Tag Archives: Debian

Duo Security Duo Unix from Debian Package

Leave a reply

In the last post, I wrote about trying to install Duo-Unix from source and the problems I encountered, which led me to install from the bookworm Duo Security repository, even though I’m running Debian Forky (Testing). During the testing, while writing the post (to get screenshots), I found out that the problem was more on my server side.

However, with Duo needing to be updated by tomorrow (February 2nd) to use the latest CA bundle, I used some workarounds to install the Debian package from their site.

I’ve reset my virtual machine and done a fresh update to get the latest packages. I’m running Debian Forky (current testing).

Returning to the Duo-Unix page, they do have options for installing on different distributions. The page says they tested against Trixy (Debian 13), but the commands are still for Stretch and older. They also don’t include the signing key info in the source list file.

Continue reading

Building from Duo Unix from Source

Leave a reply

Note: In the end, the problem I had building from source appears to have been incomplete / canceled apt upgrades.

As I mentioned earlier this week, I had to upgrade the Duo Security Multifactor Authentication software, known as Duo Unix. This software allows PAM access control with a multifactor authenticator to access my SSH boxes. An interesting aside: the same software is also handling the Web Server traffic for logging in to WordPress.

Note: After doing upgrades to my server, which had problems. I can now get ./configure working, so part of it sounds like my box was the issue due to an incomplete partial update.

Set up note, for this blog, I’m not redoing the work on my server, but running on a fresh install of Debian testing (Forky). I’ve already installed the kernel headers and build-essentials packages for use with the VirtualBox Guest Additions, so I’ll skip that below. If you don’t have those, you should make sure they’re installed. I don’t know if the headers are needed, but I’ve always grabbed those for installing from source.

When I originally built the software, I don’t think Duo Security was providing the Debian .deb packages for installation. Or if they were, they were not the same software revision at the time. For the upgrade, I decided to switch to the Debian package this time. That will be the next blog post. Needless to say, after some time working with their documentation and trying to get the apt command to work, I decided it might be faster to build from source again.

Spoiler alert, it wasn’t.

Continue reading

Issue with the WordPress server.

Leave a reply

Oh hey, look… a post. 🙂

Anyway, a couple of weeks ago, two at the time of this writing, I updated my Debian Gnu\Linux server running this site. It broke things. Instead of showing the site, the Apache server showed the text in index.php.

I was running WordPress 6.2 with PHP 8.2. Those two key points are essential because most of the documentation out there for the problem talks about Old versions of WordPress and Old versions of PHP. Neither of which fit me.

Going through sites, I found the fixes. The first was ensuring that PHP was set up in the Apache modules. The easiest way to set it up was to install Libapache2-mod-php8.2.

 

This command changed the error from the index.php to an error:
Your PHP installation appears to be missing the MySQL extension, which is required by WordPress. Please check that the mysqli PHP extension is installed and enabled.

Again, searching said to update WP and PHP (both were already at the newest), so little help. Luckily I found something pointing to  the WP support forum; someone with WP 6.2 and PHP 8.2 having the same issue. The volunteer support person, Steven Stern (sterndata) (@sterndata), said to check php-mysqlnd. The command he used, for that thread’s OP Centos box.

So one search and installation later, I’m back in business and updated to WP 6.2.2.

Now if I could just find my notes and remember everything, I was writing about CTI in January of 2022.

For those interested in root cause analysis: My last upgrade was for Testing to the newest level. It looks like some things with MySQL and php didn’t get updated right and broke the site. I just didn’t think to check if my site was working after the update.

Hello php8.1, thank you for breaking things.

Leave a reply

This server runs Debian’s Testing release. Yes, Testing changes a lot and is not meant for long-term production servers. But I like to be a little more up-to-date on the software packages, and there are times when Debian Stable is too far out of date for what I need or want to run on this server. I do use it as a shell server too. And yes, I know bastion hosts, one “process” per server. That assumes one has a budget for multiple servers.

Anyway, I updated the server, and it pulled PHP 8.1. Previously I was running PHP7.4. Well, something interesting happened during the upgrade. I rebooted the server to get the new kernel loaded, and when everything came back up, I had the “White Page of Death” on the WordPress page. This is a self-hosted server, no CPanel, phpAdmin, or anything like that. If I have to fix a problem, it’s the command line and me.

Continue reading

Dovecot + Postifx problems.

5 Replies

Over the weekend I updated my mail server. Turns out if you have Dovecot installed and configured with Postfix, and Dovecot fails, Postfix stops working too. When I was trying to fix Dovecot I had mail in my mailbox, I could see it if I ran the mail command on the server. But I couldn’t see the email in my desktop client. After fixing Dovecot, I couldn’t see any new email in either place.

Continue reading

productivity vs tweaking

Leave a reply

I’ve been wanting to switch back to a Linux based system for a while. Main hold up has been school. Recently I  got to rebuild my travel laptop to run Linux.

I started with Debian, but after 2 days and a bunch of tweaking of the system and still not to the point of of actually start working.

