<div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">Michael Stauber: the "reload" command wasn't issued because of a pending reboot, but somehow that was overlooked.</span><br></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">Issuing the "reload" command yesterday took care of all the ones in the first batch of fifty—except one (</span><span style="font-family:Arial,Helvetica,sans-serif">61.177.172.19), which I've verified as being in (yesterday's) rejection rules, but snuck in overnight, with 180 login attempts, anyway.</span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">Interestingly, after I set the failed login limit to 5 per hour yesterday, there were 1061 attempts listed in the BlueOnyx "Failed Login History" as having occurred within </span><span style="font-family:Arial,Helvetica,sans-serif">6 minutes this morning, all coming just from </span><span style="font-family:Arial,Helvetica,sans-serif">34.133.32.234. 
(I filed a report with Google about the abuse, using their online form: that address is a Google Cloud server.)</span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">There were 36 failed attempts from </span><span style="font-family:Arial,Helvetica,sans-serif">61.177.173.55 (of 228 total reported) during a single minute, too, and lots of other such single-minute attacks from other IPs.</span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">Does this mean the "failed logins per minute" limit isn't working? The server doesn't need to be rebooted after changing that failed-login limit, does it?</span></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif">Or has the firewall been breached?</span><br></div><div class="gmail_default" style="font-family:georgia,serif"><span style="font-family:Arial,Helvetica,sans-serif"><br></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Nov 11, 2022 at 6:15 AM <<a href="mailto:blueonyx-request@mail.blueonyx.it">blueonyx-request@mail.blueonyx.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg5584941982368378522">
<br><br><br>---------- Forwarded message ----------<br>From: Ed Qualls <<a href="mailto:eduard.qualls@gmail.com" target="_blank">eduard.qualls@gmail.com</a>><br>To: <a href="mailto:blueonyx@mail.blueonyx.it" target="_blank">blueonyx@mail.blueonyx.it</a><br>Cc: <br>Bcc: <br>Date: Thu, 10 Nov 2022 18:13:36 -0600<br>Subject: [BlueOnyx:25681] login attempts after IP added to firewall reject list<br><div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif">As root, I added IP addresses that the firewall should reject immediately. Getting status showed that they had been added to the reject list.</div><div class="gmail_default" style="font-family:georgia,serif">However, they are still showing up in BlueOnyx with attempts to login as root.<br></div><div class="gmail_default"><br><font face="georgia, serif">For example, I used</font><br><p class="MsoNormal" style="margin:0in 0in 1pt"><font face="trebuchet ms, sans-serif">firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source
address='61.177.172.191' reject"<br></font><font face="Palatino Linotype, serif">on one IP address, but just today, someone/something on that IP tried to login almost 800 times.</font></p><p class="MsoNormal" style="font-family:'Palatino Linotype',serif;margin:0in 0in 1pt">(That IP is registered in <span style="font-size:9pt">Lianyungang city, </span><span style="font-size:12px">Jiangsu province, Communist China.)</span></p><p class="MsoNormal" style="font-family:'Palatino Linotype',serif;margin:0in 0in 1pt"><br></p><p class="MsoNormal" style="font-family:'Palatino Linotype',serif;margin:0in 0in 1pt">Was that not the correct command to use to force rejection of that IP address in AlmaLinux/BlueOnyx?</p></div><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><font face="georgia, serif">Eduard Qualls</font></div><div><font face="georgia, serif"><i><a href="http://www.eduardqualls.com" target="_blank">www.eduardqualls.com</a></i></font></div><span></span><img src="https://ci3.googleusercontent.com/mail-sig/AIorK4z0oljRVkBvcSDfv067hMZzctSm8q-bW8L9f1JSi0LAdDxNeg6trzzFPKC3niTuUnusjEUTM2Ue2BtyYTAtPr0Df55yMZf-5E7bfl3naQ"><br></div></div></div></div></div></div></div></div></div>
<br><br><br>---------- Forwarded message ----------<br>From: Larry Smith <<a href="mailto:lesmith@ecsis.net" target="_blank">lesmith@ecsis.net</a>><br>To: <a href="mailto:blueonyx@mail.blueonyx.it" target="_blank">blueonyx@mail.blueonyx.it</a><br>Cc: Ed Qualls <<a href="mailto:eduard.qualls@gmail.com" target="_blank">eduard.qualls@gmail.com</a>><br>Bcc: <br>Date: Thu, 10 Nov 2022 19:25:06 -0500<br>Subject: [BlueOnyx:25682] Re: login attempts after IP added to firewall reject list<br>Ed,<br>
<br>
In my small amount of playing with the firewalld<br>
rules I believe that the server uses the zone public<br>
for its primary ruleset. I have added both allow and<br>
deny rules to the zone by editing the <br>
/etc/firewalld/zones/public.xml file and then restarting<br>
firewalld (systemctl restart firewalld) with great success.<br>
My server has nothing under ipsets, policies, services, <br>
icmptypes or helpers.<br>
<br>
-- <br>
Larry Smith<br>
<a href="mailto:lesmith@ecsis.net" target="_blank">lesmith@ecsis.net</a><br>
<br>
On Thu November 10 2022 18:13, Ed Qualls wrote:<br>
> As root, I added IP addresses that the firewall should reject immediately.<br>
> Getting status showed that they had been added to the reject list.<br>
> However, they are still showing up in BlueOnyx with attempts to login as<br>
> root.<br>
><br>
> For example, I used<br>
><br>
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source<br>
> address='61.177.172.191' reject"<br>
> on one IP address, but just today, someone/something on that IP tried to<br>
> login almost 800 times.<br>
><br>
> (That IP is registered in Lianyungang city, Jiangsu province, Communist<br>
> China.)<br>
><br>
><br>
> Was that not the correct command to use to force rejection of that IP<br>
> address in AlmaLinux/BlueOnyx?<br>
<br>
<br><br><br>---------- Forwarded message ----------<br>From: Michael Stauber <<a href="mailto:mstauber@blueonyx.it" target="_blank">mstauber@blueonyx.it</a>><br>To: <a href="mailto:blueonyx@mail.blueonyx.it" target="_blank">blueonyx@mail.blueonyx.it</a><br>Cc: <br>Bcc: <br>Date: Thu, 10 Nov 2022 19:36:14 -0500<br>Subject: [BlueOnyx:25683] Re: login attempts after IP added to firewall reject list<br>Hi Ed,<br>
<br>
> For example, I used<br>
> <br>
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source <br>
> address='61.177.172.191' reject"<br>
> on one IP address, but just today, someone/something on that IP tried to <br>
> login almost 800 times.<br>
> <br>
> (That IP is registered in Lianyungang city, Jiangsu province, Communist <br>
> China.)<br>
> <br>
> Was that not the correct command to use to force rejection of that IP <br>
> address in AlmaLinux/BlueOnyx?<br>
<br>
Did you issue ...<br>
<br>
firewall-cmd --reload<br>
<br>
... after adding the rich-rule?<br>
<br>
Here is a good tutorial that covers all the basics of Firewalld:<br>
<br>
<a href="https://www.computernetworkingnotes.com/linux-tutorials/firewalld-rich-rules-explained-with-examples.html" rel="noreferrer" target="_blank">https://www.computernetworkingnotes.com/linux-tutorials/firewalld-rich-rules-explained-with-examples.html</a><br>
<br>
-- <br>
With best regards<br>
<br>
Michael Stauber<br>
<br>
<br><br><br>---------- Forwarded message ----------<br>From: "Ceelie, Arie (VodafoneZiggo)" <<a href="mailto:arie.ceelie@vodafoneziggo.com" target="_blank">arie.ceelie@vodafoneziggo.com</a>><br>To: BlueOnyx General Mailing List <<a href="mailto:blueonyx@mail.blueonyx.it" target="_blank">blueonyx@mail.blueonyx.it</a>><br>Cc: <br>Bcc: <br>Date: Fri, 11 Nov 2022 11:39:08 +0000<br>Subject: [BlueOnyx:25684] System fails to start after kernel update last night.<br>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Hi all,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
this morning the kernel of my AlmaLinux system was updated to vmlinuz-4.18.0-425.3.1. And then it rebooted in rescue mode. I tried both old kernels and still it reboots into rescue mode.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
When I use grubby to see the kernel index I also get a grub-editenv: error: cannot rename the file /boot/grub2/grubenv.new to /boot/grub/grubenv (no such file or directory)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<ol>
<li><span>Is this error related to the boot failure?</span></li><li><span>What can I do to get the system up and running again?</span></li></ol>
<div><span>Until the kernel update it was working fine, even when rebooting.</span></div>
<div><span><br>
</span></div>
<div><span>Cheers,</span></div>
<div><span><br>
</span></div>
<div><span>Arie</span></div>
<div><span><br>
</span></div>
</div>
<br>
<p style="font-family:'Averta Std Light';font-size:8pt;color:rgb(115,115,115);margin:15pt" align="Left">
C2 VodafoneZiggo Internal<br>
</p>
</div>
<br><br><br>---------- Forwarded message ----------<br>From: "Ceelie, Arie (VodafoneZiggo)" <<a href="mailto:arie.ceelie@vodafoneziggo.com" target="_blank">arie.ceelie@vodafoneziggo.com</a>><br>To: BlueOnyx General Mailing List <<a href="mailto:blueonyx@mail.blueonyx.it" target="_blank">blueonyx@mail.blueonyx.it</a>><br>Cc: <br>Bcc: <br>Date: Fri, 11 Nov 2022 12:13:47 +0000<br>Subject: [BlueOnyx:25685] Re: System fails to start after kernel update last night.<br>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Few errors from journalctl -xb:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
interface rename errors for eth3 and eth1</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
/sbin/mdadm -I /dev/sdc failed with exit code 1 (sdc and sdd are backup disks, not OS disks)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
dev-sde2.device: job /start timed out (missing USB-disk)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
no other errors......</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
I'm lost here.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
</div>
</div></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><font face="georgia, serif">Eduard Qualls</font></div><div><font face="georgia, serif"><i><a href="http://www.eduardqualls.com" target="_blank">www.eduardqualls.com</a></i></font></div><span></span><img src="https://ci3.googleusercontent.com/mail-sig/AIorK4z0oljRVkBvcSDfv067hMZzctSm8q-bW8L9f1JSi0LAdDxNeg6trzzFPKC3niTuUnusjEUTM2Ue2BtyYTAtPr0Df55yMZf-5E7bfl3naQ"><br></div></div></div></div></div></div></div></div>
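The failure mode the thread converges on (a rich rule added with --permanent that is not active until firewall-cmd --reload) can be checked against the login log instead of by eye. The Python below is an added example, not code from the BlueOnyx project or from anyone on the list: it reads constructed samples of the two firewall-cmd listings and of sshd auth.log lines (the thread does not show BlueOnyx's own "Failed Login History" format, so standard sshd lines are assumed) and reports, per source address, the peak failed logins in any one minute and whether that address is in the runtime rule set, only in the permanent set, or in neither.

```python
import re
from collections import Counter, defaultdict
# Constructed sample of `firewall-cmd --permanent --list-rich-rules` output.
PERMANENT_RULES = """\
rule family="ipv4" source address="61.177.172.191" reject
rule family="ipv4" source address="61.177.172.19" reject
"""
# Constructed `firewall-cmd --list-rich-rules` (runtime): the second address was
# added with --permanent but never reloaded, so it is missing here.
RUNTIME_RULES = """\
rule family="ipv4" source address="61.177.172.191" reject
"""
# Constructed sshd lines in auth.log format; host name "bo" is made up.
AUTH_LOG = """\
Nov 11 06:01:12 bo sshd[1201]: Failed password for root from 61.177.172.19 port 5001 ssh2
Nov 11 06:01:20 bo sshd[1202]: Failed password for root from 61.177.172.19 port 5002 ssh2
Nov 11 06:03:44 bo sshd[1205]: Failed password for root from 61.177.172.191 port 5101 ssh2
Nov 11 06:10:40 bo sshd[1210]: Failed password for invalid user admin from 34.133.32.234 port 40001 ssh2
Nov 11 06:10:41 bo sshd[1211]: Failed password for invalid user admin from 34.133.32.234 port 40002 ssh2
Nov 11 06:10:43 bo sshd[1212]: Failed password for invalid user test from 34.133.32.234 port 40003 ssh2
Nov 11 06:10:45 bo sshd[1213]: Failed password for root from 34.133.32.234 port 40004 ssh2
Nov 11 06:10:48 bo sshd[1214]: Failed password for root from 34.133.32.234 port 40005 ssh2
Nov 11 06:10:52 bo sshd[1215]: Failed password for root from 34.133.32.234 port 40006 ssh2
"""
RULE_RE = re.compile(r'source address=["\']([\d.]+)["\']')
FAIL_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ([\d.]+) port')

def rejected_sources(rules_text):
    """Source addresses covered by a reject rich rule in the given listing."""
    return {m.group(1) for m in RULE_RE.finditer(rules_text)}

def failures_per_minute(log_text):
    """Map each source IP to a Counter of failed logins per wall-clock minute."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1
    return counts

def diagnose(permanent, runtime, log_text, per_minute_limit=5):
    """Per failing IP: (peak attempts in one minute, firewall status, over limit?)."""
    perm, run = rejected_sources(permanent), rejected_sources(runtime)
    findings = {}
    for ip, minutes in failures_per_minute(log_text).items():
        peak = max(minutes.values())
        if ip in run:
            status = "rejected-but-attempts-continue"  # compare rule time with log time
        elif ip in perm:
            status = "permanent-only-needs-reload"     # the trap discussed in the thread
        else:
            status = "not-blocked"
        findings[ip] = (peak, status, peak > per_minute_limit)
    return findings
```

On a live host the two listings come from `firewall-cmd --list-rich-rules` and `firewall-cmd --permanent --list-rich-rules`; an address that appears only in the permanent listing is the signature of a missing reload, while one in the runtime listing that still produces fresh failures needs its log timestamps compared with when the rule went live.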