Security Bulletin 2024-07-02

a) regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk. [link]

Debian 12 users are advised to upgrade to 1:9.2p1-2+deb12u3 immediately. [link]

b) The NGINX PGP signing key has been updated; all NGINX repository users are required to import the new key. [link]

Just for fun: Now using BigQuery to import my credit card bills and analyze them, lol. (And the highest went to Uber Eats with no competition…)

SELECT
  shop,
  FORMAT_DATE('%Y-%m', date) ym,
  SUM(amount) as `count`
FROM `credit_csvs.utf-8`
GROUP BY ym, shop
ORDER BY count DESC

Replacing my Python analyzing script so I can just focus on adding more complex queries for future uses.

Interesting finding: emails sent to a Proofpoint-protected MX might get rejected if the source domain has a stronger DMARC policy, e.g. strict DKIM alignment.

https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/Other_Features/Why_does_DKIM_fail

It all begins with a DMARC report I received from Outlook…

<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>

I was then eager to find out why DKIM failed in this case, so I did some tests with a domain that has its MX pointed to pphosted servers. In the end, I was able to reproduce the issue with a URL link in my email: it gets rewritten to a URL Defense link, so the email body is modified, which results in dkim=fail (body hash did not verify).
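To see concretely why a URL rewrite breaks the signature, here is an added example (not code from the post or from Proofpoint) that computes the DKIM bh= body hash with RFC 6376 "relaxed" body canonicalization over a constructed message body, then applies a hypothetical URL-wrapping rewrite and re-checks the hash. The body text and the rewrite prefix are made up for the demo.

```python
import base64
import hashlib
import re

# Constructed sample body (not a real message): one link, some odd whitespace.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease review:  https://example.com/report \r\n\r\n-- \r\nSender\r\n"


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: strip trailing
    whitespace on each line, collapse runs of WSP to a single space, drop
    empty lines at the end of the body, and end with a single CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """bh= value as a signer or verifier computes it for rsa-sha256."""
    canon = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def rewrite_urls(body: str, prefix: str) -> str:
    """Hypothetical gateway behaviour standing in for URL Defense rewriting:
    every http(s) URL gets wrapped behind a click-tracking prefix."""
    return re.sub(r"https?://\S+", lambda m: prefix + m.group(0), body)


def verify_bh(body: str, signed_bh: str) -> bool:
    """The verifier's check: recompute bh= over the body it received."""
    return body_hash(body) == signed_bh


def demo() -> tuple[bool, bool]:
    """Returns (verifies_unmodified, verifies_after_rewrite)."""
    signed_bh = body_hash(ORIGINAL_BODY)  # captured by the signer at send time
    rewritten = rewrite_urls(ORIGINAL_BODY, "https://urldefense.example/v3/?u=")
    return verify_bh(ORIGINAL_BODY, signed_bh), verify_bh(rewritten, signed_bh)


if __name__ == "__main__":
    print(demo())  # (True, False): the rewritten body no longer matches bh=
```

Whitespace-only changes survive relaxed canonicalization, but a rewritten URL is content, so the verifier reports "body hash did not verify" regardless of the canonicalization mode.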

Next stop: ClouDNS?

With Digicert’s acquisition of DNS Made Easy (DNSME), DNSME has since hiked up their pricing for 25 zones from $75.00 to an astonishing $675 (Annual).

To be fair, existing users (legacy Business plan) only got a small bump from $75.00 to $96.00/yr, but, who knows how long that can last?

Since then I’ve been thinking about where I should migrate my DNS to after my contract with DNSME is due. I thought about building my own DNS clusters, but it is just not worth it to spin up VMs around the world myself. Amazon Route 53 has been my first choice, but recently I found that ClouDNS is not just the free DNS service I always thought it was; they also offer Premium DNS. Duh.

So far, ClouDNS seems to tick all my boxes:

– Anycast DNS, with PoPs in Asia (Hong Kong, Taiwan, Japan)
– Low TTL value (Would love to have as low as 1s, but 60s will do, as most recursive DNS does not respect a value lower than that anyway)
– DNSSEC support (Suck it Digicert DNSME for only providing DNSSEC on their $2100/yr plan)
– Super reasonable pricing (Premium M, 75 zones for only $54.45/yr, that’s a bargain)
– White-label support (Even with an option to upgrade to dedicated IPs and PTRs for only $25/month, damn)

One worry is that I did not find any documents mentioning the DNS propagation speed for ClouDNS’ zone records.

Will definitely be evaluating that and more as soon as I reach my last contracted year with DNSME 🙂

Just laying out a fact.

Alibaba Cloud, one of the world’s top 4 cloud providers, simply could not push out a Debian 12 image after the system was released months ago, on June 10th, 2023.
To be fair, they have not released any image updates for any system since June 2023.

https://web.archive.org/web/20230917172058/https://www.alibabacloud.com/help/en/ecs/user-guide/release-notes-for-2023

Adding that Alibaba Cloud has replied to my feature request for a Debian 12 image – “Alibaba Cloud will release new OS images in a timely fashion after we evaluate market needs and OS release dates.”

Update: 2023/10/29, I am finally able to pick Debian 12.2 as the system image. But this information has not been updated in the docs. The image itself was apparently built on 10/12 (debian_12_2_x64_20G_alibase_20231012.vhd).