DuckCorp Projects: Issues (https://projects.duckcorp.org/, feed updated 2022-04-19T20:10:01Z)

DuckCorp Infrastructure - Enhancement #770 (Resolved): redmine_dc: delete spam accounts
https://projects.duckcorp.org/issues/770 | 2022-04-19T20:10:01Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>I deleted some redmine accounts (from the redmine DuckCorp instance only), for example those listed by this command:<br /><pre>
wget https://www.stopforumspam.com/downloads/listed_email_365.gz
gunzip listed_email_365.gz
# first input: the spam list (one address per line); second input (-): "user_id address" rows from the database
mysql redmine_dc -B -N -s -e "select user_id, address from email_addresses inner join users where email_addresses.user_id = users.id;" | gawk '$1 !~ /^[0-9]+$/{ a[$1] = ""} $2 in a { print $1 " " $2 }' listed_email_365 - | wc -l
</pre><br />I also deleted some (3) locked accounts and almost all inactivated accounts.</p>
DuckCorp Infrastructure - Enhancement #745 (New): ban IPs that try to authenticate with a nonexis...
https://projects.duckcorp.org/issues/745 | 2021-11-24T14:03:15Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>Fail2ban should block the following attempts:<br /><pre>
Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
</pre></p>
<p>Some numbers in order to support the new filter (the oldest entry in the journal is 7 days old):<br /><pre>
root@Toushirou:~# # count all entries
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | wc -l
5032
root@Toushirou:~# # check the regex
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | paste -sd+ | bc
5029
root@Toushirou:~# # display the most used IPs
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | head -n 10
741
566
467
362
307
182
177
174
167
161
# There are 697 different IPs, the twenty most used produce 85% of the login failure.
</pre></p>
DuckCorp Infrastructure - Enhancement #732 (Resolved): passenger: a better path for restart.txt
https://projects.duckcorp.org/issues/732 | 2021-09-12T16:55:33Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>Following <a class="external" href="https://projects.duckcorp.org/issues/718#note-10">https://projects.duckcorp.org/issues/718#note-10</a>:</p>
<p>Passenger looks for <code>restart.txt</code> below <code>/usr/share/redmine/tmp/</code> directory (thanks <code>strace</code>).</p>
<p>Setting <a href="https://github.com/phusion/passenger/blob/1646e62ddf0c6e9b2e92ad73a6ae50db2be94cf6/src/agent/Core/ApplicationPool/Group/InitializationAndShutdown.cpp#L121-L130" class="external">either <code>PassengerAppRoot</code> or <code>PassengerRestartDir</code></a> would allow using a better directory, something like <code>/var/lib/redmine/dc/tmp/restart.txt</code>.</p>
DuckCorp Infrastructure - Tracking #731 (Resolved): redmine: disable usage of non-free gravatar s...
https://projects.duckcorp.org/issues/731 | 2021-09-11T23:29:46Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>The <code>projects.duckcorp.org</code> instance of redmine uses the non-free gravatar service.</p>
<p>Usage of the service should be disabled or another instance backed by a free service should be used.</p>
<p>Note that the <a href="https://www.redmine.org/issues/9112" class="external">next release of redmine</a> will allow choosing an instance other than gravatar.</p>
DuckCorp Infrastructure - Enhancement #719 (Rejected): redmine role depends on unversioned patches
https://projects.duckcorp.org/issues/719 | 2021-02-12T00:13:40Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p><a href="https://projects.duckcorp.org/projects/dc-admin/repository/ansible-role-redmine/revisions/master/entry/tasks/plugins.yml#L34" class="external">The plugin patches aren't versioned</a>; they are stored on the filesystem where redmine is installed.</p>
<p>The patches should be moved to the repository where the Ansible inventory is located.</p>
DuckCorp Infrastructure - Enhancement #696 (Resolved): New VM for sup/Zabbix
https://projects.duckcorp.org/issues/696 | 2020-04-26T22:47:32Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>The Zabbix service is currently hosted on Nicecity, but this host doesn't provide the resources (mainly CPU, for example: <code>load average: 8.64, 8.47, 8.08</code>) required for Zabbix.</p>
A solution would be to host the Zabbix service on a dedicated virtual machine. This VM would be hosted on another server located at Condé.<br />Here is <code>Orthos</code>:
<ul>
<li>CPU: one core of the host (Intel i5-8600T) fully dedicated to this VM</li>
<li>memory: 2 GB (can be extended to 4 GB)</li>
<li>storage: 40 GB</li>
</ul>
Branches:
<ol>
<li>main repository
<ol>
<li><code>add_new_host_zabbix-server</code>: add Orthos to the inventory</li>
<li><code>dependency_and_order</code>: setup <code>buster-backports</code> before using it, install <code>gpg</code> binary</li>
<li><code>mkcert_fix_RANDFILE_and_req_dn</code>: fix name of section in template, unset <code>RANDFILE</code></li>
<li><strong>TODO</strong>: Zabbix server: use Orthos</li>
</ol>
</li>
<li><code>ansible-role-fail2ban</code> repository: <code>buster_ignore_apt-listbugs</code>: force installation of <code>fail2ban</code> package</li>
</ol>
DuckCorp Infrastructure - Enhancement #616 (Resolved): Configure /etc/udev/rules.d/70-persistent-...
