[00:01] <kees> kirkland: hurrm.  benc and pitti haven't added their updates to the grub bzr tree
[00:03] <kees> kirkland: or rather, slangasek didn't notice when committing your changes to bzr.  I'll go find him
[00:09] <kirkland> kees: okay
[00:09] <kirkland> kees: i am formally baffled/befuddled/bemused by developing on bzr vs. dsc
[00:10] <kirkland> rather, the inconsistencies among the two
[00:11] <kees> kirkland: yeah, it's a serious pain currently.
[00:11] <kirkland> kees: is http://people.ubuntu.com/~kirkland/grub/ what you were asking for, at least?
[00:11] <kirkland> kees: the changes file therein?
[00:12] <kees> kirkland: yeah, that's cool.
[00:13] <nxvl> zul: the evil now is libtool
[00:13] <nxvl> zul: not php
[00:13]  * nxvl checks infinity's debdiff
[00:13] <zul> not its evil
[00:14] <nxvl> heh, well yes, php is evil, but not as libtool
[00:20] <kirkland> kees: okay, I'm in a holding pattern then, until i receive further instruction from you or slangasek on what form they want you/he want(s) these changes in
[00:22] <kees> kirkland: yeah, basically, slangasek and I will clean up bzr and I'll upload the source.changes you put up.  sorry for this goofiness.
[00:22] <kirkland> kees: cool, thanks for the cleanup
[02:59] <HellMind> I need help to jail users, I tried the stupid guides but it isn't working, maybe you know something to do it in Ubuntu server, the best, easy and simple way
[03:16] <HellMind> I want to be a bot
[03:18] <p4_xxx> hi
[03:19] <p4_xxx> i have tried to ask Q here but seems nobody answer :-(
[03:25] <sommer> p4_xxx: what's your question?
[04:40] <ScottK> foolano: Since dovecot is the standard MDA for Ubuntu, I'm a bit surprised ebox went with courier.
[04:40] <ScottK> This will pose a problem for getting ebox-mail into Main.
[04:40] <ScottK> mathiaz: ^^
[04:40] <mathiaz> ScottK: correct - I think he is working on it
[04:41] <mathiaz> ScottK: but courier was supported before they moved to ubuntu as their base platform
[04:42] <ScottK> OK.
[04:42] <ScottK> mathiaz: Taking a quick look at this one package, I don't think I'd be excited to give them upload rights.
[04:43] <ScottK> It looks not so good from an FHS perspective and the maintainer scripts are not at all complete.
[04:53] <emgent> kirkland: ping.
[04:53] <kirkland> emgent: pong
[04:54] <ScottK> mathiaz: It's nowhere near ready for the archive.
[04:56] <HellMind> help me to jail users
[04:57] <HellMind> I need something like apt-get install jailpatch
[04:57] <HellMind> Y
[04:57] <HellMind> COol :D
[05:09] <mathiaz> ScottK: hm - could you send an email to foolano with your comments on the package ?
[05:10] <mathiaz> ScottK: It seems that it may require to get through the sponsoring queue.
[05:14] <ScottK> mathiaz: I'm not sure I know where to start.
[05:14] <ScottK> Docs still refer to postfix with VDA patch and it's all very scary.
[05:15] <ScottK> It's past midnight and I'm trying to relibtoolize courier.  My brain cells are all pretty used up.
[05:15] <mathiaz> ScottK: right - I see what you mean :)
[05:16] <mathiaz> ScottK: I'll point out your comments to foolano  - it may not be the best option to ask for ebox upload privilege for now
[05:16] <ScottK> That's what I'm thinking.
[05:17] <ScottK> mathiaz: For that one in particular, I'd suggest that the requirement be lamont is happy.
[05:25] <lamont> any sentence that includes the word "relibtoolize" is evidence that brain cells are getting burned up
[05:26] <lamont> or even "libtoolize" for that matter...
[05:26] <nxvl> lamont: try to build courier without relibtoolizing it
[05:27] <nxvl> (actually if you have a better solution please let me know)
[05:27] <lamont> nxvl: I assert that its using libtool is evidence that it'd be an uphill battle to have me maintain it
[05:29] <nxvl> :D
[05:29] <nxvl> it seems that i'm not the only one that hates libtool
[05:29] <nxvl> :D
[05:29] <nxvl> awesome
[05:32] <ScottK> nxvl: You may have been led astray, but let me look into it some more.
