Search found 30 matches

by jasonnix
2024-05-13 12:44
Forum: System and Network configuration
Topic: Use virt-sysprep for the virtual machine
Replies: 1
Views: 598

Use virt-sysprep for the virtual machine

Hello,
I have a Debian virtual machine and I use it as a web server. I need three more web servers and want to clone this virtual machine. I heard that I should use virt-sysprep, but I don't know what to do. Do I need to install virt-sysprep on the virtual machine?

Thank you.
by jasonnix
2024-04-28 09:40
Forum: System and Network configuration
Topic: How to use resolvconf?
Replies: 2
Views: 2460

How to use resolvconf?

Hello,
I installed resolvconf. I added the following file and put the DNS in it:

# nano /etc/resolvconf/resolv.conf.d/head
nameserver IP
nameserver IP

Then:

# /sbin/resolvconf --enable-updates
# systemctl restart resolvconf
# /sbin/resolvconf -u

After it, I have duplicate address in /etc/resolv.conf file. Why?

Thank you.
by jasonnix
2024-04-28 09:33
Forum: General Questions
Topic: [Solved] A question about permission
Replies: 6
Views: 618

Re: [Software] A question about permission


Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.

Is it running from the proper directory? It's saying you aren't downloading anything rather creating one.

remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403

I'd check your webserver or give yourself permissions to the git. I've also seen this message when ...
by jasonnix
2024-04-26 20:14
Forum: General Questions
Topic: [Solved] A question about permission
Replies: 6
Views: 618

Re: [Software] A question about permission


Either. You want to keep it simple. If there is no reason for the runner group then eliminate it. You can do just fine with 755 for the gitlab-runner user. The only way you need the group separate is if someone else needs to be in it, but in that case you can add them to the gitlab-runner group anyway.


Hi,
Thank you so much.
The permissions are as follows:

$ ls -ls
total 4
4 drwxr-xr-x 4 gitlab-runner runner 4096 Apr 26 23:36 partition

The Git command does not give any error without ...
by jasonnix
2024-04-26 18:10
Forum: General Questions
Topic: [Solved] A question about permission
Replies: 6
Views: 618

Re: [Software] A question about permission


The only thing you should need to do is give the /mnt/partition folder the proper permissions for the gitrunner user? and it will work. The rest of that stuff is nonsense to me. The global sudo for that program is a very bad idea. Global ALL:ALL nopasswd is never the right answer.

There is no reason that chowning a non system owned data partition will cause problems. What you read is wrong on that one.

Never give something more than the absolute minimum it needs unless you have a very good ...
by jasonnix
2024-04-26 16:26
Forum: General Questions
Topic: [Solved] A question about permission
Replies: 6
Views: 618

[Solved] A question about permission

Hello,
I installed Gitlab Runner and after installation I did the following steps:

$ sudo usermod -aG docker gitlab-runner
$ sudo nano /etc/sudoers
gitlab-runner ALL=(ALL) NOPASSWD: ALL

Containers and source repositories are located in another partition and the directory permission is as follows:

# ls -l
total 20
drwxrwxr-x 5 root root 4096 Apr 22 09:22 partition
drwxrwx--- 2 root root 16384 Apr 9 16:50 lost+found

With this permission the runner cannot work and I have to use the ...
by jasonnix
2024-02-26 16:57
Forum: System and Network configuration
Topic: [Solved] Fail2ban does not work
Replies: 4
Views: 919

Re: Fail2ban does not work

ruwolf wrote: 2024-02-26 16:34
What about findtime? Have you entered wrong passwords 3 times in 10 seconds?

Hello,
Thank you so much for your reply.
Yes.
by jasonnix
2024-02-26 09:42
Forum: System and Network configuration
Topic: Some questions about SSH
Replies: 4
Views: 1014

Re: Some questions about SSH



1- By default, Debian does not allow connecting with the root account via SSH, but the PermitRootLogin no option is disabled in the sshd_config file. How does this happen?

See the header of /etc/ssh/sshd_config
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Therefore, the default option applied is
$> grep ...
by jasonnix
2024-02-26 08:12
Forum: System and Network configuration
Topic: [Solved] Fail2ban does not work
Replies: 4
Views: 919

[Solved] Fail2ban does not work

Hello,
The SSH part of Fail2ban is as follows:

[sshd]
enabled = true
port    = 22
logpath = /var/log/ssh-fail2ban.log
backend = %(sshd_backend)s
maxretry  = 2
findtime  = 10
bantime   = 4w

I connected to the host and entered the wrong SSH password a few times, but I was not blocked. Why?

Thank you.

