/srv/irclogs.ubuntu.com/2008/08/13/#ubuntu-server.txt

kees	kirkland: hurrm. benc and pitti haven't added their updates to the grub bzr tree	00:01
kees	kirkland: or rather, slangasek didn't notice when committing your changes to bzr. I'll go find him	00:03
=== fReAkY[t] is now known as c1\|freaky
kirkland	kees: okay	00:09
kirkland	kees: i am formally baffled/befuddled/bemused by developing on bzr vs. dsc	00:09
kirkland	rather, the inconsistencies among the two	00:10
kees	kirkland: yeah, it's a serious pain currently.	00:11
kirkland	kees: is http://people.ubuntu.com/~kirkland/grub/ what you were asking for, at least?	00:11
kirkland	kees: the changes file therein?	00:11
kees	kirkland: yeah, that's cool.	00:12
nxvl	zul: the evil now is libtool	00:13
nxvl	zul: not php	00:13
* nxvl checks infinity's debdiff		00:13
zul	not its evil	00:13
nxvl	heh, well yes, php is evil, but not as libtool	00:14
kirkland	kees: okay, I'm in a holding pattern then, until i receive further instruction from you or slangasek on what form they want you/he want(s) these changes in	00:20
kees	kirkland: yeah, basically, slangasek and I will clean up bzr and I'll upload the source.changes you put up. sorry for this goofiness.	00:22
kirkland	kees: cool, thanks for the cleanup	00:22
=== dan is now known as dantalizing
=== c1\|freaky is now known as fReAkY[t]
=== fReAkY[t] is now known as freaky[t]
HellMind	I need help to jail users , i tried the stupids guides but isnt work, maybe you know something to doit in ubuntu server, the best, easy, and simple way	02:59
=== PrivateVoid_ is now known as PrivateVoid
HellMind	I want to be a bot	03:16
p4_xxx	hi	03:18
p4_xxx	i have tried to ask Q here but seems nobody answer :-(	03:19
sommer	p4_xxx: what's your question?	03:25
ScottK	foolano: Since dovecot is the standard MDA for Ubuntu, I'm a bit suprised ebox went with courier.	04:40
ScottK	This will pose a problem for getting ebox-mail into Main.	04:40
ScottK	mathiaz: ^^	04:40
mathiaz	ScottK: correct - I think he is working on it	04:40
mathiaz	ScottK: but courier was supported before they moved to ubuntu as their base platform	04:41
ScottK	OK.	04:42
ScottK	mathiaz: Taking a quick look at this one package, I don't think I'd be excited to give them upload rights.	04:42
ScottK	It looks not so good from an FHS perspective and the maintainer scripts are not at all complete.	04:43
emgent	kirkland: ping.	04:53
kirkland	emgent: pong	04:53
ScottK	mathiaz: It's no where near ready for the archive.	04:54
HellMind	help me to jail users	04:56
HellMind	I need something like apt-get install jailpatch	04:57
HellMind	Y	04:57
HellMind	COol :D	04:57
mathiaz	ScottK: hm - could you send an email to foolano with your comments on the package ?	05:09
mathiaz	ScottK: It seems that it may require to get through the sponsoring queue.	05:10
ScottK	mathiaz: I'm not sure I know where to start.	05:14
ScottK	Docs still refer to postfix with VDA patch and it's all very scary.	05:14
ScottK	It's past midnight and I'm trying to relibtoolize courier. My brain cells are all pretty used up.	05:15
mathiaz	ScottK: right - I see what you mean :)	05:15
mathiaz	ScottK: I'll point out your comments to foolano - it may not be the best option to ask for ebox upload privilege for now	05:16
ScottK	That's what I'm thinking.	05:16
ScottK	mathiaz: For that one in particular, I'd suggest that the requirement be lamont is happy.	05:17
lamont	any sentence that includes the word "relibtoolize" is evidence that brain cells are getting burned up	05:25
lamont	or even "libtoolize" for that matter...	05:26
nxvl	lamont: try to build courier without relibtoolize it	05:26
nxvl	(actually if you have a better solution please let me know)	05:27
lamont	nxvl: I assert that it using libtool is evidence that it'd be an uphill battle to have me maintain it	05:27
nxvl	:D	05:29
nxvl	it seems that i'm not the only one that hates libtool	05:29
nxvl	:D	05:29
nxvl	awesome	05:29
ScottK	nxvl: You may have been led astray, but let me look into it some more.	05:32
lukehasnoname	ScottK, your dry, constant, quasi-subtle stabs at LP amuse me.	05:41
ScottK	OK. I didn't think I was being subtle.	05:42
lukehasnoname	It's subtle if the person reading doesn't already know you dislike it. I'm reading the response to the server team meeting.	05:44
nxvl	bed time	05:44
nxvl	read you tomorrow!	05:44
ScottK	OK. Well it turned out to exist, it was just somewhat hidden.	05:47
ScottK	As it goes, Launchpad isn't so bad, but the fact that it's closed really makes it pretty much impossible for an outsider to contribute even ideas.	05:48