[05:41] <lukehasnoname> ScottK, your dry, constant, quasi-subtle stabs at LP amuse me.
[05:42] <ScottK> OK.  I didn't think I was being subtle.
[05:44] <lukehasnoname> It's subtle if the person reading doesn't already know you dislike it. I'm reading the response to the server team meeting.
[05:44] <nxvl> bed time
[05:44] <nxvl> read you tomorrow!
[05:47] <ScottK> OK.  Well it turned out to exist, it was just somewhat hidden.
[05:48] <ScottK> As it goes, Launchpad isn't so bad, but the fact that it's closed really makes it pretty much impossible for an outsider to contribute even ideas.
[05:48] <ScottK> Getting really outspoken and filing lots of bugs seems to have some effect.
[06:07] <ScottK> OK.  That wasn't it.  I'm going to bed.
[06:22] <p4_xxx> hi, I set up an Ubuntu server at home. I have 4 PCs that I want to store and share files on, but at the same time I want them to have their own private folder and one folder for shares. I read some data from a link and it worked, but it's just one folder everyone can see. I've been reading a lot on the Samba site but I got confused; I'm new to Linux and I would like to know if someone knows a site that explains the process easily. Thanks
[07:34] <kraut> moin
[07:46] <foolano> ScottK: we don't use the VDA patch anymore, unfortunately the doc you read was outdated
[07:47] <jmazaredo> I have a weird problem: I have a router where if I plug in my Ubuntu server it gives a problem on the network (intermittent connection)
[07:49] <jmazaredo> I formatted and reinstalled a fresh Ubuntu 5 times, on different hardware, different Ubuntu distributions (desktop/server)
[07:49] <jmazaredo> any known issue?
[07:49] <Deeps> dodgy hardware?
[07:50] <Deeps> network card / cable / switch
[07:50] <jmazaredo> I used several pieces of hardware
[07:50] <jmazaredo> all good
[07:50] <jmazaredo> 1 thing fixed it
[07:51] <jmazaredo> i installed a centos dist and also plugged it in
[07:51] <jmazaredo> all becomes stable.
[07:52] <jmazaredo> dunno how that happened
[08:01] <chmac> Can anyone recommend a slightly more powerful alternative to Firestarter? I want to configure iptables a little more carefully.
[08:02] <henkjan> chmac: try ufw
[08:02] <chmac> henkjan: Sweet, thanks, I'll check it out
[08:26] <ghaleb> hello, when I flush my iptables the firewall blocks everything
[08:27] <Deeps> ghaleb: iptables -nL |grep policy
[08:27] <ghaleb> Deeps, there are no rules
[08:28] <Deeps> ghaleb: no default policy either?
[08:28] <ghaleb> Chain INPUT (policy DROP)
[08:28] <Deeps> there you go, that's why
[08:29] <ghaleb> I see .. hmm
[08:29] <ghaleb> so when I flush the iptables .. the firewall drops everything else
[08:30] <Deeps> if you want to change the default policy, use the -P flag
[08:30] <Deeps> eg, iptables -P INPUT ACCEPT
[08:31] <ghaleb> great!
[08:31] <ghaleb> thank you very much
[08:32] <ghaleb> to save the config , iptables-save ?
[08:34] <Deeps> iptables-save will dump it to the screen, you'll want to redirect that to a file
[10:53] <dusty_> Hrm, I have a default drop-all-unless-I-allow-it iptables firewall, and I've just noticed that I can make connections to the mysql port, even though I don't allow that in my firewall (only allow 22, 53 and 80).  Can anyone see how mysql traffic can get through this: http://rafb.net/p/28mV0w88.html it doesn't make sense?
[10:53] <Ontolog> ubuntu-8.04.1-server-amd64.iso is the right distro for a Xeon 3065?
[10:56] <soren> Ontolog: I imagine so, yes.
[10:56] <thefish> whois [miles]
[10:56] <Ontolog> why is it called "amd"?
