Bug#729900: courier-authdaemon: Postfix - SASL authentication failure
I'm sorry the posted script have some mistakes.
Attached is the script /etc/init.d/courier-authdaemon with a better
solution to the reported problem that uses a dedicated function
postfix_check().
Guido Bozzetto.
#! /bin/sh -e
#
### BEGIN INIT INFO
# Provides: courier-authdaemon
# Required-Start:$remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
prefix="/usr"
exec_prefix=${prefix}
sysconfdir="/etc/courier"
sbindir="${exec_prefix}/sbin"
daemonscript="${sbindir}/authdaemond"
rundir_courier="/var/run/courier"
rundir="/var/run/courier/authdaemon"
pidfile="${rundir}/pid"
. /lib/lsb/init-functions
# Check for a leftover init script
if [ ! -x $daemonscript ]; then
exit 0
fi
#== Postfix chrooted ==#+20131117
postfix_check() {
local PFINIT=/etc/init.d/postfix
local PFMASTER=/etc/postfix/master.cf
local PFSMTPD=/etc/postfix/sasl/smtpd.conf
if [ -s $PFINIT ] && [ -s $PFMASTER ] ; then
# Use Postfix
if [ "$(/usr/bin/awk '$1~/^smtp$/ && $8~/smtpd/ {print $5}
' $PFMASTER)0" != "n0" ]
then # chroot: Yes
if [ -s $PFSMTPD ] && [ "0$(/bin/sed -n \
-e '/^authdaemond_path:/s,.\+:\s*,,p' $PFSMTPD)" = "0$rundir/socket" ] &&
[ ! -L $rundir ]
then
/bin/rm -fr $rundir &&
/bin/ln -s /var/spool/postfix/$rundir $rundir_courier
fi
else # chroot: No
if [ -L $rundir ] ;then
/bin/rm -fr $rundir
fi
fi # Postfix chrooted ?
fi # Use Postfix
} # postfix_check()
#-- Postfix chrooted --#
case "$1" in
start)
# Start daemon.
cd /
log_daemon_msg "Starting Courier authentication services" "authdaemond"
if [ ! -d "$rundir_courier" ]; then
mkdir -m 0775 $rundir_courier
chown daemon:daemon $rundir_courier
# set file context for SELinux (#668564)
[ -x /sbin/restorecon ] && /sbin/restorecon $rundir_courier
fi
postfix_check
if [ ! -d "$rundir" ]; then
mkdir -m 0750 $rundir
chown daemon:daemon $rundir
# set file context for SELinux (#668564)
[ -x /sbin/restorecon ] && /sbin/restorecon $rundir
fi
$daemonscript start
log_end_msg 0
;;
stop)
# Stop daemon.
cd /
log_daemon_msg "Stopping Courier authentication services" "authdaemond"
$daemonscript stop
log_end_msg 0
;;
restart|force-reload)
$0 stop
$0 start
;;
status)
status_of_proc -p "$pidfile" "" "authdaemond" && exit 0 || exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
exit 2
;;
esac
exit 0
Bug#729900: courier-authdaemon: Postfix - SASL authentication failure
Package: courier-authdaemon
Version: 0.63.0-6+b1
Severity: minor
Tags: patch
Dear Maintainer,
with updating system from Debian 6.0.8 to 7.2 the Postfix
authentication don't work. courier-authdaemon authenticate
the system's users that are used to send email from external
on SMTP connections.
The postfix logs reporting:
postfix/smtpd[]: warning: SASL authentication failure: cannot connect to
Courier authdaemond: Connection refused
postfix/smtpd[]: warning: X[Y.Z.J.K]: SASL LOGIN authentication failed: generic
failure
The solution is:
rm -r /var/run/courier/authdaemon
ln -s /var/spool/postfix/var/run/courier/authdaemon /var/run/courier
because postfix, in the standard installation, is in a chroot environment.
I propose a solution that make the job automagically.
Modify the courier-authdaemon start up script in the following manner:
~# diff -c /etc/init.d/courier-authdaemon /etc/init.d/courier-authdaemon_orig
*** /etc/init.d/courier-authdaemon 2013-11-18 18:48:58.868867113 +0100
--- /etc/init.d/courier-authdaemon_orig 2012-06-09 18:45:14.0 +0200
***
*** 35,50
# set file context for SELinux (#668564)
[ -x /sbin/restorecon ] && /sbin/restorecon $rundir_courier
fi
- #== Postfix chroot ==#
- if _PFIX=/etc/postfix/master.cf && [ -s $_PFIX ] &&
- [ "$(/usr/bin/awk '$1~/^smtp$/ && $8~/smtpd/ {print $5}
-' $_PFIX)" != "n" ] &&
- _PFIX=/etc/postfix/sasl/smtpd.conf &&
- [ ! -L $rundir ]
- then
- /bin/ln -s /var/spool/postfix/$rundir $rundir_courier
- fi
- #-- Postfix chroot --#
if [ ! -d "$rundir" ]; then
mkdir -m 0750 $rundir
chown daemon:daemon $rundir
--- 35,40
Thank you, Guido.
-- System Information:
Debian Release: 7.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages courier-authdaemon depends on:
ii courier-authlib 0.63.0-6+b1
ii lsb-base 4.1+Debian8+deb7u1
courier-authdaemon recommends no packages.
courier-authdaemon suggests no packages.
-- Configuration Files:
/etc/courier/authdaemonrc [Errno 13] Permesso negato:
u'/etc/courier/authdaemonrc'
/etc/init.d/courier-authdaemon changed:
prefix="/usr"
exec_prefix=${prefix}
sysconfdir="/etc/courier"
sbindir="${exec_prefix}/sbin"
daemonscript="${sbindir}/authdaemond"
rundir_courier="/var/run/courier"
rundir="/var/run/courier/authdaemon"
pidfile="${rundir}/pid"
. /lib/lsb/init-functions
if [ ! -x $daemonscript ]; then
exit 0
fi
case "$1" in
start)
# Start daemon.
cd /
log_daemon_msg "Starting Courier authentication services" "authdaemond"
if [ ! -d "$rundir_courier" ]; then
mkdir -m 0775 $rundir_courier
chown daemon:daemon $rundir_courier
# set file context for SELinux (#668564)
[ -x /sbin/restorecon ] && /sbin/restorecon $rundir_courier
fi
if _PFIX=/etc/postfix/master.cf && [ -s $_PFIX ] &&
[ "$(/usr/bin/awk '$1~/^smtp$/ && $8~/smtpd/ {print $5}
' $_PFIX)" != "n" ] &&
_PFIX=/etc/postfix/sasl/smtpd.conf &&
[ ! -L $rundir ]
then
/bin/ln -s /var/spool/postfix/$rundir $rundir_courier
fi
if [ ! -d "$rundir" ]; then
mkdir -m 0750 $rundir
chown daemon:daemon $rundir
# set file context for SELinux (#668564)
[ -x /sbin/restorecon ] && /sbin/restorecon $rundir
fi
$daemonscript start
log_end_msg 0
;;
stop)
# Stop daemon.
cd /
log_daemon_msg "Stopping Courier authentication services" "authdaemond"
$daemonscript stop
log_end_msg 0
;;
restart|force-reload)
$0 stop
$0 start
;;
status)
status_of_proc -p "$pidfile" "" "authdaemond" && exit 0 || exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
exit 2
;;
esac
exit 0
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#612405: aide: Configuration error on bind9 LowLogs
Package: aide
Version: 0.15.1-2
Severity: normal
Tags: patch
On the aide upgrade the package don't work.
The error is:
~# aide.wrapper --verbose=255
...
221:@@ifdef BINDCHROOT
222:Variable substitution
222:Selrule
222:Error in expression:�g
Configuration error
The problem is in the file:
/etc/aide/aide.conf.d/31_aide_bind9
where there is the wrong line:
@@{BINDCHROOT}/dev/log$ LowLogs
while the correct, I suppose, is:
@@{BINDCHROOT}/dev/log$ LowLog
Thank you, Guido Bozzetto.
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (560, 'stable'), (545, 'proposed-updates'), (540, 'stable'),
(460, 'testing'), (445, 'testing-proposed-updates'), (440, 'testing'), (20,
'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages aide depends on:
ii aide-common0.15.1-2 Advanced Intrusion Detection Envir
ii bsd-mailx 8.1.2-0.20100314cvs-1 simple mail user agent
ii liblockfile1 1.08-4NFS-safe locking library, includes
ii ucf3.0025+nmu1 Update Configuration File: preserv
Versions of packages aide recommends:
ii cron 3.0pl1-116 process scheduling daemon
aide suggests no packages.
