Apache or Nginx on debian
Hello list,

Though the question is not directly related to Debian, since most of you are sysadmin experts, may I ask: for running a simple web service, should I choose nginx or apache, and why? The service is composed of some PHP and Python scripts, with redis as the backend DB.

Thanks.
Tom

-- sent from https://dkinbox.com/
Re: netmask question
> On Tue, May 23, 2023 at 08:24:10AM +0800, Tom Reed wrote:
>> Sorry for my newbie question too.
>>
>> If I know the network addr: 192.168.1.0
>> And know the broadcast addr: 192.168.1.255
>> Then I should have the possibility to calculate the netmask addr:
>> 255.255.255.0
>>
>> Isn't it?
>
> Not necessarily. PROBABLY yes, but you can't be certain.
>
> The netmask in this example could be either /23 or /24.
>
> Why are you asking these questions? What's your ACTUAL issue?
>

IIRC, last year my ISP gave me 8 IPv4 addresses; they said the first is the network addr and the last is the broadcast addr, then I have to calculate the netmask by myself.

regards.

-- sent from https://dkinbox.com/
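The calculation the poster describes (ISP gives a first and a last address, derive the netmask yourself), as an added Python example that is not part of the thread. It returns the prefix length only when the two addresses are really the bounds of one CIDR block, and None otherwise; the 192.168.1.x pair is from the thread, the 203.0.113.x pairs are constructed.

```python
import ipaddress
from typing import Optional, Tuple

def netmask_from_range(first: str, last: str) -> Optional[Tuple[int, str]]:
    """Treat `first` as the network address and `last` as the broadcast address of
    one IPv4 block and return (prefix length, dotted netmask).  Returns None when no
    CIDR block has exactly these bounds, i.e. when the ISP's "first" and "last" are
    not a network/broadcast pair at all."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        return None
    size = hi - lo + 1
    # A CIDR block holds a power-of-two number of addresses ...
    if size & (size - 1):
        return None
    # ... and its network address is a multiple of that size (all host bits zero).
    if lo & (size - 1):
        return None
    prefix = 33 - size.bit_length()          # 256 addresses -> /24, 8 addresses -> /29
    netmask = ipaddress.ip_network(f"{first}/{prefix}").netmask
    return prefix, str(netmask)

if __name__ == "__main__":
    # the pair from the thread, then two constructed 8-address ranges (TEST-NET-3)
    for first, last in [("192.168.1.0", "192.168.1.255"),
                        ("203.0.113.8", "203.0.113.15"),    # aligned 8-address block: /29
                        ("203.0.113.4", "203.0.113.11")]:   # 8 addresses, but not aligned
        print(first, last, netmask_from_range(first, last))
```

The function only answers the question "which single block has exactly these bounds"; it cannot tell, as the reply above notes, whether the two addresses merely sit inside a larger block, so confirm the mask with the ISP rather than inferring it.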
Re: netmask question
> Tom Reed wrote:
>>
>> > That's right, but then they go 0 .. 2^8 - 1. 2^8 is still 256, Tim does
>> > have a point there :-)
>> >
>>
>> For a given ipv4, if I know net addr and broadcast addr, how will I
>> calculate the netmask?
>
>
> You can't.
>

Hello

Sorry for my newbie question too.

If I know the network addr: 192.168.1.0
And know the broadcast addr: 192.168.1.255
Then I should have the possibility to calculate the netmask addr: 255.255.255.0

Isn't it?

-- sent from https://dkinbox.com/
Re: netmask question
>
> That's right, but then they go 0 .. 2^8 - 1. 2^8 is still 256, Tim does
> have a point there :-)
>

For a given ipv4, if I know net addr and broadcast addr, how will I calculate the netmask?

-- sent from https://dkinbox.com/
Re: iptables reject with TCP RST
> Hello,
>
> On Mon, May 15, 2023 at 09:10:24AM +0800, Tom Reed wrote:
>> If I clean iptables in the destination host, this telnet will succeed
>> at once.
>>
>> Any hints?
>
> Why have you not used "iptables -vL" to show the packet counts of
> each rule so you can see which rules the packets match? They are
> clearly matching some other earlier rule, and I suggested that in
> the email you have replied to for the exact purpose of checking that
> out.
>

Yes, after each telnet from the client host, the count increased.

    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imap2 reject-with tcp-reset
   99  4620 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission reject-with tcp-reset

regards

-- sent from https://dkinbox.com/
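The check suggested in this thread (read `iptables -vL` counters and rule order to see which rule the packets actually hit), as an added Python example that is not from the thread: it parses a listing in the format quoted above and reports the first matching rule for a port. The listing is constructed; its REJECT lines mirror the counters posted, and the DROP line is added to show the "earlier rule" case a reply raised.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `iptables -vL INPUT` output (not captured from the poster's host);
# the DROP line is added here to show an earlier rule taking the packets before REJECT.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  312 18720 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imaps reject-with tcp-reset
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:imap2 reject-with tcp-reset
   99  4620 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission reject-with tcp-reset
"""

@dataclass
class Rule:
    index: int            # position in the chain, as `iptables --line-numbers` shows it
    pkts: int             # packet counter from the -v output
    target: str           # ACCEPT, DROP, REJECT, ...
    dport: Optional[str]  # value after "dpt:" in the match text, if any
    extra: str            # match text after the destination column
# columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)" + r"\s+\S+" * 6 + r"\s*(.*)$")
def parse_counter(text: str) -> int:
    """iptables -v abbreviates large counters with a K/M/G suffix."""
    mult = {"K": 1000, "M": 1000_000, "G": 1000_000_000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)

def parse_listing(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skips the "Chain ..." line and the column header
        pkts, _bytes, target, extra = m.groups()
        dpt = re.search(r"dpt:(\S+)", extra)
        rules.append(Rule(len(rules) + 1, parse_counter(pkts), target, dpt.group(1) if dpt else None, extra))
    return rules
def first_hit(text: str, port_names: set) -> Optional[Rule]:
    """First rule matching the port: its counter grows per attempt and its target decides RST or silence."""
    return next((r for r in parse_listing(text) if r.dport in port_names), None)
def diagnose(text: str, port_names: set) -> str:
    hit = first_hit(text, port_names)
    if hit is None:
        return "no rule matches this port; the chain policy applies"
    if hit.target == "REJECT" and "tcp-reset" in hit.extra:
        return f"rule {hit.index} sends TCP RST ({hit.pkts} packets so far); a client timeout means the RST is not arriving, so capture with tcpdump at both ends"
    return f"rule {hit.index} ({hit.target}) is hit first, so the REJECT rule never sees the packets"
```

Pass both the service name and the number (for example {"submission", "587"}) because `-vL` prints names and `-vLn` prints numbers.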
Re: iptables reject with TCP RST
>
> so whatever your 193.106.250.x host is, maybe it did indeed block
> the packets itself, but would be good to verify.
>

Hello

I have checked the details but didn't get lucky.

My destination host does have the rules:

REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587 reject-with tcp-reset

And I telnet from two different DCs (one is Dallas, another is LA); both got a timeout, rather than the expected quick disconnection.

$ telnet 193.106.250.86 587
Trying 193.106.250.86...
telnet: Unable to connect to remote host: Connection timed out

If I clean iptables in the destination host, this telnet will succeed at once.

Any hints? Thanks.

-- sent from https://dkinbox.com/
Re: shell script run in backend
> stem service as Jeremy Ardley suggests in a different reply.
>
> Exactly:
>
>   script > /tmp/script.log 2>&1 &
>
> (adjust paths to taste). For good measure, and if your shell
> has job control, it will output the job number and PID, like
> so:
>
>   [1] 15211
>
> (1 is the job number, 15211 is the PID, actual numbers will
> vary). You then issue
>
>   disown %1
>
> (assuming bash here), which lets your shell "forget" about job
> number 1 and keep it for messing around once you leave your
> shell (in some setups, terminating the shell might terminate
> the background jobs, but my memory might be fuzzy).
>

Thanks for all your help. I now convert it to a Perl script and run it under App::Daemon for background jobs.

regards
Tom

-- sent from https://dkinbox.com/
shell script run in backend
Hello list

I have a long-running shell script with similar content:

#!/bin/bash
while [ 1 ]; do
    func1
    func2
    sleep 5
done

Currently the script is running in the front-end in the shell. How can I run it the backend way? Can I register it as a system service?

Thanks
Re: iptables reject with TCP RST
> On Sun, May 14, 2023 at 08:36:38AM +0800, Tom Reed wrote:
>> tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      32157/master
>>
>>
>> And the telnet results:
>>
>> $ telnet 193.106.250.xx 587
>> Trying 193.106.250.xx...
>> telnet: Unable to connect to remote host: Connection timed out
>
> So, it looks like it's not a LAN address. It's a mail server on the
> public Internet? As in, your telnet client and your server are NOT
> talking directly to each other over a straight ethernet connection?
> There's routers and stuff in between them?

Yes, my mail server is in a NYC DC, and the client host is in a Dallas DC.

>
> You'd need to investigate the possibility of a firewall-equivalent at
> each hop along the way.
>

I may need tcpdump for watching the RST packets.

Thank you
Tom
Re: iptables reject with TCP RST
>
> On 14/5/23 08:28, Tom Reed wrote:
>> I telnet to host:587, not port 23.
>> And port 587 already rejects access with tcp rst.
> --
>
> check if you are listening on port 587
>
> netstat -tulpnW | grep 587
>

Yes it does.

tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      32157/master

And the telnet results:

$ telnet 193.106.250.xx 587
Trying 193.106.250.xx...
telnet: Unable to connect to remote host: Connection timed out

Thanks
Re: iptables reject with TCP RST
>
> On 14/5/23 08:14, Tom Reed wrote:
>> /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset
>> /usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with tcp-reset
>>
>> When I telnet from another host to the protected port, it gets a timeout
>> message as follows.
>>
>> telnet: Unable to connect to remote host: Connection timed out
>>
>>
>> IIRC, a timeout should happen for the iptables DROP action. Since I am using
>> REJECT, why doesn't the connection get disconnected quickly?
>
> There may be an earlier rule in your config that stops the REJECT rule
> being hit.
>
> check rule order with
>
> iptables -L -n -v
>
> The other possibility is you aren't running telnet.
>
> netstat -tulnpW | grep 23
>
> --

Hello

I telnet to host:587, not port 23.
And port 587 already rejects access with tcp rst.

REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143 reject-with tcp-reset
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587 reject-with tcp-reset

So what's the reason?

Thank you.
iptables reject with TCP RST
Hello

I have these iptables rules which reject tcp connections with tcp rst.

/usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with tcp-reset

When I telnet from another host to the protected port, it gets a timeout message as follows.

telnet: Unable to connect to remote host: Connection timed out

IIRC, a timeout should happen for the iptables DROP action. Since I am using REJECT, why doesn't the connection get disconnected quickly?

Thank you.
Tom
Re: iptables and system reboot
>
> On 13/5/23 18:56, Tom Reed wrote:
>> for iptables-save, after system rebooting, does it know where to locate
>> the file?
>
> Yes. That's all taken care of by the iptables-persistent package
>
> Also I made a typo. correction;
>
> sudo nano /etc/iptables/rules.v4
>
> sudo nano /etc/iptables/rules.v6
>

That's all right. Thanks for the help.
tom.
Re: iptables and system reboot
>
> On 13/5/23 18:48, Tom Reed wrote:
>> How to recover iptables rules after system rebooting?
>> I know I can put a @reboot crontab for this but there is maybe a
>> better
>> way.
>
>
> sudo apt install iptables-persistent
>
> sudo iptables-save > /etc/iptables/rules.v4
>
> sudo ip6tables-save > /etc/iptables/rules.v6
>

For iptables-save, after system rebooting, does it know where to locate the file?

Thanks.
iptables and system reboot
Hello

How to recover iptables rules after system rebooting? I know I can put a @reboot crontab for this but there is maybe a better way.

Thanks
Re: sudoers question
> Tom Reed (12023-05-12):
>> otherwise every time i have to input password for sudo.
>
> Yes, that is the point.
>
> If “every time” is a lot for you, maybe your use habits need to be
> reviewed.
>

That's normal. For example, I have to check every kind of log (mail, webserver, systems etc). They require sudo then.

regards
Re: sudoers question
> On Fri, May 12, 2023 at 07:27:25PM +0800, Tom Reed wrote:
>> what's the right way to add a user to run sudo without password?
>> I have to edit /etc/sudoers manually. But I don't think it's a graceful
>> way.
>
> *Without password*?? Yes, that will require a manual edit.
>
> There is no "graceful way" to grant that power to users, because that's
> an obscene amount of power without a check. Usually one would only
> do this for a non-interactive account (some sort of service/daemon
> account that does an automated backup, or something of that nature).
>
>

Hello Greg,

For a common account, such as tom, does a nopasswd sudo also make sense? Otherwise every time I have to input the password for sudo.

Thanks
sudoers question
Hello

What's the right way to add a user to run sudo without password? I have to edit /etc/sudoers manually. But I don't think it's a graceful way.

Thanks.
Tom