[10:57] <thefish> Ontolog: i reckon you want ia64
[10:57] <soren> dusty_: "iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT" seems like a good guess.
[10:57] <Ontolog> ia means intel arch?
[10:57] <soren> Ontolog: Hysterical raisins.
[10:57] <soren> thefish: ia64 is Itanium.
[10:58] <Ontolog> Xeon != Itanium?
[10:58]  * Ontolog is a hardware noob
[10:58] <thefish> dont reckon you want amd for intel
[10:58] <soren> dusty_: It's the third rule you apply. It's probably somewhat more promiscuous than you want :)
[10:58] <Ontolog> but that's what ubuntu.com gives me...
[10:58] <soren> thefish: Yes, he does.
[10:58] <thefish> ok
[10:59] <soren> amd64 is for x86_64, be it Intel or AMD.
[10:59] <dusty_> soren, hrm, what do you mean, that just allows new connections
[10:59] <soren> dusty_: Yes... Such as connections to your mysql database.
[10:59] <soren> dusty_: ...which is what you didn't want. correct?
[11:00] <dusty_> ahh yeah
[11:00] <dusty_> so
[11:00] <dusty_> that needs to be appended to the output chain not input
[11:00] <dusty_> ?
[11:00] <Ontolog> ok if I install the 64-bit version, how does that effect software installs?
[11:00] <soren> dusty_: I can't say "yes", but it's likely.
[11:01] <soren> dusty_: I don't know the policy for your network.
[11:01] <Ontolog> for example, if I want to download the Apache source and compile and install it, will I get any nasty surprises?
[11:01] <dusty_> ok let me try commenting it out and see if it makes a difference
[11:01] <soren> Ontolog: Probably.
[11:01] <soren> Ontolog: Why do you want to do that?
[11:02] <Ontolog> for my project we are using a custom build of apache
[11:02] <soren> What's custom about it?
[11:02] <dusty_> ahh sorry i just re-read it, im trying to figure out a way to log properly so i can run some log analysing software
[11:02] <dusty_> so i wanted to log all new traffic, blocked or unblocked
[11:02] <Ontolog> i know where you are going with this
[11:02] <Ontolog> no i don't want to use ubuntu's apache
[11:02] <soren> Ah. Then -j LOG rather than -j ACCEPT.
[11:03] <soren> Ontolog: Then I don't think I understand your question.
[11:03] <Ontolog> my question was about compiling and install things from source
[11:03] <soren> And I'm also interested in use cases that our apache packages do not serve.
[11:03] <Ontolog> well
[11:03] <Ontolog> in my case, while i love ubuntu, i don't want my project tied to it
[11:03] <soren> Ontolog: Could you please state it as an actual question?
[11:03] <dusty_> soren, so just these two rules then : http://rafb.net/p/AgBp1388.html
[11:03] <Ontolog> all the things directly related to my project are installed under /usr/local from tarballs
[11:04] <soren> dusty_: You misspelled ACCEPT.
[11:05] <dusty_> yes sorry i didn't need that rule anyways, just the bottom one
[11:05] <soren> Ontolog: Well, as long as you're prepared to handle the problems inherent in compiling stuff yourself, there's nothing in particular that should make it more difficult to do so under Ubuntu. In fact, I'd bet it's easier than on most other distros.
[11:06] <soren> dusty_: Yeah, the last one looks about right (if I understand its purpose correctly, of course).
[11:06] <Ontolog> thanks my question is not so much about compiling and install from source under ubuntu, i am already doing that, just about the 64-bit OS being a factor
[11:07] <soren> Ontolog: I see. That was not very obvious :)
[11:07] <dusty_> soren, log all new connections
[11:07] <soren> Ontolog: 64-bit Linux installations are so commonplace these days, I wouldn't foresee any problems at all.
[11:07] <Ontolog> so i can run 32-bit binaries on them?
[11:07] <soren> Ontolog: In fact, *all* my systems are 64 bit ones, and I'm perfectly happy with that.
[11:07] <soren> Ontolog: Yes.