ScottK	Getting really outspoken and filing lots of bugs seems to have some effect.	05:48
ScottK	OK. That wasn't it. I'm going to bed.	06:07
p4_xxx	hi, i set up a ubuntu server at home. i have 4 pc that i want them to store and share files. but at the same time i want their own private folder and one folder for shares. i read a data from a link and it worked, but it's just one folder evry one can see all. i ve been reading a lot on samba site but i got confuse, i m new to linux and i would like to know if someone know a site that explain the procces easly tanks	06:22
kraut	moin	07:34
foolano	ScottK: we dont use the VDA patch anymore, unfortunately the doc you read was outdated	07:46
jmazaredo	i have a weird problem i have a router where if i plug my ubuntu server it gives a problem on the network (intermittent connection)	07:47
jmazaredo	i formatted and reinstalled a fresh ubuntu 5 times different hardware different ubuntu dist (desktop/server)	07:49
jmazaredo	any known issue?	07:49
Deeps	dodgy hardware?	07:49
Deeps	network card / cable / switch	07:50
jmazaredo	i used several hardwares	07:50
jmazaredo	all good	07:50
jmazaredo	1 thing fixed it	07:50
jmazaredo	i installed a centos dist and also plugged it in	07:51
jmazaredo	all becomes stable.	07:51
jmazaredo	dunno how that happen	07:52
chmac	Can anyone recommend a slightly more powerful alternative to Firestarter? I want to configure iptables a little more carefully.	08:01
henkjan	chmac: try ufw	08:02
chmac	henkjan: Sweet, thanks, I'll check it out	08:02
ghaleb	hello, when I flush my iptables the firewall blocks everything	08:26
Deeps	ghaleb: iptables -nL \|grep policy	08:27
ghaleb	Deeps, there are no rules	08:27
Deeps	ghaleb: no default policy either?	08:28
ghaleb	Chain INPUT (policy DROP)	08:28
Deeps	there you go, that's why	08:28
ghaleb	I see .. hmm	08:29
ghaleb	so when I flush the iptables .. the firewall drops everything else	08:29
Deeps	if you want to change the default policy, use the -P flag	08:30
Deeps	eg, iptables -P INPUT ACCEPT	08:30
ghaleb	great!	08:31
ghaleb	thank you very much	08:31
ghaleb	to save the config , iptables-save ?	08:32
Deeps	iptables-save will dump it to the screen, you'll want to redirect that to a file	08:34
dusty_	Hrm, I have a default drop all unless i allow it through iptables firewall, i've just noticed that I can make connections to the mysql port, even though i don't allow that in my firewall (only allow 22, 53 and 80). Can anyone see how myslq traffic can get through this: http://rafb.net/p/28mV0w88.html it doesn't make sense ?	10:53
Ontolog	ubuntu-8.04.1-server-amd64.iso is the right distro for a Xeon 3065?	10:53
soren	Ontolog: I imagine so, yes.	10:56
thefish	whois [miles]	10:56
Ontolog	why is it called "amd"?	10:56
thefish	Ontolog: i reckon you want ia64	10:57
soren	dusty_: "iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT" seems like a good guess.	10:57
Ontolog	ia means intel arch?	10:57
soren	Ontolog: Hysterical raisins.	10:57
soren	thefish: ia64 is Itanium.	10:57
Ontolog	Xeon != Itanium?	10:58
* Ontolog is a hardware noob		10:58
thefish	dont reckon you want amd for intel	10:58
soren	dusty_: It's the third rule you apply. It probably somewhat more promiscuous than you want :)	10:58
Ontolog	but that's what ubuntu.com gives me...	10:58
soren	thefish: Yes, he does.	10:58
thefish	ok	10:58
soren	amd64 is for x86_64, be it Intel or AMD.	10:59
dusty_	soren, hrm, what do you mean, that just allows new connections	10:59
soren	dusty_: Yes... Such as connections to your mysql database.	10:59
soren	dusty_: ...which is what you didn't want. correct?	10:59
dusty_	ahh yeah	11:00
dusty_	so	11:00
dusty_	that needs to be appended to the output chain not input	11:00
dusty_	?	11:00
Ontolog	ok if I install the 64-bit version, how does that effect software installs?	11:00
soren	dusty_: I can't say "yes", but it's likelyl.	11:00
soren	dusty_: I don't know the policy for your network.	11:01
Ontolog	for example, can if I want to download Apache source and compile and install will I get any nasty surprises?	11:01
dusty_	ok let me try commenting it out and see if it makes a difference	11:01
soren	Ontolog: Probably.	11:01
soren	Ontolog: Why do you want to do that?	11:01
Ontolog	for my project we are using a custom build of apache	11:02
soren	What's custom about it?	11:02
dusty_	ahh sorry i just re-read it, im trying to figure out a way to log properly so i can run some log analysing software	11:02
dusty_	so i wanted to log all new traffic blocked or unlblocked	11:02
Ontolog	i know where you are going with this	11:02
Ontolog	no i don't want to use ubuntu's apache	11:02
soren	Ah. Then -j LOG rather than -j ACCEPT.	11:02
