbalancing stop" did not change anything.

All solutions point me to boot an older kernel, but I can't do this. Every time I boot the machine, it always goes to the last kernel and changing the grub.conf only results in a broken server, which won't boot anymore.

Does anyone have an idea for me? I can boot the server in kernel 2.6.32-279.5.1.el6.i686.

Thanks in advance.

Lars.
[BlueOnyx:12644] Re: Urgent Hyper-V problem - please help :-)
Kernel 5.9 and 6.4 (2.6.32-358) have proper built-in support for Hyper-V.

All you need to do is:

Boot into the old kernel.

Remove the old Hyper-V components as follows. Execute the following steps in the bash shell.

1. First, execute:

   rpm -qa | grep microsoft

   Example: On a RHEL 5.8 system, you will see the following:

   # rpm -qa | grep microsoft
   kmod-microsoft-hyper-v-3.4-1.20120727
   microsoft-hyper-v-3.4.20120727

2. Next, execute:

   rpm -e microsoft-hyper-v- kmod-microsoft-hyper-v-

Then reboot into the new kernel 2.6.32-358.

You can then add a NON-LEGACY network card and have a much faster network stack. Give the new card the same Virtual MAC as the old card and there are no config changes needed either.

Jason Ozin

From: blueonyx-boun...@mail.blueonyx.it [mailto:blueonyx-boun...@mail.blueonyx.it] On Behalf Of blueo...@larsi.de
Sent: 29 March 2013 16:52
To: blueo...@blueonyx.it
Subject: [BlueOnyx:12643] Urgent Hyper-V problem - please help :-)

Hello,

I did a yum update on a customer's server and after that there is no network connection. I read all the issues with hyper-v and some time ago Michael noticed a problem with irqbalancing on this server. But this time "service irqbalancing stop" did not change anything.

All solutions point me to boot an older kernel, but I can't do this. Every time I boot the machine, it always goes to the last kernel and changing the grub.conf only results in a broken server, which won't boot anymore.

Does anyone have an idea for me? I can boot the server in kernel 2.6.32-279.5.1.el6.i686.

Thanks in advance.

Lars.
[BlueOnyx:12643] Urgent Hyper-V problem - please help :-)
Hello,

I did a yum update on a customer's server and after that there is no network connection. I read all the issues with hyper-v and some time ago Michael noticed a problem with irqbalancing on this server. But this time "service irqbalancing stop" did not change anything.

All solutions point me to boot an older kernel, but I can't do this. Every time I boot the machine, it always goes to the last kernel and changing the grub.conf only results in a broken server, which won't boot anymore.

Does anyone have an idea for me? I can boot the server in kernel 2.6.32-279.5.1.el6.i686.

Thanks in advance.

Lars.
[BlueOnyx:12642] Re: DNS Spamming
Hi Colin,

> Also - the 'cache lookups' is on by default!
> Maybe this should be changed on the ISO and VPS templates?

Yeah, that's probably a good idea. I'll look into it and see what can be done. The other idea about separating cache and recursion and pre-populating "localhost" and "localnet" also makes sense. I haven't yet wrapped my mind fully around it and will need to check the Bind documentation again.

--
With best regards

Michael Stauber
[BlueOnyx:12641] Re: DNS Spamming
I'll second that idea. For the good of the Internet, now that these attacks are a daily occurrence. I'd chalk it up to being a good neighbor/netizen. Windows is the same way.

I ended up as a participant in that attack because I forgot to flip that switch. :( Thank god for bandwidth monitoring and a heads-up networking team. We only participated in it for a couple hours before we realized the issue and plugged the holes.

Sent from my iPhone

On Mar 29, 2013, at 9:18 AM, Colin Jack wrote:

> Also - the 'cache lookups' is on by default!
> Maybe this should be changed on the ISO and VPS templates?
>
> On 20 Mar 2013, at 21:47, Michael Stauber wrote:
>
>> Hi George,
>>
>>> You may have been an unwitting part of this:
>>>
>>> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>>
>> While this is good advice and should be common practice: It doesn't
>> protect against excessive 'ANY?' queries. Just saying.
>>
>> --
>
> Regards
>
> Colin
[BlueOnyx:12640] Re: Another Issue
Nope, still the same error:

Error: Package: libcurl-7.19.7-35.el6.x86_64 (sl)
Requires: libssh2(x86-64) >= 1.4.2
Installed: libssh2-1.2.7-1.el6.x86_64 (@anaconda-Aventurin{e}-201209032350.x86_64/6)
libssh2(x86-64) = 1.2.7-1.el6
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

RC

--
+-+
Richard C. Barker Sr.
CEO & President
1-800-510-3139
ProBass Networks Inc.
http://www.probassnetworks.net
http://www.probass.net
*** DISCLAIMER: This e-mail is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message.
+-+
[BlueOnyx:12639] Re: Another Issue
On 29/03/2013 13:01, Richard Barker wrote:

> Not using downloaded repomd.xml because it is older than what we have:
> Current : Wed Mar 27 15:29:28 2013
> Downloaded: Wed Mar 27 15:26:50 2013

The repomd.xml date issue is caused by Scientific Linux 6.4 shipping last night. In their announcement to their mailing list they advised people to do a `yum clean expire-cache` before upgrading.

I wouldn't be surprised if this wasn't a nice hack to stop thousands of servers hitting their repos at the same time.

Dan
[BlueOnyx:12638] Re: DNS Spamming
Also - the 'cache lookups' is on by default!
Maybe this should be changed on the ISO and VPS templates?

On 20 Mar 2013, at 21:47, Michael Stauber wrote:

> Hi George,
>
>> You may have been an unwitting part of this:
>>
>> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>
> While this is good advice and should be common practice: It doesn't
> protect against excessive 'ANY?' queries. Just saying.
>
> --

Regards

Colin
[BlueOnyx:12637] Re: DNS Spamming
Yea, I was just reading about that here: http://thehackernews.com/2013/03/worlds-biggest-ddos-attack-that-almost.html - stupid kids.

On Mar 29, 2013, at 6:08 AM, Colin Jack wrote:
> Thank you ...
>
> Colin
>
>> You may have been an unwitting part of this:
>>
>> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>>
>> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
>> a checkbox labeled "Cache Record Lookups". This sounds like it might be a
>> good thing, but what it's really doing is telling the DNS server to "Allow
>> Recursion" if checked.
>>
>> Allowing recursion to *anyone* opens the server up to be a prime candidate
>> for use in a DNS amplification DDoS attack, precisely what the article
>> describes.
>>
>> To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
>> do recursive lookups for in the box: "Query Request Recursion Access by IP
>> Address".
>>
>> To cloud the issue further, older versions of BIND may be fully open (much
>> like being an open mail relay was once considered a Good Thing). In some
>> versions, "localhost; localnets" are the default for which recursion is
>> allowed. In others, the default means anyone.
>>
>> Check your BIND version and the actual recursion settings in
>> /etc/named.conf.
>>
>> The iptables count-then-drop solutions mentioned by others here can help
>> mitigate an attack on your server once one begins; but the inbound query
>> traffic will still reach the server, even though no outbound response to
>> it is generated.
>>
>> The problem with this approach is that a single or infrequent probe test
>> DNS query by the attacker will get by the counter; and if recursion is
>> allowed to external networks, your server would be seen and flagged as a
>> good target. The solution also means that you'd be sending out a few
>> 'attack' replies whenever the counter gets reset. But, if recursion is
>> denied by proper BIND configuration, then probe tests will fail every
>> time, and hopefully the attacker will leave you alone and go looking
>> elsewhere for a vulnerable machine.
>>
>> =^_^= Tigerwolf
[BlueOnyx:12636] Re: DNS Spamming
Thank you ...

Colin

> You may have been an unwitting part of this:
>
> http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
>
> In Blue Quartz/Blue Onyx, under Network Service/DNS/Advanced, there's
> a checkbox labeled "Cache Record Lookups". This sounds like it might be a
> good thing, but what it's really doing is telling the DNS server to "Allow
> Recursion" if checked.
>
> Allowing recursion to *anyone* opens the server up to be a prime candidate
> for use in a DNS amplification DDoS attack, precisely what the article
> describes.
>
> To prevent this, be sure you list *ONLY* IPs/networks the server NEEDS to
> do recursive lookups for in the box: "Query Request Recursion Access by IP
> Address".
>
> To cloud the issue further, older versions of BIND may be fully open (much
> like being an open mail relay was once considered a Good Thing). In some
> versions, "localhost; localnets" are the default for which recursion is
> allowed. In others, the default means anyone.
>
> Check your BIND version and the actual recursion settings in
> /etc/named.conf.
>
> The iptables count-then-drop solutions mentioned by others here can help
> mitigate an attack on your server once one begins; but the inbound query
> traffic will still reach the server, even though no outbound response to
> it is generated.
>
> The problem with this approach is that a single or infrequent probe test
> DNS query by the attacker will get by the counter; and if recursion is
> allowed to external networks, your server would be seen and flagged as a
> good target. The solution also means that you'd be sending out a few
> 'attack' replies whenever the counter gets reset. But, if recursion is
> denied by proper BIND configuration, then probe tests will fail every
> time, and hopefully the attacker will leave you alone and go looking
> elsewhere for a vulnerable machine.
>
> =^_^= Tigerwolf
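The check Tigerwolf recommends above ("check your BIND version and the actual recursion settings in /etc/named.conf") can be scripted. The following is an added example, not code from this thread, from BlueOnyx or from BIND: a POSIX shell audit that classifies a named.conf as having recursion disabled, restricted to an explicit ACL, unspecified (left to the version-dependent default), or open to the world. The function names (`classify_recursion`, `write_*_conf`) and the three sample configurations are constructed for illustration; the "open" sample is the shape you get with "Cache Record Lookups" ticked and no IP restriction, the "restricted" sample is the corrected form.

```shell
#!/bin/sh
# Added example, not code from the BlueOnyx list thread or from BIND itself:
# audit a BIND named.conf for the open-recursion condition the thread
# describes. The sample configs below are constructed for illustration.

# classify_recursion FILE
# Prints "disabled", "restricted", "unspecified" or "open".
# Returns 0 when recursion is off or limited to an explicit ACL without
# "any"; returns 1 when the server needs attention.
classify_recursion() {
    conf="$1"
    # Drop // and # comments, then flatten the file onto one line so that a
    # multi-line "allow-recursion { ... };" block can be matched as a unit.
    # (Assumes no quoted string contains "//", true of the samples here.)
    stripped=$(sed -e 's|//.*||' -e 's|#.*||' "$conf" | tr -s ' \t\n' ' ')

    # "recursion no;" switches recursion off entirely, whatever the ACL says.
    if printf '%s' "$stripped" | grep -q 'recursion *no *;'; then
        echo disabled
        return 0
    fi

    # Pull out the body of the allow-recursion ACL, if one is configured.
    acl=$(printf '%s' "$stripped" | sed -n 's/.*allow-recursion *{\([^}]*\)}.*/\1/p')
    if [ -z "$acl" ]; then
        # No explicit ACL: the default depends on the BIND version (some
        # default to "localhost; localnets", older ones to anyone), so this
        # cannot be judged from the file alone and is flagged for review.
        echo unspecified
        return 1
    fi

    # "any" (or an all-zeros prefix) inside the ACL opens recursion to the world.
    if printf '%s' "$acl" | grep -Eq '(^|[ ;])(any|0\.0\.0\.0/0)( *;|$)'; then
        echo open
        return 1
    fi
    echo restricted
    return 0
}

# Constructed sample: the risky shape, equivalent to ticking the GUI box
# and leaving "Query Request Recursion Access by IP Address" unrestricted.
write_open_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };   // anyone on the Internet may recurse
};
EOF
}

# Constructed sample: the hardened shape, recursion limited to loopback,
# directly attached networks and one documentation prefix (192.0.2.0/24).
write_restricted_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    # only local clients and our own management prefix may recurse
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
};
EOF
}

# Constructed sample: an authoritative-only server with recursion off.
write_disabled_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion no;
};
EOF
}

# Run the audit over the three samples.
for kind in open restricted disabled; do
    tmp=$(mktemp)
    "write_${kind}_conf" "$tmp"
    printf '%-10s -> ' "$kind"
    classify_recursion "$tmp" || :
    rm -f "$tmp"
done
```

Run it against the real file with `classify_recursion /etc/named.conf` on the server itself; a non-zero exit status means the ACL needs fixing in the GUI box Tigerwolf names. The file check complements, rather than replaces, the external test Chris describes later in the thread: from a host outside your own networks, `dig +recurse @<your-server-ip> <some-name-you-are-not-authoritative-for>` should come back without the `ra` flag and without resolving the name (typically status REFUSED) once recursion is correctly restricted.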
[BlueOnyx:12635] Re: You may have been a unwitting part of this:
On 3/28/2013 8:39 AM, George F. Nemeyer wrote:
> It's a good time to keep an eye on your networks for unusual traffic.

Yeah, no kidding. We took a look at the end of last week after noticing that our outbound peer traffic was around 150Mbps more than what it typically hovers at. Traffic of course has its peaks and valleys but we were seeing a good 150Mbps increase over the prior days with no good explanation.

> Just watching the ethernet light if you can physically see your machines
> or switches/routers can help spot a machine being exploited, as it will be
> on nearly constantly.

Yes, or in our case, we do employ extensive historical graphing across all network assets. We spotted a couple of drops to customer equipment that looked especially out of place in terms of the amount of traffic they typically use. In one case, a customer that for 6 years had been running consistently under 1Mbps at 95th percentile was suddenly fully saturating a 100Mbps drop for almost 2 days. We reached out to them and asked them to close up their recursive DNS hole. The traffic dropped back to normal levels.

After finding the really obvious ones, we started looking across the entire network and testing for open nameservers and have proactively contacted customers whether they are being exploited (yet) or not.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
[BlueOnyx:12634] Aventurine Errors
Got these errors when yum attempted an update on both Aventurine servers:

Error: Package: libcurl-7.19.7-35.el6.x86_64 (sl)
           Requires: libssh2(x86-64) >= 1.4.2
           Installed: libssh2-1.2.7-1.el6.x86_64 (@anaconda-Aventurin{e}-201209032350.x86_64/6)
               libssh2(x86-64) = 1.2.7-1.el6
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Thanks in advance to all or any who may answer

RC
--
+-+
Richard C. Barker Sr.
CEO & President
1-800-510-3139
ProBass Networks Inc.
http://www.probassnetworks.net
http://www.probass.net
+-+
[BlueOnyx:12633] Another Issue
Not using downloaded repomd.xml because it is older than what we have:
  Current   : Wed Mar 27 15:29:28 2013
  Downloaded: Wed Mar 27 15:26:50 2013
Error: Package: libcurl-7.19.7-35.el6.x86_64 (sl)
           Requires: libssh2(x86-64) >= 1.4.2
           Installed: libssh2-1.2.7-1.el6.x86_64 (@anaconda-Aventurin{e}-201209032350.x86_64/6)
               libssh2(x86-64) = 1.2.7-1.el6

--
+-+
Richard C. Barker Sr.
CEO & President
1-800-510-3139
ProBass Networks Inc.
http://www.probassnetworks.net
http://www.probass.net
+-+