-- debconf information excluded
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#600586: open-vm-tools: Solved VMXNET2 network adapter functionality
Package: open-vm-tools Severity: normal With the kernel 2.6.32-5-686 2.6.32-27 the ethernet network adapter VMXNET 2 (Enhanced) work. Thank you. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-tools depends on: ii libc6 2.11.2-6+squeeze1 Embedded GNU C Library: Shared lib ii libfuse2 2.8.4-1.1 Filesystem in USErspace library ii libgcc11:4.4.5-4 GCC support library ii libglib2.0-0 2.24.2-1 The GLib library of C routines ii libicu44 4.4.1-6 International Components for Unico ii libstdc++6 4.4.5-4 The GNU Standard C++ Library v3 Versions of packages open-vm-tools recommends: ii ethtool 1:2.6.34-3 display or change Ethernet device ii open-vm-source 2010.06.16-268169-3 Source for VMware guest systems dr ii zerofree 1.0.1-2 zero free blocks from ext2/3 file- Versions of packages open-vm-tools suggests: ii open-vm-toolbox 2010.06.16-268169-3 tools and components for VMware gu -- Configuration Files: /etc/vmware-tools/tools.conf changed: -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#600586: open-vm-tools: vmxnet_init_ring alloc_page failed with kernel 2.6.32-25
Package: open-vm-tools Version: 2010.06.16-268169-3 Severity: normal After the last upgrade of the system the network do not start. The error appears in the networking startup script execution is: eth0: vmxnet_init_ring alloc_page failed. SIOCSIFFLAGS: Cannot allocate memory with the old kernel: 2.6.32-23 (linux-image-2.6.32-5-686) the vmxnet module work correctly. I've the "VMXNET 2 (Enhanced)" network adapter configured in the virtual guest. The "Flexible" network adapter, that use the pcnet32 module, work correctly. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-tools depends on: ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib ii libfuse2 2.8.4-1.1 Filesystem in USErspace library ii libgcc1 1:4.4.5-2 GCC support library ii libglib2.0-0 2.24.2-1 The GLib library of C routines ii libicu44 4.4.1-6International Components for Unico ii libstdc++64.4.5-2The GNU Standard C++ Library v3 Versions of packages open-vm-tools recommends: ii ethtool 1:2.6.34-3 display or change Ethernet device ii open-vm-source 2010.06.16-268169-3 Source for VMware guest systems dr ii zerofree 1.0.1-2 zero free blocks from ext2/3 file- Versions of packages open-vm-tools suggests: ii open-vm-toolbox 2010.06.16-268169-3 tools and components for VMware gu -- Configuration Files: /etc/vmware-tools/tools.conf changed: -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#580868: correct cron.d/mdadm suggest
Package: mdadm Version: 3.0.3-2 Severity: normal I suggest the following line into the /etc/cron.d/mdadm file: 57 0 * * 0 root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +\%d) -le 7 ];then /usr/share/mdadm/checkarray --cron --all --quiet;fi If the test is false the exit status is false (0). -- Package-specific info: WARNING: the following output was not generated by the root user. If you can, please replace the following up until "-- System Information:" with the output of /usr/share/bug/mdadm/script 3>&1 run as root. Thanks! --- mount output /dev/mapper/Cosmo-ROOT on / type ext3 (rw,user_xattr,errors=remount-ro) tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755) proc on /proc type proc (rw,noexec,nosuid,nodev) sysfs on /sys type sysfs (rw,noexec,nosuid,nodev) udev on /dev type tmpfs (rw,mode=0755) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev) devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620) /dev/mapper/Cosmo-home on /home type jfs (rw,nosuid,nodev) /dev/mapper/ctmp on /tmp type ext2 (rw,noexec,nosuid,nodev) /dev/mapper/Cosmo-usr on /usr type ext3 (rw) /dev/mapper/Cosmo-var on /var type ext3 (rw,noexec,nosuid,nodev) /tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind) fusectl on /sys/fs/fuse/connections type fusectl (rw) binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev) /dev/mapper/Crypto-SPACE on /opt/space type jfs (rw,noexec,nosuid,nodev) /dev/mapper/Crypto-uCosmo on /opt/uCosmo type jfs (ro) /dev/md0 on /opt/uCosmo/boot type ext2 (ro,noexec,nosuid,nodev) /tmp on /opt/uCosmo/tmp type none (rw,noexec,nosuid,nodev,bind) /tmp on /opt/uCosmo/var/tmp type none (rw,noexec,nosuid,nodev,bind) proc-uCosmo on /opt/uCosmo/proc type proc (rw) /dev on /opt/uCosmo/dev type none (rw,bind,mode=0755) /dev/pts on /opt/uCosmo/dev/pts type none (rw,noexec,nosuid,bind,gid=5,mode=620) //sys03/Da_stampare on /media/gb/sys03/Da_stampare type cifs (rw,mand,noexec,nosuid,nodev) //dcgc01/inasset on /media/gb/dcgc01/inasset type cifs (rw,mand,noexec,nosuid,nodev) /home/gb/.Private on /home/gb/Private type ecryptfs (ecryptfs_sig=24c920f75c6a4c43,ecryptfs_cipher=aes,ecryptfs_key_bytes=16) --- mdadm.conf # mdadm.conf # # Please refer to mdadm.conf(5) for information about this file. # # by default, scan all partitions (/proc/partitions) for MD superblocks. # alternatively, specify devices to scan, using wildcards if desired. DEVICE partitions # auto-create devices with Debian standard permissions CREATE owner=root group=disk mode=0660 auto=yes # automatically tag new arrays as belonging to the local system HOMEHOST # instruct the monitoring daemon where to send mail alerts MAILADDR root # definitions of existing MD arrays ARRAY /dev/md0 level=raid1 num-devices=2 UUID=77e326dc:6e14c11b:a651d75b:f1f14b73 ARRAY /dev/md1 level=raid1 num-devices=2 UUID=c0c625ce:7ef2335f:3f11248e:bd61a445 ARRAY /dev/md2 level=raid1 num-devices=2 UUID=f79c8b36:3fe6f14a:6a040ff2:21c20a6f # This file was auto-generated on Wed, 30 Jul 2008 11:10:52 + # by mkconf $Id$ --- /proc/mdstat: Personalities : [raid1] md2 : active raid1 sda3[0] sdb3[1] 49705024 blocks [2/2] [UU] md1 : active raid1 sda2[0] sdb2[1] 28314496 blocks [2/2] [UU] md0 : active raid1 sda1[0] sdb1[1] 128384 blocks [2/2] [UU] unused devices: --- /proc/partitions: major minor #blocks name 8 16 78150744 sdb 8 17 128488 sdb1 8 18 28314562 sdb2 8 19 49705110 sdb3 80 78156288 sda 81 128520 sda1 82 28314562 sda2 83 49705110 sda3 84 1 sda4 85 7969 sda5 90 128384 md0 91 28314496 md1 92 49705024 md2 2530 749568 dm-0 25318982528 dm-1 25322097152 dm-2 2533 11972608 dm-3 2534 589824 dm-4 25353919872 dm-5 25363919872 dm-6 2537 589824 dm-7 2538 49703996 dm-8 25396754304 dm-9 253 10 42946560 dm-10 --- initrd.img-2.6.32-5-amd64: 63723 blocks b03f089e64c85ce3e1db4f77c9af2a3b ./etc/mdadm/mdadm.conf 17311b7efaf3bcd78a295df0066ccf10 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/raid6_pq.ko ad9c9f0bc8b1505d2c9f1649b96874d3 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-mod.ko 72540066781e37234f9eeedb655b1c80 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-crypt.ko 7b5f5120b51c864c3acb6c3dd165e63a ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-snapshot.ko 1a410ee1543901e87ed8fb7534ac4d33 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-log.ko 3a5180278967756089c2c03b0aa7e764 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-region-hash.ko e497019adf1ad00831a3e0f193590395 ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/dm-mirror.ko b38eb108e73b8e19e422bbe46c43ccfd ./lib/modules/2.6.32-5-amd64/kernel/drivers/md/md-mod.ko 33d4ea150792de2399e676f
Bug#581160: open-vm-source: compile(install) fails on pvscsi.o inexistent file
Package: open-vm-source Version: 2010.04.25-253928-1 Severity: grave Justification: renders package unusable open-vm module compiling fails with: ~# M=open-vm;m-a update;m-a clean $M;m-a prepare $M;m-a -t build $M ... # Installing the modules set -e; for MODULE in pvscsi vmblock vmci vmhgfs vmmemctl vmsync vmxnet vsock; \ do \ install -D -m 0644 modules/linux/$MODULE.o debian/open-vm-modules-2.6.32-3-amd64/lib/modules/2.6.32-3-amd64/misc/$MODULE.ko; \ done install: impossibile eseguire stat di "modules/linux/pvscsi.o": No such file or directory make[1]: *** [binary-modules] Error 1 make[1]: Leaving directory `/usr/src/modules/open-vm' make: *** [kdist_build] Error 2 BUILD FAILED! See /var/cache/modass/open-vm-source.buildlog.2.6.32-3-amd64.1273565546 for details. ~$ tail -n 5 /var/cache/modass/open-vm-source.buildlog.2.6.32-3-amd64.1273565546 done install: impossibile eseguire stat di "modules/linux/pvscsi.o": No such file or directory make[1]: *** [binary-modules] Error 1 make[1]: Leaving directory `/usr/src/modules/open-vm' make: *** [kdist_build] Error 2 Guido. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-source depends on: ii bzip2 1.0.5-4high-quality block-sorting file co ii debhelper 7.4.19 helper programs for debian/rules ii make 3.81-8 An utility for Directing compilati ii quilt 0.48-7 Tool to work with series of patche Versions of packages open-vm-source recommends: ii module-assistant 0.11.3 tool to make module package creati ii open-vm-tools2010.04.25-253928-1 tools and components for VMware gu Versions of packages open-vm-source suggests: ii open-vm-toolbox 2010.04.25-253928-1 tools and components for VMware gu -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#577163: Impossible boot ordering info in init.d script