soren	Ontolog: Then I don't think I understand your question.	11:03
Ontolog	my question was about compiling and install things from source	11:03
soren	And I'm also interested in use cases that our apache packages does not serve.	11:03
Ontolog	well	11:03
Ontolog	in my case, while i love ubuntu, i don't want my project tied to it	11:03
soren	Ontolog: Could you please state it as an actual question?	11:03
dusty_	soren, so just these two rules then : http://rafb.net/p/AgBp1388.html	11:03
Ontolog	all the things directly related to my project are installed under /usr/local from tarballs	11:03
soren	dusty_: You misspelled ACCEPT.	11:04
dusty_	yes sorry i didnt need that rule anyways just hte bottom one	11:05
soren	Ontolog: Well, as long as you're prepared to handle the problems inherent in compiling stuff yourself, there's nothing in particular that should make it more difficult to do so under Ubuntu. In fact, I'd bet it's easier than on most other distro.	11:05
soren	dusty_: Yeah, the last one looks about right (if I understand its purpose correctly, of course).	11:06
Ontolog	thanks my question is not so much about compiling and install from source under ubuntu, i am already doing that, just about the 64-bit OS being a factor	11:06
soren	Ontolog: I see. That was not very obvious :)	11:07
dusty_	soren, log all new connections	11:07
soren	Ontolog: 64-bit Linux installations are so commonplace these days, I wouldn't foresee any problems at all.	11:07
Ontolog	so i can run 32-bit binaries on them?	11:07
soren	Ontolog: In fact, all my systems are 64 bit ones, and I'm perfectly happy with that.	11:07
soren	Ontolog: Yes.	11:07
soren	Ontolog: Let me qualify that a bit, though:	11:08
soren	The kernel and CPU will allow you to do so. However, 32 bit applications need 32 bit supporting libraries.	11:08
soren	Ubuntu provides quite a few 32-bit libraries on 64 bit installations, so it might not be a huge problem, but our Apache's are 64-bit ones, when on 64 bit installations.	11:09
soren	..so we haven't tested (and are not going to, since it's silly) 32 bit Apache on 64 bit Ubuntu.	11:10
soren	Ontolog: Still, I'd very much like to know why our Apache does not serve you.	11:13
ScottK	foolano: The doc I read was the one in the package that according to the minutes you're looking to get sponsored.	12:41
foolano	ScottK: that doc was outdated. we dropped the support for VDA a few months ago. Actually, when I was told by you that there was no way we would package postfix with that patch. I didn't sync the install doc at the time. I've just changed it to avoid problems.	12:44
ScottK	foolano: OK.	12:45
foolano	ScottK: I'm also interested in hearing the packages issues in order to fix them asap	12:45
foolano	s/packages/packaging	12:45
foolano	ScottK: with the FHS issues maybe you were pointing out the /usr/share/ebox/migration stuff?	12:46
ScottK	IIRC the thing that initially suprised me as having your config stuff not in /etc, but I only got about 3 hours sleep last night, so I'm sure I'm not entirely coherent today.	12:47
ScottK	foolano: One thing I remember is that it didn't appear that removing with purge actually removed your conffiles.	12:48
foolano	ScottK: configuration is stored in gconf, so when the packaes is removed debhelper takes care of removing the gconf schemas	12:50
ScottK	OK.	12:50
foolano	ScottK: i gotta go home now, if you fancy talking about this a bit later or when you get some rest it would nice	12:52
foolano	see you later	13:00
* ScottK wonders about the suitability of gconf for server apps.		13:13
Syntux	Good day, Which control panel would you guys recommend for Ubuntu server ? 8.04	13:27
ScottK	Personally I like vim.	13:57
jpds	vim FTW.	13:57
ScottK	kirkland: While asking the user what they want to do when booting degraded makes sense on the desktop, I think it's not very satisfactory for servers.	13:58
kirkland	ScottK: why is that?	13:58
ScottK	Because usually when you reboot a server there's no one looking at any u/i.	13:59
kirkland	ScottK: understood... but if we don't have this prompt, it simply drops you to a busybox prompt	14:00
kirkland	which is no better, or worse, IMHO	14:00
ScottK	Right. I just don't want to preclude the ability to automatically boot degraded is that's how the sysadmin has configured it.	14:01
ScottK	is/if	14:01
kirkland	this patch does not preclude that	14:01
kirkland	ScottK: first, BOOT_DEGRADE is read from an /etc configuration file	14:02
ScottK	kirkland: OK. That's fine then.	14:02
kirkland	ScottK: that can then be overridden or specified on the kernel boot parameters	14:02
