It’s been a while since my last post, but I believe this comprehensive guide will be valuable for anyone looking to transport VLANs from point A to point B using VXLAN. This article compares three setups—Plain VXLAN, VXLAN with WireGuard, and VXLAN with IPsec—covering configurations, performance results, and recommendations for secure and efficient VLAN transport. Whether you’re in a lab or a production environment, this guide has you covered.

Table of Contents

• Overview and Performance Results
• Setup 1: Plain VXLAN (No Encryption)
• Setup 2: VXLAN + WireGuard
• Setup 3: VXLAN + IPsec (StrongSwan)
• Conclusion and Recommendations

Overview and Performance Results

I tested three VXLAN configurations to transport a VLAN between two points, evaluating throughput, retransmissions, and security. Below is a summary of the setups and their performance.

Tested Configurations

• Plain VXLAN: Fastest but unsecure, ideal for private networks.
• VXLAN + WireGuard: Lightweight encryption with moderate performance overhead.
• VXLAN + IPsec: Robust encryption with near-plain performance due to hardware acceleration.

Performance Summary

Key Observations

1. Encryption Overhead
   • WireGuard: CPU-intensive due to AES + UDP encapsulation.
   • IPsec VTI: Lower overhead with kernel crypto and AES-NI hardware acceleration.
2. UDP vs. ESP
   • WireGuard: UDP-based, leading to some packet loss and more retransmissions.
   • IPsec ESP (L3 tunnel): Minimal packet loss, near-plain VXLAN throughput.
3. Plain VXLAN
   • Fastest but unsecure, with low latency and maximum throughput.
   • Vulnerable to sniffing or traffic injection on public networks.

Setup 1: Plain VXLAN (No Encryption)

Plain VXLAN offers the highest throughput but lacks encryption, making it suitable for private networks or lab environments.

Server A Configuration

# Bring up the network interface
ip link set ens192 up

# Create a bridge
sudo ip link add name br800 type bridge
sudo ip link set br800 up

# Create VXLAN tunnel
sudo ip link add vxlan800 type vxlan id 800 \
    local ip_public_serverA remote ip_public_serverB \
    dstport 4789 nolearning
sudo ip link set vxlan800 up

# Add interfaces to the bridge
sudo ip link set ens192 master br800
sudo ip link set vxlan800 master br800

Server B Configuration

Server B is behind NAT, so we use a dummy interface and connect to Server A’s public IP.

# Load dummy module
sudo modprobe dummy

# Create dummy interface
sudo ip link add name dummy800 type dummy
sudo ip link set dummy800 up

# Create a bridge
sudo ip link add name br800 type bridge
sudo ip link set br800 up

# Create VXLAN tunnel to Server A's public IP
sudo ip link add vxlan800 type vxlan id 800 \
    local ip_private_serverB remote ip_public_serverA \
    dstport 4789 nolearning
sudo ip link set vxlan800 up

# Add interfaces to the bridge
sudo ip link set dummy800 master br800
sudo ip link set vxlan800 master br800
sudo ip addr add 10.10.10.98/24 dev br800

Testing Plain VXLAN

# Test connectivity
ping -I br800 10.10.10.1

# Start iperf3 server
iperf3 -s -B 10.10.10.1  # On remote server ( you can consider it Server C )

# Run iperf3 client
iperf3 -c 10.10.10.1 -B 10.10.10.98 -P 4 -t 30

Sample iperf3 Output:

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec  19.5 MBytes  5.45 Mbits/sec  186             sender
[  5]   0.00-30.04  sec  19.0 MBytes  5.30 Mbits/sec                  receiver
[  7]   0.00-30.00  sec  17.9 MBytes  5.01 Mbits/sec  118             sender
[  7]   0.00-30.04  sec  17.7 MBytes  4.94 Mbits/sec                  receiver
[  9]   0.00-30.00  sec  18.6 MBytes  5.20 Mbits/sec  119             sender
[  9]   0.00-30.04  sec  18.4 MBytes  5.13 Mbits/sec                  receiver
[ 11]   0.00-30.00  sec  19.1 MBytes  5.34 Mbits/sec  147             sender
[ 11]   0.00-30.04  sec  18.8 MBytes  5.26 Mbits/sec                  receiver
[SUM]   0.00-30.00  sec  75.1 MBytes  21.0 Mbits/sec  570             sender
[SUM]   0.00-30.04  sec  73.8 MBytes  20.6 Mbits/sec                  receiver

Performance: Plain VXLAN achieved 20.6–21.0 Mbit/s with 570 retransmissions, offering maximum throughput but no security.

Setup 2: VXLAN + WireGuard

This setup adds lightweight encryption with WireGuard, suitable for secure VLAN transport with a moderate performance hit (~10–15% lower throughput).

Step 1: Install WireGuard

sudo apt update
sudo apt install wireguard iproute2 -y

Step 2: Generate WireGuard Keys

wg genkey | tee privatekey | wg pubkey > publickey

Step 3: Configure WireGuard

Server A (/etc/wireguard/wg0.conf):

[Interface]
Address = 100.64.0.1/30
PrivateKey = <ServerA_privatekey>
ListenPort = 51820

[Peer]
PublicKey = <ServerB_publickey>
AllowedIPs = 100.64.0.2/32
Endpoint = server_B_external_ip:51820
PersistentKeepalive = 25

Server B (/etc/wireguard/wg0.conf):

[Interface]
Address = 100.64.0.2/30
PrivateKey = <ServerB_privatekey>
ListenPort = 51820

[Peer]
PublicKey = <ServerA_publickey>
AllowedIPs = 100.64.0.1/32
Endpoint = Server_A_external_ip:51820
PersistentKeepalive = 25

Step 4: Enable WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

# Verify connectivity
ping -c 2 100.64.0.2  # From Server A
ping -c 2 100.64.0.1  # From Server B

Step 5: Configure VXLAN

Server A:

sudo ip link add vxlan800 type vxlan id 800 local 100.64.0.1 remote 100.64.0.2 dstport 4789 nolearning
sudo ip link set vxlan800 up

sudo ip link add name br800 type bridge
sudo ip link set br800 up
sudo ip link set vxlan800 master br800
sudo ip link set ens192 master br800

Server B:

sudo ip link add vxlan800 type vxlan id 800 local 100.64.0.2 remote 100.64.0.1 dstport 4789 nolearning
sudo ip link set vxlan800 up

sudo ip link add name br800 type bridge
sudo ip link set br800 up
sudo ip link set vxlan800 master br800
sudo ip link add name dummy800 type dummy
sudo ip link set dummy800 up
sudo ip link set dummy800 master br800
sudo ip addr add 10.10.10.98/24 dev br800

