FireFox Sync Server

Thursday, November 30. 2017

After years of Chromium as my default browser I've moved to give FF a new go after the release of v57 aka Quantum. Mozilla is still more trustworthy than Google and hey, I prefered Netscape over Mosaic once. Part of the shift was trying out FireFox sync. Since I have not much trust in the cloud unless it is my own server this meant installing Firefox Syncserver on my debian server.

I more or less followed the howto from sathya.de/blog/how-tos/setup-your-own-firefox-1-5-sync-server-on-debian-with-apache2-and-mysql/ , there are links to the mozilla docu included on his site. The basic steps are easy to take, with dns.he.net and letsencrypt with dehydrated setup of a new subdomain with a valid SSL-certificate has gone down to a matter of minutes.

Git clone the server, create a db and db-user, config the virtualhost in the web servers configuration, edit the default syncserver.ini, restart the webserver and then tell the clients in about:config which syncserver to use. Pretty basic, but it still has some potential for confusion and took me two runs to get it running.

the supplied syncserver.ini has an entry   public_url = http://localhost:5000/   which appears to suggest that ports should be defined in the server config, client config. But this is not so, in a production environment with https and a web server non ports are given.

I saw 404 errors in the error_log which stemmed from an error with the client config, I had erased the token/ - ppart of the uri. And I experienced a multitude of 500 server errors with traces in the error_log pointing at a line between Public_url = ... and allow_new_users = ...
The first complained the given secret exceeded the maximum length, while it had been created like the comments advise. Later I saw errors from parsing the sqluri. Many visual checks did not find a problem.

What helped me was a set of voodoo measures including: manually retyping the sqluri line  and  inserting a 'dummy = stupid' line supposed to catch any non-visible carried syntactical elements. Other possible sources of problems here include permissions issues and missing execution flag on the wsgi file.

And then, suddenly, it worked.

 

fail2ban fails to start

Thursday, January 27. 2011

I discovered loads of entries in mail.log logging dicionary attacks on port 110. And, going back in time, the logs showed more than just one dictionary being used, and it had been going for some time. Well, it litters the logs and you don't want to risk that finally one of them gets lucky with a user password so I searched for a way to stop the attacks.
I already used denyhosts against brute force attacks on ssh, which works fine but is limited to ssh. Instead I found out about fail2ban. 

It does what I need now but it took some smoothing of edges till I got there.

debian lenny, python 2.5.2 and fail2ban v 0.8.3 wouldn't play nice together. Fail2ban v0.8.3 apparently doesn't run with python2.5 but needs python2.4 instead

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496633 describes the sort of thing I experienced and I followed the workaround given there:

apt-get install python2.4
apt-get install fail2ban

now edit both /usr/bin/fail2ban-server and /usr/bin/fail2ban-client, first line, to point towards  python2.4 (and not python).

#!/usr/bin/python2.4

Now fail2ban ran but still wouldn't stop the attacks. I followed the howto at http://www.howtoforge.com/fail2ban_debian_etch and while I have found plenty of good advice on that site before and after, this one didn't just work. Additionally to the config described therein a file  filter.d/pop3d.conf was needed (which is easily supplied by 
cp courierlogin.conf pop3d.conf

Further on I had to remove a line from  jail.local until it looked like this:

[pop3d]
enabled = true
port = pop3   
filter = pop3d
logpath = /var/log/mail.log
maxretry = 5

One thing which irritated me debugging the problem was that fail2ban didn't report the errors in the log file even though I had the loglevel set up to 4. To get to see the errors I had to run two shells, running  
/usr/bin/fail2ban-server -x -f
in one of them and then 
/usr/bin/fail2ban-client reload
in the other one.

Update:

Later, I found thousands of log entries re SASL LOGIN:
Feb 10 16:55:42 pipit postfix/smtpd[21738]: warning: unknown[95.62.75.67]: SASL LOGIN authentication failed: authentication failure
Feb 10 16:55:49 pipit postfix/smtpd[21738]: warning: unknown[95.62.75.67]: SASL LOGIN authentication failed: authentication failure
Feb 10 16:55:56 pipit postfix/smtpd[21738]: warning: unknown[95.62.75.67]: SASL LOGIN authentication failed: authentication failure

There was a filter for SASL in the config but it didn't seem to catch them. Google once again found prior art  and the regexp from there did the job:

 failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w

(Page 1 of 1, totaling 2 entries)