Package: open-vm-tools Version: 2010.03.20-243334-4 Severity: normal The open-vm-tools also load the network kernel module "vmxnet" that is necessary to configure the network so I think that the correct startup is in the S level/directory: # Required-Start: $local_fs # X-Start-Before: $network # X-Stop-After: $network # Default-Start:S Guido Bozzetto -- System Information: Debian Release: squeeze/sid APT prefers testing-proposed-updates APT policy: (990, 'testing-proposed-updates'), (990, 'testing'), (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.32-3-686 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-tools depends on: ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib ii libfuse2 2.8.1-1.2 Filesystem in USErspace library ii libgcc1 1:4.4.2-9 GCC support library ii libglib2.0-0 2.24.0-1 The GLib library of C routines ii libicu42 4.2.1-3International Components for Unico ii libstdc++64.4.2-9The GNU Standard C++ Library v3 Versions of packages open-vm-tools recommends: ii ethtool 1:2.6.33-1 display or change Ethernet device ii open-vm-source 2010.03.20-243334-4 Source for VMware guest systems dr ii zerofree 1.0.1-2 zero free blocks from ext2/3 file- Versions of packages open-vm-tools suggests: pn open-vm-toolbox(no description available) -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#574553: PostInst fails (err. 2). "awk: fatal: ( o \(desemparejados: /(md/"
Package: initramfs-tools
Version: 0.93.4
Severity: normal
~# LANG=C dpkg --configure initramfs-tools
update-initramfs: Generating /boot/initrd.img-2.6.32-3-amd64
awk: fatal: Unmatched ( or \(: /(hd/
I've lilo and grub2 together for backup. For me a working solution is
to modify the line 192 from:
&& groot=$(awk '/^set root=/{print substr($2, 7, 3); exit}' \
to:
&& groot=$(awk '/^set root=/{print substr($2, 7, length($2)-7); exit}' \
I do not know if this is correct anyway so the correct part of the
string is interpreted without the final "'":
~# LANG=C dpkg --configure initramfs-tools
update-initramfs: Generating /boot/initrd.img-2.6.32-3-amd64
Warning: '/proc/partitions' does not match '/dev' directory structure.
...
7 warnings were issued.
~# dpkg -l initramfs-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Nome Versione Descrizione
+++-==-==-
ii initramfs-tool 0.93.4 tools for generating an initramfs
Thanks, Guido Bozzetto.
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=(hd0,1)/vmlinuz root=UUID=773e7969-3634-4445-98cd-c3aebd7e2784 ro
-- /proc/filesystems
ext4
ext2
ext3
-- lsmod
Module Size Used by
sha256_generic 8644 4
ppdev 5030 0
lp 7462 0
autofs420629 5
nfsd 252838 13
exportfs3122 1 nfsd
nfs 239263 0
lockd 57203 2 nfsd,nfs
fscache29786 1 nfs
nfs_acl 2031 2 nfsd,nfs
auth_rpcgss33444 2 nfsd,nfs
sunrpc159873 13 nfsd,nfs,lockd,nfs_acl,auth_rpcgss
ipt_REDIRECT 17
xt_owner1063 4
ipt_REJECT 1953 3
ipt_LOG 4486 35
xt_limit1782 25
nf_nat_ftp 1919 0
nf_conntrack_ftp5473 1 nf_nat_ftp
xt_state1303 123
xt_tcpudp 2287 431
iptable_mangle 2817 0
iptable_filter 2258 1
iptable_nat 4299 1
ip_tables 13675 3 iptable_mangle,iptable_filter,iptable_nat
nf_nat 13212 3 ipt_REDIRECT,nf_nat_ftp,iptable_nat
x_tables 12653 9
ipt_REDIRECT,xt_owner,ipt_REJECT,ipt_LOG,xt_limit,xt_state,xt_tcpudp,iptable_nat,ip_tables
nf_conntrack_ipv4 9753 126 iptable_nat,nf_nat
nf_conntrack 46295 6
nf_nat_ftp,nf_conntrack_ftp,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1139 1 nf_conntrack_ipv4
quota_v22637 4
quota_tree 6051 1 quota_v2
ext3 106278 1
jbd36813 1 ext3
ext2 52953 2
cryptd 5286 0
aes_x86_64 7340 7
aes_generic25714 1 aes_x86_64
cbc 2507 5
dm_crypt 10491 5
dm_snapshot18425 0
dm_mirror 10843 0
dm_region_hash 6648 1 dm_mirror
dm_log 7381 2 dm_mirror,dm_region_hash
dm_mod 53306 14 dm_crypt,dm_snapshot,dm_mirror,dm_log
snd_pcsp6579 0
snd_pcm60263 1 snd_pcsp
snd_timer 15406 1 snd_pcm
i2c_piix4 8328 0
serio_raw 3752 0
parport_pc 18855 1
snd45822 3 snd_pcsp,snd_pcm,snd_timer
parport27666 3 ppdev,lp,parport_pc
psmouse49505 0
soundcore 4566 1 snd
container 2389 0
i2c_core 15216 1 i2c_piix4
evdev 7336 0
snd_page_alloc 6169 1 snd_pcm
shpchp 26216 0
processor 30135 0
ac 2192 0
pci_hotplug21171 1 shpchp
ext4 284811 14
mbcache 4970 3 ext3,ext2,ext4
jbd2 66759 1 ext4
crc16 1319 1 ext4
sd_mod 29465 21
crc_t10dif 1276 1 sd_mod
ide_pci_generic 2788 0
ata_generic 2983 0
libata131655 1 ata_generic
mptspi 11185 18
mptscsih 15768 1 mptspi
mptbase48046 2 mptspi,mptscsih
scsi_transport_spi 18566 1 mptspi
piix4568 0
floppy 49087 0
intel_agp 25593 1
ide_core 76578 2 ide_pci_generic,piix
button 4634 0
scsi_mod 121509 5 sd_mod,libata,mptspi,mptscsih,scsi_transport_spi
e1000 85437 0
thermal11610 0
fan
Bug#568480: libpam-cracklib: Solve "libpam.so.0 required by pam_cracklib.so"
Package: libpam-cracklib Severity: normal Restarting cron: /etc/init.d/cron restart solve the problem. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages libpam-cracklib depends on: ii cracklib-runtime 2.8.15-6+b1 runtime support for password check ii libc62.10.2-2GNU C Library: Shared libraries ii libcrack22.8.15-6+b1 pro-active password checker librar ii libpam-runtime 1.1.1-1 Runtime support for the PAM librar ii libpam0g 1.1.1-1 Pluggable Authentication Modules l ii witalian [wordlist] 1.7.3-0.1 The Italian dictionary words for / libpam-cracklib recommends no packages. libpam-cracklib suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#564069: open-vm-tools daemon start only on X11
Package: open-vm-tools Version: 2009.12.16-217847-1 Severity: important At system start-up the open-vm-tools daemon don't start while the vm modules are correctly loaded. After some test I observed that without X the open-vm-tools don't work: server:~# /etc/init.d/open-vm-tools restart Stopping open-vm guest daemon: vmtoolsd/etc/init.d/open-vm-tools: line 49: kill: (16571) - No such process . Removing open-vm-tools modules: vmhgfs vmmemctl vmsync. Loading open-vm-tools modules: vmhgfs vmmemctl vmsync. Starting open-vm daemon: vmtoolsd. X11 connection rejected because of wrong authentication. server:~# ps ax|grep vm 21090 ?S< 0:00 [vmmemctl] while with an X11 active environment: server:~# export XAUTHORITY=~user/.Xauthority server:~# /etc/init.d/open-vm-tools restart Stopping open-vm guest daemon: vmtoolsd/etc/init.d/open-vm-tools: line 49: kill: (21099) - No such process . Removing open-vm-tools modules: vmhgfs vmmemctl vmsync. Loading open-vm-tools modules: vmhgfs vmmemctl vmsync. Starting open-vm daemon: vmtoolsd. panama:~# ps ax|grep vm 22697 ?S< 0:00 [vmmemctl] 22706 ?S 0:00 /usr/bin/vmtoolsd --plugin-path /etc/vmware-tools/plugins Obviously when finish the ssh session on server and so close the X11 output on my client machine the vmtoolsd daemon dies :-(( -- System Information: Debian Release: squeeze/sid APT prefers testing-proposed-updates APT policy: (990, 'testing-proposed-updates'), (990, 'testing'), (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.31-1-686 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-tools depends on: ii libc6 2.10.2-2 GNU C Library: Shared libraries ii libgcc1 1:4.4.2-8 GCC support library ii libglib2.0-0 2.22.3-1 The GLib library of C routines ii libicu42 4.2.1-3International Components for Unico ii libstdc++64.4.2-8The GNU Standard C++ Library v3 Versions of packages open-vm-tools recommends: ii ethtool 6+20091202-1display or change Ethernet device ii open-vm-source 2009.12.16-217847-1 Source for VMware guest systems dr ii zerofree 1.0.1-2 zero free blocks from ext2/3 file- Versions of packages open-vm-tools suggests: ii open-vm-toolbox 2009.12.16-217847-1 tools and components for VMware gu -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#555322: open-vm-source: Error on compiling: vmmemctl/os.c error expected ... before OS_Identity