Step 6: Testing VXLAN + WireGuard

# Test connectivity
ping -I br800 10.10.10.1

# Start iperf3 server
iperf3 -s -B 10.10.10.1  # On remote server ( you can consider it Server C )

# Run iperf3 client
iperf3 -c 10.10.10.1 -B 10.10.10.98 -P 4 -t 30

Sample iperf3 Output:

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec  15.9 MBytes  4.45 Mbits/sec  137             sender
[  5]   0.00-30.04  sec  15.6 MBytes  4.36 Mbits/sec                  receiver
[  7]   0.00-30.00  sec  16.2 MBytes  4.53 Mbits/sec  127             sender
[  7]   0.00-30.04  sec  15.9 MBytes  4.44 Mbits/sec                  receiver
[  9]   0.00-30.00  sec  15.5 MBytes  4.33 Mbits/sec  113             sender
[  9]   0.00-30.04  sec  15.3 MBytes  4.26 Mbits/sec                  receiver
[ 11]   0.00-30.00  sec  17.8 MBytes  4.99 Mbits/sec  150             sender
[ 11]   0.00-30.04  sec  17.5 MBytes  4.90 Mbits/sec                  receiver
[SUM]   0.00-30.00  sec  65.4 MBytes  18.3 Mbits/sec  527             sender
[SUM]   0.00-30.04  sec  64.3 MBytes  18.0 Mbits/sec                  receiver

Performance: VXLAN + WireGuard achieved 18.0–18.3 Mbit/s with 527 retransmissions, showing a ~10–15% performance drop due to CPU-based encryption.

Setup 3: VXLAN + IPsec (StrongSwan)

VXLAN over IPsec provides robust encryption with minimal performance overhead, leveraging VTI and AES-NI hardware acceleration.

Step 1: Install StrongSwan

apt install strongswan

Server A Configuration

Step 2: Configure IPsec

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids = no

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-modp2048
    esp=aes256-sha256
    dpdaction=clear
    dpddelay=300s
    fragmentation=yes

conn vxlan-ipsec
    left=ip_public_serverA
    leftid=ip_public_serverA
    leftsubnet=0.0.0.0/0
    leftupdown=/etc/strongswan.d/updown-vxlan.sh
    right=ip_public_serverB
    rightid=ip_private_serverB
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start
    keyingtries=%forever
    authby=psk
    mark=10

Step 3: Configure IPsec Secrets

# /etc/ipsec.secrets
ip_private_serverB ip_public_serverA : PSK "putsomething"

Step 4: Create Up/Down Script

# /etc/strongswan.d/updown-vxlan.sh
#!/bin/bash
# Simple up/down script for VTI + VXLAN
case "$PLUTO_VERB" in
    up-client|up-host|up)
        logger "[$PLUTO_CONNECTION] VPN UP: creating interfaces"
        /usr/local/bin/create_vxlan.sh
        ;;
    down-client|down-host|down)
        logger "[$PLUTO_CONNECTION] VPN DOWN: deleting interfaces"
        /usr/local/bin/destroy_vxlan.sh
        ;;
esac

Step 5: Create VXLAN Setup Script

# /usr/local/bin/create_vxlan.sh
sudo ip link add ipsec0 type vti local ip_public_serverA remote ip_public_serverB key 10
sudo ip addr add 100.64.0.1/30 dev ipsec0
sudo ip link set ipsec0 up

sudo ip link add vxlan800 type vxlan id 800 local 100.64.0.1 remote 100.64.0.2 dstport 4789 nolearning
sudo ip link set vxlan800 up

sudo ip link add name br800 type bridge
sudo ip link set br800 up
sudo ip link set vxlan800 master br800
sudo ip link set ens192 master br800

sudo ip route del default table 220

Step 6: Create VXLAN Teardown Script

# /usr/local/bin/destroy_vxlan.sh
# Delete IPsec VTI
ip link del ipsec0

# Remove interfaces from bridge
sudo ip link set vxlan800 nomaster 2>/dev/null
sudo ip link set ens192.800 nomaster 2>/dev/null
sudo ip link set ens192 nomaster 2>/dev/null

# Delete bridge and VXLAN
sudo ip link del vxlan800 2>/dev/null
sudo ip link del br800 2>/dev/null

# Delete VLAN subinterface if created
sudo ip link del ens192.800 2>/dev/null

Server B Configuration

Step 1: Configure IPsec

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids = no

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-modp2048
    esp=aes256-sha256
    dpdaction=clear
    dpddelay=300s
    fragmentation=yes

conn vxlan-ipsec
    left=ip_private_serverB
    leftid=ip_private_serverB
    leftsubnet=0.0.0.0/0
    leftupdown=/etc/strongswan.d/updown-vxlan.sh
    right=ip_public_serverA
    rightid=ip_public_serverA
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start
    keyingtries=%forever
    authby=psk
    mark=10

Step 2: Configure IPsec Secrets

# /etc/ipsec.secrets
ip_private_serverB ip_public_serverA : PSK "putsomething"

Step 9: Create Up/Down Script

# /etc/strongswan.d/updown-vxlan.sh
#!/bin/bash
# Simple up/down script for VTI + VXLAN
case "$PLUTO_VERB" in
    up-client|up-host|up)
        logger "[$PLUTO_CONNECTION] VPN UP: creating interfaces"
        /usr/local/bin/create_vxlan.sh
        ;;
    down-client|down-host|down)
        logger "[$PLUTO_CONNECTION] VPN DOWN: deleting interfaces"
        /usr/local/bin/destroy_vxlan.sh
        ;;
esac

Step 3: Create VXLAN Setup Script

# /usr/local/bin/create_vxlan.sh
sudo ip link add ipsec0 type vti local ip_private_serverB remote ip_public_serverA key 10
sudo ip addr add 100.64.0.2/30 dev ipsec0
sudo ip link set ipsec0 up

sudo ip link add vxlan800 type vxlan id 800 local 100.64.0.2 remote 100.64.0.1 dstport 4789 nolearning
sudo ip link set vxlan800 up

sudo ip link add name br800 type bridge
sudo ip link set br800 up
sudo ip link add name dummy800 type dummy
sudo ip link set dummy800 up
sudo ip link set vxlan800 master br800
sudo ip link set dummy800 master br800

sudo ip addr add 10.10.10.98/24 dev br800

sudo ip route del default table 220

Step 4: Create VXLAN Teardown Script

# /usr/local/bin/destroy_vxlan.sh
# Delete IPsec VTI
ip link del ipsec0

# Remove interfaces from bridge
sudo ip link set vxlan800 nomaster 2>/dev/null
sudo ip link set dummy800 nomaster 2>/dev/null