ScottK	It just sounded to me like he was proposing that instead of boot degraded.	14:02
kirkland	ScottK: i didn't read it that way	14:02
ScottK	Fair enough.	14:03
cokegen	hi, I'm running a command with cron but it launches an exim process each time is run. What I need to configure to prevent that ? (debian box)	14:26
ScottK	cokegen: Probably a question that should be asked on a Debian channel then.	14:35
thefish	cokegen: i think you can change the MAILTO directive	14:38
thefish	maybe to like /dev/null, not 100% sure	14:38
thefish	but it will try and email each time a cron job is run	14:38
thefish	i need a remote server to open an openvpn tun and reopen if its dropped, any suggestions? want it to start on boot. its so i can always reach it even behind firewalls etc	14:43
_ruben	openvpn has autoreconnect functionality	14:45
thefish	_ruben: cool ill look that up	14:51
thefish	and start it with a rc.x?	14:51
cokegen	ScottK: I will ...	14:52
_ruben	the openvpn debian/ubuntu package has a proper /etc/init.d/ script	14:52
cokegen	thefish: MAILTO directive where ?	14:52
gegema	I am currently mounting a network share using "mount -t cifs -o username=foo,password=bar /mnt" >> I am wanting to add this entry to my fstab, which tab would the username and password belog to?	14:53
gegema	currently I have gotten as far as "//network/share /mountpt cifs "	14:54
thefish	cokegen: in your crontab	15:07
thefish	gegema: my guess is col4 with the options	15:08
sylfire	lo all. anyone here using a xen server? having some issues setting it up, bridged networking	15:18
trakinas	hello all! need some help with cronjob. I created one with root, but it is not being executed.	15:18
sylfire	trakinas: is your cron service running?	15:19
trakinas	sylfire: almost sure it is, but anyways, how can I check?	15:19
sylfire	/etc/init.d/anacron restart, if you're using anacron	15:20
sylfire	no wait, just checked, mine here on a box says cron, so just /etc/init.d/cron restart	15:21
trakinas	sylfire: * Restarting periodic command scheduler crond [ OK ]	15:22
trakinas	so, it was running	15:22
sylfire	do you have the format of your cronjob correct?	15:22
trakinas	i think so. I will pastebin.	15:23
trakinas	sylfire: http://pastebin.us/?show=d3d16bc5d	15:24
sylfire	checking	15:25
sylfire	try converging the output before you say which logfile to write to	15:26
trakinas	I dont have a sendmail running and I dont pretend to configure one (Im leaving this place). so I thought about send them to /dev/null. but I guess I you talking about the log only.	15:29
sylfire	yes, I'm referring to the devnull. Just noted it as "logpath" in my mind, didn't consider the value	15:31
trakinas	hmmm... so, leave it there or should I proper configure one?	15:31
sylfire	make it 2>&1 > /dev/null	15:32
trakinas	like this? http://pastebin.us/?show=m625f672d	15:34
sylfire	/root/mondo-backup.sh 2>&1 > /dev/null	15:35
trakinas	thank you	15:42
Quest_	any replacement for "knemo" . it shows live network trafic chart/graph ... ?	16:27
Quest_	any replacement for "knemo" . it shows "live" network trafic "gui" chart/graph ... ?	16:30
=== Syntux is now known as Guest50231
=== Syntux_ is now known as syntux
uvirtbot`	New bug: #257625 in dovecot (main) "Upgrade to Intrepid : Unknown setting: user_global_uid" [Undecided,New] https://launchpad.net/bugs/257625	16:46
jimcooncat	hi. I'd like a guide or dead-tree book on managing user preferences: establishing sane defaults in /etc/skel, applying a preference to an existing user, migrating between machines, etc.	16:52
jmedina	jimcooncat: what you mean with «applying a preference»?	16:56
jimcooncat	jmedina: let's say I want to remove ipv6 stuff from all my users firefox profiles. Maybe this is a bad example.	16:58
jimcooncat	jmedina: or set default font in gedit for an existing user	16:58
jimcooncat	I'm really looking for an administrators guide that goes deeper than "how to add or delete a user"	16:59
jmedina	well, that depends on the desktok enviroment	17:00
jmedina	not really in the user account	17:01
jmedina	there is a kiosk thing for KDE, you can do stuff like that	17:01
jmedina	but dont know for gnome, I have not used for about 4 years	17:01
jimcooncat	thanks jmedina. I think there's a gnome equivalent in Hardy, and I'll check it out once I get it installed in a couple of machines.	17:03
kraut	wie starte ich das nm-applet?	17:04
jmedina	jimcooncat: maybe that can help you, and yap, I remember a few months ago about that feature in gutsy or somthing	17:04
jmedina	jimcooncat: check this out, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/desktop-guide/s1-ddg-lockdown-other-kiosk-configs.html	17:16
