=== coconut__ is now known as coconut | ||
Aison` | It looks like I have some kind of ddos attack to my DNS servers | 11:36 |
---|---|---|
Aison` | both ubuntu bind9 servers keep segfaulting after many thousands of requests | 11:37 |
Aison` | see here: https://dpaste.org/SX29#L16 | 11:37 |
Aison` | maybe I can block the IP with fail2ban somehow? | 11:37 |
Aison` | BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32> | 11:37 |
sdeziel | Aison`: are you using the latest bind9 version: 1:9.16.1-0ubuntu2.2 | 11:41 |
Aison` | yes | 11:42 |
sdeziel | Aison`: OK good. Could you run a tcpdump capture of the traffic leading to a crash? If you could attach it along with the crash dump to a LP bug, I'm sure it could help having the problem fixed | 11:44 |
Aison` | :( now it stopped crashing | 11:48 |
sdeziel | https://bind9.readthedocs.io/en/v9_16_5/notes.html#notes-for-bind-9-16-5 shows a few assertion failures were fixed since the 9.16.1 release | 11:48 |
Aison` | I can not reproduce the segfault | 11:55 |
Aison` | it's just "luck" when it happens | 11:56 |
RoyK | Aison`: IIRC, installing the -dbg package will allow the crash to be dumped through gdb, but not sure if everything is automatic | 12:45 |
Aison` | RoyK, there is not dbg for bind | 13:30 |
Aison` | sdeziel, how can I tcpdump the whole udp53 traffic to a file? I can not google it right now ;) | 13:31 |
RoyK | tshark tshark -f "udp and port 53" | 13:33 |
RoyK | without the first tshark ;) | 13:34 |
RoyK | tshark is the new tcpdump | 13:34 |
sdeziel | Aison`: otherwise: tcpdump -w /tmp/dns.pcap -ni $iface port 53 | 13:35 |
sdeziel | Aison`: DNS also happens on TCP/53 so I'd capture both | 13:36 |
Ussat | OK, so this is on Ubuntu 18.04, anyone want to take a look and lend a hand with a syslog-ng issue ? https://pastebin.com/EV7km0QW\ | 18:26 |
oerheks | Page not found. | 18:27 |
oerheks | use paste.ubuntu.com :-D | 18:27 |
sarnold | it's https://pastebin.com/EV7km0QW | 18:28 |
sarnold | and it requires rather more syslog knowledge than I've got | 18:29 |
oerheks | oh i see, hit the enter+\ | 18:32 |
sarnold | hehe, yeah, I saw the contents just a few minutes earlier from another shared channel earlier and knew that it worked :) hehe | 18:34 |
oerheks | i'll remember that .. | 18:34 |
RoyK | just don't use pastebin dot com - it's a spammer - there are several places that are better to use. I stick to paste.debian.net, but that's just me | 19:50 |
Ussat | ...fine whatever | 19:58 |
Ussat | I have never had an issue with pastebin | 19:58 |
RoyK | it's just that it sucks and it dumps ads on you if you mention it to a stranger | 20:00 |
Aison | hello i'm still fighting with my ISC DHCP Server who tries to access LDAP for name resolving | 20:04 |
Aison | sadly apparmor is blocking this call | 20:05 |
sarnold | Aison: pastebin your DENIED lines? | 20:05 |
Aison | this is dmesg: [2946488.790491] audit: type=1400 audit(1597781143.428:28280): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dhcpd" name="run/slapd-inetserv.socket" pid=1121070 comm="isc-worker0000" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=0 | 20:06 |
sarnold | Aison: you'll need to add 'flags=(attach_disconnected)' to your profile, check /etc/apparmor.d/ for a few examples | 20:07 |
Aison | here the profile from apparmor dhcp: https://paste.ubuntu.com/p/Gkv4jsxcjx/ | 20:07 |
Aison | I added lines beginning at 29 | 20:08 |
Aison | sarnold, ok | 20:08 |
Aison | and dhcpd tries to access also /proc/sys/net/ipv4/ip_local_port_range? | 20:22 |
sdeziel | sounds reasonable to me | 20:26 |