# Delete VXLAN, dummy, and bridge
sudo ip link del vxlan800 2>/dev/null
sudo ip link del dummy800 2>/dev/null
sudo ip link del br800 2>/dev/null

Testing VXLAN + IPsec

# Test connectivity
ping -I br800 10.10.10.1

# Start iperf3 server
iperf3 -s -B 10.10.10.1

# Run iperf3 client
iperf3 -c 10.10.10.1 -B 10.10.10.98 -P 4 -t 30

Sample iperf3 Output:

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec  20.7 MBytes  5.80 Mbits/sec  117             sender
[  5]   0.00-30.04  sec  20.4 MBytes  5.71 Mbits/sec                  receiver
[  7]   0.00-30.00  sec  17.0 MBytes  4.74 Mbits/sec  116             sender
[  7]   0.00-30.04  sec  16.7 MBytes  4.66 Mbits/sec                  receiver
[  9]   0.00-30.00  sec  18.8 MBytes  5.25 Mbits/sec  115             sender
[  9]   0.00-30.04  sec  18.5 MBytes  5.15 Mbits/sec                  receiver
[ 11]   0.00-30.00  sec  16.7 MBytes  4.67 Mbits/sec  116             sender
[ 11]   0.00-30.04  sec  16.5 MBytes  4.59 Mbits/sec                  receiver
[SUM]   0.00-30.00  sec  73.2 MBytes  20.5 Mbits/sec  464             sender
[SUM]   0.00-30.04  sec  72.0 MBytes  20.1 Mbits/sec                  receiver

Performance: VXLAN + IPsec achieved 20.1–20.5 Mbit/s with 464 retransmissions, nearly matching plain VXLAN due to VTI and AES-NI acceleration.

Conclusion and Recommendations

• Public Internet: Use VXLAN + IPsec for robust security and near-plain performance, or VXLAN + WireGuard for lightweight encryption.
• Private Networks/Labs: Plain VXLAN offers maximum throughput but no security.
• Performance: IPsec’s kernel-mode crypto and AES-NI support make it slightly faster than WireGuard in this setup.

For detailed networking guides, explore our Networking Tutorials.

The post VXLAN ipsec or wireguard appeared first on Random thoughts.

To put things into perspective, I remembered how, back in the day, setting up a LAMP stack (Apache, MySQL, PHP) could easily take an entire day—especially if you were dealing with more challenging Linux distributions like Gentoo. Fast forward to today: thanks to tools like Terraform and platforms like AWS, that same setup can now be done in mere minutes.

But enough theory—let’s get practical. Below is the code that demonstrates the power of automation. This script will:

1. Create a VPC
2. Set up subnets
3. Add an Internet Gateway (IGW)
4. Configure security groups
5. Provision an RDS instance
6. Deploy an Ubuntu VM and configure it to present data from a database on a simple webpage.

The speed and reliability that automation brings not only save time but also redefine how teams approach infrastructure and operations.

Please note this is a simple demo and does not goes in depth with security or containers. ( maybe in another episode)
NB: for obvious reasons please use more complex passwords

resource "aws_vpc" "demo_vpc" {
  cidr_block = "10.100.0.0/16"
}

resource "aws_subnet" "demo_subnet_a" {
  vpc_id            = aws_vpc.demo_vpc.id
  cidr_block        = "10.100.1.0/24"
  availability_zone = "eu-central-1a"
  map_public_ip_on_launch = true
}

resource "aws_subnet" "demo_subnet_b" {
  vpc_id            = aws_vpc.demo_vpc.id
  cidr_block        = "10.100.2.0/24"
  availability_zone = "eu-central-1b"
  map_public_ip_on_launch = true
}

resource "aws_security_group" "demo_sg" {
  vpc_id = aws_vpc.demo_vpc.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

    ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["10.100.0.0/16"] # Allow DB access from within the VPC
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_subnet_group" "demo_subnet_group" {
  name       = "demo-subnet-group"
  subnet_ids = [
    aws_subnet.demo_subnet_a.id,
    aws_subnet.demo_subnet_b.id
  ]
}


# Create an Internet Gateway
resource "aws_internet_gateway" "demo_igw" {
  vpc_id = aws_vpc.demo_vpc.id
}

# Create a Route Table for the VPC
resource "aws_route_table" "demo_route_table" {
  vpc_id = aws_vpc.demo_vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.demo_igw.id
  }
}

# Associate the Route Table with the Subnets
resource "aws_route_table_association" "demo_subnet_a" {
  subnet_id      = aws_subnet.demo_subnet_a.id
  route_table_id = aws_route_table.demo_route_table.id
}

resource "aws_route_table_association" "demo_subnet_b" {
  subnet_id      = aws_subnet.demo_subnet_b.id
  route_table_id = aws_route_table.demo_route_table.id
}

resource "aws_db_instance" "demo_rds" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0.39" # Replace with a supported version
  instance_class       = "db.t3.micro" # Use a valid instance class
  username             = "root"
  password             = "password123"
  publicly_accessible  = false
  vpc_security_group_ids = [aws_security_group.demo_sg.id]
  db_subnet_group_name = aws_db_subnet_group.demo_subnet_group.name
  skip_final_snapshot  = true
}

resource "aws_instance" "demo_vm" {
  ami           = "ami-0745b7d4092315796" # Ubuntu 22.04 AMI for us-east-1
  instance_type = "t2.micro"
  subnet_id     = aws_subnet.demo_subnet_a.id
  vpc_security_group_ids = [aws_security_group.demo_sg.id]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    # Update package lists and install necessary packages
    apt-get update -y
    apt-get install -y apache2 php mysql-client php-mysql
    RDS_HOST="`echo ${aws_db_instance.demo_rds.endpoint} | cut -d ':' -f 1`"

    # Enable and start Apache
    systemctl enable apache2
    systemctl start apache2

    # Create and populate the table
    mysql -h "$RDS_HOST" -u root -p'password123' -e "
    CREATE DATABASE demo_db;
    USE demo_db;
    CREATE TABLE demo_table (id INT AUTO_INCREMENT PRIMARY KEY, value VARCHAR(255));
    INSERT INTO demo_table (value) VALUES ('-- World --');
    "

    # Create sample PHP application
    cat < /var/www/html/index.php
    <!--?php \$conn = new mysqli('${aws_db_instance.demo_rds.endpoint}', 'root', 'password123', 'demo_db'); if (\$conn->connect_error) { die('Connection failed: ' . \$conn->connect_error); }
    \$result = \$conn->query('SELECT value FROM demo_table LIMIT 1');
    if (\$result->num_rows > 0) {
      while(\$row = \$result->fetch_assoc()) { echo '</p>
<h2><center>Hello ' . \$row['value']; echo '</h2>
<p></center>'; }
    } else { echo 'No data found'; }
    \$conn->close();
    ?-->
    EOT

    # Adjust permissions
    chown -R www-data:www-data /var/www/html
    chmod -R 755 /var/www/html
    rm /var/www/html/index.html
  EOF

  tags = {
    Name = "Demo-VM"
  }
}

output "ec2_public_ip" {
  value = aws_instance.demo_vm.public_ip
}

output "rds_endpoint" {
  value = aws_db_instance.demo_rds.endpoint
}

The post Power of Terraform appeared first on Random thoughts.