jmedina	there is a lot information about kiosks in gnome	17:16
jimcooncat	that's really good jmedina. thanks	17:18
jmedina	you are welcome,	17:19
jimcooncat	I found sabayon stuff on gnome website, and policykit. I think I can run with it now.	17:22
dusty_	Hey guys I am trying to make a firewall like so: Default deny all unless i specifically allow it. I allow ssh and DNS (as its a nameserver). Everything else gets dropped, how can i log the 'everything else' that gets dropped.. ? my ruleset so far is: http://rafb.net/p/AhSDIF36.html i know i use -j LOG but do i do it on the policy lines or how would i achieve this ?	17:42
ScottK	Did you try ufw? It might be easier to configure that way.	17:43
dusty_	ufw ?	17:43
dusty_	No I have not tried that.	17:43
ScottK	uncomplicate fire wall.	17:43
dusty_	I rather just use plain ole iptables	17:44
ScottK	uncomplicated.	17:44
dusty_	as I only need one rule to log everything that gets dropped	17:44
dusty_	im just not sure how to do it	17:44
jmedina	ScottK: so is there a option for ufw to do that?	17:44
jmedina	never used ufw, but with shorewall it is an easy task	17:44
ScottK	I'm not sure exactly. If one is uncertain with iptables scripts directly, then it's worth looking into.	17:45
jmedina	with shorewall I specify my policy for example traffic from the internet to the firewall	17:45
jmedina	net fw REJECT LOG	17:46
jmedina	what I see with ufw is that there is no way to filter based on the source and destination	17:47
jmedina	they assume all the traffic is comming from the internet	17:47
jmedina	there is where is complicated :P	17:47
jmedina	maybe it is worth for single interface firewalls, of user firewall	17:47
foolano	dusty_: as your rules are pretty simple add a "-j LOG "rule at the end of the each chain	17:48
dusty_	foolano, like iptables -A INPUT -j LOG	17:49
dusty_	iptables -A OUTPUT -j LOG	17:49
dusty_	and same for forward ?	17:49
foolano	dusty_: yep, like that. Just make sure you add them at the end of the chain	17:50
dusty_	what do you mean at the end of the chain ?	17:50
foolano	if a packet reaches the LOG rule it will be logged, and after that it will be rejected for your chain policy	17:50
dusty_	what ?	17:50
foolano	dusty_: run iptables -L	17:51
foolano	and you see how your rules are added to the chains	17:51
dusty_	ah	17:52
dusty_	sweet, thank you for your help.	17:52
foolano	np	17:52
dusty_	one curious question thought, I can nmap my server using the -PN option and it replies the open correct ports, how can i stop this ?	17:55
jmedina	dusty_: could you show us the output of nmap?	17:55
dusty_	ofcourse	17:55
dusty_	http://rafb.net/p/Huc0qU17.html	17:55
foolano	well, that's correct	17:56
foolano	you are allowing access to those ports	17:56
dusty_	hrm	17:56
dusty_	is there a way to filter this ?	17:56
dusty_	or is there a way to foil scanners ?	17:56
foolano	ehh no	17:56
_ruben	opened ports are, well, open ...	17:56
dusty_	heh ok	17:56
dusty_	one last question, is there anything i can do to improve on the script (my firewall one) for added security bearing in mind that server is just a nameserver with 53/22 open	17:59
dusty_	?	17:59
jmedina	dusty, you better improve security on your name and ssh server	18:00
jmedina	this kind of firewall only filters traffic, based on ips and ports, and posibly another tcp/ip flags, but doesnt filter maliciuis packets or attacks specific for your applications	18:00
jmedina	you can use failtoban to protect dictionary attacs for ssh	18:01
jmedina	uses public key autentication	18:01
ScottK	As an example, you can rate limit ssh to a few connections per minute (or use fail2ban)	18:01
dusty_	Yeah i'm looking into fail2ban, so this iptables script is pretty pointless then ?	18:02
jmedina	sad but true	18:03
jimcooncat	port knocking I hear is fun in these situations	18:03
jmedina	that firewall wont protec you agains spoof attacs, for example	18:03
jmedina	I prefere to change the port for ssh	18:04
jmedina	:P and use only public key auth	18:04
dusty_	yeah	18:04
dusty_	thats what i am doing public key auth	18:04
dusty_	i may change the port too	18:04
jmedina	all these robots scanning only use tcp/22 as target	18:04
dusty_	what kinda attacks kind iptables stop then that i can research	18:04
jmedina	dusty_: but then disable password auth	18:04
dusty_	passwd auth is dissabled	18:05
jmedina	that is good	18:05
jmedina	dusty_: check your dns for open relay	18:05
foolano	are you guys having problems to file bugs in launchpad? i'm getting time out error all the time	18:06
jmedina	you can test your dns with http://intodns.com a free and opensource bases dnsreport replacement	18:06