[11:08] <soren> Ontolog: Let me qualify that a bit, though:
[11:08] <soren> The kernel and CPU will allow you to do so. However, 32 bit applications need 32 bit supporting libraries.
[11:09] <soren> Ubuntu provides quite a few 32-bit libraries on 64 bit installations, so it might not be a huge problem, but our Apaches are 64-bit ones, when on 64 bit installations.
[11:10] <soren> ..so we haven't tested (and are not going to, since it's silly) 32 bit Apache on 64 bit Ubuntu.
[11:13] <soren> Ontolog: Still, I'd very much like to know why our Apache does not serve you.
[12:41] <ScottK> foolano: The doc I read was the one in the package that according to the minutes you're looking to get sponsored.
[12:44] <foolano> ScottK: that doc was outdated. we dropped the support for VDA a few months ago. Actually, when I was told by you that there was no way we would package postfix with that patch. I didn't sync the install doc at the time. I've just changed it to avoid problems.
[12:45] <ScottK> foolano: OK.
[12:45] <foolano> ScottK: I'm also interested in hearing the packages issues in order to fix them asap
[12:45] <foolano> s/packages/packaging
[12:46] <foolano> ScottK: with the FHS issues maybe you were pointing out the /usr/share/ebox/migration stuff?
[12:47] <ScottK> IIRC the thing that initially surprised me was having your config stuff not in /etc, but I only got about 3 hours sleep last night, so I'm sure I'm not entirely coherent today.
[12:48] <ScottK> foolano: One thing I remember is that it didn't appear that removing with purge actually removed your conffiles.
[12:50] <foolano> ScottK: configuration is stored in gconf, so when the package is removed debhelper takes care of removing the gconf schemas
[12:50] <ScottK> OK.
[12:52] <foolano> ScottK: i gotta go home now, if you fancy talking about this a bit later or when you get some rest it would be nice
[13:00] <foolano> see you later
[13:13]  * ScottK wonders about the suitability of gconf for server apps.
[13:27] <Syntux> Good day, Which control panel would you guys recommend for Ubuntu server ? 8.04
[13:57] <ScottK> Personally I like vim.
[13:57] <jpds> vim FTW.
[13:58] <ScottK> kirkland: While asking the user what they want to do when booting degraded makes sense on the desktop, I think it's not very satisfactory for servers.
[13:58] <kirkland> ScottK: why is that?
[13:59] <ScottK> Because usually when you reboot a server there's no one looking at any u/i.
[14:00] <kirkland> ScottK: understood...  but if we don't have this prompt, it simply drops you to a busybox prompt
[14:00] <kirkland> which is no better, or worse, IMHO
[14:01] <ScottK> Right.  I just don't want to preclude the ability to automatically boot degraded is that's how the sysadmin has configured it.
[14:01] <ScottK> is/if
[14:01] <kirkland> this patch does not preclude that
[14:02] <kirkland> ScottK: first, BOOT_DEGRADE is read from an /etc configuration file
[14:02] <ScottK> kirkland: OK.  That's fine then.
[14:02] <kirkland> ScottK: that can then be overridden or specified on the kernel boot parameters
[14:02] <ScottK> It just sounded to me like he was proposing that instead of boot degraded.
[14:02] <kirkland> ScottK: i didn't read it that way
[14:03] <ScottK> Fair enough.
[14:26] <cokegen> hi, I'm running a command with cron but it launches an exim process each time it runs. What do I need to configure to prevent that? (debian box)
[14:35] <ScottK> cokegen: Probably a question that should be asked on a Debian channel then.
[14:38] <thefish> cokegen: i think you can change the MAILTO directive
[14:38] <thefish> maybe to like /dev/null, not 100% sure
[14:38] <thefish> but it will try and email each time a cron job is run
[14:43] <thefish> i need a remote server to open an openvpn tun and reopen it if it's dropped, any suggestions? want it to start on boot. it's so i can always reach it even behind firewalls etc
[14:45] <_ruben> openvpn has autoreconnect functionality
[14:51] <thefish> _ruben: cool ill look that up
[14:51] <thefish> and start it with a rc.x?
[14:52] <cokegen> ScottK: I will ...
