Problems and Bugs

Thanatermesis · July 13, 2018, 2:13pm

Write here all the problems or bugs that you can see on this website, if any! We need to know them to make the website correctly working for when we open it public-massively

Thanatermesis · July 13, 2018, 3:47pm

There was a rare problem with the urls with double slashes like: https://forum.elivelinux.org// , giving a blank page

Now it is FIXED by removing all double slashes from any url formation (this could lead to other bugs, but is not common to use // , so please report any broken url :))

Thanatermesis · July 14, 2018, 4:05am

@subrms are you familiar with iptables? seems like the server is blocking some connections by the forum

Thanatermesis · July 14, 2018, 1:42pm

There was a problem with the email server, seems to be working now!

Make sure that you are subscribed to this thread: @yoda

subrms · July 17, 2018, 7:50am

Excuse me for the delayed answer. Yes i can help for the iptables

Thanatermesis · July 17, 2018, 10:03am

These are some messages that i see in the logs for the localhost ip:

Jul 17 09:53:31 hostdo2 kernel: [48374.397423] iptables denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60229 DF PROTO=TCP SPT=53680 DPT=25 WINDOW=43690 RES=0x00 SYN URGP=0
Jul 17 09:55:31 hostdo2 kernel: [48494.406997] iptables denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34326 DF PROTO=TCP SPT=54032 DPT=25 WINDOW=43690 RES=0x00 SYN URGP=0

and these for the ip of the container of this forum:

Jul 17 01:31:51 hostdo2 kernel: [18274.790246] iptables denied: IN=docker0 OUT= PHYSIN=veth9d774a2 MAC=02:42:c8:d1:75:5a:02:66:a2:94:39:bd:08:00 SRC=172.17.0.2 DST=138.68.75.234 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34769 DF PROTO=TCP SPT=38682 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 17 09:30:21 hostdo2 kernel: [46984.984094] iptables denied: IN=docker0 OUT= PHYSIN=veth037e8a5 MAC=02:42:c8:d1:75:5a:02:66:a2:94:39:bd:08:00 SRC=172.17.0.2 DST=138.68.75.234 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12698 DF PROTO=TCP SPT=36680 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 17 10:04:55 hostdo2 kernel: [49058.674660] iptables denied: IN=docker0 OUT= PHYSIN=veth037e8a5 MAC=02:42:c8:d1:75:5a:02:66:a2:94:39:bd:08:00 SRC=172.17.0.2 DST=138.68.75.234 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51819 DF PROTO=TCP SPT=40204 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0

And this is the iptables configurations made for the server:

enable all outgoing traffic

iptables -P OUTPUT ACCEPT

disable ipv6 ssh' attempts, important

ip6tables -t filter -A INPUT -p tcp --dport 22 -j DROP

block null packets

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

reject syn-flood attack

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

reject x-mas packets

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

accept needed services

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

discourse (docker container) uses this ip: 172.17.0.2

iptables -A INPUT -p tcp -s 172.17.0.2 -j ACCEPT
iptables -A INPUT -p tcp -s 172.17.0.2 --dport 587 -j ACCEPT
#iptables -A INPUT -p tcp -s 172.17.0.0/16 -j ACCEPT

these are ports specific for nginx reverse proxy & ssl configurations

iptables -A INPUT -p tcp -m tcp --dport 25654 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25655 -j ACCEPT

allow all communication with the docker:

iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT

send dropped packets to syslog

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

only give access to mysql from localhost (already configured default debian aparently)

#iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

allow pings

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

accept all packet who come from "lo", lo is always localhost

iptables -A INPUT -i lo -j ACCEPT

we need to add one more rule that will allow us to use outgoing connections (ie. ping from VPS or run software updates);

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the VPS on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

Finally, there's also the fail2ban daemon, which adds iptables rules (maybe you need to see a dump of the running iptables rules?), but it should not block anything by default unless there has been failed attempts IMHO

Thanatermesis · July 17, 2018, 11:06pm

@yoda whisper test 2

Thanatermesis · July 17, 2018, 11:29pm

Emails reconfigurations topic:

Now the email can receive, so the website can listen “everything”
this is good because bounces can be tracked (admin -> emails -> bouncing) and admins can have a notification in case of errors (must!)
optionally we can answer via email, the option is enabled but better to not use it since includes extra quoted previous contents

yoda · July 18, 2018, 2:04am

whisper test @Thanatermesis and @grottem