MODERATOR EDIT (aki, Tue Feb 27 08:28:22 CET 2024): added "solved" tag.
by jasonnix
2024-02-26 07:50
Forum: System and Network configuration
Topic: [Solved] Fail2Ban says: section 'sshd' already exists
Replies: 2
Views: 1364

Re: Fail2Ban says: section 'sshd' already exists

Hello,
I commented these two lines:

[sshd]
enabled = true

Then I changed the configuration as below:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry  = 2
findtime  = 10
bantime   = 4w

After it, I got the error message Failed during configuration: Have not found any log file for sshd jail.
How to solve it?
by jasonnix
2024-02-26 07:14
Forum: System and Network configuration
Topic: [Solved] Fail2Ban says: section 'sshd' already exists
Replies: 2
Views: 1364

[Solved] Fail2Ban says: section 'sshd' already exists

Hello,
I installed Fail2Ban. And its service was not running. The service ran successfully when I added the following lines to the beginning of the configuration file:

[sshd]
enabled = true

Now I want to configure Fail2Ban for SSH service and my settings are as follows:

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 2
findtime = 10
bantime = 4w

When I restart the Fail2Ban service, I see the following error message:

[1313]: ERROR Failed during ...
by jasonnix
2024-02-23 12:07
Forum: System and Network configuration
Topic: Some questions about SSH
Replies: 4
Views: 1014

Some questions about SSH

Hello,
I have two questions about SSH service:

1- By default, Debian does not allow connecting with the root account via SSH, but the PermitRootLogin no option is disabled in the sshd_config file. How does this happen?

2- When I connect to a remote server, after a few minutes of not touching the console, SSH is disconnected. I entered the following two options in the sshd_config file, but it has no effect. Why?

ClientAliveInterval  1200
ClientAliveCountMax 3

Thank you.
by jasonnix
2024-02-23 11:59
Forum: Beginners Questions
Topic: [Solved] What's wrong with the update?
Replies: 4
Views: 963

Re: [O/S] What's wrong with the update?


Hello. Nothing is wrong here. This is a common occurrence that can happen for different reasons. Maybe dependencies changed for one of the packages you have installed so that a new package must be installed to perform the upgrade.

If you need that package you can try running

sudo apt-get --with-new-pkgs upgrade <packages>

or simply

sudo apt-get install <packagea>

The former might be the better solution (maybe wait for a second opinion).

I tend to be cautious when this happens. So, do ...
by jasonnix
2024-02-22 20:35
Forum: System and Network configuration
Topic: iptables and connection limit
Replies: 12
Views: 1474

Re: iptables and connection limit

C4H7Cl2O4P wrote: 2024-02-22 14:26
jasonnix wrote: 2024-02-20 06:14 As I said, no one can connect to the server. How can I solve it?
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.

Hi,
Thanks again.
Do you mean something like below?

# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 2 --connlimit-daddr -j ACCEPT
by jasonnix
2024-02-22 11:25
Forum: System and Network configuration
Topic: SAR (System Activity Report)
Replies: 1
Views: 564

SAR (System Activity Report)

Hello,
Does anyone have experience with SAR? I installed SAR, then I activated and executed it using the following commands

# systemctl enable sysstat
#
# systemctl start sysstat

This program created the file /var/log/sysstat/sa21. I want to know whether SAR is automatically recording system activities, or do I need to write a cron file?

Thank you.
by jasonnix
2024-02-20 06:18
Forum: System and Network configuration
Topic: iptables and connection limit
Replies: 12
Views: 1474

Re: iptables and connection limit


Try this: Allow the two IPs

# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address1> -j ACCEPT
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address2> -j ACCEPT


Only allow two connections to port 1080, reject everything else:

# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 -j REJECT


Hello,
Thank you so much for your reply.
Your rules don't apply in my scenario because I don't know the IP addresses that are supposed to connect to the server. Also, your ...
by jasonnix
2024-02-20 06:14
Forum: System and Network configuration
Topic: iptables and connection limit
Replies: 12
Views: 1474

Re: iptables and connection limit




# ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=495,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=494,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=599,fd=3))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=604,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=599,fd=4))
tcp LISTEN 0 4096 *:7070 *:* users:(("v2ray",pid=683,fd=7 ...
by jasonnix
2024-02-18 06:13
Forum: Beginners Questions
Topic: [Solved] What's wrong with the update?
Replies: 4
Views: 963

[Solved] What's wrong with the update?

Hello,
I want to update the system, but I get the following message:

# apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian-security bookworm-security InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
#
# apt upgrade
Reading package lists... Done
Building ...
by jasonnix
2024-02-17 08:16
Forum: System and Network configuration
Topic: iptables and connection limit
Replies: 12
Views: 1474

Re: iptables and connection limit



2- I also used --connlimit-mask 32 , but the result is the same.

I guess you don't need --connlimit-mask in your rule.


... I think this command is based on session and not IP address. ...

Why do you think so ?


When I change the number 2 to 20 , the client can access the Internet through the proxy.

What does netstat tell you ?


Hello,
I removed --connlimit-mask from my rule:

# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 1 --connlimit-daddr -j ...
by jasonnix
2024-02-14 18:18
Forum: System and Network configuration
Topic: iptables and connection limit
Replies: 12
Views: 1474

Re: iptables and connection limit

C4H7Cl2O4P wrote: 2024-02-14 16:49 1) iptables -L

2) Why do you use "--connlimit-mask 0" ?
https://www.linuxquestions.org/question ... 175538254/

Hi,
Thanks.
1- My only iptables rule is the one I wrote above.

2- I also used --connlimit-mask 32, but the result is the same. I think this command is based on session and not IP address. When I change the number 2 to 20, the client can access the Internet through the proxy.