[14:52] <_ruben> the openvpn debian/ubuntu package has a proper /etc/init.d/ script
[14:52] <cokegen> thefish: MAILTO directive where ?
[14:53] <gegema> I am currently mounting a network share using "mount -t cifs -o username=foo,password=bar /mnt" >> I want to add this entry to my fstab, which tab would the username and password belong to?
[14:54] <gegema> currently I have gotten as far as "//network/share    /mountpt       cifs      "
[15:07] <thefish> cokegen: in your crontab
[15:08] <thefish> gegema: my guess is col4 with the options
[15:18] <sylfire> lo all. anyone here using a xen server? having some issues setting it up, bridged networking
[15:18] <trakinas> hello all! need some help with cronjob. I created one with root, but it is not being executed.
[15:19] <sylfire> trakinas: is your cron service running?
[15:19] <trakinas> sylfire: almost sure it is, but anyways, how can I check?
[15:20] <sylfire> /etc/init.d/anacron restart, if you're using anacron
[15:21] <sylfire> no wait, just checked, mine here on a box says cron, so just /etc/init.d/cron restart
[15:22] <trakinas> sylfire: * Restarting periodic command scheduler crond                           [ OK ]
[15:22] <trakinas> so, it was running
[15:22] <sylfire> do you have the format of your cronjob correct?
[15:23] <trakinas> i think so. I will pastebin.
[15:24] <trakinas> sylfire: http://pastebin.us/?show=d3d16bc5d
[15:25] <sylfire> checking
[15:26] <sylfire> try converging the output before you say which logfile to write to
[15:29] <trakinas> I don't have a sendmail running and I don't intend to configure one (I'm leaving this place), so I thought about sending them to /dev/null. But I guess you are talking about the log only.
[15:31] <sylfire> yes, I'm referring to the devnull. Just noted it as "logpath" in my mind, didn't consider the value
[15:31] <trakinas> hmmm... so, leave it there or should I properly configure one?
[15:32] <sylfire> make it > /dev/null 2>&1
[15:34] <trakinas> like this? http://pastebin.us/?show=m625f672d
[15:35] <sylfire> /root/mondo-backup.sh > /dev/null 2>&1
[15:42] <trakinas> thank you
[16:27] <Quest_> any replacement for "knemo"? it shows a live network traffic chart/graph ...
[16:30] <Quest_> any replacement for "knemo"? it shows a "live" network traffic "gui" chart/graph ...
[16:46] <uvirtbot`> New bug: #257625 in dovecot (main) "Upgrade to Intrepid : Unknown setting: user_global_uid" [Undecided,New] https://launchpad.net/bugs/257625
[16:52] <jimcooncat> hi. I'd like a guide or dead-tree book on managing user preferences: establishing sane defaults in /etc/skel, applying a preference to an existing user, migrating between machines, etc.
[16:56] <jmedina> jimcooncat: what you mean with «applying a preference»?
[16:58] <jimcooncat> jmedina: let's say I want to remove ipv6 stuff from all my users firefox profiles. Maybe this is a bad example.
[16:58] <jimcooncat> jmedina: or set default font in gedit for an existing user
[16:59] <jimcooncat> I'm really looking for an administrators guide that goes deeper than "how to add or delete a user"
[17:00] <jmedina> well, that depends on the desktop environment
[17:01] <jmedina> not really in the user account
[17:01] <jmedina> there is a kiosk thing for KDE, you can do stuff like that
[17:01] <jmedina> but I don't know for gnome, I have not used it for about 4 years
[17:03] <jimcooncat> thanks jmedina. I think there's a gnome equivalent in Hardy, and I'll check it out once I get it installed in a couple of machines.
[17:04] <kraut> how do I start the nm-applet?
[17:04] <jmedina> jimcooncat: maybe that can help you, and yep, I remember a few months ago about that feature in gutsy or something
[17:16] <jmedina> jimcooncat: check this out, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/desktop-guide/s1-ddg-lockdown-other-kiosk-configs.html
[17:16] <jmedina> there is a lot of information about kiosks in gnome
[17:18] <jimcooncat> that's really good jmedina. thanks
[17:19] <jmedina> you are welcome,
[17:22] <jimcooncat> I found sabayon stuff on gnome website, and policykit. I think I can run with it now.