So out goes Debian, in moves Xubuntu. A couple of hours later up and running. Disappointed, I’d rather be running Debian. But I really don’t have the time to spend doing endless tweaking. I have several other things to do.

more mailserver fun

Leave a reply

I’m still working through my quarantine folders. There are about 300 emails in each folder, and there are 62 folders. The folders are named 0-9, a-z, and A-Z. I don’t know why SpamAssassin / Amavisd on Debian does it that way, but it does.

Anyway going through them one at time with zless, and then rm was a bit of a pain. So I wrote a quick little one-liner to help:

The problem is, not all of the files are in gzip format, so it didn’t display those. And going in and out of the page system for Less was an annoying flash between the pager system and the normal terminal output.

So I improved it, using zcat, because I had some issues with zgrep not supporting some grep switches, like recursive.

Now it didn’t launch the pager, so no flashing. The second thing it did was give me just the To, From, Subject, and Date fields, and I could decide to delete or not based on block of info provided. Downside was it still didn’t handle the non-gzip files.

So when I got up today, I thought why not create a shell script to do this. And I can add in the feature to release false positives that SpamAssassin put in the folders.

So I now have a Mail Administration script in my DFIR repository on GitHub, that will check if it is gzip or not. Use the right form of grep, show info, and ask what to do with the file, release or delete (or nothing if you don’t use r or d as the answer).

Still some minor issues with the script:

  1. Must be ran as root, or someone else that has access to the virusmail sub-directories. in my case that means root since the mail accounts have /bin/false set up for shells.
  2. To be more portable it has to be called from spam sub-directory. In my case spam is in /var/lib/amavis/virusmails/. Which means I have to go there, and then in to one of the 0-9, a-z, or A-Z directories first. Like so:

     
  3. I still have 300 or so emails in each folder so I’d rather work 1 folder at a time right now to clear them.

Future plans for the script:
Ask the user where their spam folder is, so the script can be called outside of those folders, and enumerate all the sub-folders.

I also have to find out if the 0-9a-zA-Z is the same for all versions of software or if that is just a Debian thing.

SPF, DKIM, DMARC, and ADSP

Leave a reply

For a while now, I’ve been having problems with DKIM. It wasn’t working. My logs always had the same error:

And I’d look for a fix but never find anything useful.

Today I decided to go through my mail quarantine folders. In them I found several emails from a friend who is having problems with spammers using his email address. None of them are going through his mail server, they’re all spoofed. We’ve compared our SPF records and they look right. So I went and looked up why I’m seeing all these mails.

Turns out that not all mail admins have set up their servers right to look at SPF and block. That was my problem.

So I went and found a howto for my operating system to fix SPF with my Mail Transfer Agent (MTA). The document, provided by my VPS hosting provider, had how to set up SPF, how to configure my MTA to quarntine emails that fail SPF, a DKIM walk through, a ADSP howto, and a DMARC howto, all on the same page.

First things first. I fixed the SPF inbound. Now it should do the stuff it needs to. Then I figured since I still had time, I’d go after the DKIM problem.

So I backed up my existing files and followed along. AND NOTHING WORKED!. Still the same problem. Heck even the same error message.

So an

later and I started completely fresh. Nothing old, not even the old backup files.

And it still didn’t work. sysctrl status -l opendkim.service and journalctrl -xe were not much help either. Neither one gave enough information on what was wrong.

I did some searching through the logs, and found that even after changing the port to a local socet for Milter it still couldn’t work. But this time I found that it couldn’t see the files, and searching the directory that local socket should be in, it wasn’t there. After much googling I found an old bug report for Debian (my OS of choice). If the socket and pid files were missing, do this:

And suddenly everything was working. I sent test emails to test services, and they seem to be working. At least they told me that everything works.

Then I went why not and set up the ADSP and DMARC stuff in DNS.

Really just happy to get past the problem where dkim isn’t working. Now to go finish clearing out the quarantine files.

Raspberry Pi WPA_Supplicant setup taking way longer than it should

Leave a reply

—- TL/DR —-
If you want to connect a raspberry pi to a hidden access point your wpa_supplicant.conf needs to have the following in the network statement.

Don’t put a ” or a ) in your ASCII PSK it causes problems. I couldn’t get it to work with the hex psk using wpa_passphrase but I broke the rules of troubleshooting making multiple changes at a time instead of one and resetting it.

—– End TL/DR —-

I got a new phone. Nexus 5x.  But this isn’t what this post is about. My SO got a new phone last August. It was an unplanned by after the last one went for a porta-john swim. Again. not what this is about.

A co-worker suggested setting up a NAS to back up the pictures to. Being a poor college student, yes still grad school isn’t cheap, that really isn’t an option. Then he said well if it’s just the phones, why not use one of your Raspberry Pis?

The problem is getting the wpa_suplicant.conf file talking. It has taken me 2 days. Mainly because I don’t mess with that file much.

it hated my passphrase because of the ” and the ) in the middle example:

I tried wpa_passphrase with the file, but it didn’t like that either. (although I kind of want to go back and test it again, in case I missed something.

Which I couldn’t find out until after I set the AP to broadcast. So after more digging I found that

scan_ssid=1 has to be in the config.

Sigh. This is taking way longer than need be, and I’d just wire it, but it’s going to not be near the cables, because of power.