jimcooncat	jmedina: that's what I'm doing. dusty_, changing the port may help a lot for kiddies that are just looking for any open machine. Not if they're targeting YOU, though	18:06
jmedina	jimcooncat: yeap, that when fail2ban enters	18:07
foolano	hey mathiaz, i'm testing the latest slapd and I think I've found an issue with the permissions of /var/run/slapd	18:11
dusty_	jmedina, how can i check if its an open relay /	18:12
dusty_	?	18:12
jmedina	dusty_: intodns can tellyou	18:12
jmedina	scrolll up	18:13
dusty_	what?	18:14
jmedina	that page	18:14
jmedina	http://intodns.com	18:14
dusty_	ah sorry	18:14
jmedina	you can test your domain, and one of the tests is check if your dns server is open relay	18:14
dusty_	wtf	18:17
dusty_	jmedina, check this out: http://www.intodns.com/stoned-hacker.co.uk	18:17
dusty_	it says the glue records are wrong it says my registar reports one ip and the nameserver another, thats in correct. i just checked at the registrar and the glue records are fine ?	18:17
mathiaz	foolano: what's the issue ?	18:17
trakinas	foolano: i liked your nick. haha!	18:17
dusty_	For ns1.stoned-hacker.co.uk the parent reported: ['78.129.229.42'] and your nameservers reported: ['78.129.229.25']	18:18
dusty_	thats intodns	18:18
dusty_	my registrar:	18:18
dusty_	is .25 for the ip	18:18
dusty_	jmedina, im confused and a little worried over this ?	18:19
dusty_	ns1.stoned-hacker.co.uk has 78.129.229.25 on my registrar	18:19
dusty_	where does that site get that info?	18:19
jmedina	directly form the the root servers and your own server	18:20
foolano	mathiaz: the ldapi socket, that's the unix socket where slapd can listen on. It's usually within /var/run/slapd. There's even a link from /var/run/ldapi to /var/run/slapd/ldapi. /var/run/slapd hasn't the right permissions to allow anyone to connect to the socket.	18:20
mathiaz	foolano: https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/114438 ?	18:22
uvirtbot`	Launchpad bug 114438 in openldap2.2 "Permissions for ldapi:// socket are too restrictive" [Undecided,Fix released]	18:22
mathiaz	foolano: that's supposed to be fixed now	18:23
foolano	mathiaz: nope, that's not the same. that's bug is related to the file itself. This problem is with the directory permissions	18:23
foolano	mathiaz: i experienced this issue a couple of days ago. the automatic tests of eBox in intrepid failed. I thought it was just for the new backend but this was a problem too. Unless i'm missing something	18:24
mathiaz	foolano: ok - could you file a bug ?	18:25
mathiaz	foolano: I'll get it fixed later, but the archive is frozen for now as we're preparing for alpha4	18:25
foolano	mathiaz: i'm trying :) but it seems lp is a bit busy :)	18:25
* jmedina rembers foolano is having troubles filing bugs..		18:25
sommer	mathiaz: hello, I also noticed a small issue with "sudo dpkg-reconfigure slapd", if the /etc/ldap/slapd.d directory is already there the reconfigure doesn't work	18:26
foolano	yeo	18:27
foolano	that's the nexxt thing i was going to tell you :)	18:27
sommer	foolano: :-)	18:27
edmoore	hi - I'm running server currently without any flavour of gui. Is it as simple as sudo apt-get install ubuntu-desktop?	18:29
dusty_	jmedina, hrm how do i fix this then ?	18:29
dusty_	jmedina, its reporting the incorrect ip ?	18:30
sommer	!servergui	18:30
ubottu	Ubuntu server does not install a desktop environment or X11 by default in order to enhance security, efficiency and performance. !eBox provides a GUI system management option via a web interface. See https://help.ubuntu.com/community/ServerGUI for more background and options.	18:30
sommer	edmoore: ^^^ that link has instructions	18:30
jmedina	dusty_: why do you have two A recorsd for ns2?	18:30
dusty_	round robin	18:31
edmoore	sommer, many thanks	18:31
dusty_	and that machine has two ips so i thought i would make use of them (it doesn't harm things does it )	18:31
sommer	edmoore: np	18:31
edmoore	sounds like they don't like it	18:33
dusty_	jmedina, what about the wrong ips for the nameservers i cant see how that can be ?	18:34
edmoore	most of the guides I've found on sharing my ethernet over wifi seem to assume I have a desktop environment, and I'm sufficiently green at this that i don't know how to do it just with cli	18:34
jmedina	dusty_: i check it, but probably is getting confues because your round robin	18:34
dusty_	ah	18:34
jmedina	I dont see why the need, maybe for another host but for a NS record,	18:34
dusty_	ok ill kill it for now	18:35
jmedina	you better configure ns3 :)	18:35
jmedina	dusty_: you should change your SOA time record	18:35