[17:42] <dusty_> Hey guys I am trying to make a firewall like so: default deny all unless i specifically allow it.  I allow ssh and DNS (as it's a nameserver). Everything else gets dropped; how can i log the 'everything else' that gets dropped? my ruleset so far is: http://rafb.net/p/AhSDIF36.html i know i use -j LOG but do i do it on the policy lines, or how would i achieve this?
[17:43] <ScottK> Did you try ufw?  It might be easier to configure that way.
[17:43] <dusty_> ufw ?
[17:43] <dusty_> No I have not tried that.
[17:43] <ScottK> uncomplicate fire wall.
[17:44] <dusty_> I rather just use plain ole iptables
[17:44] <ScottK> uncomplicated.
[17:44] <dusty_> as I only need one rule to log everything that gets dropped
[17:44] <dusty_> im just not sure how to do it
[17:44] <jmedina> ScottK: so is there an option for ufw to do that?
[17:44] <jmedina> never used ufw, but with shorewall it is an easy task
[17:45] <ScottK> I'm not sure exactly.  If one is uncertain with iptables scripts directly, then it's worth looking into.
[17:45] <jmedina> with shorewall I specify my policy for example traffic from the internet to the firewall
[17:46] <jmedina> net    fw     REJECT    LOG
[17:47] <jmedina> what I see with ufw is that there is no way to filter based on the source and destination
[17:47] <jmedina> they assume all the traffic is coming from the internet
[17:47] <jmedina> that is where it is complicated :P
[17:47] <jmedina> maybe it is worth it for single-interface firewalls, or user firewalls
[17:48] <foolano> dusty_: as your rules are pretty simple, add a "-j LOG" rule at the end of each chain
[17:49] <dusty_> foolano, like iptables -A INPUT -j LOG
[17:49] <dusty_> iptables -A OUTPUT -j LOG
[17:49] <dusty_> and same for forward ?
[17:50] <foolano> dusty_: yep, like that. Just make sure you add them at the end of the chain
[17:50] <dusty_> what do you mean at the end of the chain ?
[17:50] <foolano> if a packet reaches the LOG rule it will be logged, and after that it will be rejected by your chain policy
[17:50] <dusty_> what ?
[17:51] <foolano> dusty_: run iptables -L
[17:51] <foolano> and you see how your rules are added to the chains
[17:52] <dusty_> ah
[17:52] <dusty_> sweet, thank you for your help.
[17:52] <foolano> np
[17:55] <dusty_> one curious question though, I can nmap my server using the -PN option and it replies with the correct open ports, how can i stop this?
[17:55] <jmedina> dusty_: could you show us the output of nmap?
[17:55] <dusty_> ofcourse
[17:55] <dusty_> http://rafb.net/p/Huc0qU17.html
[17:56] <foolano> well, that's correct
[17:56] <foolano> you are allowing access to those ports
[17:56] <dusty_> hrm
[17:56] <dusty_> is there a way to filter this ?
[17:56] <dusty_> or is there a way to foil scanners ?
[17:56] <foolano> ehh no
[17:56] <_ruben> opened ports are, well, open ...
[17:56] <dusty_> heh ok
[17:59] <dusty_> one last question, is there anything i can do to improve on the script (my firewall one) for added security, bearing in mind that the server is just a nameserver with 53/22 open
[17:59] <dusty_> ?
[18:00] <jmedina> dusty, you better improve security on your name and ssh server
[18:00] <jmedina> this kind of firewall only filters traffic based on IPs and ports, and possibly other TCP/IP flags, but doesn't filter malicious packets or attacks specific to your applications
[18:01] <jmedina> you can use fail2ban to protect against dictionary attacks on ssh
[18:01] <jmedina> use public key authentication
[18:01] <ScottK> As an example, you can rate limit ssh to a few connections per minute (or use fail2ban)
[18:02] <dusty_> Yeah i'm looking into fail2ban, so this iptables script is pretty pointless then ?