It has been a while since i have written here and lately i was kinda struggling to import and have meaningful modsecurity data in ELK.
Long story short the easiest way is to convince Modsecurity to write the data in json format. In this way all the “parsing” and importing becomes more easier. Otherwise regexp and grok might be your friend.
But step by step.

1. Let compile Modsecurity , Nginx module and do the necessaries.


cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
The most important thing is to have lib-yajl installed otherwise logs cannot be created in json format.


sudo make
sudo make install

2. Download Modsecurity-nginx Connector

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

3. Check Nginx version , download nginx and compile the mod-security module.

nginx -v
nginx version: nginx/1.26.2

cd /opt && sudo wget http://nginx.org/download/nginx-1.26.2.tar.gz
sudo tar -xzvf nginx-1.26.2.tar.gz
cd nginx-1.26.2
sudo ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx

sudo make
sudo make modules

Let’s copy the modules and the configurations
sudo mkdir -p /etc/nginx/modules-enabled/
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules-enabled/
sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping

Add some configuration in Nginx and the vhost that you want to monitor.

nano /etc/nginx/nginx.conf
Add the fallowing line:
load_module /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so;

In the desired vhost add:

server {
........
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;
}


For the moment we will leave the SecRuleEngine DetectionOnly from /etc/nginx/modsecurity.conf as is.
Basically this will only logging and not rejecting once problem is found and we want this due to many false positive that we will have in the beginning. We’ll talk later(or in a different chapter is this become too long) about this subject.

4. Install core rule set (CRS)

There are two versions  which can be installed when i am writing this article: 3.3.7 or 4.8.0 . Up to you which flavor.

cd /etc/nginx/
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.8.0.zip
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.7.zip
sudo unzip v3.3.7.zip
sudo mv coreruleset-3.3.7 owasp-crs
mv owasp-crs/crs-setup.conf.example owasp-crs/crs-setup.conf

Add CRS to modsecurity

sudo nano /etc/nginx/modsecurity.conf
Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf


Almost done. Now we should modify the modsecurity.conf file to have logs in json format.
Add the fallowing(preferably in # — Audit log configuration section ). In this section comment the present settings related to the same topic.

SecAuditEngine On
SecAuditLogParts ABDEFHIJZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.json
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"


Check nginx configuration: nginx -t and restart the daemon.

If all the settings have been done correctly, you should already see logs coming in.

tail -f /var/log/modsec_audit.json | jq


5. Sending data to elastic search.

There are many ways to do it. Deploying a fleet of Elastic Agents or if not possible using filebeat.
Elastic agent are very powerful but if you have exotic Linux SO you are forced to running those in a dockerized environment and if you have restrictions regarding docker&co than filebeat is your friend.

a. Install filebeat from repo ( most of the Linux OS has it included). I will not insist in this step.

b. Configure filebeat in this way:

On /etc/filebeat/filebeat.yml on the filebeat.inputs: add the fallowing:

- type: log
enabled: true
paths:
- /var/log/modsec_audit.json
json.keys_under_root: true
encoding: utf-8
document_type: mod_security
close_eof: true
scan_frequency: 5s
clean_*: true


In the same file on Elasticsearch Output section add the fallowing:

output.elasticsearch:
# Array of hosts to connect to.
hosts: ["your_ip:9200"]

# Protocol - either `http` (default) or `https`.
protocol: "https"

# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "your_password"

And restart filebeat

Logs should start to become visible in elasticsearch and as you can see above we have 128 fields for which we can do log manipulation and create proper dashboards.

The post Nginx, Modsecurity and ELK stack appeared first on Random thoughts.

• A lot of packages are not maintained or things are maintained by different group of people who don’t use the same patches as you.
• It’s becoming really hard to keep track when you install a new server which patch to apply and at which step(for example i used tap patch but this is rarely used).
• Often you need to understand and adapt the patches to your situation because some might include(partially or fully) other patches that you need also to apply. Basically in the end you start to write your own set of patches which obviously contains pieces of code from there of there. If you forgot something it might break or not work as intended.
• Quite often as well you need support for new technologies and there fewer and fewer people who want to support this.
  For example: if you want ipv6 there is a way via fehQlibs, ucspi-tcp6 and ucspi-ssl but there is no clear indication this will work as intended from the beginning with your own version(i mean your own set of patches) since the owner has his own Qmail version named s/qmail.
• After a long ride with qmail-scanner i went to simscan. This one can support only spamassassin and clamav.(or you start coding at it as well). For most of you it will be enough but if you want better antivirus(yes, commercial) than you’re out of luck. Yes, clamav-unofficial-sigs might give you  a great boost but it might not be sufficient if your client wants the best.

Why Exim ?

Simply because is highly configurable, is popular and you find tons of information. This flexibility might come with a price but at least those are “hopefully” treated fast.
For example i really liked qmail-spp patch and i heavily used(unfortunately this patch is again not included to a lot of different qmail projects available on the market) with a lot of perl scripts and the same principals can be used in exim acl which is great.

Learning curve to exim might be hard. Because of that I’ve encourage you to use in the beginning and old but good ecosystem named exim4u.
You will definitely need to add/modify ACL protections, to change the behavior of the DKIM for forwarded messages(because the default exim4u install want to sign also the forwarded messages which is wrong) and things that you will “learn by doing it”. Again, it’s far from perfect but it’s a great start and i recommend it.

