I need to script this one day: [WayBack] How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
–jeroen
Archive for the ‘Internet protocol suite’ Category
How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
Posted by jpluimers on 2018/11/07
Posted in *nix, Awk, bash, Communications Development, Development, Internet protocol suite, Power User, Scripting, Software Development, SSH, TCP | Leave a Comment »
How to configure Nginx SSL/TLS passthrough with TCP load balancing – nixCraft
Posted by jpluimers on 2018/10/17
Explains how to configure Nginx with SSL Passthrough on Linux or Unix-like system to encrypt traffic on all backends.
Uses the stream module ngx_stream_core_module.
Source: [WayBack] How to configure Nginx SSL/TLS passthrough with TCP load balancing – nixCraft
via: [WayBack] Learn how to setup TCP load balancing with Nginx and configure SSL Passthrough on Linux/Unix. – nixCraft – Google+
–jeroen
Share this:
Posted in Communications Development, Development, HTTP, Internet protocol suite, TCP, TLS | Leave a Comment »
The part before the @ in email addresses is case sensitive
Posted by jpluimers on 2018/10/16
At [WayBack] Error when trying to signup using an email address with uppercase letters (#27898) · Issues · GitLab.org / GitLab Community Edition · GitLab, I commented this:
Both the
:email_confirmationfields should get the same case processing treatment.That treatment should consist of this:
- The part before the @ should be treated as case sensitive
- The part after the @ should be treated as case insensitive
This means that:
Foo@Example.OrgandFoo@example.orgare the sameFoo@example.organdfoo@example.orgare differentThe main reason is that there are email systems expecting case sensitivity in the part before the @ sign.
I think excluding those users from being able to use GitLab is a bad idea.
See especially the comments at the Stack Overflow answer to Are email addresses case sensitive?
Relevant RFC 5321: Simple Mail Transfer Protocol sections:
Important comments:
I work at a large company and there is another person with the same first and last name. I discovered today that his local-part differs from mine only in capitalization. This has been working properly, so I was surprised to see “no widely used mail systems distinguish different addresses based on case”. We use MS Exchange which I would call “widely used”. – Matthew James Briggs Nov 24 ’15 at 20:14
RFC 5321 2.4. General Syntax Principles and Transaction Model – SMTP implementations MUST take care to preserve the case of mailbox local-parts. In particular, for some hosts, the user “smith” is different from the user “Smith”. Mailbox domains follow normal DNS rules and are hence not case sensitive. – Adam111p Apr 27 ’16 at 10:02
Most important parts of the answer:
From RFC 5321, section-2.3.11:
The standard mailbox naming convention is defined to be “local-part@domaiN“; contemporary usage permits a much broader set of applications than simple “user names”. Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.
So yes, the part before the “@” could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case.
The part after the @ sign however is the domain and according to RFC 1035, section 3.1,
“Name servers and resolvers must compare [domains] in a case-insensitive manner”
–jeroen
Share this:
Posted in Communications Development, Development, Internet protocol suite, SMTP, Software Development | Leave a Comment »
tcp – How can I trigger a script when a certain port becomes available for requests? – Unix & Linux Stack Exchange
Posted by jpluimers on 2018/10/09
Netcat to the rescue waiting for a Windows 10 upgrade to finish (which can take hours):
while ! nc -z 172.22.0.67 3389; do echo "sleeping"; sleep 10; done; echo 'The server is up!'
Via: [WayBack] tcp – How can I trigger a script when a certain port becomes available for requests? – Unix & Linux Stack Exchange, quoting from the answer:
ncis Netcat, “the Swiss-army knife for TCP/IP”,-zmeans: do not send any data, just check if the port is open,while ! nc -z …; do sleep 0.1; done: keep checking and sleeping for one tenth of a second until the port opens up, i.e. Netcat returns with a zero (success) status.
–jeroen
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, TCP, Windows | Leave a Comment »
Steve Losh on Twitter: “HTTP status ranges in a nutshell: 1xx: hold on 2xx: here you go 3xx: go away 4xx: you fucked up 5xx: I fucked up”
Posted by jpluimers on 2018/08/17
[WayBack] Steve Losh on Twitter:
“HTTP status ranges in a nutshell:
- 1xx: hold on
- 2xx: here you go
- 3xx: go away
- 4xx: you fucked up
- 5xx: I fucked up”
–jeroen
via: [WayBack] HTTP status ranges in a nutshell… – This is why I Code – Google+
Share this:
Posted in Communications Development, Development, HTTP, Internet protocol suite, Power User, TCP | Leave a Comment »
TIME_WAIT and MaxUserPort – what it is, what it does, when it’s important – Blog du Tristank
Posted by jpluimers on 2018/08/01
Despite many posts saying you can use it on other than outbound connections, lets quote that it doesn’t:
MaxUserPort controls “outbound” TCP connections
[WayBack] MaxUserPort is used to limit the number of dynamic ports available to TCP/IP applications.
…
It’s never going to be an issue affecting inbound connections.
MaxUserPort is not the right answer if you think you have an inbound connection problem.
