serverfault.com


Common Server issues – FAQs and answers from those in the know

Postfix: multiple different sender_relay_restrictions

22 December 2025 @ 8:09 pm

I am looking to restrict which client can send mail to which domain (i.e., use my postfix server as a relay), and am struggling to figure it out. This needs to work on multiple OS and postfix versions (all modern, 3.5 or higher, on EL8 and Ubuntu 22.04 or later). My clients are identified by either host name (or corresponding IP address, of course), or by subdomain. Here is, simplified, what I'd like to accomplish:

host1.example.com 192.168.10.5
host2.example.com 172.18.5.18
192.168.12.0/24
--> can send emails anywhere.

host3.example.com 192.168.10.6
host4.example.com 172.18.5.19
*.printers.example.com
--> can send emails only to @example.com

Bonus (I can live without this for now, but anticipate a future need):

host5.example.com 192.168.10.7
host6.example.com 172.18.5.20
--> can send emails only to @example.net

Anything not listed --> cannot use this server to relay em

DDoS from almost all internet IP range

22 December 2025 @ 6:53 pm

I'm having a high volume of traffic blocking my Apache web server due to reaching the MaxRequest of the MPM. In the access log I found a huge number of requests, 90% of which are from unique IPs from 34.0.0.0 to 223.255.255.255. Each request is received from an IP of each subnet in that range. I tried to find a logic, a user agent or something else to trigger a fail2ban filter, but without success. I can't block all the IP ranges because legit IPs are also inside this big range. Any suggestion on how to handle this type of attack?

Anyone know why libvirt-lxc command lxc-enter-namespace works bad?

22 December 2025 @ 4:53 pm

The command lxc-enter-namespace doesn't work.

Distribution: Debian 13
Type of container: unprivileged (same error if run privileged)
Run with: libvirt

As root:

virsh -c lxc:///system lxc-enter-namespace node3 --noseclabel --cmd ls
libvirt: Cgroup error : Unable to write to '/sys/fs/cgroup/machine.slice/machine-lxc\x2d84518\x2dnode3.scope/cgroup.procs': Device or resource busy
error: internal error: Child process (310154) unexpected exit status 125

As an unprivileged user (the same one who runs the container):

virsh -c lxc:///system lxc-enter-namespace node3 --noseclabel --cmd ls
libvirt: Cgroup error : Unable to write to '/sys/fs/cgroup/machine.slice/machine-lxc\x2d84518\x2dnode3.scope/cgroup.procs': Permission denied
error: internal error: Child process (310299) unexpected exit status 125

Any idea about those errors?

Technical differences between type1/2 hypervisors in the way trap-and-emulate work [closed]

22 December 2025 @ 4:40 pm

I know the commonly used type1 vs type2 definition, and I also know that this definition is not clear-cut, and that the relevance of that definition is disputed by some. Still, I have some technical questions about the actual differences in the inner workings (mostly about the trap-and-emulate mechanism) between the most common definitions of "hosted" and "baremetal" hypervisors. From my experience, the most common definition is something that sounds like this:

Type 1 "interacts directly with the hardware" (whatever it means), "manages the hardware directly".
Type 2 negotiates with the OS to obtain the underlying resources.

Let's not consider hardware-assisted virtualization for this question. Both type 1 and type 2 run unprivileged instructions of the guest OS on the CPU without any form of emulation in-between¹. In both cases, Guests aren't run

What’s the best NGINX “redirect” solution from the following options?

22 December 2025 @ 4:36 pm

NGINX doesn't do Apache-style redirects. We want to replace these three URL queries "/grid/grid.html", "grid/grid.html", "grid.html" with just "/grid/". We have separate domain-specific config files inside "/etc/nginx/sites-available", and use CertBot for SSL. The RegEx in the examples below captures all the URL variations listed above. But which of these two is best practice?

A location block inside the existing server block:

server {
    ...
    location ~ ^(((/?)grid/)?grid.html) {
        return 301 $scheme://grid/; # OR https://grid/;
    }
    ...
}

Or add a rewrite block inside the existing server block, using the site root:

server {
    ...
    rewrite ^(((/?)grid/)?grid.html) /grid/ last;
    return 403;
    ...
}

When updating the cert, Certbot writes to the existing

Limiting connection to Docker with whitelist on iptables

22 December 2025 @ 10:09 am

I'm trying to limit the access of IPs to my Docker service with iptables. Let's say my public IP is 1.2.3.4 and the range of IPs that I want to allow is 5.6.7.224/28. I don't want any other range accessing the service. My hostname is hello.com.

