fail2ban repeatedly sends notifications - security

We're facing an issue with fail2ban.
Our setup for example:
jail.conf:
[nginx-404]
enabled = true
port = http,https
filter = nginx-404
logpath = /var/log/nginx/*access.log
maxretry = 5
findtime = 300
action = mail
then the action:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
actionunban =
After restarting the service or rebooting the system, it immediately sends all the bans which were done before.
Is there any solution to stop sending hundreds of notifications after restart? Thanks for any advice.

Is there any solution to stop sending hundreds notifications after restart ?
Yes. Just specify norestored = true in your action. See PR #1669 for more info.

Related

samba - check_account: Failed to convert SID S-1-5-21-1474423456-1456789349-1731688626-1665484 to a UID ([INET\jean])

My samba server was working fine until last week. I did a search all over the internet and tried the below and still no go.
My smb.conf:
[global]
workgroup = INET
server string = File on-Line
security = ADS
passdb backend = tdbsam
log level = 3
realm = inet.xyz.com
encrypt passwords = yes
unix extensions = no
wins server = 10.X.X.X 10.X.X.X
netbios name = sharefiles
template shell = /bin/bash
strict locking = no
min protocol = NT1
max protocol = SMB3_11
server signing = mandatory
client signing = mandatory
# I added the below after some Google search
idmap config INET : backend = rid
idmap config INET : base_rid = 0
idmap config INET : range = 10000-20000
================================================
On my Windows machine - I do a //sharefiles
It asks me for my login and my login is not accepted.
In /var/log/messages - I get this error:
../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9354]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
Feb 15 16:31:55 sambaserver smbd[9356]: [2022/02/15 16:31:55.498012, 0] ../../source3/auth/auth_util.c:1889(check_account)
Feb 15 16:31:55 sambaserver smbd[9356]: check_account: Failed to convert SID S-1-5-21-1474414563-1125766349-1731688626-161484 to a UID (dom_user[INET\jean])
Samba version:
Samba version 4.10.16
Anyone seen this before? Thank you in advance!
Your range is too small, 161484 is larger than 20000, add a couple of zeros to 20000. You also need another line:
idmap config * : range = 3000-7999
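The answer's arithmetic, as an added example that is not part of the original thread: idmap_rid maps a SID's RID as ID = RID - BASE_RID + LOW_RANGE_ID, so with base_rid = 0 and range 10000-20000 the RID 161484 from the log lands outside the range and Samba cannot allocate a UID. The function below reproduces that mapping for the SID in the post and also checks that the default "*" range does not overlap the domain range (the SID and ranges are taken from the post; the helper names are mine).

```python
import re

# Taken from the error line in the question above.
SID = "S-1-5-21-1474414563-1125766349-1731688626-161484"


def parse_sid(sid):
    """Split a Windows SID into (domain part, RID); the RID is the last sub-authority."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError(f"not a SID: {sid}")
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def parse_range(value):
    """Parse an 'idmap config ... : range = LOW-HIGH' value into (low, high)."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError(f"inverted range: {value}")
    return low, high


def rid_to_id(rid, idmap_range, base_rid=0):
    """Apply the idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns (unix_id, in_range). Samba refuses to map the SID when in_range is False,
    which is exactly the 'Failed to convert SID ... to a UID' message from the log.
    """
    low, high = parse_range(idmap_range)
    unix_id = rid - base_rid + low
    return unix_id, low <= unix_id <= high


def check_mapping(sid, domain_range, base_rid=0, default_range="3000-7999"):
    """Summarise whether a SID maps into the domain range and whether the
    '*' (default) range collides with it; overlapping ranges are a misconfiguration."""
    _, rid = parse_sid(sid)
    unix_id, in_range = rid_to_id(rid, domain_range, base_rid)
    dlow, dhigh = parse_range(domain_range)
    slow, shigh = parse_range(default_range)
    overlap = not (shigh < dlow or slow > dhigh)
    return {"rid": rid, "unix_id": unix_id, "in_range": in_range, "ranges_overlap": overlap}


if __name__ == "__main__":
    print("as posted:", check_mapping(SID, "10000-20000"))      # in_range False
    print("widened:  ", check_mapping(SID, "10000-2000000"))    # in_range True
```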

increase ticket life time for offline login

I'm using the Mint distro 18.1.
I configured my laptop to join an AD domain on a Windows 2008R2 server.
Here is my configuration:
/etc/krb5.conf
[libdefaults]
default_realm = ACMEAD.COM
clockskew = 300
ticket_lifetime = 60d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
[realms]
PRIMEURAD.COM = {
kdc = AD.ACME.COM:88
admin_server = AD.ACME.COM:749
default_domain = ACMEAD.COM
ticket_lifetime = 60d
}
[domain_realm]
.kerberos.server = ACMEAD.COM
.acmead.com = ACMEAD.COM
acmead.com = ACMEAD.COM
acmead = ACMEAD.COM
ticket_lifetime = 60d
[appdefaults]
pam = {
ticket_lifetime = 60d
renew_lifetime = 60d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
/etc/security/pam_winbind.conf
[global]
debug = no
debug_state = no
try_first_pass = yes
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no
# mkhomedir = yes
I'm able to log in and authenticate myself. I added my PC to the domain with no problem. And I'm also able to log in when I'm offline, which is what I want most.
I'm trying to increase the ticket lifetime to 60 days; now if I type klist this is what I see:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM
Valid starting Expires Service principal
07/11/2017 12:25:02 07/11/2017 22:25:02 krbtgt/ACMEAD.COM@ACMEAD.COM
renew until 07/18/2017 12:24:59
It seems to me that it takes the default of 10h instead of 60 days.
How can I increase it?
The Active Directory domain defaults take precedence here.
Best Practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and Active Directory Group Policy, you will see that value written out as 600 minutes which is 10 hours, but shown as 600 minutes instead. I've never known why they did this. If you want to change the value, you will have to open up the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60 day equivalent which would be 86400.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket
Reference: Maximum lifetime for service ticket
Note that changing this would be considered a security risk, as it gives potential hackers that much more time to potentially decrypt the service ticket and use it for themselves. Just google "silver ticket attack". This is why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it?" If you meant increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT) is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:
EDIT/UPDATE:
To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:
For a single machine, just edit the Registry
For a domain-wide method, use a GPO
Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.
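An added example, not part of the original thread: the quickest way to see what the KDC actually granted (as opposed to what krb5.conf asked for) is to read the TGT line out of klist. The parser below works on the klist output quoted in the question and reports the effective lifetime, the renewable window, and whether the TGT exceeds the 10-hour ceiling the answer describes; the output sample is embedded as a constructed string and the function names are mine.

```python
from datetime import datetime, timedelta
import re

# Constructed sample: the MIT klist output quoted in the question.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@ACMEAD.COM

Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/11/2017 22:25:02  krbtgt/ACMEAD.COM@ACMEAD.COM
\trenew until 07/18/2017 12:24:59
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"          # klist's default timestamp format
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)")  # "start  expires  service"
RENEW_RE = re.compile(rf"renew until ({TS})")         # optional line following a ticket
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return one dict per ticket: service, lifetime and (if renewable) renew window."""
    tickets = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m:
            continue  # header lines and "renew until" lines do not match
        start = datetime.strptime(m.group(1), FMT)
        expires = datetime.strptime(m.group(2), FMT)
        renew = None
        if i + 1 < len(lines):
            r = RENEW_RE.search(lines[i + 1])
            if r:
                renew = datetime.strptime(r.group(1), FMT) - start
        tickets.append({"service": m.group(3), "lifetime": expires - start, "renew_until": renew})
    return tickets


def audit_tgt(tickets, requested=timedelta(days=60), max_allowed=timedelta(hours=10)):
    """Compare the TGT (krbtgt/...) the KDC issued against the lifetime krb5.conf requested
    and against a policy ceiling; a TGT longer than the ceiling is what an auditor would flag."""
    for t in tickets:
        if t["service"].startswith("krbtgt/"):
            return {
                "effective": t["lifetime"],
                "got_requested_lifetime": t["lifetime"] >= requested,
                "exceeds_policy": t["lifetime"] > max_allowed,
                "renewable_for": t["renew_until"],
            }
    return None  # no TGT in the cache


if __name__ == "__main__":
    print(audit_tgt(parse_klist(KLIST_OUTPUT)))  # effective 10:00:00, not the requested 60 days
```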

Postfix - connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)

I have a recurring problem with postfix (on Debian Squeeze; amavisd-new and fail2ban are also installed): all of a sudden, often at night (but not always), mail stops being delivered and the queue fills up. The log shows a bunch of entries of this style:
May 18 19:54:16 ks4000003 postfix/error[6889]: 376352016039: to=<info@xxxxxxx>, relay=none, delay=0.62, delays=0.58/0.01/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Once I reboot the server, it then works (and the queue is all cleared). It remains without any problem until the next time (usually once every 1-2 weeks, but recently every morning I have to reboot the server).
Any idea on this would be very appreciated. I should mention I'm really a newbie in server management; I searched for similar problems on google/stackoverflow and couldn't find a really similar one.
My postfix conf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = ks4000003.ip-198-245-60.net, localhost, localhost.localdomain
myhostname = ks4000003.ip-198-245-60.net
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_destination_concurrency_limit = 5
smtp_destination_rate_delay = 1s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_error_sleep_time = 0
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/rbl_whitelist, permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain, reject_unauth_destination, reject_unverified_sender, reject_unauth_destination,reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client truncate.gbudb.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access mysql:/etc/postfix/mysql-virtual_sender.cf reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
First to the amavis problem:
According to your pastebin: qmgr requests something from amavis and gets a response it does not understand. I assume that qmgr sends a mail to amavis that should be checked. Either amavis is down or the mail causes amavis to produce a corrupt response. But how can you check this?
The best method is to stop the amavis service and start it from a console with
# amavisd debug
Then amavis will output to the console.
Here is a link that might help: http://www.amavis.org/#faq
Then the database issues:
According to your pastebin: dovecot and postfix try to connect to the mysql database. postfix uses a tcp socket with the address localhost or 127.0.0.1, dovecot uses a unix socket. If you did not change the configuration for the mysql port there should be a listening socket at the address 127.0.0.1:3306.
It is possible that the listening address is an IPv6 address like ::1:3306.
You can verify that with: netstat -ltn
If you configured a different port, this port must be shown in the netstat output. You might have configured your mysql to your outgoing ip address. Then you find something like 198.245.60.7:3306. Access to 127.0.0.1:3306 will not work in this case.
The "postfix" error message says that there is no listener at that port or you don't have access.
The "dovecot" message says you provided none or a wrong password to the mysql server, so it does not authenticate dovecot. Please check the configurations.
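An added example, not part of the original thread: the deferral line in the question names the exact socket Postfix could not reach, and main.cf names the socket the content_filter is supposed to be on. Matching the two (and then doing the same TCP connect netstat would show as a listener) turns "the queue fills up at night" into a checkable condition. Log lines and the main.cf fragment are constructed from the question; recipient addresses and helper names are mine.

```python
import re
import socket
from collections import defaultdict

# Constructed sample: the deferred line from the question plus one normal delivery.
LOG_LINES = [
    "May 18 19:54:16 ks4000003 postfix/error[6889]: 376352016039: to=<info@example.net>, "
    "relay=none, delay=0.62, delays=0.58/0.01/0/0.04, dsn=4.4.1, status=deferred "
    "(delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)",
    "May 18 19:54:17 ks4000003 postfix/smtp[6890]: 4A1B2C3D4E5F: to=<bob@example.org>, "
    "relay=mx.example.org[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK)",
]
MAIN_CF = "content_filter = amavis:[127.0.0.1]:10024\n"  # the question's setting

FILTER_RE = re.compile(r"^content_filter\s*=\s*\w+:\[?([\d.]+)\]?:(\d+)", re.M)
REFUSED_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): .*?status=deferred "
    r"\(.*?connect to (?P<host>[\d.]+)\[[\d.]+\]:(?P<port>\d+): Connection refused\)"
)


def content_filter_target(main_cf):
    """Return (host, port) of the content_filter transport, or None if unset."""
    m = FILTER_RE.search(main_cf)
    return (m.group(1), int(m.group(2))) if m else None


def refused_targets(log_lines):
    """Group deferred queue IDs by the (host, port) whose connection was refused."""
    hits = defaultdict(list)
    for line in log_lines:
        m = REFUSED_RE.search(line)
        if m:
            hits[(m.group("host"), int(m.group("port")))].append(m.group("qid"))
    return dict(hits)


def filter_down(log_lines, main_cf):
    """Queue IDs stuck because the configured content filter itself refused connections."""
    target = content_filter_target(main_cf)
    return refused_targets(log_lines).get(target, []) if target else []


def listener_up(host, port, timeout=1.0):
    """Live check equivalent to finding host:port in `netstat -ltn`: can we connect?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    stuck = filter_down(LOG_LINES, MAIN_CF)
    print("deferred by content filter:", stuck)                      # ['376352016039']
    print("amavis listening now:", listener_up(*content_filter_target(MAIN_CF)))
```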

Azure - Website - WebJob - Active FTP Download

I am working with Windows Azure Websites and Web Jobs.
I have a console application that I use to download an FTP file nightly. They recently switched from passive to active FTP. I do not have any control over this.
The code attached was working for passive and works for active on my computer. However, it does not work when I add it to a webjob on Azure.
In this code I am able to get the content length, so I am logging in correctly and I have the correct URL.
Imports System.Net

' First request: ask for the file size (this succeeds, so login and URL are correct)
Dim request As FtpWebRequest = DirectCast(FtpWebRequest.Create(strTempFTPUrl), FtpWebRequest)
request.Method = WebRequestMethods.Ftp.GetFileSize
Dim nc As New NetworkCredential(FTPUserName, FTPPassword)
request.Credentials = nc
request.UseBinary = True
request.UsePassive = False   ' active mode: the server connects back to us for the data channel
request.KeepAlive = True
request.Proxy = Nothing
' Get the result (size)
Dim resp As FtpWebResponse = DirectCast(request.GetResponse(), FtpWebResponse)
Dim contLen As Int64 = resp.ContentLength
' and now download the file
request = DirectCast(FtpWebRequest.Create(strTempFTPUrl), FtpWebRequest)
request.Method = WebRequestMethods.Ftp.DownloadFile
request.Credentials = nc
request.UseBinary = True
request.UsePassive = False
request.KeepAlive = True
request.Proxy = Nothing
resp = DirectCast(request.GetResponse(), FtpWebResponse)   ' this is the call that fails on Azure
The error that I receive is this:
The underlying connection was closed: An unexpected error occurred on a receive. This happens on the second "resp = DirectCast(request.GetResponse(), FtpWebResponse)"
Does anyone have any suggestions on what I can do?
Edit: This is not a VM so as far as I know I do not have control over the firewall. This is a standard website.
Thank you very much!
I had this same problem; I was able to solve it by increasing the connection limit per service point. By default it is set to 2; I increased it to 10.
req.ServicePoint.ConnectionLimit = 10;
If you have a timeout problem, also change the Timeout and ReadWriteTimeout properties.
Below is the link for a case similar to ours.
How can I programmatically remove the 2 connection limit in WebClient

Real Time Monitoring Tool Cisco(RTMT) and Postfix

I'm trying to configure the Real Time Monitoring Tool (RTMT) from Cisco against the Postfix mail server in Ubuntu. I have already configured the mail server option in RTMT with the IP address of Postfix and created an alert to send email to a particular address in RTMT.
The aim of this is that I want to get an email every time the alarm is raised.
I'm able to send mails using the mailutils command, but not able to get the communication between RTMT and Postfix working.
Any ideas?
Here is the main.cf file from Postfix.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = nagiosgp3-desktop
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = zenossfg3.com, nagiosfg3-desktop, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
With the current Postfix setup, you should be able to send an email to user@nagiosfg3-desktop and read email with a client when logged in as user. But I understand that is not your aim.
You have to set up Postfix as a simple satellite thanks to a relayhost and the SMTP protocol. You should use your company SMTP server if there is one.
As you mention a gmail destination, you can also use Google SMTP server as relay, thanks to SASL authentication documentation. As Google requires TLS/SSL to connect to its service, this documentation must be used too:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
In /etc/postfix/sasl_passwd, you will set your gmail account username and password so that Google allows your Postfix to use its service as relay:
[smtp.gmail.com] username@gmail.com:yourpassword
And the file /etc/postfix/tls_policy to contain:
[smtp.gmail.com]:587 encrypt protocols=TLSv1 ciphers=high