Things not to miss on your migration:

– Compile exim with the support for maildir. In this way you can keep the same structure that you had with vpopmail.(keep in mind that exim4u for you use Maildir instead of .maildir directory so you need to tune a little bit the php files if you use the GUI to create domains/emails/etc.)
– Migrate the users from vpopmail database to exim4u database – i suggest to make your own scripts to do this. Doing it manually it’s taking too much time.
– Don’t forget about greylist db ; exim4u use sqlite3 in /var/spool/exim/db/greylist.db. You need to create the file and the tables.
– Don’t forget to change in dovecot(or the IMAP app used) to use the new database
– If you are using an webmail adapt it and his plugins(for example: if you are using Roundcubemail with password plugin you need to change to reflect the new sql/db)
– If older clamav version is used you might need to use AllowSupplementaryGroups but this should not be case for version above 0.100.(they just announced version 0.103 RC)
– migrate the TLS (server.cert, server.pem)
– migrate the DKIM certifications
– as I’ve already mentioned several times above, exim4u is far from perfect but from my point of view it has a really nasty bug IF you are (still ???) using not encrypted passwords. Please check how eq and crypteq are used in server_condition. More info on the exim manual.

The post qmail to exim migration (thoughts and not commands) appeared first on Random thoughts.

During my search around this topic i’ve also found allow_nets which is a nice feature but it only allows you to restrict per user / per ip or net. Plus the wiki tutorial for this feature is not showing a nice way to integrate with dovecot-sql. My approach was to create another field in the mysql table(in my case vpopmail) and when password_query is formed to request also this field. In short words my current sql lookups are like:

user_query = SELECT pw_dir as home, 89 AS uid, 89 AS gid FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

password_query = select pw_clear_passwd as password, allow_nets FROM vpopmail LEFT JOIN limits ON vpopmail.pw_domain=limits.domain WHERE pw_name='%n' and pw_domain='%d' and ( !(pw_gid & 8)
and ('%r'!='127.0.0.1' or !(pw_gid & 4)) and ( '%r'!='127.0.0.1' or COALESCE(disable_webmail,0)!=1) and COALESCE(disable_imap,0)!=1);

Why so big ? Simply because i wanted also the support for vmoduser features which are also a nice set to restrict behaviour per user/domain. For more info about dovecot and vpopmail sql auth you can read on dovecot wiki.

As i said in the beginning of the article i was also search for ways to block user(s)/country. Apparently it is possible via dovecot authentication policy but i’ve found it quite painful. You can read more about this method here.

My method is base on ip2location which has also also to possibility to download the geographical IP data in CSV. Starting from this data you can easily create a database and import the CVS into it.

CREATE DATABASE ip2location;
USE ip2location;
CREATE TABLE `ip2location_db1`(
`ip_from` INT(10) UNSIGNED,
`ip_to` INT(10) UNSIGNED,
`country_code` CHAR(2),
`country_name` VARCHAR(64),
PRIMARY KEY (`ip_to`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

LOAD DATA LOCAL
INFILE 'IPCountry.CSV'
INTO TABLE
`ip2location_db1`
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\r\n';

You can find more about how to manipulate data from ip2location on their site.

In this moment you will have a database with IPs and their location. Using the dovecot variable %r ( remote ip ) we can pass this to the sql query when searching for username/password. For more about dovecot variables i recommend reading their site.

I though that will be easy but i didn’t expect the query to became so long. To be honest i’ve tried also with sql variables and stored procedures but i didn’t found a way to properly set it into dovecot. If you find it please leave me a comment.

In this moment my username query is looking like this. Please have in mind that allow_country is another field in vpopmail database(or sql db used for authentication) and this will contain data in the fallowing format: RO,DE,NL (example for: Romania, Germany, Netherlands)

user_query = SELECT pw_dir as home, 89 AS uid, 89 AS gid FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' and allow_country like CONCAT('%%',(select country_code from ip2location.ip2location_db1 where ip_from <= INET_ATON('%r') and ip_to >= INET_ATON('%r')),'%%')

This is all, hope that it was instructive.

The post dovecot block login per country / ip2location / geoip appeared first on Random thoughts.

Until you understand the essence please also be very conservative about the policies that you apply. The example of deployment found it on google it provides the way you should do it as well. More exactly:

1. p=none pct=100
2. p=quarantine pct=1
3. p=quarantine pct=5
4. p=quarantine pct=10
5. p=quarantine pct=25
6. p=quarantine pct=50
7. p=quarantine pct=100
8. p=reject pct=1
9. p=reject pct=5
10. p=reject pct=10
11. p=reject pct=25
12. p=reject pct=50
13. p=reject pct=100

Now that you already implemented it you might receive reports(if you provided rua/ruf) about what is happening with your domains.

But what about implementing DMARC in your MTA? Usually the straight answer will be opendmarc but depending your MTA the installation will not be very  easy. Since here we will talk about Qmail the solutions found by me in this moment are:

1) Qpsmtpd and opendmarc. Please also see.

2) A perl plugin written for spam-assassin.

3) Using AskDNS plugin already available in spamassasin like this:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif

Obviously edit the scores according to you needs.

4) After this article was written I’ve found out from here (btw great blog about qmail)  there is another tool to use it. You can find it here.

So, what was your solution for Qmail and DMARC ? What do you use ? How do you use it ?

Later edit(17/09/2020): A plugin for spamassassin was created. This is maintained and i believe it will introduced in core in the next releases. You can find references here and here.

The post DMARC / Spamassassin / Qmail appeared first on Random thoughts.

On a busy server with lots of scripts and programs installed this task might become quite hard since you don’t know from where the problems can appear. If you look on the official documentation you will find that in order to upgrade perl-core you should upgrade the @world.(all packages).

To be honest i never upgraded the @world for the same reason. I prefer to upgrade the packages that i need ( ex: apache, php,etc ) and when the times comes(once in a while) i usually upgrade the @system. It’s easier to keep an eye on what happened with only one application instead on finding yourself in the situation that everything is down(for example you can have both email and web downtime in the same time).

But enough with this story, let’s go to perl.

If you do emerge -pv dev-lang/perl it’s simply not going to work because of the nightmare of dependencies. One package refers to another and that to another and you will a lot have conflicts. As i said before the official way is to upgrade the @world but there is ANOTHER WAY.

echo "=app-admin/gentoo-perl-helpers-0.3.1-r1 ~amd64" >> /etc/portage/package.accept_keywords
emerge gentoo-perl-helpers

This is a tool that constructs a list of perl packages that need to be upgraded plus their direct dependencies ( ex: net-snmp if you compiled with perl module, spamassassin, etc) and of-course  perl-core.