https://projects.duckcorp.org/issues/616 | 2018-04-23T14:42:31Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<pre>
$ cat /etc/udev/rules.d/70-persistent-net.rules
# PCI device 0x8086:0x109a (e1000)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:30:48:8d:9d:65", NAME="eth-sivit"
# PCI device 0x8086:0x108c (e1000)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:30:48:8d:9d:64", NAME="eth-hivane"
</pre>
DuckCorp Infrastructure - Enhancement #615 (Rejected): new Toushirou: configuration migration
https://projects.duckcorp.org/issues/615 | 2018-04-23T14:41:26Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>This issue groups the tasks related to the Toushirou setup.</p>
DuckCorp Infrastructure - Enhancement #614 (Resolved): new Toushirou: Install system disks
https://projects.duckcorp.org/issues/614 | 2018-04-16T23:21:18Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
SSD 550 GB system disks:
<ul>
<li>1 partition without LVM/encryption/RAID: <code>/boot</code> (250 MB).</li>
<li>LVM (~193GB of unallocated space) on top of encryption on top of RAID:
<ul>
<li><code>/</code> 15GB</li>
<li><code>swap</code> 2GB</li>
<li><code>/tmp</code> 2GB</li>
<li><code>/home</code> 30GB (because Duck's private backup is taking a lot and would move to <code>/home2</code>)</li>
<li><code>/var</code> 5GB</li>
<li><code>/var/log</code> 15GB</li>
<li><code>/var/lib/mysql</code> 5GB</li>
<li><code>/var/lib/ldap</code> 100MB</li>
<li><code>/var/local/stuffcloud-data</code> 70GB</li>
<li><code>/srv/vcs</code> 3GB</li>
<li><code>/srv/www</code> 150GB</li>
<li><code>/srv/projects</code> 10GB</li>
</ul></li>
</ul>
DuckCorp Infrastructure - Bug #606 (Resolved): Bip service unavailable since Oct 15 (Thorfinn)
https://projects.duckcorp.org/issues/606 | 2017-10-23T20:21:58Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<pre>
# systemctl status bip
● bip.service - LSB: Bip irc proxy init script
Loaded: loaded (/etc/init.d/bip; generated; vendor preset: enabled)
Active: active (exited) since Wed 2017-07-12 07:37:23 CEST; 3 months 12 days ago
Docs: man:systemd-sysv-generator(8)
Tasks: 0 (limit: 4915)
Memory: 0B
CPU: 0
CGroup: /system.slice/bip.service
</pre>
<pre>
/var/log/kern.log.2.gz:Oct 15 01:50:46 thorfinn kernel: [8186790.310410] bip[754]: segfault at 8 ip 00007f1a72593f60 sp 00007fffe5f65610 error 4 in libc-2.24.so[7f1a7252c000+195000]
</pre>
<pre>
13-10-2017 23:34:20 ERROR: fd 11: Connection error
13-10-2017 23:34:20 ERROR: Error while reading on fd 11
13-10-2017 23:34:20 ERROR: client read_lines error, closing...
15-10-2017 00:25:52 ERROR: fd 15: Connection error
15-10-2017 00:25:52 ERROR: Error while reading on fd 15
15-10-2017 00:25:52 ERROR: client read_lines error, closing...
15-10-2017 00:32:05 ERROR: fd 17: Connection error
15-10-2017 00:32:05 ERROR: Error while reading on fd 17
15-10-2017 00:32:05 ERROR: client read_lines error, closing...
</pre>
<p>Thanks to Gorou for pointing that out.</p>
DuckCorp Infrastructure - Bug #531 (In Progress): Logcheck on Elwing seems unable to send mail
https://projects.duckcorp.org/issues/531 | 2017-05-02T15:31:47Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>On <code>Orfeo</code>, in <code>/var/log/mail.log</code><br /><pre>
May 1 12:55:34 orfeo postfix/smtpd[14064]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<daemon@hq.duckcorp.org> to=<root@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
[...]
