Wrapper scripts for LXC unprivileged containers

December 22, 2022 Roberto Puzzanghera 0 comments


Handling LXC unprivileged containers can be quite annoying. In fact, you have to run each command as the user who owns the container, and sometimes you have to specify the configuration file and other parameters by means of a long command that is tedious to type and remember. If you have many unprivileged containers and frequently have to perform tasks such as start/stop/attach, your patience will come to an end very quickly. This is the reason why at a certain point I started to write my own wrapper scripts for the most common LXC commands. Nothing special, but it seems that nobody has published any tools to simplify the common LXC tasks with unprivileged containers, so here is my contribution.

Converting a Linux installation to a Slackware one in an OVH Kimsufi server

November 27, 2022 Roberto Puzzanghera 0 comments

This article explains how to convert a given Linux distribution to a Slackware one in an OVH Kimsufi server.

It is based on the Slackware wiki page Install Slackware on an online.net Dedibox BareMetal Server, which explains the same for a Dedibox BareMetal Server on online.net.

The plan is to

  1. install a Linux of your choice
  2. reboot that Linux distro in rescue mode
  3. download the Slackware initrd and prepare the install environment
  4. chroot into the Slackware initrd image and run setup from there
  5. partition and install Slackware over the existing Linux
  6. configure the freshly installed Slackware and reboot

Setting up your firewall with fail2ban

November 20, 2022 Roberto Puzzanghera 19 comments

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

I will briefly show how to install and configure fail2ban to ban malicious IPs, especially those related to the qmail-dnsrbl patch. This will keep us from being banned ourselves by Spamhaus, which is free up to 100.000 queries per day.

fail2ban requires that you have a firewall such as nftables or iptables active.

Changelog

  • Nov 20, 2022
    - switched all actions to nftables, as it has now replaced iptables and fail2ban has support for it. Just replace "iptables" with "nftables" in your jails.
  • Nov 18, 2022
    - fail2ban upgraded to v. 1.0.2
    - jails now have a different action declaration (iptables[type=multiport] instead of iptables-multiport[])
    - added a short note on how to configure the server with a network bridge

Roundcube plugins

December 27, 2022 Roberto Puzzanghera 26 comments

My enabled plugins are (at the moment):

  • Password, to change the user's password
  • ManageSieve, which writes sieve scripts to filter the incoming mails (reject, move to specific folders etc.). Note that in order to use it you must have Dovecot managesieve enabled.
  • SpamAssassin User Prefs SQL (sauserprefs), which writes the spamassassin user preferences in the DB. The user will be allowed to create a black/white list, to adjust the required_score and so on.
  • MarkAsJunk. You can add the sender's email address to the blacklist, or run a command such as sa_learn. Requires sauserprefs.
  • ContextMenu. Adds context menus to the message list, folder list and address book. The menu includes the ability to mark messages as read/unread, delete, reply and forward.
  • Newmail notifier. Can notify of new mail by focusing the browser window, changing the favicon, playing a sound and displaying a desktop notification (using the webkitNotifications feature).
  • Persistent login, which provides a "Keep me logged in" aka "Remember Me" functionality for Roundcube.
  • ZipDownload, which adds an option to download all attachments to a message in one zip file, when a message has multiple attachments.
  • enigma, which adds support for viewing and sending signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format.
  • swipe, which adds left/right/down swipe actions to entries in the message list on touch devices (tablets/phones).

Other plugins that I have used in the past, for which the old documentation might not be valid anymore:

  • autologon. Autologin from an external site (e.g. CMS, portal ...)
  • logout redirect. Modified version to only redirect to the homepage (depending on the domain part of the default identity)
  • rcguard. This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts goes too high.
  • carddav. CardDAV client. You can sync your address book against a CardDAV server like Nextcloud or SOGo.
  • quickrules (abandoned project). Adds a button to the message list to allow the quick creation of rules in the SieveRules plugin. Information from selected emails is used to prefill the new rule form.