It’s quite simple to use it. For example if you want to upgrade from perl 5.24 to 5.28 you simply do:

# gentoo-perl gen-upgrade-sets 5.24 5.28
* [gentoo-perl > gen-upgrade-sets] Generating /etc/portage/sets/perl-cleanup
* [...ch-atom-blacklisted > list-blacklisted-for] No blacklist entries for dev-lang/perl:0/5.28
* [gentoo-perl > gen-upgrade-sets] ... Done /etc/portage/sets/perl-cleanup
* [gentoo-perl > gen-upgrade-sets] Generating /etc/portage/sets/perl-upgrade
* [...perl-subslot-rebuild > installed-deps-atom] revdep DEPEND scanning for dev-lang/perl(|-5\.[^: ]+):0/(5\.26|5\.24|5\.22|5\.20|5\.18|5\.16)=
* [...perl-subslot-rebuild > installed-deps-atom] revdep RDEPEND scanning for dev-lang/perl(|-5\.[^: ]+):0/(5\.26|5\.24|5\.22|5\.20|5\.18|5\.16)=
* [...perl-subslot-rebuild > installed-deps-atom] revdep PDEPEND scanning for dev-lang/perl(|-5\.[^: ]+):0/(5\.26|5\.24|5\.22|5\.20|5\.18|5\.16)=
* [...perl-subslot-rebuild > installed-deps-atom] No matches in PDEPEND
* [gentoo-perl > gen-upgrade-sets] ... Done /etc/portage/sets/perl-upgrade
* [gentoo-perl > gen-upgrade-sets] Created set @perl-cleanup in /etc/portage/sets/perl-cleanup
* [gentoo-perl > gen-upgrade-sets] Created set @perl-upgrade in /etc/portage/sets/perl-upgrade
* [gentoo-perl > gen-upgrade-sets]
* [gentoo-perl > gen-upgrade-sets] Assuming both of those were in /etc/portage/sets you can now do
* [gentoo-perl > gen-upgrade-sets] emerge -va1 -k n @perl-upgrade
* [gentoo-perl > gen-upgrade-sets] And if this exhibits confusing blockers that only refer to perl-core
* [gentoo-perl > gen-upgrade-sets] emerge -C -va @perl-cleanup
* [gentoo-perl > gen-upgrade-sets] Should help pave the way forward
* [gentoo-perl > gen-upgrade-sets]
* [gentoo-perl > gen-upgrade-sets] If portage crashes mid-way through an upgrade, after any relevant issues
* [gentoo-perl > gen-upgrade-sets] Re-run this tool to regenerate the sets before proceeding

After that you should run …. but wait a minute and read below the command and not hurry to press YES.

emerge --oneshot --ask @perl-upgrade

Now comes the tricky part. It might be that the packages that you upgrade will not have the same USE definition as before. Pay a lot of attention to this subject because it might break the usability of a certain package. My approach was to look on the packages that will be installed and where necessary to add in /etc/portage/package.use the correct USE elements. For example for net-snmp i have:

# cat /etc/portage/package.use/net-snmp
net-analyzer/net-snmp perl tcpd

Once you are sure that all the packages are having the correct USE elements you should do the upgrade.

Once the upgrade is done you should all do :

perl-cleaner -all

You might also need to do emerge -cvap and look for(if) something that you can uninistall in order not to create confusion for the next upgrade. Also emerge revdep-rebuild might be needed after this step but this is totally dependent to your system.

The post Gentoo and upgrading perl core appeared first on Random thoughts.

In order to use the above for spamassassin you will install only the client version ( you don’t need server version as long your email server will not go above 100.000 emails per day)

Pyzor:

Unfortunately pyzor is the only one which is up-to-date in gentoo portage.

emerge  pyzor

After installing you can start reading some good documentation which can be found on the official site.

The important commands are:

Check if you have connectivity with pyzor server: pyzor ping

Check if message is spam: pyzor check < message.eml

Report message as spam: pyzor report < message.eml

Let’s see if it’s working.

Uncomment “loadplugin Mail::SpamAssassin::Plugin::Pyzor” from spamassassin config file.

Check configuration(you shoul not see any message returned) : spamassassin –lint

Restart spamassassin: /etc/init.d/spamd restart

Test if pyzor is active:

# spamassassin 2>&1 -D -t < /msg.1563818007.667538.23924 | grep -i pyzor 
Jul 30 11:01:55.813 [5386] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC 
Jul 30 11:01:55.817 [5386] dbg: pyzor: network tests on, attempting Pyzor 
Jul 30 11:01:56.614 [5386] dbg: config: fixed relative path: /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_pyzor.cf 
Jul 30 11:01:56.614 [5386] dbg: config: using "/var/lib/spamassassin/3.004002/updates_spamassassin_org/25_pyzor.cf" for included file 
Jul 30 11:01:56.614 [5386] dbg: config: read file /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_pyzor.cf 
Jul 30 11:02:00.057 [5386] dbg: util: executable for pyzor was found at /usr/bin/pyzor 
Jul 30 11:02:00.057 [5386] dbg: pyzor: pyzor is available: /usr/bin/pyzor 
Jul 30 11:02:00.057 [5386] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin5386ua5Fe1tmp 
Jul 30 11:02:00.230 [5386] dbg: pyzor: [5390] finished: exit 1 
Jul 30 11:02:00.231 [5386] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 0 0 
Jul 30 11:02:00.232 [5386] dbg: check: tagrun - tag PYZOR is now ready, value: Reported 0 times. 

Razor:

Unfortunately is not in the portage anymore so you need to download and install it manually.

Official documentation can be found here.

# perl Makefile.PL

Checking if your kit is complete...
Looks good
Warning: NAME must be a package name
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for Razor2::Preproc::deHTMLxs
Writing MYMETA.yml and MYMETA.json
Generating a Unix-style Makefile
Writing Makefile for razor-agents
Writing MYMETA.yml and MYMETA.json

make && make install

Let’s create the razor account:

# razor-admin -create
# razor-admin -discover
# razor-admin -register
Register successful. Identity stored in /root/.razor/identity-ruSiVo2Viv

As before let’s start and test this.

Uncomment loadplugin Mail::SpamAssassin::Plugin::Razor2 from spamssassin config.

