Re: [GTALUG] fail2ban problem
Hi,

Well, named is pretty smart and knew the requests were bogus, as indicated by the "denied". My named is still resolving valid requests for my domain.

And fail2ban does support this very circumstance. I had to edit fail2ban's built-in regex for named before it would work. I am guessing that bind added a field into the security.log message that broke the regex.

For any that care, since I use shorewall as my firewall, I also had to modify the fail2ban banaction to use shorewall instead of iptables, and modify shorewall to dynamic blacklist ALL connections.

After all this is done, my ppp connection sees the bogus requests but silently ignores them.

On 08/29/18 23:29, ac via talk wrote:
> Hi,
>
> normally, i would not respond to a post like yours :)
>
> when people ask your dns server a question, they are not logging into your system. - so fail2ban is not the correct tool
>
> the correct answer is any of the below:
>
> you need to write a program or a script
> for example on a small single system - one that checks your logs and then adds an iptables rule to your firewall - larger systems/clusters simply customize bind
> or maybe rate limit connections (check your named.conf - rate limit)
> and/or a combination of these things - there are also many other ways to stop this (for example forward write to your routers (if you have routers) etc.
>
> hth
>
> Andre
>
> On Wed, 29 Aug 2018 20:40:16 -0400 Michael Galea via talk wrote:
> > I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
> >
> > I'm seeing very of the following on different IPs
> > 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
> >
> > My server responds
> > 20:11:53.96 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
> >
> > I imagine the IPs are spoofed.
> > I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and set up fail2ban.
> >
> > The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.
> >
> > 2) I used fail2ban-regex to test the security.log line against fail2ban's named-refused regex, but it doesn't match! So I have to conclude either debian bind9 changed the log output or fail2ban got it wrong.
> >
> > I'm using the latest fail2ban from debian. Has anyone else got this to work?

--
Michael Galea
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk
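The regex breakage described in this message, as an added example that is not part of the original thread and is not fail2ban's shipped filter: a hypothetical strict pattern that expects the address right after "client" misses the quoted log line, while a pattern that tolerates the "@0x..." field matches it. The sample lines are constructed from the format quoted above, the pattern names are assumptions, and the `host` group plays the role of fail2ban's `<HOST>` placeholder.

```python
import re
from collections import Counter

# Constructed sample lines. Lines 1, 3, 4 and 5 carry the "@0x..." field seen in
# the thread; line 2 assumes an older layout without it; line 5 is not a denial.
SAMPLE_LOG = [
    "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied",
    "29-Aug-2018 20:23:08.101 client 66.69.234.170#29025 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied",
    "29-Aug-2018 20:23:08.450 client @0x7fa1d013b990 66.69.234.170#29026 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied",
    "29-Aug-2018 20:23:09.002 client @0x7fa1d0140000 198.51.100.7#4411 (example.org): query (cache) 'example.org/A/IN' denied",
    "29-Aug-2018 20:23:09.500 client @0x7fa1d0140000 198.51.100.7#4412 (example.org): view internal: query: example.org IN A +",
]

PREFIX = r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} client "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+"  # IPv4 only (assumption)
TAIL = r" \((?P<qname>[^)]*)\): query(?: \(cache\))? '(?P<question>[^']+)' denied\s*$"

# Hypothetical strict pattern: the address must directly follow "client ".
STRICT = re.compile(PREFIX + HOST + TAIL)
# Tolerant pattern: an optional "@0x<hex> " token may precede the address.
TOLERANT = re.compile(PREFIX + r"(?:@0x[0-9a-fA-F]+ )?" + HOST + TAIL)


def parse_denied(line, pattern=TOLERANT):
    """Return host/qname/question for a 'denied' line, or None if no match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def hosts_over(lines, maxretry, pattern=TOLERANT):
    """Hosts with at least `maxretry` denied queries, most frequent first."""
    hits = (parse_denied(line, pattern) for line in lines)
    counts = Counter(hit["host"] for hit in hits if hit)
    return [(host, n) for host, n in counts.most_common() if n >= maxretry]


if __name__ == "__main__":
    print("strict  :", hosts_over(SAMPLE_LOG, 2, STRICT))
    print("tolerant:", hosts_over(SAMPLE_LOG, 2, TOLERANT))
```

Since the original poster suspects the source addresses are spoofed, the per-host counts show which addresses the refused replies are being sent to, not necessarily who sent the queries.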
Re: [GTALUG] Ubuntu -- Disabling Ping
On Wed, 29 Aug 2018 22:03:52 -0400 Alvin Starr via talk wrote:
> you could also do the following:
>
> sudo sysctl net.ipv4.icmp_echo_ignore_all=1

Alvin,

That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!

Thank you. I will be updating my website to show easy install methods for Ubuntu and Fedora.

--
Howard Gibson
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson
Re: [GTALUG] Ubuntu -- Disabling Ping
On 29/08/18 23:23, Howard Gibson wrote:
>> Try this if you want to go the sudo route:
>>
>> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> It works!
>
> Thank you.
>
> Now all I have to do is stick it in a boot script.

As Alvin Starr pointed out, if you want this to persist, the best way would be via sysctl. Try putting 'net.ipv4.icmp_echo_ignore_all=1' in a file in /etc/sysctl.d, or in /etc/sysctl.conf itself.

Cheers, Jamon
Re: [GTALUG] Which Distro is Best for Running a ZFS-on-Linux Fileserver.
Hello All,

Thank you for your Feedback and Discussion.

FreeBSD is a good suggestion but I don't want to wander away from what I know and as Scott pointed out, this is a Linux User Group ...

Also, once I get More RAM, I will want to Consolidate Services running on other machines on to the NAS. Currently, I have 8 GB of RAM, which my reading says should be enough to support a 4 TB ZFS Pool and the Necessary Samba configuration.

At the moment, my Network copy speed appears to be limited to about 25 MB/s but I suspect that this is because my Shares are on a Windows Machine with a PCI SATA Card. So, if the NAS can do better, I'll declare Victory ...

Scott,

My reasoning for / on ZFS is pretty Simple ... the machine that is becoming my first NAS only has 4 SATA Ports, so I can't afford to Waste one on a boot drive.

For Distro, I think I'll go with Fedora, as long as the / on ZFS guide is sufficiently detailed.

Thank You All,
Amos

Sent from my android device.

-Original Message-
From: Scott Sullivan via talk
To: talk@gtalug.org
Sent: Tue, 28 Aug 2018 5:19 PM
Subject: Re: [GTALUG] Which Distro is Best for Running a ZFS-on-Linux Fileserver.

Having read through the thread to date, I'm actually a little disappointed at the number of linux users pushing towards a Solaris or BSD for ZFS.

My primary File servers (4 of them) are all using ZFS for their data partitions.

Amos,

## Couple of Answers to your questions

A) Distro?

I regularly run ZFS on CentOS and Fedora on a mix of SSDs and HDDs of both the internal and external varieties.

Fedora has some caveats, only in that sometimes the kernel releases get ahead of what the ZFS on linux team will support. And it's just a matter of waiting on a working kernel zfs combination a week or two for them to catch up.

But frankly, just pick your favorite distro and follow the relevant getting started guide.

https://zfsonlinux.org/

B) Distro with ZFS root support (at install time)?

No distro install supports this yet as I've seen.

Although the do it yourself ubuntu guide is lengthy, but very well detailed.

https://github.com/zfsonlinux/zfs/wiki/Ubuntu-18.04-Root-on-ZFS

Arch also supports ZFS root, but their installation is all largely manual to begin with.

https://wiki.archlinux.org/index.php/Installing_Arch_Linux_on_ZFS

## Couple of my own Questions

1) Why root (/) on ZFS, what is your use case / risk you're trying to mitigate?

On 2018-08-24 02:26 PM, right.maple.nut via talk wrote:
>
> Hello All,
>
> Like the Subject Line says, I'm setting up a ZFS File Server for my Home Network.
>
> Given that I will have to go to the trouble of setting up the Distro and Migrating the Linux Install to ZFS Root, I don't want to have to do this too many times.
>
> So, which Distro are the favourite for Running ZFS-on-Linux?
>
> Also, is there such a thing as a Linux Distro that is smart enough to give you a choice if you are willing to use non-GPL'ed code in the Installer, so that I can just Install Directly on a ZFS Pool?
>
> Thank You in Advance for your Input.
>
> Regards,
> Amos

--
Scott Sullivan
Re: [GTALUG] fail2ban problem
Hi,

normally, i would not respond to a post like yours :)

when people ask your dns server a question, they are not logging into your system. - so fail2ban is not the correct tool

the correct answer is any of the below:

you need to write a program or a script
for example on a small single system - one that checks your logs and then adds an iptables rule to your firewall - larger systems/clusters simply customize bind
or maybe rate limit connections (check your named.conf - rate limit)
and/or a combination of these things - there are also many other ways to stop this (for example forward write to your routers (if you have routers) etc.

hth

Andre

On Wed, 29 Aug 2018 20:40:16 -0400 Michael Galea via talk wrote:
> I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
>
> I'm seeing very of the following on different IPs
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
>
> My server responds
> 20:11:53.96 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
>
> I imagine the IPs are spoofed.
> I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and set up fail2ban.
>
> The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.
>
> 2) I used fail2ban-regex to test the security.log line against fail2ban's named-refused regex, but it doesn't match! So I have to conclude either debian bind9 changed the log output or fail2ban got it wrong.
>
> I'm using the latest fail2ban from debian. Has anyone else got this to work?
Re: [GTALUG] Ubuntu -- Disabling Ping
On Wed, 29 Aug 2018 21:54:15 -0400 Jamon Camisso via talk wrote:
> On 29/08/18 21:44, Howard Gibson via talk wrote:
> > I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
> >
> > The standard ping disabler is the following line...
> >
> > # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> >
> > This works fine on my Fedora laptop. On Ubuntu, I get...
>
> The # makes me think you are root on the Fedora laptop.

Yes, I have a Fedora laptop, and that is how I disable ping.

> > $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
>
> That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.
>
> Try this if you want to go the sudo route:
>
> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

It works!

Thank you.

Now all I have to do is stick it in a boot script.

--
Howard Gibson
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson
Re: [GTALUG] Ubuntu -- Disabling Ping
On Wed, Aug 29, 2018 at 09:54:15PM -0400, Jamon Camisso via talk wrote:
> On 29/08/18 21:44, Howard Gibson via talk wrote:
> > $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

'echo' is run as root, but '/proc/sys/net/ipv4/icmp_echo_ignore_all' is written to as normal user. Try

    sudo sh -c 'echo 1 > ...'

> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

I could've used this 'tee' solution today!

--
William Park
Re: [GTALUG] Ubuntu -- Disabling Ping
On 08/29/2018 09:54 PM, Jamon Camisso via talk wrote:
> On 29/08/18 21:44, Howard Gibson via talk wrote:
> > I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
> >
> > The standard ping disabler is the following line...
> >
> > # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> >
> > This works fine on my Fedora laptop. On Ubuntu, I get...
>
> The # makes me think you are root on the Fedora laptop.
>
> > $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
>
> That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.
>
> Try this if you want to go the sudo route:
>
> echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> That way tee is invoked with elevated privileges and writes its output to the file. Or you can become root like on your Fedora system and use echo 1 >...

you could also do the following:

    sudo sysctl net.ipv4.icmp_echo_ignore_all=1

--
Alvin Starr || land: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
al...@netvel.net ||
Re: [GTALUG] Ubuntu -- Disabling Ping
On 29/08/18 21:44, Howard Gibson via talk wrote:
> I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
>
> The standard ping disabler is the following line...
>
> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> This works fine on my Fedora laptop. On Ubuntu, I get...

The # makes me think you are root on the Fedora laptop.

> $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.

Try this if you want to go the sudo route:

    echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

That way tee is invoked with elevated privileges and writes its output to the file. Or you can become root like on your Fedora system and use echo 1 >...

Cheers, Jamon
[GTALUG] Ubuntu -- Disabling Ping
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.

The standard ping disabler is the following line...

    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This works fine on my Fedora laptop. On Ubuntu, I get...

    $ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    -bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied

The file exists. I can print it with "cat" (it prints "0"). Why can I not change it?

--
Howard Gibson
hgib...@eol.ca
jhowardgib...@gmail.com
http://home.eol.ca/~hgibson
[GTALUG] fail2ban problem
I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.

I'm seeing very of the following on different IPs

    20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)

My server responds

    20:11:53.96 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)

I imagine the IPs are spoofed.
I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and set up fail2ban.

The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.

2) I used fail2ban-regex to test the security.log line against fail2ban's named-refused regex, but it doesn't match! So I have to conclude either debian bind9 changed the log output or fail2ban got it wrong.

I'm using the latest fail2ban from debian. Has anyone else got this to work?

--
Michael Galea
Re: [GTALUG] Lenovo ThinkPad Compact Bluetooth Keyboard with TrackPoint
For the battery, I've never put it through heavy enough use to test that claim.

The bluetooth model can't dual mode, the usb port is for charging only.

On August 28, 2018 10:18:19 PM EDT, William Park via talk wrote:
> Thanks for the links. For the bluetooth model,
> - does the battery really last 1 month?
> - is it bluetooth only, or can you use USB on it?
>
> I'm looking for something I can carry between work and home, and use for laptop and desktop.
> --
>
> On Tue, Aug 28, 2018 at 06:35:42PM -0400, Scott Sullivan via talk wrote:
>> I've had a number of folks express interest after seeing me use mine.
>> So I'm just going to drop the links here for general reference.
>>
>> Lenovo ThinkPad Compact Bluetooth Keyboard with TrackPoint
>>
>> https://www.newegg.ca/Product/Product.aspx?Item=N82E16823218058CVF
>> https://www.lenovo.com/ca/en/accessories-and-monitors/keyboards-and-mice/keyboards/KEYBOARD-US-English/p/0B47189
>>
>> They also make a USB only version, which I have two of as daily drivers for at home and work.
>> https://www.lenovo.com/ca/en/accessories-and-monitors/keyboards-and-mice/keyboards/KEYBOARD-US-English/p/0B47190
>>
>> --
>> Scott Sullivan
>
> --
> William Park

--
Scott Sullivan
Re: [GTALUG] Any good analog phone?
I second that, nothing beats a Nortel phone. If you can find a used/refurbished one that has the features you want, get it.

John.

On Aug 28, 2018 10:09 PM, Don Tai via talk wrote:
> We have a couple of high quality analog/digital phones in the house. I prefer old Nortel Contempra or Nortel Aastra M8003 phones. Solid as a rock, great sound quality, no batteries required. They come with a digital/analog switch.
>
> https://usedphones.com/nortel-aastra-m8003-nt2n26aa211.html
>
> i have seen them at refurbish stores in Scarborough, or even at garage sales.
>
> Don
>
> On Tue, 28 Aug 2018 at 22:02, William Park via talk wrote:
> > Hi all,
> >
> > Do you know where I can buy a good quality analog phone, with
> > - corded (no battery)
> > - caller id
> > - voicemail not required
> >
> > CanadaComputers has only VTech brand, which is what I have now and what I want to replace. I'm not too keen on Panasonic brand, from past experience.
> > --
> > William Park