Original at linux.com.
I bumped into the following cryptic Fail2ban error:
fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-NoScript[ \t]' returned 100
fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
Cause: a race condition in fail2ban-client.
Solution: add a small amount of sleep.
Open /usr/bin/fail2ban-client and around line 144 add the line “time.sleep(0.1)” right before “beautifier.setInputCmd(c)”. Make sure you use tabs and not spaces! Here is what it should look like:
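	def __processCmd(self, cmd, showRet = True):
		beautifier = Beautifier()
		for c in cmd:
			# Short pause before each command to avoid the race (uses the time module)
			time.sleep(0.1)
			beautifier.setInputCmd(c)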
Enjoy all those bans automagically handed out to the bad guys.
Last week I ordered replacement lenses for my Oakley sunglasses. Since it’s 2012 and not 1995, one would expect a thank-you-for-your-order email from Oakley (or any webshop for that matter) followed by shipment updates. Judging from the logs of my Postfix mail server, the Oakley sysadmin needs to at least follow best practices in IT (2012 edition), followed by mail server & DNS server setup 101, ASAP. The reason? I never received a single email from Oakley confirming my order or one with shipment updates. Why? From the logs of my Postfix mail server:
NOQUEUE: reject: RCPT from unknown[126.96.36.199]: 554 5.1.8 <firstname.lastname@example.org>: Sender address rejected: Domain not found; from=<email@example.com> to=<my_special_oakley_email_address> proto=ESMTP helo=<web05.oakley.com>
NOQUEUE: reject: RCPT from unknown[188.8.131.52]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, [184.108.40.206]; from=<firstname.lastname@example.org> to=<my_special_oakley_email_address> proto=ESMTP helo=<226508-endeca.oakley.com>
So let’s do some analysis:
1) Oakley tries to send me an email from IP address 220.127.116.11. This IP address is part of the Rackspace range assigned to Oakley. From the whois information: Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) 18.104.22.168 – 22.214.171.124; Oakley Inc. RACKS-8-1279918324181340 (NET-174-143-198-128-1) 126.96.36.199 – 188.8.131.52. The reverse DNS lookup of 184.108.40.206 results in web05.oakley.com. That’s as expected. Next, let’s do a lookup of web05.oakley.com. The result? NXDOMAIN, or in plain English, a non-existent domain. In other words, Oakley’s sysadmin decided to send email from web05.oakley.com but did not have enough of a clue to also make sure that web05.oakley.com has a DNS entry. The lack of a proper DNS record for web05.oakley.com will probably result in many mail servers rejecting these emails from Oakley.
That’s FAIL #1
2) Oakley tries to send me another email from IP address 220.127.116.11. This IP address is also part of the Rackspace range assigned to Oakley. The reverse DNS lookup of 18.104.22.168 results in: NXDOMAIN. Let’s see if the hostname 226508-endeca.oakley.com resolves to something sane. What a surprise. Another NXDOMAIN. So, again, the sysadmin did not bother to add proper DNS records to Oakley’s public authoritative DNS servers.
That’s FAIL #2
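The two lookups walked through above (reverse lookup of the client IP, then forward lookup of the returned name and of the HELO name) can be run by the sending side before any mail goes out. The following Python is an added example, not part of the original post; audit_sender, the two resolver helpers and the 192.0.2.x / example.com records are names and data constructed for illustration.

```python
import socket

# Constructed sample DNS data (documentation addresses, not real hosts).
SAMPLE_PTR = {"192.0.2.10": "web05.example.com", "192.0.2.30": "mail.example.com"}
SAMPLE_A = {"mail.example.com": {"192.0.2.30"}}

def sample_resolver():
    """Offline resolver over the constructed records above."""
    return SAMPLE_PTR.get, lambda name: SAMPLE_A.get(name, set())

def system_resolver():
    """Live resolver using the OS; same interface as sample_resolver()."""
    def ptr(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:          # herror/gaierror: no PTR record
            return None
    def addrs(name):
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except OSError:          # NXDOMAIN or no address records
            return set()
    return ptr, addrs

def audit_sender(ip, helo, resolver):
    """List the DNS problems a receiving mail server would see for a client."""
    ptr, addrs = resolver
    problems = []
    rname = ptr(ip)
    if rname is None:
        problems.append("no PTR record for client IP")
    elif ip not in addrs(rname):
        # PTR exists but the name has no forward record pointing back
        problems.append(f"PTR name {rname} does not resolve back to {ip}")
    if not addrs(helo):
        # Address records only; an MX lookup would need a DNS library
        problems.append(f"HELO name {helo} does not resolve")
    return problems

if __name__ == "__main__":
    hosts = [("192.0.2.10", "web05.example.com"),   # PTR set, no forward record
             ("192.0.2.20", "app01.example.com"),   # no PTR, no forward record
             ("192.0.2.30", "mail.example.com")]    # PTR and forward record agree
    for ip, helo in hosts:
        print(ip, helo, audit_sender(ip, helo, sample_resolver()) or "OK")
```

Passing system_resolver() instead of sample_resolver() runs the same checks against live DNS for a host you operate.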
Oakley: with the premium price you charge for your products I expect you to at least be able to send me a proper order confirmation and shipment updates. This is 2012, not 1995. It has been best practice for quite some time now that, to prevent FAILS like the ones above, one shall avoid sending email from non-MX hosts. Instead one shall send (order related) email via an authoritative, properly configured MX server (that’s a Mail eXchanger like Postfix) that has proper DNS records.
Thank you for complying at your earliest convenience as I still would like to receive the order confirmation and shipment update emails.