# spamassasin --lint
# spamassassin 2>&1 -D -t < /1564471708.7590.message\,S\=1553\:2\, | grep -i razor
Jul 30 11:54:58.359 [18439] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Jul 30 11:54:58.441 [18439] dbg: razor2: razor2 is available, version 2.84
Jul 30 11:54:58.814 [18439] dbg: config: fixed relative path: /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_razor2.cf
Jul 30 11:54:58.814 [18439] dbg: config: using "/var/lib/spamassassin/3.004002/updates_spamassassin_org/25_razor2.cf" for included file
Jul 30 11:54:58.814 [18439] dbg: config: read file /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_razor2.cf
Jul 30 11:55:03.396 [18439] dbg: razor2: part=0 engine=8 contested=0 confidence=0
Jul 30 11:55:03.397 [18439] dbg: razor2: results: spam? 0
Jul 30 11:55:03.397 [18439] dbg: razor2: results: engine 4, highest cf score: 0
Jul 30 11:55:03.397 [18439] dbg: razor2: results: engine 8, highest cf score: 0
Jul 30 11:55:03.741 [18439] dbg: timing: total 5413 ms - init: 2619 (48.4%), b_tie_ro: 13 (0.2%), parse: 0.86 (0.0%), extract_message_metadata: 36 (0.7%), get_uri_detail_list: 3.0 (0.1%), tests_pri_-1000: 37 (0.7%), compile_gen: 350 (6.5%), compile_eval: 31 (0.6%), tests_pri_-950: 4.3 (0.1%), tests_pri_-900: 5 (0.1%), tests_pri_-90: 15 (0.3%), check_bayes: 8 (0.2%), b_tokenize: 3.7 (0.1%), b_tok_get_all: 1.25 (0.0%), b_comp_prob: 0.59 (0.0%), b_tok_touch_all: 0.36 (0.0%), b_finish: 1.16 (0.0%), tests_pri_0: 625 (11.6%), dkim_load_modules: 24 (0.4%), check_dkim_signature: 0.49 (0.0%), check_spf: 65 (1.2%), poll_dns_idle: 1.51 (0.0%), check_dkim_adsp: 3.3 (0.1%), tests_pri_20: 1715 (31.7%), check_razor2: 1709 (31.6%), tests_pri_30: 197 (3.6%), check_pyzor: 188 (3.5%), tests_pri_500: 141 (2.6%)

DCC

There is a version of DCC in the portage but is quite old. I installed it and i found that is working ok so you have two choices:

1) either install dcc-1.3.158 from portage

echo ">=mail-filter/dcc-1.3.158 DCC" > /etc/portage/package.license
emerge dcc

2) or the latest version(now is 2.3.167)

wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xfvz dcc-dccproc.tar.Z  
cd dcc-dccproc-*
./configure && make && make install

Test the DCC connection:

# cdcc info
# 07/30/19 12:39:59 EEST /var/dcc/map
# Re-resolve names after 14:38:10 Check RTTs after 12:53:14
# 1250.76 ms threshold, 1247.20 ms average 12 total, 10 working servers
IPv6 off version=3

dcc1.dcc-servers.net,- RTT+1000 ms anon
# 74.92.232.243,-
# not answering
# 209.169.14.29,- x.dcc-servers ID 104
# 100% of 1 requests ok 252.40+1000 ms RTT 100 ms queue wait
# 209.169.14.30,- x.dcc-servers ID 104
# 100% of 1 requests ok 254.31+1000 ms RTT 100 ms queue wait

dcc2.dcc-servers.net,- RTT+1000 ms anon
# *136.199.199.160,- URT ID 1060
# 100% of 1 requests ok 147.20+1000 ms RTT 100 ms queue wait
# 157.131.0.46,- sonic ID 1255
# 100% of 1 requests ok 284.97+1000 ms RTT 100 ms queue wait
# 192.84.137.21,- INFN-TO ID 1233
# 100% of 1 requests ok 151.33+1000 ms RTT 100 ms queue wait

dcc3.dcc-servers.net,- RTT+1000 ms anon
# 184.23.168.46,- sonic ID 1254
# 100% of 1 requests ok 279.82+1000 ms RTT 100 ms queue wait
# 212.223.102.90,- ID 1480
# 100% of 1 requests ok 150.76+1000 ms RTT 100 ms queue wait

dcc4.dcc-servers.net,- RTT+1000 ms anon
# 192.135.10.194,- debian ID 1169
# 100% of 1 requests ok 163.44+1000 ms RTT 100 ms queue wait

dcc5.dcc-servers.net,- RTT+1000 ms anon
# 204.90.71.235,- MGTINTERNET ID 1170
# 100% of 1 requests ok 216.45+1000 ms RTT 100 ms queue wait
# 209.169.14.26,- x.dcc-servers ID 104
# 100% of 1 requests ok 254.30+1000 ms RTT 100 ms queue wait

@,- RTT-1000 ms 32768 secret11589268638y1057
# 127.0.0.1,-
# not answering

################
# 07/30/19 12:39:59 EEST greylist /var/dcc/map
# Re-resolve names after 14:38:14 Check RTTs after 12:53:24
# 1 total, 0 working servers

@,- Greylist 32768 secret11589268638y1057
# *127.0.0.1,6276
# not answering

Sometimes cdcc info may not return any server. Run cdcc RTT . If you still don’t have any luck check your firewalls.

Edit whiteclnt and whitecommon and add your own IP as “trusted”.

# List statically allocated IP addresses that you trust to never send
# or forward unsolicited bulk email
#ok ip 10.1.2.0/24

Uncomment loadplugin Mail::SpamAssassin::Plugin::DCC from the config file and let’s check it.

