Re: [GTALUG] Ubuntu -- Disabling Ping

2018-08-29 Thread Howard Gibson via talk
On Wed, 29 Aug 2018 22:03:52 -0400
Alvin Starr via talk wrote:
> you could also do the following:
> 
> sudo sysctl net.ipv4.icmp_echo_ignore_all=1

Alvin,

   That's it.  I saw instructions on the internet to update /etc/sysctl.conf, 
but they did it wrong.  Your command line works!

   Thank you. 

   I will be updating my website to show easy install methods for Ubuntu and 
Fedora.

-- 
Howard Gibson 
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk
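Pulling the thread's answers together, here is an added shell example (not something anyone posted) that applies the knob the way William and Alvin describe, makes it survive a reboot, and verifies the result. The sysctl key, the /proc path and the sysctl command are from the thread; the drop-in file name /etc/sysctl.d/90-no-ping.conf, the SUDO and APPLY variables and the function names are my own choices. The functions take the target file as a parameter so they can be exercised against a scratch file without root.

```sh
#!/bin/sh
# Added example (not from the thread): ignore ICMP echo requests at runtime,
# persist the setting in a sysctl.d drop-in, and confirm it took effect.
set -eu

KEY="net.ipv4.icmp_echo_ignore_all"
PROC_FILE="/proc/sys/net/ipv4/icmp_echo_ignore_all"
DROPIN="/etc/sysctl.d/90-no-ping.conf"   # my choice of file name
SUDO="${SUDO-sudo}"   # set SUDO="" when already root (or when testing on a scratch file)

# Write value $1 into file $2 from inside the privileged shell. The redirection
# is performed by the sh that sudo starts, not by the caller's shell, which is
# the whole difference between "sudo echo 1 > file" (fails) and this (works).
set_knob() {
    $SUDO sh -c 'printf "%s\n" "$1" > "$2"' sh "$1" "$2"
}

# Print the current content of file $1 with all whitespace stripped.
get_knob() {
    tr -d '[:space:]' < "$1"
}

# Produce the sysctl.d fragment for key $1 and value $2.
render_dropin() {
    printf '# Ignore ICMP echo requests (ping) on all IPv4 interfaces\n%s = %s\n' "$1" "$2"
}

# Install the fragment at $1 and reload every sysctl.d file, as boot would.
install_dropin() {
    render_dropin "$KEY" 1 | $SUDO tee "$1" >/dev/null
    $SUDO sysctl --system >/dev/null
}

# Succeed only when file $1 holds exactly "1".
is_ignoring_echo() {
    [ "$(get_knob "$1")" = "1" ]
}

# Apply at runtime, persist, and confirm; fail loudly if the knob did not take.
main() {
    set_knob 1 "$PROC_FILE"
    install_dropin "$DROPIN"
    if is_ignoring_echo "$PROC_FILE"; then
        echo "IPv4 echo requests are now ignored ($KEY = 1)"
    else
        echo "failed to set $KEY" >&2
        return 1
    fi
}

# Only act when explicitly asked, so the file can also be sourced for testing.
if [ "${APPLY:-0}" = 1 ]; then
    main
fi
```

Run it as `APPLY=1 sh no-ping.sh` (sudo prompts as needed) or `SUDO= APPLY=1 sh no-ping.sh` when already root. `sudo sysctl net.ipv4.icmp_echo_ignore_all=1` on its own is runtime only; the drop-in is what survives a reboot, and `sysctl --system` is the same loader the boot process uses, so running it is a cheap check that the file parses. Two caveats: the knob is IPv4 only, so `ping -6` still gets answers unless you set net.ipv6.icmp.echo_ignore_all (on kernels that provide it) or drop ICMPv6 echo-request in the firewall, and ICMPv6 as a whole has to stay open because neighbour discovery runs over it; and not answering ping hides nothing else, since any listening service remains discoverable by a port scan.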


Re: [GTALUG] Which Distro is Best for Running a ZFS-on-Linux Fileserver.

2018-08-29 Thread Amos H. Weatherill via talk
Hello All,

Thank you for your Feedback and Discussion.

FreeBSD is a good suggestion but I don't want to wander away from what I know 
and as Scott pointed out, this is a Linux User Group ...

Also, once I get More RAM, I will want to Consolidate Services running on other 
machines on to the NAS.

Currently, I have 8 GB of RAM, which my reading says should be enough to 
support a 4 TB ZFS Pool and the Necessary Samba configuration.

At the moment, my Network copy speed appears to be limited to about 25 MB/s but 
I suspect that this is because my Shares are on a Windows Machine with a PCI 
SATA Card.

So, if the NAS can do better, I'll declare Victory ...

Scott,

My reasoning for / on ZFS is pretty Simple ... the machine that is becoming my 
first NAS only has 4 SATA Ports, so I can't afford to Waste one on a boot drive.

For Distro, I think I'll go with Fedora, as long as the / on ZFS guide is 
sufficiently detailed.

Thank You All,
Amos

Sent from my android device.

-Original Message-
From: Scott Sullivan via talk 
To: talk@gtalug.org
Sent: Tue, 28 Aug 2018 5:19 PM
Subject: Re: [GTALUG] Which Distro is Best for Running a ZFS-on-Linux 
Fileserver.

Having read through the thread to date, I'm actually a little 
disappointed at the number of linux users pushing towards a Solaris or 
BSD for ZFS.

My primary File servers (4 of them) are all using ZFS for their data 
partitions.


Amos,

## Couple of Answers to your questions

A) Disto?

I regularly run ZFS on CentOS and Fedora on a mix of SSDs and HDDs of 
both the internal and external varieties. Fedora has some caveats, only 
in that sometimes the kernel releases get ahead of what the ZFS on linux 
team will support. And it's just a matter of waiting on a working kernel 
zfs combination a week or two for them to catch up.

But frankly, just pick your favorite distro and follow the relevant 
getting started guide.

https://zfsonlinux.org/


B)  Distro with ZFS root support (at install time)?

No distro install supports this yet as far as I've seen. The do-it-yourself 
Ubuntu guide is lengthy, but very well detailed.

https://github.com/zfsonlinux/zfs/wiki/Ubuntu-18.04-Root-on-ZFS

Arch also supports ZFS root, but their installation is largely manual 
to begin with.

https://wiki.archlinux.org/index.php/Installing_Arch_Linux_on_ZFS


## Couple of my own Questions

1) Why root (/) on ZFS? What is your use case / risk you're trying to 
mitigate?


On 2018-08-24 02:26 PM, right.maple.nut via talk wrote:
> 
> Hello All,
> 
> Like the Subject Line says, I'm setting up a ZFS File Server for my Home 
> Network.
> 
> Given that I will have to go to the trouble of setting up the Distro and 
> Migrating the Linux Install to ZFS Root, I don't want to have to do this 
> too many times.
> 
> So, which Distro are the favourite for Running ZFS-on-Linux?
> 
> Also, is there such a thing as a Linux Distro that is smart enough to 
> give you a choice if you are willing to use non-GPL'ed code in the 
> Installer, so that I can just Install Directly on a ZFS Pool?
> 
> Thank You in Advance for your Input.
> 
> Regards,
> Amos
> 


-- 
Scott Sullivan


Re: [GTALUG] fail2ban problem

2018-08-29 Thread ac via talk
Hi,

Normally, I would not respond to a post like yours :)

When people ask your DNS server a question, they are not logging into
your system, so fail2ban is not the correct tool.

The correct answer is any of the below: you need to write a program or
a script. For example, on a small single system, one that checks your
logs and then adds an iptables rule to your firewall. Larger
systems/clusters simply customize bind or maybe rate limit
connections (check your named.conf - rate limit) and/or a
combination of these things. There are also many other ways to stop
this (for example forward write to your routers (if you have
routers) etc.).

hth

Andre

On Wed, 29 Aug 2018 20:40:16 -0400
Michael Galea via talk wrote:

> I am experiencing what I believe is a DNS amplification attack on my 
> bind9 DNS server.
> 
> I'm seeing very of the following on different IPs
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ 
> [1au] ANY? USADF.GOV. (38)
> 
> My server responds
> 20:11:53.96 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 
> Refused- 0/0/1 (38)
> 
> I imagine the IPs are spoofed.
> I have installed fail2ban in order to address the problem. Various 
> howtos detail how to configure bind to log to 
> /var/log/named/security.log and setup fail2ban.
> 
> The security.log is filling nicely with lots of "29-Aug-2018 
> 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): 
> query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating 
> "Jail 'named-refused' started" but it never actually bans an IP.
> 
> 2) I used fail2ban-regex to test the security.log line against
> fail2ban's named-refused regex, but it doesn't match! So I have to
> conclude either debian bind9 changed the log output or fail2ban got
> it wrong.
> 
> I'm using the latest fail2ban from debian. Has anyone else got this
> to work?
> 

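To make concrete what a filter has to match here, the following is an added shell example, not something posted in the thread. It extracts the client address and query from bind "denied" lines in the format Michael quoted (the sample lines are constructed to match that format, reusing the addresses from his post), counts them per source, and reports sources at or above a threshold, which is the matching and counting step any homegrown log script or fail2ban failregex must get right first. The threshold, the RUN switch, the 192.0.2.10 filler address and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): parse bind "query ... denied" lines,
# count them per source address, and list the heavy hitters.
set -eu

SECURITY_LOG="${SECURITY_LOG:-/var/log/named/security.log}"   # path from the thread
THRESHOLD="${THRESHOLD:-5}"                                    # my choice

# Constructed sample input in the format Michael posted; the client handle,
# the addresses and the query name are copied from his post.
sample_log() {
    cat <<'EOF'
29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:07.901 client @0x7fa1d013b990 66.69.234.170#29025 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:08.012 client @0x7fa1d0140a20 108.234.250.76#62926 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:08.120 client @0x7fa1d013b990 66.69.234.170#29026 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:09.333 client @0x7fa1d0150c00 192.0.2.10#53021 (example.com): query (cache) 'example.com/A/IN' denied
29-Aug-2018 20:23:10.001 client @0x7fa1d013b990 66.69.234.170#29027 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
EOF
}

# Print "<ip> <qname>/<qtype>" for every denied-query line on stdin.
# The optional "@0x..." group is the client handle newer bind versions log
# between "client" and the address; a pattern written for older output that
# expects the address right after "client" silently matches nothing.
denied_queries() {
    sed -n -E 's|^.* client (@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#[0-9]+ \([^)]*\): query \(cache\) '\''([^/]+)/([A-Z0-9]+)/IN'\'' denied$|\2 \3/\4|p'
}

# Count denied queries per source on stdin; print "count ip" for sources with
# at least $1 hits, largest first.
top_sources() {
    min="$1"
    denied_queries \
      | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
      | sort -rn \
      | awk -v min="$min" '$1 >= min'
}

# Report against the real log when explicitly asked.
main() {
    top_sources "$THRESHOLD" < "$SECURITY_LOG"
}

if [ "${RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN=1 sh denied-top.sh` (or `THRESHOLD=20 RUN=1 sh denied-top.sh`). Treat the output as a sizing tool, not a ban list: as Michael suspects, the sources are spoofed, so the addresses with the highest counts are the reflection victims, and pushing them into iptables, which is what a fail2ban ban would do, blocks exactly the people being attacked. That is the substance of the point above that fail2ban is the wrong tool; the "rate limit" remedy mentioned is BIND's response rate limiting, configured with a `rate-limit { responses-per-second N; };` block in `options`. To find out why the stock filter is not matching, `fail2ban-regex /var/log/named/security.log /etc/fail2ban/filter.d/named-refused.conf` prints which lines its failregex does and does not hit.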


Re: [GTALUG] Ubuntu -- Disabling Ping

2018-08-29 Thread William Park via talk
On Wed, Aug 29, 2018 at 09:54:15PM -0400, Jamon Camisso via talk wrote:
> On 29/08/18 21:44, Howard Gibson via talk wrote:
> > $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

'echo' is run as root, but '/proc/sys/net/ipv4/icmp_echo_ignore_all' is
written to as normal user.  Try
sudo sh -c 'echo 1 > ...'

> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

I could've used this 'tee' solution today!
-- 
William Park 


Re: [GTALUG] Ubuntu -- Disabling Ping

2018-08-29 Thread Alvin Starr via talk

On 08/29/2018 09:54 PM, Jamon Camisso via talk wrote:
> On 29/08/18 21:44, Howard Gibson via talk wrote:
>> I am playing with my hack Ubuntu machine, and I am sorting out
>> security. I want to disable ping.  This is a laptop, and I want to
>> document the application of aluminium foil.
>>
>> The standard ping disabler is the following line...
>>
>> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>>
>> This works fine on my Fedora laptop.  On Ubuntu, I get...
>
> The # makes me think you are root on the Fedora laptop.
>
>> $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>> -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
>
> That's expected with a sudo echo > redirect invocation. The shell is
> doing redirection. sudo is invoking echo, the output of which is being
> redirected in your normal user's shell to a file that you do not have
> permission to write to.
>
> Try this if you want to go the sudo route:
>
> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> That way tee is invoked with elevated privileges and writes its output
> to the file.
>
> Or you can become root like on your Fedora system and use echo 1 >...

you could also do the following:

sudo sysctl net.ipv4.icmp_echo_ignore_all=1

--
Alvin Starr   ||   land:  (905)513-7688
Netvel Inc.   ||   Cell:  (416)806-0133
al...@netvel.net  ||



Re: [GTALUG] Ubuntu -- Disabling Ping

2018-08-29 Thread Jamon Camisso via talk
On 29/08/18 21:44, Howard Gibson via talk wrote:
>I am playing with my hack Ubuntu machine, and I am sorting out
> security. I want to disable ping.  This is a laptop, and I want to
> document the application of aluminium foil.
> 
>The standard ping disabler is the following line...
> 
> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> 
>This works fine on my Fedora laptop.  On Ubuntu, I get...

The # makes me think you are root on the Fedora laptop.

> $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

That's expected with a sudo echo > redirect invocation. The shell is
doing redirection. sudo is invoking echo, the output of which is being
redirected in your normal user's shell to a file that you do not have
permission to write to.

Try this if you want to go the sudo route:

echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

That way tee is invoked with elevated privileges and writes its output
to the file.

Or you can become root like on your Fedora system and use echo 1 >...

Cheers, Jamon


[GTALUG] Ubuntu -- Disabling Ping

2018-08-29 Thread Howard Gibson via talk
   I am playing with my hack Ubuntu machine, and I am sorting out
security. I want to disable ping.  This is a laptop, and I want to
document the application of aluminium foil.

   The standard ping disabler is the following line...

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

   This works fine on my Fedora laptop.  On Ubuntu, I get...

$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

   The file exists.  I can print it with "cat" (it prints "0").  Why can
I not change it?

-- 
Howard Gibson 
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson


[GTALUG] fail2ban problem

2018-08-29 Thread Michael Galea via talk
I am experiencing what I believe is a DNS amplification attack on my 
bind9 DNS server.


I'm seeing very of the following on different IPs
20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ 
[1au] ANY? USADF.GOV. (38)


My server responds
20:11:53.96 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 
Refused- 0/0/1 (38)


I imagine the IPs are spoofed.
I have installed fail2ban in order to address the problem. Various 
howtos detail how to configure bind to log to 
/var/log/named/security.log and setup fail2ban.


The security.log is filling nicely with lots of "29-Aug-2018 
20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): 
query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating 
"Jail 'named-refused' started" but it never actually bans an IP.


2) I used fail2ban-regex to test the security.log line against fail2ban's 
named-refused regex, but it doesn't match! So I have to conclude either 
debian bind9 changed the log output or fail2ban got it wrong.


I'm using the latest fail2ban from debian. Has anyone else got this to 
work?


--
Michael Galea


Re: [GTALUG] Any good analog phone?

2018-08-29 Thread John Moniz via talk
I second that, nothing beats a Nortel phone. If you can find a used/refurbished one that has the features you want, get it.

John.

On Aug 28, 2018 10:09 PM, Don Tai via talk wrote:
> We have a couple of high quality analog/digital phones in the house. I prefer old Nortel Cntempra or Nortel Aastra M8003 phones. Solid as a rock, great sound quality, no batteries required. They come with a digital/analog switch.
> 
> https://usedphones.com/nortel-aastra-m8003-nt2n26aa211.html
> 
> I have seen them at refurbish stores in Scarborough, or even at garage sales.
> 
> Don
> 
> On Tue, 28 Aug 2018 at 22:02, William Park via talk wrote:
>> Hi all,
>>
>> Do you know where I can buy a good quality analog phone, with
>>     - corded (no battery)
>>     - caller id
>>     - voicemail not required
>>
>> CanadaComputers has only VTech brand, which is what I have now and what
>> I want to replace.  I'm not too keen on Panasonic brand, from past
>> experience.
>> -- 
>> William Park 