[18:03] <jmedina> sad but true
[18:03] <jimcooncat> port knocking I hear is fun in these situations
[18:03] <jmedina> that firewall won't protect you against spoof attacks, for example
[18:04] <jmedina> I prefer to change the port for ssh
[18:04] <jmedina> :P and use only public key auth
[18:04] <dusty_> yeah
[18:04] <dusty_> thats what i am doing public key auth
[18:04] <dusty_> i may change the port too
[18:04] <jmedina> all these robots scanning only use tcp/22 as target
[18:04] <dusty_> what kind of attacks can iptables stop then that i can research
[18:04] <jmedina> dusty_: but then disable password auth
[18:05] <dusty_> passwd auth is disabled
[18:05] <jmedina> that is good
[18:05] <jmedina> dusty_: check your dns for open relay
[18:06] <foolano> are you guys having problems filing bugs in launchpad? i'm getting timeout errors all the time
[18:06] <jmedina> you can test your dns with http://intodns.com a free and open-source-based dnsreport replacement
[18:06] <jimcooncat> jmedina: that's what I'm doing. dusty_, changing the port may help a lot for kiddies that are just looking for any open machine. Not if they're targeting YOU, though
[18:07] <jmedina> jimcooncat: yep, that's when fail2ban enters
[18:11] <foolano> hey mathiaz, i'm testing the latest slapd and I think I've found an issue with the permissions of /var/run/slapd
[18:12] <dusty_> jmedina, how can i check if its an open relay /
[18:12] <dusty_> ?
[18:12] <jmedina> dusty_: intodns can tell you
[18:13] <jmedina> scroll up
[18:14] <dusty_> what?
[18:14] <jmedina> that page
[18:14] <jmedina> http://intodns.com
[18:14] <dusty_> ah sorry
[18:14] <jmedina> you can test your domain, and one of the tests is checking whether your dns server is an open relay
[18:17] <dusty_> wtf
[18:17] <dusty_> jmedina, check this out: http://www.intodns.com/stoned-hacker.co.uk
[18:17] <dusty_> it says the glue records are wrong, it says my registrar reports one ip and the nameserver another, that's incorrect. i just checked at the registrar and the glue records are fine?
[18:17] <mathiaz> foolano: what's the issue ?
[18:17] <trakinas> foolano: i liked your nick. haha!
[18:18] <dusty_> For ns1.stoned-hacker.co.uk the parent reported: ['78.129.229.42'] and your nameservers reported: ['78.129.229.25']
[18:18] <dusty_> thats intodns
[18:18] <dusty_> my registrar:
[18:18] <dusty_> is .25 for the ip
[18:19] <dusty_> jmedina, im confused and a little worried over this  ?
[18:19] <dusty_> ns1.stoned-hacker.co.uk has 78.129.229.25 on my registrar
[18:19] <dusty_> where does that site get that info?
[18:20] <jmedina> directly from the root servers and your own server
[18:20] <foolano> mathiaz: the ldapi socket, that's the unix socket where slapd can listen on. It's usually within /var/run/slapd. There's even a link from /var/run/ldapi to /var/run/slapd/ldapi. /var/run/slapd doesn't have the right permissions to allow anyone to connect to the socket.
[18:22] <mathiaz> foolano: https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/114438 ?
[18:22] <uvirtbot`> Launchpad bug 114438 in openldap2.2 "Permissions for ldapi:// socket are too restrictive" [Undecided,Fix released]
[18:23] <mathiaz> foolano: that's supposed to be fixed now
[18:23] <foolano> mathiaz: nope, that's not the same. that bug is related to the file itself. This problem is with the directory permissions
[18:24] <foolano> mathiaz: i experienced this issue a couple of days ago. the automatic tests of eBox in intrepid failed. I thought it was just for the new backend but this was a problem too. Unless i'm missing something
[18:25] <mathiaz> foolano: ok - could you file a bug ?
[18:25] <mathiaz> foolano: I'll get it fixed later, but the archive is frozen for now as we're preparing for alpha4
[18:25] <foolano> mathiaz: i'm trying :) but it seems lp is a bit busy :)
[18:25]  * jmedina remembers foolano is having troubles filing bugs..