# spamassassin 2>&1 -D -t </1563847269.8759.sphere\,S\=1032387\:2\,S | grep -i DCC
Jul 30 13:13:41.829 [17645] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
Jul 30 13:13:41.841 [17645] dbg: dcc: network tests on, registering DCC
Jul 30 13:13:42.290 [17645] dbg: config: fixed relative path: /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_dcc.cf
Jul 30 13:13:42.290 [17645] dbg: config: using "/var/lib/spamassassin/3.004002/updates_spamassassin_org/25_dcc.cf" for included file
Jul 30 13:13:42.290 [17645] dbg: config: read file /var/lib/spamassassin/3.004002/updates_spamassassin_org/25_dcc.cf
Jul 30 13:13:46.406 [17645] dbg: util: executable for cdcc was found at /usr/bin/cdcc
Jul 30 13:13:46.406 [17645] dbg: dcc: dcc_pgm_path, found cdcc in env.path: /usr/bin/cdcc
Jul 30 13:13:46.414 [17645] dbg: dcc: `/usr/bin/cdcc -qV homedir libexecdir` reports '1.3.158 homedir=/var/dcc libexecdir=/usr/sbin '
Jul 30 13:13:46.414 [17645] dbg: dcc: use 'dcc_libexec /usr/sbin' from cdcc
Jul 30 13:13:46.414 [17645] dbg: dcc: use 'dcc_home /var/dcc' from cdcc
Jul 30 13:13:46.414 [17645] dbg: dcc: dccifd is not available; no r/w socket at /var/dcc/dccifd
Jul 30 13:13:46.414 [17645] dbg: util: executable for dccproc was found at /usr/bin/dccproc
Jul 30 13:13:46.414 [17645] dbg: dcc: dcc_pgm_path, found dccproc in env.path: /usr/bin/dccproc
Jul 30 13:13:46.414 [17645] dbg: dcc: /usr/bin/dccproc is available
Jul 30 13:13:46.416 [17645] dbg: dcc: opening pipe to /usr/bin/dccproc -C -x 0 -h /var/dcc -a 5.189.178.220 -w whiteclnt </tmp/.spamassassin17645LOazawtmp
Jul 30 13:13:46.573 [17645] dbg: dcc: dccproc responded with 'X-DCC-EATSERVER-Metrics: sphere 1166; Body=1 Fuz1=28 Fuz2=many'
Jul 30 13:13:46.574 [17645] dbg: check: tagrun - tag DCCB is now ready, value: EATSERVER
Jul 30 13:13:46.575 [17645] dbg: check: tagrun - tag DCCR is now ready, value: sphere 1166; Body=1 Fuz1=28 Fuz2=many
Jul 30 13:13:46.575 [17645] dbg: dcc: listed: BODY=1/999999 FUZ1=28/999999 FUZ2=999999/999999 REP=0/90
Jul 30 13:13:46.576 [17645] dbg: rules: ran eval rule DCC_CHECK ======> got hit (1)
Jul 30 13:13:48.992 [17645] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55db68f00d38) implements 'check_post_learn', priority 0
Jul 30 13:13:48.993 [17645] dbg: dcc: DCC learning not enabled by dcc_learn_score
Jul 30 13:13:48.994 [17645] dbg: check: tests=BAYES_50,DCC_CHECK,FSL_BULK_SIG,HTML_IMAGE_ONLY_32,HTML_MESSAGE,RDNS_NONE,SPF_FAIL,SPF_HELO_PASS

Now restart your spamd daemon and that’s it.

TIPS:

• Most probably you will ask soon how you report a spam message towards pyzor, razor, dcc. Simple answer is spamassassin –report < message.
• Are those effective? I didn’t though so but it seems even if people are using all of them and new spams are reported quite fast. The simple answer is YES, use them.

The post Gentoo – spamassassin with pyzor, razor and dcc appeared first on Random thoughts.

If you want to delete all the files between 2018-06-01 and 2019-01-01 you need to:

1) create two files with these dates

touch -amt 201806010000 ref1

touch -amt 201901010000 ref2

2) perform the find and list / delete / move

find . -type f -newer ref1 -a ! -newer ref2 -ls

find . -type f -newer ref1 -a ! -newer ref2 -print0 | xargs -r0 rm

find . -type f -newer ref1 -a ! -newer ref2 -print0 | xargs -r0 mv -t 2018/

The post Different types of find between dates and list / delete / move appeared first on Random thoughts.

What you need to know that is not impossible and fairly easy (once you get it done).

Here the steps:

1) Download VMware-vSphere-Perl-SDK-6.5.0-xxxx.x86_64.tar.gz from VMware site.

2) Once you untar it you will have a perl script named vmware-install.pl which you can run but since it was not created for Gentoo it check prerequisite that you cannot form

Ex:

Creating a new vSphere CLI installer database using the tar4 format.

Installing vSphere CLI 6.5.0 build-4566394 for Linux.

You must read and accept the vSphere CLI End User License Agreement to
continue.
Press enter to display it.

Do you accept? (yes/no) yes

Thank you.

Openssl-devel is not installed on the system.
openssl-devel 0.9.7 is required for encrypted connections.
Please install openssl-devel version 0.9.7 or greater.

e2fsprogs is not installed on the system

e2fsprogs 1.38 is required for UUID.
Please install e2fsprogs 1.38 or greater.

3) So you will need to compile the whole thing manually, using perl Makefile.PL

4) It will give you a set of dependencies which will be needed, such:

perl Makefile.PL
Warning: prerequisite Class::MethodMaker 2.08 not found.
Warning: prerequisite Crypt::SSLeay 0.51 not found.
Warning: prerequisite SOAP::Lite 0.67 not found.
Warning: prerequisite UUID 0.03 not found.
Warning: prerequisite XML::LibXML 1.58 not found.
Generating a Unix-style Makefile
Writing Makefile for VIPerlToolkit
Writing MYMETA.yml and MYMETA.json

5) You will need:

emerge -pv dev-perl/Crypt-SSLeay dev-perl/Class-MethodMaker dev-perl/SOAP-Lite dev-perl/UUID app-text/xml2 dev-libs/libxml2 dev-perl/XML-LibXML dev-perl/libxml-perl

6) You might get errors when you compile dev-perl/XML-LibXML

Here is the trick:

You need to have dev-libs/libxml2, app-text/xml2 AND probably the most important one is net-libs/libnsl. Without the last one dev-perl/XML-LibXML will not be able be able to pass the prerequisite for xml2 :

"Checking for ability to link against xml2...yes"

7) Once all the perl modules are installed just compile the VMware-vSphere-Perl-SDK with perl Makefile.PL and make

8) Symlink or copy the VMware directory that was just created in /usr/local/lib64/perl5

9) You are ready to use the perl scripts present in SDK, in theory :))

10) In practice you might have self signed certificates and you need to tweak again some things.

The error :

apps/general/connect.pl --server 1.1.1.1 --username root --password xxxxx
Server version unavailable at 'https://1.1.1.1:443/sdk/vimService.wsdl' at /usr/local/lib64/perl5/VMware/VICommon.pm line 735.

To find the real reason you can add before line 735 something like:

die $response->content . "\n";

Now the error will be :

Can't connect to 89.34.110.253:443 (certificate verify failed)

SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/lib64/perl5/vendor_perl/5.24.1/LWP/Protocol/http.pm line 49.

You will find on internet different solution like adding the fallowing:

$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL'; 
$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;

The problem with these commands is that either don’t work or are exposing you to man-in-the-middle attack.

A better solution is to download the certificates from the vCenter and use them. More exactly on the initial page of vCenter you have a link named: Download trusted root CA certificates. Download, unzip it and copy it to /etc/ssl/certs/.

An even better solution is to have/buy certificates but this will not be fallowed here. You can find plenty of tutorials on internet for this.

11) Finally we made it.

apps/general/connect.pl --server 1.1.1.1 --username root --password xxxxx

Connection Successful
Server Time : 2019-06-07T11:20:28.101016Z

The post Nagios, VMware/vSphere, VMware Perl SDK 6.5 on Gentoo Linux appeared first on Random thoughts.