
Since the last update of my Raspbian "something" is updating my apache ports.conf file by adding these two lines automatically:

Listen 81

And:

<IfModule mod_ssl.c>
Listen 443
</IfModule>

But I need it to listen on port 4443 because I'm using sslh to listen on 443.

This is the full ports.conf file

Listen 80
#Listen 10008
Listen 81

<IfModule ssl_module>
        Listen 192.168.21.106:4443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 192.168.21.106:4443
</IfModule>

<IfModule mod_ssl.c>
Listen 443
</IfModule>

Does anyone know what is making these changes?

gokuhs

2 Answers

After a lot of searching, in my case the cron job task of certbot was modifying the file ports.conf.

I disabled this job and renewed my certs with certbot -i apache --webroot, entering the path when it was requested.

gokuhs

Unless you're using some sort of admin panel such as Webmin or cPanel, or a configuration management tool such as Puppet, Ansible or Salt, there should be no changes applied to your server configuration from any source other than Debian's package manager (dpkg(1)).

This might happen if you've run distribution upgrades, or have unattended upgrades enabled on your server. This is generally logged in /var/log/dpkg.log.

You can override this behavior to make sure there are no configuration changes applied to any of your packages by adding the following lines to /etc/apt/apt.conf.d/local.conf:

Dpkg::Options { "--force-confdef"; "--force-confold"; }

To give you an overview of these options:

--force-confdef: ask dpkg to decide alone when it can and prompt otherwise. This is the default behavior of dpkg and this option is mainly useful in combination with --force-confold.

--force-confold: do not modify the current configuration file, the new version is installed with a .dpkg-dist suffix. With this option alone, even configuration files that you have not modified are left untouched. You need to combine it with --force-confdef to let dpkg overwrite configuration files that you have not modified.

You can also achieve this with ucf(1) by adding your configuration to /etc/ucf.conf. To be able to detect changes to the file you can use inotify in conjunction with some other commands like lsof. Let me know if you want further help with that.

Hope this helps!

William Sandin
  • No, I don't use any admin panel. Yes, I ran a distribution upgrade, and maybe dpkg upgraded some configuration in the system. I will try inotify to locate who is modifying the file, and from there I will make the corrections. Thanks for your help – gokuhs Nov 29 '17 at 15:13
  • That may explain why your configuration is overridden. You can display your current dpkg config with `apt-config dump`. Please accept this as an answer, if this was of any help. Thank you. – William Sandin Nov 29 '17 at 16:02
  • The problem is that the file is modified automatically without having made any upgrade with `apt`. Normally it is at night; when I wake up apache is down because something has changed that ports.conf file and restarted apache. (And apache doesn't start because port 443 is in use by `sslh`) – gokuhs Nov 30 '17 at 07:23
  • If you want a quick workaround before you manage to track down which file is causing the problems, you could always add an immutable attribute to ports.conf, with `chattr +i ports.conf`. Apart from inotify, you can use `auditd` or sysdig `falco` to monitor filesystem changes. It should be more reliable as it hooks directly into the syscall. – William Sandin Nov 30 '17 at 08:05
  • Thanks for your help William, I FOUND IT! It's the cron job of `certbot`: when it tries to renew the certificates, it overwrites ports.conf adding the SSL port. Now I'm looking for how to disable that – gokuhs Nov 30 '17 at 08:22
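The auditd approach suggested in the comments, as an added example that is not from either answer: a file watch on ports.conf, plus a small parser that pulls the writing process (and its parent, which exposes cron) out of the matching SYSCALL records. The audit key name "apache-ports" and the sample records are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. On the Raspbian host, as root,
# watch ports.conf for writes and attribute changes under a key we choose:
#   auditctl -w /etc/apache2/ports.conf -p wa -k apache-ports
# After the overnight change, collect the raw matching records:
#   ausearch -k apache-ports --raw > /tmp/ports.audit
# audit_writers then summarises who touched the file.

# Print "pid ppid comm exe" for every SYSCALL record carrying our key.
# ppid is the useful column: a parent that is cron (or certbot's timer)
# is what distinguishes a scheduled job from a manual edit.
audit_writers() {
    awk '
        /^type=SYSCALL/ && /key="apache-ports"/ {
            pid = ppid = comm = exe = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid")  pid  = kv[2]
                if (kv[1] == "ppid") ppid = kv[2]
                if (kv[1] == "comm") comm = kv[2]
                if (kv[1] == "exe")  exe  = kv[2]
            }
            gsub(/"/, "", comm); gsub(/"/, "", exe)
            print pid, ppid, comm, exe
        }' "$1"
}

# Constructed sample of ausearch --raw output: one write by a certbot renewal
# run from cron (ppid 1234) and one by an interactive editor. Not real logs.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1511999999.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=241 a3=1b6 items=2 ppid=1234 pid=1235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certbot" exe="/usr/bin/python3" key="apache-ports"
type=CWD msg=audit(1511999999.101:2001): cwd="/"
type=PATH msg=audit(1511999999.101:2001): item=1 name="/etc/apache2/ports.conf" inode=131 dev=b3:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1512000005.222:2010): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e2 a2=241 a3=1a4 items=2 ppid=4020 pid=4021 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="apache-ports"
type=PATH msg=audit(1512000005.222:2010): item=1 name="/etc/apache2/ports.conf" inode=131 dev=b3:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF

audit_writers "$SAMPLE"
```

With the real watch in place, `ausearch -k apache-ports -i` also shows the event timestamps, which lines the overnight rewrite up with the certbot cron entry.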