Package: open-vm-source Version: 2009.10.15-201664-1 Severity: important Justification: fails to build from source It is not possible to make the modules: # m-a update # m-a clean # m-a a-i open-vm then fails with the following messages: ... make[4]: Entering directory `/usr/src/linux-headers-2.6.30-2-686' CC [M] /usr/src/modules/open-vm/modules/linux/vmmemctl/os.o /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:290: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'OS_Identity' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:356: error: expected ')' before 'handle' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:383: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'OS_ReservedPageAlloc' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:413: error: expected ')' before 'handle' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:439: error: conflicting types for 'OS_TimeStart' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.h:56: error: previous declaration of 'OS_TimeStart' was here /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:604: error: conflicting types for 'OS_Init' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.h:39: error: previous declaration of 'OS_Init' was here /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c: In function 'init_module': /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:677: error: implicit declaration of function 'Baloon_ModuleInit' /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:677: error: 'BALLOON_SUCCESS' undeclared (first use in this function) /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:677: error: (Each undeclared identifier is reported only once /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:677: error: for each function it appears in.) /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c: In function 'cleanup_module': /usr/src/modules/open-vm/modules/linux/vmmemctl/os.c:692: error: implicit declaration of function 'Baloon_ModuleCleanup' *** [/usr/src/modules/open-vm/modules/linux/vmmemctl/os.o] Error 1 *** [_module_/usr/src/modules/open-vm/modules/linux/vmmemctl] Error 2 *** [sub-make] Error 2 *** [all] Error 2 The last working version for me the compiles with 2.6.30-2-686 is the 2009.08.24-187411-1. The last open-vm-modules that I have compiled successfully is: open-vm-modules-2.6.30-2-686_2009.08.24-187411-1+2.6.30-8_i386.deb Thank you, Guido. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages open-vm-source depends on: ii bzip2 1.0.5-3high-quality block-sorting file co ii debhelper 7.4.3 helper programs for debian/rules ii make 3.81-6 An utility for Directing compilati ii quilt 0.48-2 Tool to work with series of patche Versions of packages open-vm-source recommends: ii module-assistant 0.11.1 tool to make module package creati ii open-vm-tools2009.10.15-201664-1 tools and components for VMware gu Versions of packages open-vm-source suggests: ii open-vm-toolbox 2009.10.15-201664-1 tools and components for VMware gu -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#548996: libpam-cracklib: Log message: `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so)
Package: libpam-cracklib Version: 1.1.0-4 Severity: minor After the packages upgrade appears on auth.log file the following messages: Sep 27 04:15:01 debian CRON[30595]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:15:01 debian CRON[30595]: PAM adding faulty module: /lib/security/pam_cracklib.so Sep 27 04:15:01 debian CRON[30594]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:15:01 debian CRON[30594]: PAM adding faulty module: /lib/security/pam_cracklib.so Sep 27 04:15:01 debian CRON[30598]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:15:01 debian CRON[30598]: PAM adding faulty module: /lib/security/pam_cracklib.so Sep 27 04:16:01 debian CRON[30626]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:16:01 debian CRON[30626]: PAM adding faulty module: /lib/security/pam_cracklib.so Sep 27 04:17:01 debian CRON[30649]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:17:01 debian CRON[30649]: PAM adding faulty module: /lib/security/pam_cracklib.so Sep 27 04:18:01 debian CRON[30693]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/libpam.so.0: version `LIBPAM_EXTENSION_1.1' not found (required by /lib/security/pam_cracklib.so) Sep 27 04:18:01 debian CRON[30693]: PAM adding faulty module: /lib/security/pam_cracklib.so in the /etc/pam.d there is: debian:~# grep cracklib /etc/pam.d/* /etc/pam.d/common-password:password requisite pam_cracklib.so retry=3 minlen=8 difok=3 -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libpam-cracklib depends on: ii cracklib-runtime 2.8.13-12 runtime support for password check ii libc6 2.9-25 GNU C Library: Shared libraries ii libcrack2 2.8.13-12 pro-active password checker librar ii libpam-runtime1.1.0-4Runtime support for the PAM librar ii libpam0g 1.1.0-4Pluggable Authentication Modules l ii wamerican [wordlist] 6-3American English dictionary words ii witalian [wordlist] 1.7.3-0.1 The Italian dictionary words for / libpam-cracklib recommends no packages. libpam-cracklib suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#485397: ipmasq: hangs on post.inst configure step
Package: ipmasq Version: 4.0.8-5 Severity: minor Tags: patch After package installation/update in the post installation script: /var/lib/dpkg/info/ipmasq.postinst configure the system hangs with: The following partially installed packages will be configured: ipmasq Configuro ipmasq (4.0.8-5) ... "ps axu" show the following problem: root 21948 0.7 2.1 14612 11216 pts/1S+ 10:14 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /var/lib/dpkg/info/ipm root 21957 0.0 0.0 0 0 pts/1Z+ 10:14 0:00 [ipmasq.postinst] The solution is to login into another terminal and manually do: server:~# ipmasq and the installation script correctly finish. Thank you, Guido Bozzetto. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages ipmasq depends on: ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy ii iptables 1.4.0-4administration tools for packet fi ipmasq recommends no packages. -- debconf information: ipmasq/external-rules-moved: true * ipmasq/start-location: After network interfaces are brought up ipmasq/dpkg-conffiles: * ipmasq/ppp-turn-off: ipmasq/old-ipmasq.conf: true ipmasq/old-rc.boot-file: true * ipmasq/start: true ipmasq/ppp-turn-on: ipmasq/move-ipmasq.rules: true * ipmasq/ppp-recompute: true -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#483359: spamassassin: Use of uninitialized value $vpopdir
Package: spamassassin
Version: 3.2.4-2
Severity: normal
Tags: patch
With vpopmail configuration (/etc/default/spamassassin):
ENABLED=1
CRON=yes
NICE="--nicelevel 5"
TMPDIR=/var/tmp/spamd
OPTIONS="--nouser-config --create-prefs --max-children=32
--min-children=6 --min-spare=4 --max-spare=8 --syslog-socket=unix"
# Cfr.: /usr/share/doc/spamassassin/README.spamd-vpopmail
OPTIONS="${OPTIONS} -v -u vpopmail"
when arrive a valid message the mail.log reports:
spamd[4943]: spamd: connection from localhost [127.0.0.1] at port 50132
spamd[4943]: Use of uninitialized value $vpopdir in concatenation (.) or
string at /usr/sbin/spamd line 2106, line 2.
spamd[4943]: Can't exec "/bin/vuserinfo": No such file or directory at
/usr/sbin/spamd line 2106, line 2.
spamd[4943]: Use of uninitialized value $vpopdir in concatenation (.) or
string at /usr/sbin/spamd line 2111, line 2.
spamd[4943]: Can't exec "/bin/valias": No such file or directory at
/usr/sbin/spamd line 2111, line 2.
spamd[4943]: Use of uninitialized value $dir in scalar chomp at
/usr/sbin/spamd line 2118, line 2.
the problem is in the subroutine handle_user_set_user_prefs. The working
solution is to check if exist $dir variable:
--- spamd.orig 2008-05-14 03:58:52.0 +0200
+++ spamd 2008-05-28 12:28:53.0 +0200
@@ -2099,6 +2099,7 @@
sub handle_user_set_user_prefs {
my ($dir, $username) = @_;
+if (defined $dir) {#+20080318 <[EMAIL PROTECTED]>
# If vpopmail config enabled then set $dir to virtual homedir
#
if ( $opt{'vpopmail'} ) {
@@ -2117,6 +2118,7 @@
}
chomp($dir);
}
+}
# don't do this if we weren't passed a directory
if ($dir) {
I hope this is usefull.
