Using PowerDNS as internal resolver

Published by Taco Scheltema

Setting up DNS for an internal network can be a bit daunting. To resolve records within your internal zone you need to configure your computers to use your internal DNS server as their resolver, but that server then also needs a way to resolve names out on the internet. This means you need to set up an authoritative server as well as a recursor.

In PowerDNS 4.1 recursion was removed from the authoritative server, which means you need an authoritative server as well as a recursor. Both can't listen on port 53, so how do you go about setting this up? And how do you manage your internal zones without having to go into the database and use INSERT queries?

Managing your records becomes really easy with PowerDNS-Admin, a web-based management tool. I'll describe the installation in a separate post.

To set up an authoritative server with recursing capabilities, also referred to as Split Horizon DNS, we can use DNSDist, a load balancer for DNS. DNSDist also gives us a lot of flexibility to forward queries for certain zones to specific name servers, for instance where you have multiple office locations interconnected via VPN, each with their own DNS servers.

Continue reading

Can’t send mail with Outlook 2016 for Mac

Published by Taco Scheltema

I recently set up a new email account for a customer who is using Outlook 2016 for Mac OS X. The customer was able to set up the new account in Outlook without any issues, but when he tried sending mail he received the following error:

Authentication fails with error 17895

After some testing on our end we worked out that our server doesn't offer a suitable authentication mechanism on SMTP, as Outlook doesn't support the PLAIN mechanism.

The server we use is a Modoboa setup, which uses Dovecot. In the file /etc/dovecot/conf.d/10-auth.conf there is an option called auth_mechanisms which lists the authentication mechanisms that the server will offer. Adding 'login' as an additional mechanism allows Outlook to authenticate.

Continue reading

Using ipset with iptables

Published by Taco Scheltema

Some time ago I noticed lots of hacking attempts on some of the servers I manage. Some of them are mail servers where hackers were brute-forcing SMTP user/password combinations; others are web servers with WordPress and Magento sites where the logs showed lots of attempts to find vulnerabilities in those sites.

One way of dealing with those is to implement fail2ban, which can be efficient if configured right, but I wanted to try and block the majority of those attempts at the firewall. So I started collecting addresses from the logs and blocking them with normal iptables block rules. This worked for the first 50-60 addresses but soon became unmanageable. Then I found out about publicly available blacklists like blocklist.de and bruteforceblocker, so I tried loading block rules based on those lists into the iptables firewalls, but that caused iptables to take a few minutes to load (!) and it also made the firewalls perform pretty poorly.

So after some investigation I found out about ipset. ipset allows you to create tables that hold a large number of IP addresses and/or networks (amongst a few other things) and that can be queried without a performance hit.

Continue reading

Vim: Automatic Last Updated tag

Published by Taco Scheltema

Ever wanted to know when a script was last updated, without necessarily implementing a version control tool like Subversion? Adding a comment in your script with the date of the last change is a good start, but it relies on manually updating the comment every time a change is made. Adding the code below to your .vimrc file (and/or the .vimrc file of the root user) automates this for you; it also adds the username of the editor. Of course this is no proper way of auditing, but it has proven quite useful when working in a team of 3 to 5 system administrators. This also works well for Apache vhost files or DNS zone files, for instance.

" Run LastMod() just before writing any file that matches these patterns;
" the ks / 's pair saves and restores the cursor position around the call.
autocmd BufWritePre /usr/local/bin/*,/usr/local/sbin/*,~/bin/*,*.sh,*.html,*.pl,*/check_* ks|call LastMod()|'s
fun LastMod()
  " Only inspect the first 20 lines (or the whole file if it is shorter)
  if line("$") > 20
    let l = 20
  else
    let l = line("$")
  endif
  " Login name of the editing user; strip the trailing newline system() returns
  let editor_name = substitute(system('logname'), '\n', '', 'g')
  " Replace everything after '# Modified:' with the timestamp and the user name
  exe "1," . l . "g/^# Modified:/s/# Modified:.*/# Modified: " .
    \ strftime("%c") . " by: " . editor_name
endfun

In the first line you can add file extensions or patterns of the files you want to use this function for. Then, when you create a new file, say test.sh, add the following line:

 # Modified: x

The x is arbitrary; it will be replaced with the current date and time once the file is saved.

The expression that finds the '# Modified:' tag could be changed to cater for files that use a different symbol for in-line comments.

Redeliver messages from MBOX file

Published by Taco Scheltema

On occasion I encounter a situation where, due to a configuration issue, mail was received on a server and stored in the default MBOX format instead of being delivered to a user account on a real mail server.

The following script reads an mbox file and redelivers each message to the original recipient specified in the message or, if specified, to a global recipient.

Continue reading

LDAPsearch sanitize output

Published by Taco Scheltema

ldapsearch is a handy command line tool to query an LDAP server, but it does have some annoying quirks:

  • The output is wrapped at 80 characters, making it difficult to work with
  • Results containing utf8mb4 characters are base64 encoded, making them hard to read

An example of the output:

# extended LDIF
#
# LDAPv3
# base <ou=TestGroup,dc=example,dc=com> with scope subtree
# filter: (objectclass=groupOfNames)
# requesting: cn member
# with dereference control
#

# OC_USER, TestGroup, example.com
dn: cn=OC_USER,ou=TestGroup,dc=example,dc=com
member: cn=admin,dc=users,dc=example,dc=com
member: cn=nagios,dc=SYSTEM,dc=users,dc=example,dc=com
member: cn=Test User 1,ou=Developers ICT,dc=example,dc=com
member: cn=Test User 2,dc=users,dc=example,dc=com
member: cn=Test User 3,ou=Developers ICT,dc=example,dc=com
member: cn=John Jason Doe,ou=Project Management & Project Operations,dc=example
 ,dc=LOCAL
member:: Y249cmVuw6llLnBvaXLDqSxkYz11c2VycyxkYz1leHRlcm5hbCxkYz1MT0NBTA==
cn: OC_USER

# OC_ADMIN, TestGroup, example.com
dn: cn=OC_ADMIN,ou=TestGroup,dc=example,dc=com
cn: OC_ADMIN
member: cn=admin,dc=users,dc=example,dc=com
member: cn=Test User 1,ou=Developers ICT,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

As you can see, this can be hard to work with if you have to parse it further.
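As an added example (not the post's own script), here is a small Python helper that undoes both quirks: it unfolds the 80-column continuation lines and decodes the base64 (`::`) values back into UTF-8 where they are text, leaving genuinely binary values (a photo, a password hash) encoded. The sample input is a constructed subset of the ldapsearch output shown above.

```python
import base64
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the output above, containing one
# wrapped member line and one base64-encoded (::) member value.
SAMPLE = """\
# OC_USER, TestGroup, example.com
dn: cn=OC_USER,ou=TestGroup,dc=example,dc=com
member: cn=admin,dc=users,dc=example,dc=com
member: cn=John Jason Doe,ou=Project Management & Project Operations,dc=example
 ,dc=LOCAL
member:: Y249cmVuw6llLnBvaXLDqSxkYz11c2VycyxkYz1leHRlcm5hbCxkYz1MT0NBTA==
cn: OC_USER

# search result
search: 2
result: 0 Success
"""

# 'attr:: <base64>' lines; the attribute name must be directly followed by '::'
B64_LINE = re.compile(r"^([A-Za-z][\w.;-]*)::\s*(.*)$")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (one leading space) onto the previous line
    and drop the '#' comment lines ldapsearch adds."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def decode_line(line: str) -> str:
    """Turn 'attr:: <base64>' into 'attr: <text>' when the value is valid UTF-8."""
    m = B64_LINE.match(line)
    if not m:
        return line
    name, b64 = m.groups()
    try:
        return f"{name}: {base64.b64decode(b64, validate=True).decode('utf-8')}"
    except (ValueError, UnicodeDecodeError):
        return line  # not text (binary attribute): keep it base64 encoded


def sanitize(text: str) -> str:
    """Readable LDIF: one attribute per line, decoded UTF-8 values."""
    return "\n".join(decode_line(line) for line in unfold(text)) + "\n"


def parse(text: str) -> List[Dict[str, List[str]]]:
    """Group sanitized lines into entries; only blocks carrying a dn count."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in sanitize(text).splitlines() + [""]:
        if not line.strip():  # blank line ends a record
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name, []).append(value.strip())
    return entries
```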

Continue reading