Login Failure Daemon (lfd) is a process that monitors the authentication log and matches each line against a set of regular expressions to detect login attempts that repeatedly fail within a short period of time. It is often used to detect login failures of SSH connections. However, the regular expressions lfd uses to detect brute force attacks contain severe errors, and an attacker can exploit those bugs to cause a denial of service.
How to Delete Old ReplicaSets in Kubernetes
To delete all old ReplicaSets in Kubernetes, you can use the following one-liner:
kubectl get rs -A -o wide | tail -n +2 | awk '{if ($3 + $4 + $5 == 0) print "kubectl delete rs -n "$1, $2 }' | sh
How to Expose Kubernetes Dashboard Over HTTPS
It is not always convenient to manage the cluster from the console; a web dashboard is sometimes much more convenient. In this post we will learn how to set up automatic certificate renewal with cert-manager, expose the Kubernetes Dashboard to a public Ingress over a secure connection, and configure simple basic authentication as an additional security layer.
Alpine 3.11 and Varnish Reload Issue
In Alpine Linux 3.11, there is an issue with Varnish Cache: the reload operation always fails. In this post, I try to analyze why this happens and provide a patch that solves the issue.
How to Run Docker in Alpine Container in LXC/LXD
When experimenting with Docker Swarm, I decided to set up five more nodes on my local computer. I used Alpine images in LXC, and tried to use Docker in them. Although Docker started successfully, it was impossible to deploy any services to the Alpine nodes; deployment failed with the “cgroups: cannot find cgroup mount destination: unknown” error message.
Because I dislike it when something that should work does not work the way I expect it to, I decided to dig deeper and try to fix the problem.
A Simple Script to Create systemd-nspawn Alpine Container
I needed a small container for experiments to run on my systemd-based machine. LXC and LXD were out of the question. However, systemd has the systemd-nspawn tool, which I used to build a container.
The size of the resulting rootfs is around 8.7 MB.
Ubuntu’s Message of the Day
Looks like some people on Twitter have just discovered update-motd and, in particular, /etc/update-motd.d/50-motd-news.
TL;DR: just run this if you want to disable motd-news:
sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news
ProFTPd: 425 Unable to build data connection: Operation not permitted
Add this to proftpd.conf and restart proftpd: TLSOptions NoSessionReuseRequired
How to Enforce Read-Only Mounting of USB Drives
A Facebook user asked how to forbid write access to an external USB drive, allowing only for read-only access. This article explains how to do that with the help of udev.
How to Make System Logs Append-Only
During an intrusion, an intruder leaves signs of his actions in various system logs. Without reliable logs, it could be very difficult to figure out how the attacker got in, or where the attack came from. This information is crucial in analyzing the incident. It is evident that the logs are a valuable audit trail that should be well protected.
Of course, when an intruder gets into the system, they will try to remove all traces. So, how can we stop an intruder from removing evidence?