Thank you, Guido Bozzetto.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (560, 'testing'), (550, 'testing'), (540,
'testing-proposed-updates'), (460, 'stable'), (450, 'stable'), (440,
'proposed-updates'), (20, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages spamassassin depends on:
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii libhtml-parser-perl 3.56-1+b1 A collection of modules that parse
ii libnet-dns-perl 0.63-1+b1 Perform DNS queries from a Perl sc
ii libsocket6-perl 0.20-1 Perl extensions for IPv6
ii libsys-hostname-long-perl 1.4-2 Figure out the long (fully-qualifi
ii libwww-perl 5.812-1WWW client/server library for Perl
ii perl 5.10.0-10 Larry Wall's Practical Extraction
ii perl-modules [libarchive-tar- 5.10.0-10 Core Perl modules
Versions of packages spamassassin recommends:
ii gcc 4:4.2.2-2 The GNU C compiler
ii gnupg 1.4.6-2.2 GNU privacy guard - a free PGP rep
ii libc6-dev 2.7-10 GNU C Library: Development Librari
ii libmail-spf-perl 2.005-1Perl implementation of Sender Poli
ii libsys-syslog-perl0.24-1+b1 Perl interface to the UNIX syslog(
ii make 3.81-4 The GNU version of the "make" util
ii re2c 0.13.3-1 tool for generating fast C-based r
ii spamc 3.2.4-2Client for SpamAssassin spam filte
-- debconf information:
spamassassin/upgrade/2.40:
spamassassin/upgrade/2.40w:
spamassassin/upgrade/cancel: Continue
spamassassin/upgrade/2.42m: No
spamassassin/upgrade/2.42u: No
--- spamd.orig 2008-05-14 03:58:52.0 +0200
+++ spamd 2008-05-28 12:28:53.0 +0200
@@ -2099,6 +2099,7 @@
sub handle_user_set_user_prefs {
my ($dir, $username) = @_;
+if (defined $dir) { #+20080318 <[EMAIL PROTECTED]>
# If vpopmail config enabled then set $dir to virtual homedir
#
if ( $opt{'vpopmail'} ) {
@@ -2117,6 +2118,7 @@
}
chomp($dir);
}
+}
# don't do this if we weren't passed a directory
if ($dir) {
Bug#475729: p3scan crash with "nor a good viruscode, but 2"
The simple working solution is to set the sticky bit for the group to directory: /var/spool/p3scan/children ~# chmod g+s /var/spool/p3scan/children My system: ~# id clamav uid=101(clamav) gid=105(clamav) gruppi=105(clamav),106(p3scan) ~# dpkg -l clamav p3scan clamav 0.92.1~dfsg2-1.1 p3scan 2:2.3.2-3 Thanks, Guido Bozzetto. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
On domenica 04 maggio 2008, alle 09:38, Marc Haber wrote:
> tags #475983 wontfix
> thanks
>
> On Mon, Apr 14, 2008 at 11:06:14AM +0200, Guido Bozzetto wrote:
> > I suggest the following changes to the rule 31_aide_bind9 to
> > automatically create the correct rules with bind9 running into a chroot
> > environment.
...
> > correctly initialize the aide's BINDCHROOT variable:
> I currently think that this is driving the magic "too far". If one
> decides to run bind chrooted, that one should also be able to modify
> the aide rules themselves.
OK, it's clear.
I think is usefull to insert something like example:
- directly in commented lines into 31_aide_bind9:
#! /bin/bash
#
# # Automagically extract chroot directory
# . /etc/default/bind9
# set $OPTIONS
# for i in $@;do
# if [ "$1" == "-t" ]
# then echo "@@define BINDCHROOT $2"; break
# else shift
# fi
# done
# # Or manually set chroot directory
# # BINDCHROOT=/var/cache/bind
cat << !EOF
@@ifdef BINDCHROOT
@@{BINDCHROOT}/dev/log$ LowLogs
@@{BINDCHROOT}/dev VarDir
@@endif
@@{BINDCHROOT}/var/cache/bind VarFile
@@{BINDCHROOT}/var/log/bind/queries\.log$ Logs
@@{BINDCHROOT}/var/log/bind/queries\.log\.0$ LoSerMemberLog
@@{BINDCHROOT}/var/log/bind/queries\.log\.[1-8]$ SerMemberLog
@@{BINDCHROOT}/var/log/bind/queries\.log\.9$ HiSerMemberLog
@@{BINDCHROOT}/var/log/bind VarDir
@@{BINDCHROOT}/var/run/bind/run/named\.pid$ VarFile
@@{BINDCHROOT}/var/run/bind/run$ VarDir
!EOF
- Surely is better to divide the proposed 31_aide_bind9 script
in 2 parts like inn2 (cfr.: 30_inn2_vars and 31_aide_inn2) so the
commented part is the 30_bind9_vars script
- Introduce /usr/share/doc/aide-common/examples/30_bind9_vars:
#! /bin/bash
#
# Initilize BINDCHROOT variable for 31_aide_bind9 while bind9 run
# in a chroot environment.
#
# Automagically extract chroot directory
. /etc/default/bind9
set $OPTIONS
for i in $@;do
if [ "$1" == "-t" ]
then echo "@@define BINDCHROOT $2"; break
else shift
fi
done
#
# Manually set chroot directory
#BINDCHROOT=/var/cache/bind
In the aide 0.13.1-10 about the rule 31_aide_bind9 I thing that:
- is misleading the name "BINDCHROOT", if initalized with the chroot
dir of bind9 don't work correctly. If is not defined BINDCHROOT
the rule 31_aide_bind9 work correctly and so is useless the
@@define BINDCHROOT /var
assignment. See the first example in the mail.
- the named.pid file is in /var/run/bind/run and not in the
/var/run/bind directory. See the binary named:
~# strings /usr/sbin/named|grep named\.pid
/var/run/bind/run/named.pid
- in the /etc/bind9/named.conf.options installation file of bind9
there is the directive
directory "/var/cache/bind";
so is usefull to introduce:
@@{BINDCHROOT}/cache/bind VarFile
(I think is better: @@{BINDCHROOT}/var/cache/bind VarFile)
I hope that is usefull, thank you for your attention.
Guido Bozzetto.
--
Guido Bozzetto - Systems & Network Administrator - CCDA
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#475983: Suggestion: bind9 chroot rule
Package: aide
Version: 0.13.1-9
Severity: wishlist
Tags: patch
I suggest the following changes to the rule 31_aide_bind9 to
automatically create the correct rules with bind9 running into a chroot
environment.
I suppose that the changes to bind9 standard installation are into
/etc/default/bind9: at the variable OPTIONS is added "-t " to
permit the use of a previously created chroot environment for bind in
the directory.
The following aide's rule automatically extract the chroot directory,
if bind start with "-t" option, and correctly initialize the aide's
BINDCHROOT variable:
#! /bin/bash
. /etc/default/bind9
set $OPTIONS
for i in $@;do
if [ "$1" == "-t" ]; then
echo "@@define BINDCHROOT $2"
break
else
shift
fi
done
cat << !EOF
@@ifdef BINDCHROOT
@@{BINDCHROOT}/dev/log$ LowLogs
@@{BINDCHROOT}/dev VarDir
@@endif
@@{BINDCHROOT}/var/cache/bind VarFile
@@{BINDCHROOT}/var/log/bind/queries\.log$ Logs
@@{BINDCHROOT}/var/log/bind/queries\.log\.[0-8]$ RotatedLogs
@@{BINDCHROOT}/var/log/bind/queries\.log\.9$ RotatedLogs+ARF
@@{BINDCHROOT}/var/log/bind VarDir
@@{BINDCHROOT}/var/run/bind/run/named\.pid$ VarFile
@@{BINDCHROOT}/var/run/bind/run$ VarDir
!EOF
The changed /etc/default/bind9 is:
OPTIONS="-u bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
OPTIONS="$OPTIONS -t $(grep ^bind: /etc/passwd|cut -f6 -d:)"
The important configuration directives in
~bind/etc/bind/named.conf are:
options {
directory "/var/cache/bind";
};
# logging {
# channel "file-queries" {
# file "/var/log/bind/queries.log" versions 5 size 256m;
# };
# category "queries" {
# "file-queries";
# };
# };
Thank you for your attention,
Guido Bozzetto.
