Clodoaldo's questions

Existem regras aplicadas ao firewalld por dois serviços, Fail2ban e Wireguard. Sempre que recarrego o serviço de firewall, as regras são perdidas. Como preservá-las entre as recarregamentos?

# firewall-cmd --get-all-rules --direct
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT
ipv4 filter FORWARD 1 -i wg -o wg -j ACCEPT
ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE

Rocky Linux 9

Estou usando rdiff-backuppara fazer backup de sistemas de arquivos locais para um servidor Hetzner remoto com uma caixa de armazenamento remoto montada. A caixa de armazenamento é montada no servidor remoto como um cifssistema de arquivos. O backup é executado localmente como root e a sshconexão com o servidor remoto também é feita na conta root. O problema que tenho é que o proprietário/grupo dos arquivos originais não são preservados. Tudo passa a ser propriedade do root.

É assim que a caixa de armazenamento é montada /etc/fstab:

//user.your-storagebox.de/backup /storagebox cifs iocharset=utf8,rw,credentials=/etc/backup-credentials.txt,seal,uid=0,gid=0,file_mode=0660,dir_mode=0770 0 0

E o comando local para fazer backup:

rdiff-backup -v4 --api-version 201 backup --print-statistics \
    --include /home/cpn/Documents \
    --include /home/cpn/ProgramasRFB \
    --include /home/cpn/Pictures \
    --include /home/cpn/Videos \
    --include /hd2t/Fotos \
    --include /hd2t/Videos \
    --include /etc \
    --exclude '**' \
    / [email protected]::/storagebox/Backup/ & disown;

Em vez de os arquivos/diretórios pertencerem ao usuário original, todos eles serão propriedade do root na caixa de armazenamento:

# ll
total 0
drwxrwx---. 2 root root 0 May 14 16:58 Documents
drwxrwx---. 2 root root 0 May  1 09:23 Pictures

o que estou perdendo? Meu palpite é que o problema está relacionado acifs

Estes são os únicos acessos oferecidos pela Hetzner para esse dispositivo em nuvem: https://docs.hetzner.com/robot/storage-box/access/access-overview

Eu também tentei SFTP com resultados piores

RockyLinux 9. Na reinicialização, o Apache falha ao iniciar com a mensagem

Jul 21 10:53:13 cl httpd[877]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 1.2.3.4:80
Jul 21 10:53:13 cl httpd[877]: no listening sockets available, shutting down
Jul 21 10:53:13 cl httpd[877]: AH00015: Unable to open logs
Jul 21 10:53:13 cl systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 10:53:13 cl systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 21 10:53:13 cl systemd[1]: Failed to start The Apache HTTP Server.

O arquivo de configuração principal o configura para escutar naquele endereço e na porta 80. Mas existem hosts virtuais naquele endereço nas portas 80 e 443

Se eu iniciá-lo manualmente, ele começa a usar esse endereço, mas a porta 443

# systemctl start httpd
Jul 21 10:55:44 cl systemd[1]: Starting The Apache HTTP Server...
Jul 21 10:55:44 cl httpd[2135]: [Fri Jul 21 10:55:44.803045 2023] [so:warn] [pid 2135:tid 2135] AH01574: module wsgi_module is already loaded, skipping
Jul 21 10:55:44 cl httpd[2135]: Server configured, listening on: 1.2.3.4 port 443, ...
Jul 21 10:55:44 cl systemd[1]: Started The Apache HTTP Server.

Alguma ideia?

# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      879/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1551/postmaster     
tcp        0      0 1.2.3.4:80              0.0.0.0:*               LISTEN      2574/httpd          
tcp        0      0 1.2.3.4:443             0.0.0.0:*               LISTEN      2574/httpd          
tcp6       0      0 :::22                   :::*                    LISTEN      879/sshd: /usr/sbin 
udp        0      0 127.0.0.1:323           0.0.0.0:*                           810/chronyd         
udp6       0      0 ::1:323                 :::*                                810/chronyd         

# cat /etc/NetworkManager/system-connections/System\ enp0s71fa.nmconnection 
[connection]
id=System enp0s71fa
uuid=b5f5eeee-5bd2-c5a6-acb6-f03d5581aca5
type=ethernet
interface-name=enp0s71fa
timestamp=1689890116

[ethernet]

[ipv4]
address1=1.2.3.4/32,1.2.3.6
address2=1.2.3.5/27
dns=5.6.7.1;
method=manual

[ipv6]
address1=2a01:4f8:bbb:aaaa::2/64,fe80::1
dns=2a01:ccc:dddd::add:2;
method=manual

Eu configurei e namedestá chrootfuncionando há alguns dias. Agora ele não encontra o IP de um determinado domínio:

# dig arstechnica.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Outros domínios são normalmente descobertos:

# dig serverfault.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> serverfault.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;serverfault.com.       IN  A

;; ANSWER SECTION:
serverfault.com.    98  IN  A   198.252.206.140

;; AUTHORITY SECTION:
serverfault.com.    172598  IN  NS  cf-dns02.serverfault.com.
serverfault.com.    172598  IN  NS  cf-dns01.serverfault.com.

