[04:04] <ToadZzZztool> before I go to bed I'd like to join Ubuntu Server Team 'cause I'm a sys&net admin in a little network (only 500 hosts and 12 servers) and a student in network engineering... are there any requirements?
[04:06] <ToadZzZztool> anyhow, good night here too ;)
[10:22] <allee> Hi, I had a look at ServerTestingTeam.  Looks like no ServerTestingTeamTemplate yet. :(
[10:27] <allee> Is it okay to add something like ServerHardware/SunGalaxy ServerHardware/SunGalaxy/X4100  ServerHardware/SunGalaxy/X4200  ditto for DellPowerEdge  that are more like the linux-on-laptop pages? I.e. a page that contains known issues, tools, tips, links to other pages on the Web?
[01:27] <spike> 'lo ubijtsa
[01:48] <ubijtsa> lo spike
[01:48] <spike> how do you do man?
[01:49] <ubijtsa> not bad.. WFH today, and trying to do some of the stuff remotely is a pain
[01:51] <spike> ubijtsa: like?
[01:52] <ubijtsa> running mozilla over a reverse ssh tunnel
[01:53] <spike> no vpn/vnc?
[01:53] <ubijtsa> nope
[01:54] <ubijtsa> not to the network I need to access
[03:39] <thefish> ubijtsa: reverse ssh tunnel?
[04:09] <ubijtsa> thefish: yeah, you ssh from box1 to box2 with something like "while true; do ssh box2 -R 2222:localhost:22 'while true; do echo -n . ; sleep 60; done'; done"
[04:10] <ubijtsa> on box2 you can then do 'ssh -p 2222 localhost' and connect back through the ssh tunnel to box1's ssh port
[04:11] <ubijtsa> poor mans vpn like :)
[04:11] <spike> speaking of, what's going on with openssh vpn?
[04:11] <thefish> what benefit does it give over just normal ssh?
[04:12] <thefish> to run moz, i would just ssh -X box2
[04:12] <spike> there's been much rumor about it, but I've never seen anybody actually doing it
[04:12] <spike> thefish: firewall filtering on port 22?
[04:12] <ubijtsa> thefish: if box1 is masqueraded, you can't get to it directly
[04:12] <spike> ;)
[04:12] <thefish> ssh -X -p2222 box2
[04:13] <thefish> mkay
[04:13] <ubijtsa> in my case, box1 is at work, and box2 is at home.
[04:14] <spike> apparently with openssh 4.x you can do real vpns, but I couldnt find much about it :/
[04:14] <ubijtsa> I can't ssh into box1 from the net, as it is behind firewalls and NAT, but I can ssh from box1 to box2 :)
[04:14] <morrow> one more reason to block outgoing/incoming ssh connections. :/
[04:15] <ubijtsa> morrow: hence why my sshd don't run on standard port
[04:15] <morrow> ubijtsa: if you have the money you can also check port 80/443 connects and break the ssl stream. :)
[04:15] <spike> uh?
[04:16] <ubijtsa> morrow: that's the type product I do QA on
[04:16] <spike> how would you do that without mounting a MITM attack?
[04:16] <morrow> ubijtsa: which one? tommy ssl?
[04:16] <morrow> spike: it is a MITM attack, your clients need the CA of your SSL Proxy
[04:16] <ubijtsa> spike: transparent proxying/routing/bridging
[04:17] <morrow> some companies are willing to go this way
[04:17] <ubijtsa> morrow: McAfee SCM
[04:17] <morrow> ubijtsa: Ahh
[04:17] <spike> morrow: that was the point, if client isnt clueless it'll spot the MITM
[04:17] <spike> ubijtsa: uh, how? I dont see how that's gonna prevent that
[04:17] <ubijtsa> spike: when you as an employee get told that all traffic is intercepted, what choice you have?
[04:17] <spike> and I think this has been debated beyond the flame limits on any sec list :)
[04:17] <morrow> spike: well.. if your clients are not within your administration you shouldn't do such bad things. :)
[04:18] <spike> as in, you either enforce it with policies or nothing, technically u cant stop it
[04:18] <ubijtsa> one way of preventing IM on a corporate lan is to forbid CONNECT through proxies on http traffic
[04:19] <spike> ubijtsa: yes, but then employers wont be able to use any https, and that's not reasonable for quite a few places
[04:19] <spike> even for work purposes, as in they need to access customers' stuff and so on
[04:20] <ubijtsa> spike: that is where URL filtering comes in
[04:20] <ubijtsa> spike: trust me, there has been *loads* of work gone in to these products, and they mostly work so well you don't know they are in the way
[04:20] <spike> ubijtsa: ok, so you basically restrict connect to a few websites
[04:21] <ubijtsa> spike: or allow and log
[04:21] <spike> ubijtsa: I do believe you, I'm just curious :)
[04:21] <ubijtsa> then when you have stats, you start blocking or coaching
[04:21] <spike> sure sure, again, I thought you could "technically" stop it, which is something I was pretty sure you couldnt do
[04:22] <morrow> not without breaking the ssl streams...