-- System Information:
Debian Release: lenny/sid
APT prefers stable
APT policy: (560, 'stable'), (545, 'proposed-updates'), (540, 'stable'),
(460, 'testing'), (445, 'testing-proposed-updates'), (440, 'testing'), (20,
'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT, LC_CTYPE=it_IT (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages aide depends on:
ii aide-common0.13.1-9 Advanced Intrusion Detection Envir
ii bsd-mailx [mailx] 8.1.2-0.20071201cvs-2 A simple mail user agent
ii liblockfile1 1.06.1NFS-safe locking library, includes
ii mailx 1:20071201-2 Transitional package for mailx ren
ii ucf3.006 Update Configuration File: preserv
Versions of packages aide recommends:
ii cron 3.0pl1-100 management of regular background p
-- debconf information excluded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#464503: linux-image-2.6.24-1-amd64: Hangs on boot with SCSI/blkdev probing "comm: scsi_scan_0"
On domenica 10 febbraio 2008, alle 22:33, maximilian attems wrote: > > http://charm.itp.tuwien.ac.at/~mattems/git15/ > currently building git22, let me know on aboves. OK, now the system boot correctly with: http://charm.itp.tuwien.ac.at/~mattems/git15/linux-image-2.6.24-trunk-amd64_2.6.24-trunk1_i386.deb astro:~$ uname -a Linux astro 2.6.24-trunk-amd64 #1 SMP Fri Feb 8 15:55:21 CET 2008 x86_64 GNU/Linux astro:~$ uptime 11:01:48 up 8 min, 2 users, load average: 0.14, 0.33, 0.26 Thank you, Guido Bozzetto. -- Guido Bozzetto - Systems & Network Administrator - CCDA GTN S.P.A. - Viale Tricesimo 181 - I-33100 Udine (UD) - Italy http://www.gtngroup.it/ - Ph./Fax: +39 0432 499311/45366 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#464503: linux-image-2.6.24-1-amd64: Hangs on boot with SCSI/blkdev probing "comm: scsi_scan_0"
On giovedì 07 febbraio 2008, alle 15:11, maximilian attems wrote:
> On Thu, Feb 07, 2008 at 03:05:35PM +0100, Guido Bozzetto wrote:
> > linux-image-2.6.24-trunk-amd64_2.6.24-trunk1~snapshot.10302_i386.deb
>
> thanks for your quick tests, have git15 build from yesterday
> http://photon.itp.tuwien.ac.at/~mattems/linux-image-2.6.24-trunk-amd64_2.6.24-trunk1_amd64.deb
> check
> http://photon.itp.tuwien.ac.at/~mattems/linux-image-2.6.24-trunk-amd64_2.6.24-trunk1_amd64.deb.sha1sum
>
> that is fixed in newer linus, so please give aboves a shot,
> too bad kernel buildserver isn't up..
The sistem is i386 archicture and not amd64. Please can you make a
_i386.deb ?
Thank you, Guido Bozzetto.
--
Guido Bozzetto - http://E-Company.it/gb/
GTN S.P.A. - http://www.gtngroup.it/
Viale Tricesimo 181 - Ph.: +39 0432 499311
I-33100 Udine (UD) - Fax: +39 0432 45366
Italy - Systems & Network Administrator - CCDA
Key fingerprint = 4C26 1DE5 78BD 7ACB FBD2 DB50 740D D6E3 BFF3 B080
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#464503: linux-image-2.6.24-1-amd64: Hangs on boot with SCSI/blkdev probing "comm: scsi_scan_0"
On giovedì 07 febbraio 2008, alle 14:40, maximilian attems wrote:
> [ please keep bug report on cc, cool thanks :) ]
>
> On Thu, Feb 07, 2008 at 02:16:44PM +0100, Guido Bozzetto wrote:
> > On giovedì 07 febbraio 2008, alle 11:16, maximilian attems wrote:
> [..]
> > > can you please try?
> > > linux-image-2.6.24-1-amd64 2.6.24-3
> >
> > The problem is the same :-(
>
> you please just try out latest 2.6.24-trunk-amd64
> that has latest linus git10 or such.
> http://kernel-archive.buildserver.net/pool/main/l/linux-2.6/linux-image-2.6.24-trunk-amd64_2.6.24-trunk1~snapshot.10365_amd64.deb
I tested the last for i386 arch:
linux-image-2.6.24-trunk-amd64_2.6.24-trunk1~snapshot.10302_i386.deb
Don't boot, the system write on console:
kernel BUG at drivers/ide/ide-cd.c:1726!
invalid opcopde: [1]SMP
CPU 1
Modules linked in: ide_cd cdrom ata_generic libata generic usbhid hid sg
sd_mod piix ips scsi_mod ide_core floppy ehci_hcd tg3 uhci_hcd thermal
processor fan
Pid: 0, comm: swapper Not tainted 2.6.24-trunk-amd64 #1
RIP: 0010:...
Guido Bozzetto.
--
Guido Bozzetto - http://E-Company.it/gb/
GTN S.P.A. - http://www.gtngroup.it/
Viale Tricesimo 181 - Ph.: +39 0432 499311
I-33100 Udine (UD) - Fax: +39 0432 45366
Italy - Systems & Network Administrator - CCDA
Key fingerprint = 4C26 1DE5 78BD 7ACB FBD2 DB50 740D D6E3 BFF3 B080
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#464503: linux-image-2.6.24-1-amd64: Hangs on boot with SCSI/blkdev probing "comm: scsi_scan_0"
Package: linux-image-2.6.24-1-amd64 Version: 2.6.24-2 Severity: important The system boot correctly with: linux-image-2.6.22-3-amd64 2.6.22-6 linux-image-2.6.24-1-686 2.6.24-2 while with: linux-image-2.6.24-1-amd64 2.6.24-2 the system don't boot with registers dump. The system have e IBM ServerRaid 7k with BIOS/Firmware Version 7.12.02: scsi0 : IBM PCI ServeRAID 7.12.05 Build 761 sd 0:0:0:0: [sda] 72744960 512-byte hardware sectors (37245 MB) sd 0:0:0:0: [sda] Assuming Write Enabled sd 0:0:0:0: [sda] Assuming drive cache: write through sd 0:0:0:0: [sda] 72744960 512-byte hardware sectors (37245 MB) sd 0:0:0:0: [sda] Assuming Write Enabled sd 0:0:0:0: [sda] Assuming drive cache: write through sda: sda1 sda2 sda3 sda4 < sda5 sda6 sda7 sda8 sda9 sda10 sda11 sda12 sda13 sda14 > sd 0:0:0:0: [sda] Attached SCSI disk sd 0:0:1:0: [sdb] 500748288 512-byte hardware sectors (256383 MB) sd 0:0:1:0: [sdb] Assuming Write Enabled sd 0:0:1:0: [sdb] Assuming drive cache: write through sd 0:0:1:0: [sdb] 500748288 512-byte hardware sectors (256383 MB) sd 0:0:1:0: [sdb] Assuming Write Enabled sd 0:0:1:0: [sdb] Assuming drive cache: write through sdb: sdb1 sdb2 sdb3 sdb4 < sdb5 sdb6 sdb7 sdb8 sdb9 sdb10 sdb11 sdb12 sdb13 sdb14 sdb15 > sd 0:0:1:0: [sdb] Attached SCSI disk The message, after the registers dump, is about the following: Modules linked in: generic usbhid hid ips floppy scsi_mod piix ide_core ehci_hcd uhci_hcd tg3 thermal processor fan Pid: 964, comm: scsi_scan_0 Not tainted 2.6.24-1-amd64 #1 RIP: Thank you for your attention, Guido Bozzetto. -- Package-specific info: ** Version: Linux version 2.6.24-1-686 (Debian 2.6.24-2) ([EMAIL PROTECTED]) (gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)) #1 SMP Thu Jan 31 20:35:50 UTC 2008 ** Command line: auto BOOT_IMAGE=Linux-686 ro root=802 ** Not tainted ** Kernel log: ** Loaded modules: Module Size Used by nfsd 203984 13 auth_rpcgss39744 1 nfsd exportfs4736 1 nfsd ppdev 8804 0 parport_pc 33668 0 lp 11076 0 parport34280 3 ppdev,parport_pc,lp autofs420644 5 nfs 228168 1 lockd 60744 3 nfsd,nfs nfs_acl 3520 2 nfsd,nfs sunrpc170780 14 nfsd,auth_rpcgss,nfs,lockd,nfs_acl ipt_MASQUERADE 3776 1 ipt_REDIRECT2080 10 ipt_owner 1984 4 ipt_REJECT 4480 3 ipt_LOG 5952 42 xt_limit2656 29 nf_nat_ftp 3296 0 nf_conntrack_ftp8896 1 nf_nat_ftp xt_state2464 132 xt_tcpudp 3136 419 iptable_mangle 2784 0 iptable_filter 2976 1 iptable_nat 6916 1 ip_tables 13188 3 iptable_mangle,iptable_filter,iptable_nat nf_nat 18316 4 ipt_MASQUERADE,ipt_REDIRECT,nf_nat_ftp,iptable_nat x_tables 14244 10 ipt_MASQUERADE,ipt_REDIRECT,ipt_owner,ipt_REJECT,ipt_LOG,xt_limit,xt_state,xt_tcpudp,iptable_nat,ip_tables nf_conntrack_ipv4 17352 134 iptable_nat nf_conntrack 62240 7 ipt_MASQUERADE,nf_nat_ftp,nf_conntrack_ftp,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4 ipv6 240772 44 quota_v28992 6 reiserfs 210976 1 ext2 65608 2 dm_snapshot16964 0 dm_mirror 21600 0 dm_mod 55812 2 dm_snapshot,dm_mirror pcspkr 3200 0 rtc13052 0 serio_raw 6660 0 psmouse36464 0 button 8432 0 i2c_i8019232 0 i2c_core 22432 1 i2c_i801 iTCO_wdt 11268 0 e752x_edac 11304 0 edac_core 42060 1 e752x_edac shpchp 31028 0 pci_hotplug27712 1 shpchp evdev 11104 0 ext3 122920 21 jbd43732 1 ext3 mbcache 8288 2 ext2,ext3 sd_mod 27104 27 sg 33264 0 ide_cd 36224 0 cdrom 32512 1 ide_cd ata_generic 7428 0 usbhid 28096 0 libata144464 1 ata_generic hid34272 1 usbhid generic 4388 0 [permanent] floppy 54628 0 ips40892 25 scsi_mod 141196 4 sd_mod,sg,libata,ips ehci_hcd 32524 0 uhci_hcd 23376 0 piix7492 0 [permanent] ide_core 108292 3 ide_cd,generic,piix usbcore 132940 4 usbhid,ehci_hcd,uhci_hcd tg388964 0 thermal16028 0 processor 36520 1 thermal fan 4772 0 ** PCI devi
Bug#462060: fail2ban: log dropped packets with netfilter