;; ADDITIONAL SECTION:
cf-dns02.serverfault.com. 172598 IN A   173.245.59.4
cf-dns01.serverfault.com. 172598 IN A   173.245.58.53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 11:06:10 2014
;; MSG SIZE  rcvd: 127

named.conf:

# cat /var/named/chroot/var/named/chroot/etc/named.conf 

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Todos os arquivos nesse diretório:

# ll /var/named/chroot/var/named/chroot/etc/
total 16
-rw-r--r--. 1 root root   118 Jul 21  2011 localtime
drwxr-x---. 2 root named 4096 Dec 12 02:25 named
-rw-r-----. 1 root named 1008 Dec 17 20:02 named.conf
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.iscdlv.key
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.rfc1912.zones
-rw-r--r--. 1 root root     0 Dec 22 10:35 named.root.key
drwxr-x---. 3 root named 4096 Dec 17 19:15 pki
-rw-r--r--. 1 root root     0 Dec 22 10:35 rndc.key

o que estou perdendo?

+traceadicionado:

# dig arstechnica.com +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com +trace
;; global options: +cmd
.           516879  IN  NS  m.root-servers.net.
.           516879  IN  NS  h.root-servers.net.
.           516879  IN  NS  g.root-servers.net.
.           516879  IN  NS  j.root-servers.net.
.           516879  IN  NS  a.root-servers.net.
.           516879  IN  NS  l.root-servers.net.
.           516879  IN  NS  e.root-servers.net.
.           516879  IN  NS  f.root-servers.net.
.           516879  IN  NS  k.root-servers.net.
.           516879  IN  NS  b.root-servers.net.
.           516879  IN  NS  d.root-servers.net.
.           516879  IN  NS  i.root-servers.net.
.           516879  IN  NS  c.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 577 ms

com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
;; Received 493 bytes from 192.58.128.30#53(192.58.128.30) in 2270 ms

arstechnica.com.    172800  IN  NS  ns1.servercentral.net.
arstechnica.com.    172800  IN  NS  ns2.servercentral.net.
;; Received 118 bytes from 192.12.94.30#53(192.12.94.30) in 579 ms

;; connection timed out; no servers could be reached

cavar no github:

# dig github.com +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> github.com +trace
;; global options: +cmd
.           516495  IN  NS  k.root-servers.net.
.           516495  IN  NS  e.root-servers.net.
.           516495  IN  NS  f.root-servers.net.
.           516495  IN  NS  b.root-servers.net.
.           516495  IN  NS  g.root-servers.net.
.           516495  IN  NS  d.root-servers.net.
.           516495  IN  NS  m.root-servers.net.
.           516495  IN  NS  c.root-servers.net.
.           516495  IN  NS  j.root-servers.net.
.           516495  IN  NS  h.root-servers.net.
.           516495  IN  NS  a.root-servers.net.
.           516495  IN  NS  i.root-servers.net.
.           516495  IN  NS  l.root-servers.net.
;; Received 508 bytes from 127.0.0.1#53(127.0.0.1) in 5 ms

com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
;; Received 488 bytes from 193.0.14.129#53(193.0.14.129) in 74 ms

github.com.     172800  IN  NS  ns1.p16.dynect.net.
github.com.     172800  IN  NS  ns3.p16.dynect.net.
github.com.     172800  IN  NS  ns2.p16.dynect.net.
github.com.     172800  IN  NS  ns4.p16.dynect.net.
;; Received 178 bytes from 192.31.80.30#53(192.31.80.30) in 323 ms

github.com.     30  IN  A   192.30.252.131
github.com.     86400   IN  NS  ns4.p16.dynect.net.
github.com.     86400   IN  NS  ns2.p16.dynect.net.
github.com.     86400   IN  NS  ns1.p16.dynect.net.
github.com.     86400   IN  NS  ns3.p16.dynect.net.
;; Received 130 bytes from 204.13.251.16#53(204.13.251.16) in 10 ms