[04:22] <spike> without stuff like the aforementioned MITM like setup, which a smart employer would detect
[04:22] <spike> as a non smart one isnt gonna ssh tunnel home imho
[04:23] <ubijtsa> one way to detect if your traffic is filtered is for downloads..
[04:23] <ubijtsa> the larger the download, the longer it takes before you get any data at all, as the AV scanners need big blocks (or whole file) to work with
[04:38] <morrow> ubijtsa: if you work for mcafee, how about asking some developers to release a daemon version of uvscan? :)
[04:39] <ubijtsa> hehe.. I could ask.. :)
[04:39] <ubijtsa> I sit not far from the guys that wrote LinuxScan
[04:40] <ubijtsa> but that project been idle/dead for ages
[04:40] <morrow> hmm :/
[04:41] <ubijtsa> there is *some* scanner available for linux, but I have to check who is writing it, so I direct feature requests to the right people
[04:41] <ubijtsa> I can do that on monday
[04:42] <morrow> well currently its uvscan. but this is only a command line scanner without daemon option
[04:43] <morrow> ubijtsa: that would be great, please keep me posted. :)
[04:44] <ubijtsa> morrow: I'll have a chat with them. I can see the usefulness of it (clamav/ clamsmtpd) so I'll see what I can do.
[04:46] <morrow> it could be a political thing... because the uvscan is licensed based on servers, smtp scanning usually is per user
[04:47] <morrow> had this issue this week with sophos and kaspersky... even if you use the filescanber you have to licence it as SMTP gateway. :/
[04:47] <morrow> filescanner..
[04:48] <ubijtsa> aye..
[04:48] <ubijtsa> right, have to change a nappy now
[08:49] <spike> ubijtsa: hey, you around?
[08:51] <ubijtsa> spike: in a fashion
[08:52] <ubijtsa> why?
[08:54] <spike> ubijtsa: I'm trying to work out a way to get to birmingham that wont cost me a fortune...
[08:54] <ubijtsa> where from?
[08:54] <spike> tmoz I wanted to go to some place.. took it easy... it turned out that sing was gonna cost me 100 pound... couldnt believe it
[08:54] <spike> brighton
[08:55] <spike> I'm not gonna go of course... I cant afford 200 pound for a 2 days thingie...
[08:55] <ubijtsa> brighton to brum, cheapest way ought to be train..
[08:55] <spike> I'm fskcing astonished... it's not even a long route... damn, by car it's something shouldnt take u more than 4 hrs and, uhm, 70 quid roundtrip?
[08:56] <ubijtsa> spike: I can do it for about that round trip yeah
[08:56] <ubijtsa> but that pre-supposes you have a car :)
[08:56] <spike> so wtf it's gonna take 6 hrs and 200 quid round trip!? grrrr
[08:57] <spike> 6hrs one way, tho, so was for 4 above
[08:57] <spike> damn
[08:57] <ubijtsa> public transport in UK is a joke.. everyone knows that :)
[08:57] <spike> do u know liftshare.com?
[08:58] <spike> hitchhiking a ride might be the only solution... I really cant spend that amount of money...
[08:58] <spike> from liverpool it's "only" 30 quid... was looking if there was any way to fly cheaply from gatwick, but apparently there isnt :/
[08:59] <ubijtsa> nah.. car-share, hiking with lorries etc is cheaper, but not as safe
[09:01] <ubijtsa> right, I have a few things to test.. so will be offline for a while..
[09:01] <spike> k, ta, c ya
[09:11] <neuralis> Toadstool: the requirements for joining the team are a reasonably consistent history of contribution to the project.
[09:11] <neuralis> Toadstool: things like help with bugs, release testing, or helping out here and on the ML.
[09:48] <Toadstool> neuralis: ok no prob', i'll try to do my best :)
[09:48] <neuralis> Toadstool: great, look forward to having you join soon!