Package: fail2ban Version: 0.8.1-3 Severity: wishlist Tags: patch The iptables actions don't log the dropped packets. It is important to know the dropped packets. To log packets without adding to iptables new matches I added a new chain that log the packets before discarding them. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages fail2ban depends on: ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip ii python2.4.4-6An interactive high-level object-o ii python-central0.5.15-0.1 register and build utility for Pyt Versions of packages fail2ban recommends: ii iptables1.3.8.0debian1-1 administration tools for packet fi -- no debconf information iptables-logmultiport.local Description: application/not-regular-file
Bug#461890: ipmasq: integration with portsentry
Package: ipmasq Version: 4.0.8-4 Severity: wishlist Tags: patch With portsentry package installed and with portsentry daemon running with ipfwadm/ipchains/iptables KILL_ROUTE commands if you restart ipmasq the rules created by portsentry are dropped without update the blocked IP list. The attached file (ipmasq rule) solve the problem. Thank you, Guido Bozzetto. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages ipmasq depends on: ii debconf [debconf-2.0] 1.5.18 Debian configuration management sy ii iptables1.3.8.0debian1-1 administration tools for packet fi ipmasq recommends no packages. -- debconf information: ipmasq/external-rules-moved: true * ipmasq/start-location: After network interfaces are brought up ipmasq/dpkg-conffiles: * ipmasq/ppp-turn-off: ipmasq/old-ipmasq.conf: true ipmasq/old-rc.boot-file: true * ipmasq/start: true ipmasq/ppp-turn-on: ipmasq/move-ipmasq.rules: true * ipmasq/ppp-recompute: true ZZZzzz|portsentry.rul Description: application/not-regular-file
Bug#461861: ipmasq: rule to work with ipac or ipac-ng packages
Package: ipmasq Version: 4.0.8-4 Severity: wishlist Tags: patch The example rule to make ipmasq working with IP-ACcountig, ipac or ipac-ng, is dated. In attachment there is the updated solution. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages ipmasq depends on: ii debconf [debconf-2.0] 1.5.18 Debian configuration management sy ii iptables1.3.8.0debian1-1 administration tools for packet fi ipmasq recommends no packages. -- debconf information: ipmasq/external-rules-moved: true * ipmasq/start-location: After network interfaces are brought up ipmasq/dpkg-conffiles: * ipmasq/ppp-turn-off: ipmasq/old-ipmasq.conf: true ipmasq/old-rc.boot-file: true * ipmasq/start: true ipmasq/ppp-turn-on: ipmasq/move-ipmasq.rules: true * ipmasq/ppp-recompute: true ZZZzzz|ipac-ng.rul Description: application/shellscript
Bug#461426: fail2ban: xinetd FAIL
Package: fail2ban
Version: 0.8.1-3
Severity: wishlist
The xinetd daemon recognize some wrong conditions:
- deny_from and only_from directives to limit source IP
- tcp wrappers limitations
so is simply to recognize attacks on the host.
The attached files are:
jail.local= jail configuration
xinetd-fail.local = the filter file: match the FAIL status
iptables-nat-logdropall.local = the action file: LOG and DROP anything
from the bad IP in the PREROUTING chain of the nat table. Is simple to
block anything with raw table so also the tracked connections are
dropped.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (560, 'testing'), (550, 'testing'), (540,
'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240,
'proposed-updates'), (50, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1)
(ignored: LC_ALL set to it_IT)
Shell: /bin/sh linked to /bin/bash
Versions of packages fail2ban depends on:
ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip
ii python2.4.4-6An interactive high-level object-o
ii python-central0.5.15 register and build utility for Pyt
Versions of packages fail2ban recommends:
ii iptables1.3.8.0debian1-1 administration tools for packet fi
-- no debconf information
[xinetd-fail]
enabled = true
filter= xinetd-fail
port = all
banaction = iptables-nat-logdropall
logpath = /var/log/daemon.log
maxretry = 1
# /etc/fail2ban/filter.d/xinetd.local
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
# Cfr.: /var/log/(daemon\.|sys)log
# libwrap => tcp wrappers: hosts.(allow|deny)
# address => xinetd: deny_from|only_from
# load => xinetd: max_load (temporary problem)
failregex = xinetd(?:\[\d{1,5}\])?: FAIL: \S+ address from=$
xinetd(?:\[\d{1,5}\])?: FAIL: \S+ libwrap from=$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# fail2ban/action.d/iptables-nat-logdropall.local
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = /sbin/iptables -t nat -N fail2ban-
/sbin/iptables -t nat -A fail2ban- -j LOG --log-prefix
"$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit
--limit 6/m --limit-burst 2
/sbin/iptables -t nat -A fail2ban- -j DROP
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = /sbin/iptables -t nat -F fail2ban-
/sbin/iptables -t nat -X fail2ban-
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = /sbin/iptables -t nat -n -L fail2ban- >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
#number of failures
#unix timestamp of the ban time
# Values: CMD
#
actionban = /sbin/iptables -t nat -I PREROUTING 1 -s -j fail2ban-
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
#number of failures
#unix timestamp of the ban time
# Values: CMD
#
actionunban = /sbin/iptables -t nat -D PREROUTING -s -j fail2ban-
[Init]
# Defaut name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = anyport
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all
Bug#461417: fail2ban: integration with ipmasq
Package: fail2ban Version: 0.8.1-3 Severity: normal Tags: patch The ipmasq package can destroy all the chains. When shutdown ipmasq the netfilter rules are dropped. The proposed rule for ipmasq restart fail2ban when the ipmasq start if the fail2ban is running. The rule is a file named" /etc/ipmasq/rules/ZZZzzz|fail2ban.rul". -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages fail2ban depends on: ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip ii python2.4.4-6An interactive high-level object-o ii python-central0.5.15 register and build utility for Pyt Versions of packages fail2ban recommends: ii iptables1.3.8.0debian1-1 administration tools for packet fi -- no debconf information ZZZzzz|fail2ban.rul Description: application/not-regular-file
Bug#461412: fail2ban: proftpd filter wrong failregex.
Package: fail2ban Version: 0.8.1-3 Severity: normal Tags: patch The failregex don't match the incorrect password event ": USER ... (Login failed)". Also the failregex don't math the root login attempts "SECURITY VIOLATION". I also added a general proftpd's authentication error "Maximum login attempts". I suggest the following failregex for the rule /etc/fail2ban/filter.d/proftpd.conf: failregex = \(\S+\[\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$ \(\S+\[\]\): USER \S+ \(Login failed\): Incorrect password\.$ \(\S+\[\]\): SECURITY VIOLATION: \S+ login attempted\.$ \(\S+\[\]\): Maximum login attempts \(\d+\) exceeded$ -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (x86_64) Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores) Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Shell: /bin/sh linked to /bin/bash Versions of packages fail2ban depends on: ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip ii python2.4.4-6An interactive high-level object-o ii python-central0.5.15 register and build utility for Pyt Versions of packages fail2ban recommends: ii iptables1.3.8.0debian1-1 administration tools for packet fi -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#438580: ipmasq: Whishlist A03flush.def delete user-defined chains
Package: ipmasq
Version: 4.0.8-4
Followup-For: Bug #438580
The proposed scripts for netfilter:
/etc/ipmasq/rules/A03flush.rul
/etc/ipmasq/ipmasq-down/A03flush.rul
are wrong in the sense that flush and set default policy on all
available tables and not only on kernel's loaded tables.
The side effect of this is that if a table are unused, for example
"raw", then the relative kernel module is loaded also if useless.