dusty_	what ya mean ?	18:35
jmedina	the SOA retry,, refresh, expire values	18:36
jmedina	http://verde.e-compugraf.com/jm-confs/bind9/db.ejemplo.com.zone-SIMPLE.txt	18:36
dusty_	dusty@delerious:~$ host ns2.stoned-hacker.co.uk	18:36
dusty_	ns2.stoned-hacker.co.uk has address 78.129.229.42	18:36
dusty_	dusty@delerious:~$	18:36
jmedina	that template pass all the checks and works good	18:36
dusty_	i removed it, looks like its just reading a cached entry	18:36
Mez	dusty_, 2 IPs for an NS?	18:36
jmedina	Mez: that is what intodns says...	18:36
jmedina	:P	18:36
jmedina	so do I	18:36
Mez	that's not supported in the root servers is it ?	18:37
dusty_	jmedina, what is wrong with the times i have ?	18:37
jmedina	they are to small	18:37
dusty_	jmazaredo, ok i fixed a couple things: http://www.intodns.com/stoned-hacker.co.uk	18:37
dusty_	see :)	18:37
dusty_	just got the other issues to fix now	18:38
jmedina	dusty_: there is no need to use a RETRY value to small, why send retry each minute?	18:38
jmedina	when the server is up is up, and more retrys wont put it up	18:39
Mez	last time I ran a check like that jmedina, it moaned at me cause it couldn't handle the fact I had/have 6 nameservers	18:39
jmedina	mez, well you are not normal	18:40
Mez	http://www.intodns.com/sourceguru.net	18:40
jmedina	for a simple setup it works good, afaik intodns is free, so you can contribute and make it work with 6 nameservers	18:41
Mez	jmedina, it wasnt intodns that moaned	18:41
Mez	it was something else	18:41
Mez	though it did just flag up something I should check	18:42
jmedina	good	18:42
jmedina	ìntodns is good not too descriptive as dns reports but works fine, I remember dnsreorts tells you why the retry value is considerd bad, and gives you the reference to RFCs	18:43
Mez	it flagged up bullshit about it not having glue :(	18:43
Fenix\|work	Greetings... quick question... any particular reason as to why these four packages are being kept back when doing an upgrade? bind9-host dnsutils libbind9-30 libisccfg30	18:43
Mez	!ohmy \| Mez	18:44
ubottu	Mez, please see my private message	18:44
Mez	Fenix\|work, packages are kept back when the introduce new packages, or remove packages	18:44
Mez	do a	18:44
Mez	sudo apt-get dist-upgrade	18:44
jmedina	or you can install them by hand	18:45
jmedina	yum install	18:45
jmedina	:O	18:45
jmedina	damn	18:45
jmedina	aptitude install bind9-host	18:45
Fenix\|work	packages are kept back when they introduce new packages?	18:45
Fenix\|work	(or remove packages)	18:45
Mez	Fenix\|work, yeah...	18:45
Fenix\|work	any idea on how to discover which packages they introduce or remove?	18:46
Mez	Fenix\|work, sudo apt-get -s dist-upgrade	18:46
Fenix\|work	libdns35 is new	18:46
Fenix\|work	okie dokie, thanks for the info	18:47
Mez	Fenix\|work, yeah, that'll be the new libversion for the fix	18:47
Mez	np, glad to help Fenix\|work	18:47
Fenix\|work	ok... back to overhauling some PHP code...	18:48
Fenix\|work	hey Mez, you over in ##php?	18:48
Mez	yep	18:48
Fenix\|work	Mez, ok, I'll bug ya there	18:49
dusty_	jmedina, what do you think now of the new soa times, that ok ?	19:07
dusty_	http://www.intodns.com/stoned-hacker.co.uk	19:07
jmedina	dusty_: I always use http://verde.e-compugraf.com/jm-confs/bind9/db.ejemplo.com.zone-EXTENDIDA.txt	19:08
dusty_	thats what i used	19:08
dusty_	by the way, what does this mean : Different autonomous systems WARNING: Single point of failure	19:08
jmedina	because probably your nameservers are in the same location	19:08
jmedina	same link, same power	19:09
dusty_	jmedina, also the last blue icon on the output of intodns.com what does that mean, about the www record, why is that bad?	19:09
jmedina	there is a single point of failure	19:09
dusty_	what about the www record ?	19:10
jmedina	dusty_: it is not bad	19:10
jmedina	it justs informative	19:10
dusty_	thanks	19:11
dusty_	thanks very very much for the help	19:11
jmedina	dusty_: good	19:13
Mez	SPoF==bad	19:23
dusty_	Oh yeah, before I go any last suggestions/advice ? (i'm lookin into the rate limiting of connections to ssh, change default port, fail2ban/denyhosts), checked dns config ?	19:24
Mez	dusty_, "rate limiting"?	19:26
uvirtbot`	New bug: #257667 in openldap (main) "wrong permissions to access ldapi" [Undecided,New] https://launchpad.net/bugs/257667	19:26
Mez	dusty_, f2b works well for what you're on about... and changing the default port	19:26
Mez	if you REALLY wanna be uber though - look into port knocking	19:26
dusty_	Yeah i've seen that, its not practical, as I access the server from many places and I sometime access it from window environment, with no permission to install software (Work) so i wouldn't be able to install the software required to send the special packet to open to port.	19:28