DOCKER-USER iptables:

sudo iptables -L DOCKER-USER --line-numbers
Chain DOCKER-USER (1 references)
num  target  prot  opt  source        destination
1    ACCEPT  tcp   --   hello.com/28  anywhere     tcp dpt:8008
2    DROP    tcp   --   anywhere      anywhere     tcp dpt:8008

Docker container info:

758e3dac5b23  vshiny  "shiny run --host 0.…"  3 days ago  Up 3 days  8008/tcp, 1.2.3.4:8008->8000/tcp

This configuration prevents any IP from being allowed to enter the service, even the ones which are in the range I specified to be allowed (5.6.7.224/28

Parsec setup for remote access to Mac Studio and Windows PC from a silent client - Questions about free tier and performance

22 December 2025 @ 1:41 am

I'm planning to move my work machines (a Mac Studio and a Windows PC) from my studio to a rack room to reduce noise in my workspace. The idea is to use a silent client (fanless or similar) next to the monitor, speakers, keyboard, and mouse, and access the machines via remote desktop software. I'm considering Parsec and have some specific questions, especially about the free version: For daily intensive use with AutoCAD, is the free version sufficient or is the paid license required? I'd like to avoid software that behaves like some programs (e.g., Supremo Control) which stop working after a trial period. With two monitors connected to the host PC, does the free version block access or simply not project one of the displays? Same question for a MacBook Air M1 (2020) with an additional external monitor. Is it true that the free version limits color depth, making professional Photoshop work difficult? With a graphics tablet sensitive to pr

problems with openssh sftp chroot folder

21 December 2025 @ 4:25 pm

I am currently working on Ubuntu 22.04 with OpenSSH. I made an SFTP server for users so they can connect to their projects/bots/servers etc. So far, most things are working as they should, but I have a problem with one thing. My path looks like this: .../bots/botX/data. When I log in to my SFTP using FileZilla, in this tree with all layers of folders I see / as my main folder, like home, but I can't create anything there. Folder botX is the CHROOT, and that's why I can't do anything there, and only folder data is assigned to the user. I'm sorry for writing this way, but it's hard for me to describe it. So when I get into this SFTP server as the user, in this tree I see /, and under / I see folder Data, and it's the only way it works: in / I cannot create anything, in Data I can; when I assign BotX for CHROOT and the user, SFTP doesn't start. Sorry, now let's get to the question. I saw on

How to best protect against bit rot on a frequently powered-on SSD? [migrated]

21 December 2025 @ 3:56 pm

I am running a Linux system that is frequently powered-on with a single SSD disk. I would like to protect both the system and the data on this disk from bit rot without resorting to Btrfs, which doesn't seem to be stable enough, or out-of-tree filesystems like ZFS (OpenZFS). My first question here is whether additional measures are even required, given that all modern SSDs seem to have ECC and powering them on for a sufficient amount of time frequently enough allows the controller to do maintenance and bit rot prevention. So far my best idea is to make use of LVM RAID5 with integrity, and create a logical volume with a relatively high number of stripes (10-15) and an allocation option that would allow the stripes to be on the same physical volume:

lvcreate --type raid5 --raidintegrity y -i $N_STRIPES --alloc anywhere ...

The way I understand this configuration is that the integrity layer provided by dm-integrity and managed by LVM will raise

NTFS volume on Windows 10 is not journaling changed ranges

21 December 2025 @ 3:32 pm

The setup: Windows 10 LTSC 2022, the system is on the C: drive with the NTFS journal enabled and 'write range tracking' disabled.

Enabled write tracking via fsutil usn enablerangetracking c:
Confirmed that it was enabled with fsutil usn queryjournal c:; the Chunk size is 16K and the file size threshold is 1M.
Noted the Start Usn value from the above command.
Ran echo 123 >> C:\Temp\file, where file is ~11MB in size.
Listed records with fsutil usn readjournal c: startusn=... using Start Usn from above.

... and: There were no V4 records for the file, only V3 ones! There were however V4 records for other files, e.g. some internal Windows logs. There clearly should've been a V4 like this:

Usn : 5356784 Reason