The lines:
ls -1 /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_*.ko |
sed -n -e 's,^.*/iptable_\([^/]\+\)\.ko$,\1,p'
are wrong, the correct form is:
lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p'
To better understand my whishlist I attach the two proposed scripts for
ipmasq start and stop (only netfilter section):
/etc/ipmasq/rules/A03flush.rul:
#: Flush all and set default policy of deny.
case $MASQMETHOD in
netfilter)
for table in $(
lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p' )
do
unset userchain
for chain_polref in $( iptables -t $table -nL |
sed -n '/^Chain \S\+ (/s/^Chain \(\S\+\) (\(\S\+\) .*/\1:\2/p' )
do
chain="${chain_polref%:*}"
if [ "${chain_polref##*:}" == "policy" ];then
if [ "$table" == filter ]
then $IPTABLES -t $table -P $chain DROP
else $IPTABLES -t $table -P $chain ACCEPT
fi
$IPTABLES -t $table -F $chain
else
$IPTABLES -t $table -F $chain
userchain="$chain $userchain"
fi
done
for chain in $userchain ; do
$IPTABLES -t $table -X $chain 2>/dev/null ||
echo "Error: deleting user-defined chain $chain on table $table" >&2
done
done
;;
esac
/etc/ipmasq/ipmasq-down/A03flush.rul:
#: Flush all and set default policy of deny on forward, and accept input
#: and output.
case $MASQMETHOD in
netfilter)
for table in $(
lsmod | sed -n -e '/^iptable_/s,^iptable_\(\S\+\)\>.*,\1,p' )
do
unset userchain
for chain_polref in $( iptables -t $table -nL |
sed -n '/^Chain \S\+ (/s/^Chain \(\S\+\) (\(\S\+\) .*/\1:\2/p' )
do
chain="${chain_polref%:*}"
if [ "${chain_polref##*:}" == "policy" ];then
if [ "$table" == filter ] && [ $chain == FORWARD ]
then $IPTABLES -t $table -P $chain DROP
else $IPTABLES -t $table -P $chain ACCEPT
fi
$IPTABLES -t $table -F $chain
else
$IPTABLES -t $table -F $chain
userchain="$chain $userchain"
fi
done
for chain in $userchain ; do
$IPTABLES -t $table -X $chain 2>/dev/null ||
echo "Error: deleting user-defined chain $chain on table $table" >&2
done
done
;;
esac
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (560, 'testing'), (550, 'testing'), (540,
'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240,
'proposed-updates'), (50, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1)
(ignored: LC_ALL set to it_IT)
Shell: /bin/sh linked to /bin/bash
Versions of packages ipmasq depends on:
ii debconf [debconf-2.0] 1.5.16 Debian configuration management sy
ii iptables1.3.8.0debian1-1 administration tools for packet fi
ipmasq recommends no packages.
-- debconf information excluded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#451093: fail2ban: SSH refused connect from @::ffff:X.Y.Z.W
Package: fail2ban Version: 0.8.1-2 Severity: wishlist The filters: /etc/fail2ban/filter.d/sshd.conf /etc/fail2ban/filter.d/sshd-ddos.conf don't trigger the IP addresses blocked by the /etc/hosts.deny file. I think is desirable that fail2ban identify these attempts. I've added the following line to sshd.conf failregex = refused connect from \s that correctly work with: Nov 13 03:42:11 Server sshd[4240]: refused connect from :::210.21.243.47 (:::210.21.243.47) but don't work with the following line, from my auth.log: Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@:::218.249.210.161 (:::218.249.210.161) the error on fail2ban.log file is: 2007-11-12 14:16:33,923 fail2ban.filter : WARNING Unable to find a corresponding IP address for _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@:::218.249.210.161 I think that "" macro on filters is bad. I also tried with "" but without any success. My configuration files are: jail.local: [ssh] maxretry = 2 protocol = tcp sshd.local: [Definition] failregex = (?:error: PAM: )?Authentication failure for .* from \s*$ Failed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$ ROOT LOGIN REFUSED.* FROM \s*$ [iI](?:llegal|nvalid) user .* from \s*$ User .+ from not allowed because not listed in AllowUsers\s*$ User .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ refused connect from \s ignoreregex = Thank you for your attention and thank you for package maintaining. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core) Locale: LANG=it_IT, LC_CTYPE=it_IT (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages fail2ban depends on: ii iptables1.3.8.0debian1-1 administration tools for packet fi ii lsb-base3.1-24 Linux Standard Base 3.1 init scrip ii python 2.4.4-6 An interactive high-level object-o ii python-central 0.5.15 register and build utility for Pyt fail2ban recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#420958: ipac-ng: Couldn't load match ... undefined symbol: parse_port
Package: ipac-ng Version: 1.31-4+b1 Followup-For: Bug #420958 I confirm that also on unstable package there is the problem with UDP or TCP protocol specification. Correctly work the following: Incoming Total System|ipac~o|eth0|all ICMP Incoming Total System|ipac~o|eth0|icmp while don't work: TCP Incoming Total System|ipac~o|eth0|tcp UDP Incoming Total System|ipac~o|eth0|udp with the message: # /etc/init.d/ipac-ng start Starting IP Accounting: Couldn't load match `tcp':/lib/iptables/libipt_tcp.so: undefined symbol: parse_port or Starting IP Accounting: Couldn't load match `udp':/lib/iptables/libipt_udp.so: undefined symbol: parse_port Thank you for attention. -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (550, 'testing'), (540, 'testing-proposed-updates'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core) Locale: LANG=it_IT, LC_CTYPE=it_IT (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages ipac-ng depends on: ii cron3.0pl1-100 management of regular background p ii iptables1.3.6.0debian1-5 administration tools for packet fi ii libc6 2.6-2GNU C Library: Shared libraries ii libgdbm31.8.3-3 GNU dbm database routines (runtime ii libpq5 8.2.4-2 PostgreSQL C client library ii libsqlite0 2.8.17-2 SQLite shared library ii netbase 4.29 Basic TCP/IP networking system ii perl5.8.8-7 Larry Wall's Practical Extraction Versions of packages ipac-ng recommends: ii libgd-gd2-perl1:2.34-1 Perl module wrapper for libgd - gd -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#363391: fail2ban: LC_ALL temporary solution
Package: fail2ban Version: 0.6.1-1 Followup-For: Bug #363391 A working solution is to add LC_ALL=C to /etc/default/fail2ban configuration file: echo "LC_ALL=C" >> /etc/default/fail2ban -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (150, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.15-1-686-smp Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT) Versions of packages fail2ban depends on: ii iptables 1.2.11-10 Linux kernel 2.4+ iptables adminis ii python2.3.5-2An interactive high-level object-o -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#327344: ipac-ng: Error in config file near line 8: syntax error
Package: ipac-ng Version: 1.31-1 Severity: important The configuration files supplied with the package are wrong. At the startup and every 10 minutes there is the following message: admin:~# /etc/init.d/ipac-ng start Starting IP Accounting: Error in config file near line 8: syntax error admin:~# /usr/bin/nice /usr/sbin/fetchipac Error in config file near line 8: syntax error The directive "classic mode =" is now obsolete and should not be in the ipac.conf file because version 1.31 only supports classic mode. The syntax of rules.conf file also is changed and now there is a called field "extension". The attachments are the sample configuration files from source with storage changed from PostgreSQL to Files (that is not recommended !!!). -- System Information: Debian Release: testing/unstable APT prefers testing-proposed-updates APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'testing'), (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.11-1-686 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages ipac-ng depends on: ii cron 3.0pl1-91 management of regular background p ii iptables 1.2.11-10 Linux kernel 2.4+ iptables adminis ii libc6 2.3.5-6GNU C Library: Shared libraries an ii libgdbm3 1.8.3-2GNU dbm database routines (runtime ii netbase 4.21 Basic TCP/IP networking system ii perl 5.8.7-3Larry Wall's Practical Extraction Versions of packages ipac-ng recommends: ii libgd-perl1.41-13Perl module wrapper for libgd -- no debconf information # This is the main ipac-ng configuration file. It contains the # configuration directives that give the ipac-ng its instructions. # Install as /etc/ipac-ng/ipac.conf ## accouting agent. iptables and ipchains available now. account agent = iptables ## storage. gdbm, postgre and files supported. (files is not recommended) #=20050909 <[EMAIL PROTECTED]> storage = postgre #=20050909 <[EMAIL PROTECTED]> storage = gdbm storage = plain-file ## rules file rules file = /etc/ipac-ng/rules.conf # dont store lines contains only zeroes to speedup processing and to save space drop zero lines = yes ## This parameters controls database location ## 'db host', 'db port' can be left blank for a local database ## as now, both databasess (access and storage) configured by these parameters #db host = localhost #db port = 5432 ## ATTENTION: no underscore '_' in the following parameters allowed! db name = ipac db user = ipac db pass = "" # Example config file with accounting rules for iptables # Install as /etc/ipac-ng/rules.conf # # Format: # Name of rule|direction|interface|protocol|source|destination|extension| # WARNING spaces are not allowed before and after '|'. # # where # Name of rule Any string to identify this rule # direction ipac~fi - forward in # ipac~fo - forward out # ipac~i - outgoing from machine with ipac-ng to other host(/net) # (or incoming to otherhost) # ipac~o - incoming to machine with ipac-ng # (or outgoing from otherhost) # # interface interface name, '+' means all interfaces (dont try to use ip numbers here!) # protocol tcp | udp | icmp | all # source\ # destination both as described in ipfwadm(8), or empty # # #W A R N I N G ! ! ! # # Don't use symbols other than '0-9A-z[space]' in rules names. You may encounter # some strange troubles. Incoming Total System|ipac~o|eth0|all Incoming Total System|ipac~fi|eth0|all Outgoing Total System|ipac~i|eth0|all Outgoing Total System|ipac~fo|eth0|all