Source: [WayBack] MaxUserPort – what it is, what it does, when it’s important – Blog du Tristank
The side of the TCP connection that closes is gets the TIME_WAIT state, which means you should avoid your server to terminate connections because it then will run out of available ports. Clients should disconnect when done (or when done for the foreseeable future) otherwise the server gets the 2MSL TIME_WAIT penalty as for instance explained by [WayBack] TIME_WAIT and its design implications for protocols and scalable client server systems – AsynchronousEvents.
The solution for inbound connections is that your TCP based protocol should enforce either the client to close the connection, or to use some form of client pooling so there is no need for many connection setup/teardowns of short lived connections.
TIME_WAIT can last for about ~10 minutes if you are unlucky.
More recommended reading:
- [WayBack] TIME_WAIT and its design implications for protocols and scalable client server systems – AsynchronousEvents
- [WayBack] TcpTimedWaitDelay
- [WayBack] draft-faber-time-wait-avoidance-00 – Avoiding the TCP TIME_WAIT state at Busy Servers
- [WayBack] Indy: IdTCPClient leaves connection in status TIME_WAIT
- [WayBack] Large number of TCP connections with Time_Wait status – Remoting SDK – RemObjects Talk
- [WayBack] sockets – TCP option SO_LINGER (zero) – when it’s required – Stack Overflow
- [WayBack] delphi – Force Http 1.0 idHttpServer and TIME_WAIT – Stack Overflow
- [WayBack] Transmission Control Protocol – Wikipedia
- Diagrams:
- [WayBack] TCP states – explained – Apigee Community
–jeroen
Share this:
Posted in Communications Development, Development, Internet protocol suite, Software Development, TCP | Leave a Comment »
Restrict SSH User Access to Certain Directory Using Chrooted Jail
Posted by jpluimers on 2018/06/11
In this article, we will explain you how to restrict a SSH user access to a specific directory using chrooted jail in Linux systems.
Source: [WayBack] Restrict SSH User Access to Certain Directory Using Chrooted Jail
via: [WayBack] Restrict #SSH User Access to Certain Directory Using Chrooted Jail #Linux – Linux Inside – Google+
–jeroen
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »
Interesting ways to obtain MTU and MSS sizes – via Troubleshooting Bitbucket Cloud MTU/MSS issues – Atlassian Documentation
Posted by jpluimers on 2018/03/29
I will probably need the netstat/tcpdump/wireshark tricks here in the future: [WayBack] Troubleshooting Bitbucket Cloud MTU/MSS issues – Atlassian Documentation
via: [WayBack] Atlassian Bitbucket Status – Network maintenance; MTU/MSS changes coming
–jeroen
Share this:
Posted in Communications Development, Development, Internet protocol suite, Network-and-equipment, Power User, TCP | Leave a Comment »
Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL
Posted by jpluimers on 2018/03/07
It was fitting to bump into [WayBack] Packet Sender is a good tool when debugging protocols…” Written by Dan Nagle… – Lars Fosdal – Google+ on the day presenting [WayBack] Conferences/Network-Protocol-Security.rst at master · jpluimers/Conferences · GitHub
It also means that libssh2-delphi is getting a bit more love soon and will move to github as well after a conversion from mercurial.
Some of the things I learned or got confirmed teaching the session (I love learning by teaching):
- Automate the heck out of your job and new work finds you
- There is great integration for [WayBack] Bot Users | Slack which can hugely help you in status monitoring
- If you manage many domains, which might be troublesome to the default “
certbotclient”, so you might want to look into different [WayBack] ACME Client Implementations – Let’s Encrypt – Free SSL/TLS Certificates especially if you run nginx on Alpine Linux (but note you then need [WayBack] license_update.patch\acme-client\community – aports – Main aports tree to avoid [Archive.is] [400] does not match current agreement URL – Help – Let’s Encrypt Community Support)
Here is some more info:
- Blurb: “[a] free utility to send & receive network packets. TCP, UDP, SSL.”
- [WayBack] Packet Sender – Free utility to for sending / receiving of network packets. TCP, UDP, SSL.
- [WayBack] The latest Tweets from Dan Nagle (@NagleCode). Principal SW Engineer @HARMAN_Pro. Speaker. Author packetsender.com, paydowncalc.com, cryptoknife.com, github.com/dannagle . Huntsville, AL,
- [WayBack] Packet Sender – Send / Receive TCP / UDP – Android Apps on Google Play
- [WayBack] dannagle (Dan Nagle) · GitHub dannagle has 23 repositories available. Follow their code on GitHub.
–jeroen
Share this:
Posted in Communications Development, Delphi, Development, Encryption, Hardware, Harman Kardon, Home Audio/Video, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), OpenSSL, Power User, Security, Software Development, TCP, TLS | Leave a Comment »
openSUSE – Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*) – be sure to review your openssh config!
Posted by jpluimers on 2018/01/20
Before upgrading Tumbleweed this week, you need to review your openssh config.
This is not mentioned in Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*), but very important.
So be sure to read these before upgrading:
- [WayBack] OpenSSH 7.5 has just been released… Future deprecation notice … Potentially-incompatible changes
- [WayBack] OpenSSH 7.6 has just been released… Potentially-incompatible changes
If you forget to review /etc/ssh/sshd_config, you get this in journalctl if you have specified your own MACs for instance when hardening according to [WayBack including rimemd160] Secure Secure Shell:
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »
The Wiert Corner - irregular stream of stuff 