May 1 12:55:34 orfeo postfix/smtpd[19450]: NOQUEUE: reject: RCPT from unknown[2400:4030:9f9b:e901::1]: 450 4.7.1 Client host rejected: cannot find your hostname, [2400:4030:9f9b:e901::1]; from=<duck@hq.duckcorp.org> to=<duck@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
</pre></p>
DuckCorp Infrastructure - Bug #465 (Resolved): qwebirc: use SSL
https://projects.duckcorp.org/issues/465 | 2015-07-17T12:33:49Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>The qwebirc instance (available on <a class="external" href="https://irconweb.milkypond.org">https://irconweb.milkypond.org</a>) should use SSL while connecting to irc.milkypond.org.</p>
DuckCorp Infrastructure - Enhancement #460 (Resolved): SSL/TLS: check ciphers
https://projects.duckcorp.org/issues/460 | 2015-07-09T00:02:15Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
Checks:
<ul>
<li>NULL,EXPORT,LOW,3DES,aNULL must be disabled</li>
<li>RC4 must be disabled</li>
<li>SSLv2,SSLv3 must be disabled</li>
<li>TLSv1.1,TLSv1.2 must be enabled</li>
<li>PFS must be enabled</li>
</ul>
<ul>
<li>SSL Compression must be disabled</li>
</ul>
Configuration updates needed:
<ul>
<li>Postgresql (default conf used <code>HIGH:MEDIUM:+3DES:!aNULL</code>)</li>
<li>Apache (<code>RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</code>)</li>
</ul>
<ul>
<li>References
<ul>
<li><a class="external" href="https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher">https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher</a></li>
<li><a class="external" href="https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/">https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/</a></li>
<li><a class="external" href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html</a></li>
<li><a class="external" href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations</a></li>
<li><a class="external" href="https://github.com/ioerror/duraconf">https://github.com/ioerror/duraconf</a></li>
</ul>
</li>
<li>Tools:
<ul>
<li><a class="external" href="https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh">https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh</a></li>
</ul></li>
</ul>
DuckCorp Infrastructure - Bug #444 (Resolved): Owncloud: documents shared by links are unavailabl...
https://projects.duckcorp.org/issues/444 | 2015-02-26T00:15:13Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>Owncloud: documents shared by links are unavailable for 'logged-but-not-administrator' users; an error message is displayed:<br /><pre>
Unable to generate a URL for the named route "ocsms.sms.index" as such route does not exist.
</pre></p>
Logs checked:
<ul>
<li>/var/log/owncloud.log contains the error displayed to the end-user:<br /><pre>
{"app":"remote","message":"Unable to generate a URL for the named route \"ocsms.sms.index\" as such route does not exist.","level":4,"time":"2015-02-26T00:13:12+00:00"}
</pre></li>
<li>/var/log/apache2/milkypond/error.log</li>
<li>/var/log/apache2/error.log</li>
</ul>
<p>This backtrace is displayed when <code>/etc/owncloud/config.php</code> contains <code>define( "DEBUG", 1);</code>:<br /><pre>
Unable to generate a URL for the named route "ocsms.sms.index" as such route does not exist.
#0 /usr/share/owncloud/lib/private/route/router.php(258): Symfony\Component\Routing\Generator\UrlGenerator->generate('ocsms.sms.index', Array, false)
#1 /usr/share/owncloud/lib/private/route/cachingrouter.php(39): OC\Route\Router->generate('ocsms.sms.index', Array, false)
#2 /usr/share/owncloud/lib/private/urlgenerator.php(41): OC\Route\CachingRouter->generate('ocsms.sms.index', Array)
#3 /usr/share/owncloud/lib/private/helper.php(44): OC\URLGenerator->linkToRoute('ocsms.sms.index', Array)
#4 /usr/share/owncloud/lib/public/util.php(221): OC_Helper::linkToRoute('ocsms.sms.index', Array)
#5 /usr/share/owncloud/apps/ocsms/appinfo/app.php(24): OCP\Util::linkToRoute('ocsms.sms.index')
#6 /usr/share/owncloud/lib/private/app.php(113): require_once('/usr/share/ownc...')
#7 /usr/share/owncloud/lib/private/app.php(95): OC_App::requireAppFile('ocsms')
#8 /usr/share/owncloud/lib/private/app.php(75): OC_App::loadApp('ocsms')
#9 /usr/share/owncloud/apps/files_sharing/public.php(5): OC_App::loadApps()
#10 /usr/share/owncloud/public.php(46): require_once('/usr/share/ownc...')
#11 {main}
</pre></p>
DuckCorp Infrastructure - Bug #443 (New): clamav@hq.duckcorp.org: User unknown in virtual alias t...
https://projects.duckcorp.org/issues/443 | 2015-02-24T00:30:17Z | Pierre-Louis Bonicoli <pierre-louis.bonicoli@ir5.eu>
<p>On orfeo, <code>/var/log/mail.log</code> contains the following error:<br /><pre>
Feb 22 09:50:31 orfeo postfix/smtpd[15387]: NOQUEUE: reject: RCPT from ppp0-dsl-elwing.hq.duckcorp.org[193.17.192.249]:
550 5.1.1 <clamav@hq.duckcorp.org>: Recipient address rejected: User unknown in virtual alias table;
from=<> to=<clamav@hq.duckcorp.org> proto=ESMTP helo=<Elwing.hq.duckcorp.org>
</pre></p>