Posts

Boot issue with systemd and NGINX

I ran into a problem with NGINX failing to start on boot/reboot on my Debian 8 (Jessie) server. After reviewing what seemed like a hundred sites to try to find a fix, I stumbled across one solution that worked, but was incredibly inelegant. This was to add:

RestartSec=30s
Restart=on-failure

to nginx.service in the [Service] section using the override.conf. It worked but didn’t fix the underlying problem.

A quick look using journalctl -u nginx showed that the service was failing because the IPv6 address hadn’t been assigned to the network adaptor yet. This caused nginx to fail because it couldn’t bind to the IPv6 port. Here are the log lines:

Script: Assemble NGINX Configuration Files

merge-ngx-conf.pl is a Perl script used to assemble a set of nginx configuration files for one site. It has a number of options; see the Bitbucket page or the help documentation in the script itself.

In its simplest form, it’s called by issuing this command:

merge-ngx-conf.pl /path/sites-available/filename

The output is an assembled nginx configuration file with all the includes inserted. Using nginx.conf and domain.conf (or just domain.conf depending on the options selected), the script iterates through the include directives in the files and inserts the text from the referenced file. The script handles wildcard masks and follows include directives down multiple levels (i.e. nested levels). It will also follow referenced files in directories external to the nginx configuration directory.

Script: Parse Mail Headers

Here’s a Perl script I put together that uses Email::Simple to extract the headers from a message. See link below.

I’m using it to examine spam. It parses all the headers, with a focus on the Received headers. It should be easy to alter it to examine any header you want. As it is currently written, it:

  1. finds all the Received headers
  2. finds the first Received header that was added to the mail (presumably the header added by the first MTA that received it)
  3. extracts the IP from that header
  4. does an rDNS lookup
  5. if there’s a hostname, it looks up the nameservers for the base domain.

By “base domain” I mean that if the rDNS returns a hostname like “1234.my.example.domain.com”, the base domain would be “domain.com”.
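The five steps above, as an added Python sketch for illustration (this is not the author's Perl script; the sample message is constructed, and the nameserver lookup assumes the dnspython package is installed):

```python
import re
import socket
from email import message_from_string

# Constructed sample message (not from the original post). Each MTA prepends
# its Received header, so the LAST one in the list is the earliest hop.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: sender@example.com
To: victim@example.org
Subject: test

body
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def received_headers(raw):
    """Step 1: every Received header, in message order (newest hop first)."""
    return message_from_string(raw).get_all("Received", [])

def first_hop_header(raw):
    """Step 2: the Received header added first, i.e. the last one present.
    Caveat: a sender can forge these early headers, so treat with suspicion."""
    hdrs = received_headers(raw)
    return hdrs[-1] if hdrs else None

def extract_ip(header):
    """Step 3: first IPv4 literal in the header (the 'from' clause comes first)."""
    m = IPV4_RE.search(header)
    return m.group(1) if m else None

def reverse_dns(ip):
    """Step 4: PTR lookup; returns None when the address has no rDNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def base_domain(hostname):
    """'1234.my.example.domain.com' -> 'domain.com' (naive last-two-labels rule;
    registries such as .co.uk need a public-suffix list instead)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def nameservers(domain):
    """Step 5: NS records for the base domain (assumes dnspython is installed)."""
    import dns.resolver  # assumed third-party dependency
    return sorted(str(r.target).rstrip(".") for r in dns.resolver.resolve(domain, "NS"))
```

The header and base-domain steps run offline; `reverse_dns` and `nameservers` need network access.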

Possible Android Botnet and Yahoo! Mail

I’ve read a number of articles over the past few days about the possible Android botnet and Yahoo! mail. No consensus yet but that’s not necessary to stop the spam at the server level, at least in my case. Of the spam I received so far, these characteristics stand out:

  1. Only one of my mail accounts is receiving the spam. It’s not an account that usually receives spam. My long-time mail addresses that seem to have made it to most of the spam lists don’t get this spam. Makes me wonder where they picked up this address from.

Fighting Spam and Malicious Attacks

Geez.

I’m feeling somewhat frustrated in dealing with an ISP that has a clearly compromised IP. I’ve been getting dictionary attacks on my mailserver for the past four days from the same IP. It’s assigned to a domain name. So I did what I normally do at first - let CSF (ConfigServer Security & Firewall - a fantastic free piece of software) handle it. The IP gets blocked for an hour. Usually, that’s all it takes for the attacker to go away and generally not come back. Not in this case. Four days into it, I decide to do an IP lookup and find out who it belongs to. So I find out the website URL and head over to it to see if I can find any contact information. I find a webmaster address, compose my e-mail telling them to check their server, that it’s probably compromised and that I’m blocking the IP permanently in my firewall. E-mail bounces - unknown address. So then I go to the contact form, fill that out and press send - page not found. Find another address and send an e-mail off to that address. Success. Notice that the website doesn’t seem to have been updated since 2008, so I decide to do a whois and find out who the ISP is. Send a message to the NOC. They send a message back and say report it to abuse. I forward my message to abuse and get the standard reply that you seem to get from abuse addresses - Sorry, but we get so much mail at abuse@whoever that we can’t respond personally to each one. If you’re writing about spam…blah, blah, blah.