jmedina	what about a PHPSHELL? jeje just kidding	19:30
kirkland	kees: ping	19:35
Fenix\|work	Where do I find the mysql error logs? /var/log/messages?	19:43
jmedina	mysql.err	19:44
jmedina	/varlog/mysql.err	19:44
Fenix\|work	/var/log/mysql.err is empty	19:44
jmedina	then mysqld is not configured to log	19:44
Fenix\|work	yet mysql won't start	19:44
jmedina	where you got more info	19:45
jmedina	http://dev.mysql.com/doc/refman/5.0/en/log-files.html	19:45
jmedina	mmm	19:45
jmedina	why dont you start it by hand?	19:45
Fenix\|work	ok, I rebooted and it started	19:45
poningru	...	19:45
poningru	Fenix\|work, /etc/init.d/mysqld restart	19:45
poningru	in linux you dont reboot	19:46
jmedina	only when compiz crash your system	19:46
jmedina	;P	19:46
Fenix\|work	poningru, I'd love to say something derogatory and somewhat funny but I'll refrain :)	19:46
poningru	in soviet russia linux reboots you?	19:46
Fenix\|work	/etc/init.d /mysql restart didn't work at all, kept dying... hence the reboot trick which incidentally worked.	19:46
poningru	wtf weird	19:47
poningru	what did it say?	19:47
poningru	it should have said why it was dying	19:47
Fenix\|work	besides fail, nothing	19:47
Fenix\|work	I was getting a kernel message about mysqld.sock ... but nothing from mysql	19:48
poningru	what did that say?	19:49
poningru	was there a socket creation error?	19:49
Fenix\|work	poningru, kernel: [1053396.176660] audit(1218651725.013:10): type=1503 operation="inode_mknod" requested_mask="w::" denied_mask="w::" name="/var/chroot/var/run/mysqld/mysqld.sock" pid=8013 profile="/usr/sbin/mysqld" namespace="default"	19:50
poningru	huh that is odd	19:50
jmedina	Fenix\|work: apparmor running?	19:51
jmedina	or selinux?	19:51
jmedina	Fenix\|work: did you chrooted mysqld by hand?	19:52
Fenix\|work	I'm chrooting my entire apache environment and I did it by hand	19:52
jmedina	what about selinux/apparmor	19:53
Fenix\|work	neither	19:53
jmedina	mmm	19:53
Fenix\|work	Hmmm... if I connect using the loopback address I can eliminate the need to have the socket available through the jail root	19:55
Fenix\|work	that saves a headache	19:56
jmedina	yeap that is much better	19:58
jmedina	and my.cnf by default binds to 127.0.0.1	19:58
uvirtbot`	New bug: #257682 in bind9 (main) "dig compiled without -DDIG_SIGCHASE!" [Undecided,New] https://launchpad.net/bugs/257682	20:07
dusty_	hey jmedina http://rafb.net/p/FucSMY32.html what do you think about those ?	20:48
* sommer wants a stock ticker displayed when logging into servers... heeeh		20:55
dusty_	anyone good with iptables ?	21:00
dusty_	Could you check out: http://rafb.net/p/FucSMY32.html and give me opinions/comments/advice ?	21:01
jmedina	I always put my OUTPUT to REJECT and INPUT	21:01
jmedina	and open only the ports I want to reach	21:02
jmedina	my policy is REJECTo DROP, and then the exceptions (rules) open ports I the server needs	21:02
dusty_	yeah i know that, what do you think to my ruleset though, specifically /	21:04
dusty_	?	21:04
dusty_	i only interested in 22 53	21:04
jmedina	I would open udp/53 only to your slave servers, or user allow-transfers { ip.slave.server}; in you zone definition	21:05
jmedina	I meant TCP/53	21:05
jmedina	udp open for any	21:06
_ruben	tcp/53 is also used for 'normal' dns stuff	21:08
_ruben	large answers will use tcp instead of udp	21:08
jmedina	_ruben: any reference for that?	21:09
dusty_	jmedina, i do have allow-transfers, but if i restrict port 53 udp to my slaves then queries wouldnt get through ?	21:11
_ruben	jmedina: nothing concrete from top of my head .. do have a book on dns/bind at work .. afaik any dns packet above a specific given type will be tcp instead of udp	21:12
=== PrivateVoid is now known as PV_Away
kirkland	kees: would you review/sponsor the patch attached to https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/257568 when you get a chance?	22:08
uvirtbot`	Launchpad bug 257568 in mdadm "degraded raid boot process should interactively prompt user before dropping to recovery shell" [Wishlist,In progress]	22:08
ScottK	kirkland: Don't forget Main is frozen until after the Alpha release (plus kees is at Debconf).	22:13
kirkland	ScottK: understood on both counts; however, kees has been helping/sponsoring these grub issues.	22:15
ScottK	Right, just wanted to make sure you had reasonable expectations.	22:15
dusty_	http://rafb.net/p/61SvtD29.html Is that the correct way to log using iotables ?	23:20
jmedina	dusty_: yeap	23:22

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!