Auth SMTP fail2ban

February 28, 2017

I’ve added fail2ban to the SL7 version of our auth smtp service. None of the sendmail filters that come with the fail2ban RPM seemed like they’d do the trick for us, so I’ve just overridden the supplied filter.d/sendmail-auth.conf with a sendmail-auth.local containing just:

[Definition]
failregex = ^%(__prefix_line)s.*AUTH failure.*\[<HOST>\]( \(may be forged\))?$

That isn’t enough on its own to get it to match, though, as sendmail’s default log level (9) doesn’t log auth failures, so we also have to run at log level 10.
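As an added example (not part of the original post), the filter above run with plain Python over some constructed sendmail log lines, to show what it does and doesn’t match. The prefix pattern standing in for fail2ban’s %(__prefix_line)s and the maxretry-style count are assumptions of this example.

```python
import re
from collections import Counter

# Assumed stand-in for fail2ban's %(__prefix_line)s: syslog timestamp,
# hostname and "sendmail[pid]: ". The real fail2ban prefix is more permissive.
PREFIX_LINE = r"\S+ +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: "

# The sendmail-auth.local failregex, with fail2ban's <HOST> tag replaced by a
# named group so the standard re module can use it unchanged otherwise.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r".*AUTH failure.*\[(?P<host>[^\]]+)\]( \(may be forged\))?$"
)

# Constructed sample log lines, as sendmail writes them at LogLevel 10.
# At the default LogLevel 9 the "AUTH failure" lines are simply absent.
SAMPLE_LOG = [
    "Feb 28 12:17:35 smtp1 sendmail[4321]: v1SCHZ4u004321: AUTH failure (LOGIN): authentication failure (-13), user=bob, relay=[203.0.113.5]",
    "Feb 28 12:17:36 smtp1 sendmail[4321]: v1SCHZ4u004321: AUTH failure (PLAIN): authentication failure (-13), user=bob, relay=host.example.net [203.0.113.5] (may be forged)",
    "Feb 28 12:17:40 smtp1 sendmail[4322]: v1SCHe3k004322: AUTH failure (LOGIN): authentication failure (-13), user=root, relay=[203.0.113.5]",
    "Feb 28 12:18:02 smtp1 sendmail[4330]: v1SCI2Qx004330: AUTH failure (LOGIN): authentication failure (-13), user=alice, relay=[192.0.2.9]",
    "Feb 28 12:18:10 smtp1 sendmail[4340]: v1SCIAbc004340: from=<alice@example.org>, size=1234, class=0, relay=[198.51.100.7]",
]


def failing_host(line):
    """Return the host the filter extracts from a matching line, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def offenders(lines, maxretry=3):
    """Hosts with at least `maxretry` AUTH failures (a fail2ban-style count)."""
    counts = Counter(h for h in map(failing_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(failing_host(line) or "-", "<-", line[:60])
    print("would ban:", offenders(SAMPLE_LOG))
```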

Currently I’m using the local lcfg-hostsdeny and tcpwrappers template like sshd does, but we should probably look at using iptables instead.

In the few days it’s been running, 21 IP addresses have been banned.


SL7 AFS Server

August 26, 2016

Just a brief update on AFS for SL7.

This week all my changes have made it to stable, and there are now 1.2.x versions of the lcfg-openafs (server only) and lcfg-openafs-client components for SL7.

I spent a bit of time teasing the two components apart, so either can be installed in isolation (or together) on a machine. In hindsight it would have been cleaner to leave the “openafs” component behind in the SL6 world and to have created a new openafs-server component, as Stephen did for the openafs-client component. It would have made the various header files and schema files a cleaner split, but it’s done now.

Craig, I and the Unit now have our AFS volumes on gresley, a new SL7 AFS server. We need to move some more guinea-pigs, but it all seems fine.


SL7 Waklog

July 22, 2016

Having a look at apacheconf-waklog.h on DICE SL7. This is actually the first SL7 web server stuff I’ve looked at, so first of all I thought I should try getting a minimal SL7 apacheconf.h web server going.

I commandeered circlevm9, a vanilla SL7 server.h VM, and added

#include <dice/options/apacheconf.h>

After the profile had pushed and I had run updaterpms, om apacheconf start didn’t “just work”.

22/07/16 12:17:35: apache configuration has been modified
22/07/16 12:17:35: Syntax OK
22/07/16 12:17:35: Failed to reload httpd.service: Unit httpd.service is masked.
22/07/16 12:17:35: ** reload httpd: Fail

systemctl gave me a suggestion:


[circlevm9]root: systemctl status httpd
httpd.service
Loaded: masked (/etc/systemd/system/multi-user.target.wants httpd.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Warning: httpd.service changed on disk. Run 'systemctl daemon-reload' to reload units.

So I tried that:

[circlevm9]root: systemctl daemon-reload
[circlevm9]root: systemctl status httpd
httpd.service – The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─waithttpd.conf
Active: inactive (dead)
Docs: man:httpd(8)
man:apachectl(8)

Now, after doing an ‘om apacheconf stop’, ‘om apacheconf start’ worked and left an httpd process running with /var/www/html/ as the docroot, but with all access denied. I’m presuming a reboot would have had a similar effect.

I then added a simple vhost to open up access to /var/www/html/ so that I could dump stuff in there and convince myself the basics worked.

!apacheconf.vhosts               mADD(default)
apacheconf.vhostname_default     _default_
apacheconf.vhostdocroot_default  /var/www/html
apacheconf.vhostaccesslog_default   /var/lcfg/log/apacheconf.access
apacheconf.vhosterrorlog_default    /var/lcfg/log/apacheconf.error
!apacheconf.vhostverbatim_default   mADD(stuff)
apacheconf.vhostline_default_stuff  <Directory "<%apacheconf.vhostdocroot_default%>">¶\
  Options Indexes FollowSymLinks¶\
  Require all granted¶\
</Directory>

With that done, I was able to drop files into /var/www/html/ and they would be served. Equally, I added some symlinks to other bits of the file system, and they were followed unless file permissions said otherwise. So a symlink to /afs/inf.ed.ac.uk/ showed the contents of publicly accessible stuff, but all other access was denied by the AFS ACLs.

So now I know that if I add apacheconf-waklog.h and get it working, and the symlinks into AFS show more content, then httpd will have obtained the necessary AFS PTS tokens.

Neil


OpenAFS server

June 27, 2016

The work on the OpenAFS server for SL7 has been tricky, and is still not fully resolved.

As a bit of background, in SL6 the single component, openafs, did both AFS client and server configuration for a host. With the switch to SL7, the MPU kindly decided to do the work for the AFS client on SL7 (and systemd), but this meant splitting the client side into a new component openafs_client, and some corresponding header files.

When starting work on the server side, I did consider (and indeed started) a new openafs_server component. However, I then decided this was going to lead to a lot of work changing the majority of existing headers and resources over to the newly named component, so after some discussion with Stephen I decided to make the existing openafs component “server only” for SL7 onwards.

This too has led to some problems, as both SL6 and SL7 machines include the openafs.h headers, but they have different meanings on the different platforms.

Fortunately most of the openafs.h headers just concern themselves with installing the actual openafs RPMs on the system. So some #ifdef guards for SL6 or SL7 now make sure the right bits of -client or -server are further included, depending on what is needed for the machine.

There are still problems: the lcfg-openafs-client RPM depends on the lcfg-openafs RPM, so the shared template file should be split. Also there is a common /etc/sysconfig/openafs file between client and server, with both using Template Toolkit to maintain its content. This also needs to be split so that the client and server use different files. For the moment, we just state that for SL7 a server cannot also be a client. This also means I need to make sure the localhome stuff works on SL7 servers.