[18:26] <sommer> mathiaz: hello, I also noticed a small issue with "sudo dpkg-reconfigure slapd", if the /etc/ldap/slapd.d directory is already there the reconfigure doesn't work
[18:27] <foolano> yep
[18:27] <foolano> that's the next thing i was going to tell you :)
[18:27] <sommer> foolano: :-)
[18:29] <edmoore> hi - I'm running server currently without any flavour of gui. Is it as simple as sudo apt-get install ubuntu-desktop?
[18:29] <dusty_> jmedina, hrm how do i fix this then ?
[18:30] <dusty_> jmedina, its reporting the incorrect ip ?
[18:30] <sommer> !servergui
[18:30] <sommer> edmoore: ^^^ that link has instructions
[18:30] <jmedina> dusty_: why do you have two A records for ns2?
[18:31] <dusty_> round robin
[18:31] <edmoore> sommer, many thanks
[18:31] <dusty_> and that machine has two ips so i thought i would make use of them (it doesn't harm things does it )
[18:31] <sommer> edmoore: np
[18:33] <edmoore> sounds like they don't like it
[18:34] <dusty_> jmedina, what about the wrong IPs for the nameservers? i can't see how that can be
[18:34] <edmoore> most of the guides I've found on sharing my ethernet over wifi seem to assume I have a desktop environment, and I'm sufficiently green at this that i don't know how to do it just with cli
[18:34] <jmedina> dusty_: I checked it, but it probably is getting confused because of your round robin
[18:34] <dusty_> ah
[18:34] <jmedina> I don't see why the need, maybe for another host, but for a NS record,
[18:35] <dusty_> ok ill kill it for now
[18:35] <jmedina> you better configure ns3 :)
[18:35] <jmedina> dusty_: you should change your SOA time record
[18:35] <dusty_> what ya mean ?
[18:36] <jmedina> the SOA retry, refresh, expire values
[18:36] <jmedina> http://verde.e-compugraf.com/jm-confs/bind9/db.ejemplo.com.zone-SIMPLE.txt
[18:36] <dusty_> dusty@delerious:~$ host ns2.stoned-hacker.co.uk
[18:36] <dusty_> ns2.stoned-hacker.co.uk has address 78.129.229.42
[18:36] <dusty_> dusty@delerious:~$
[18:36] <jmedina> that template passes all the checks and works well
[18:36] <dusty_> i removed it, looks like it's just reading a cached entry
[18:36] <Mez> dusty_, 2 IPs for an NS?
[18:36] <jmedina> Mez: that is what intodns says...
[18:36] <jmedina> :P
[18:36] <jmedina> so do I
[18:37] <Mez> that's not supported in the root servers is it ?
[18:37] <dusty_> jmedina, what is wrong with the times i have ?
[18:37] <jmedina> they are too small
[18:37] <dusty_> jmazaredo, ok i fixed a couple things: http://www.intodns.com/stoned-hacker.co.uk
[18:37] <dusty_> see :)
[18:38] <dusty_> just got the other issues to fix now
[18:38] <jmedina> dusty_: there is no need to use a RETRY value that small, why send a retry each minute?
[18:39] <jmedina> when the server is up it's up, and more retries won't put it up
[18:39] <Mez> last time I ran a check like that jmedina, it moaned at me cause it couldn't handle the fact I had/have 6 nameservers
[18:40] <jmedina> mez, well you are not normal
[18:40] <Mez> http://www.intodns.com/sourceguru.net
[18:41] <jmedina> for a simple setup it works well, afaik intodns is free, so you can contribute and make it work with 6 nameservers
[18:41] <Mez> jmedina, it wasnt intodns that moaned
[18:41] <Mez> it was something else
[18:42] <Mez> though it did just flag up something I should check
[18:42] <jmedina> good
[18:43] <jmedina> intodns is good, not as descriptive as dnsreport, but works fine; I remember dnsreport tells you why the retry value is considered bad, and gives you the reference to the RFCs
[18:43] <Mez> it flagged up bullshit about it not having glue :(
[18:43] <Fenix|work> Greetings... quick question... any particular reason as to why these four packages are being kept back when doing an upgrade?         bind9-host dnsutils libbind9-30 libisccfg30
[18:44] <Mez> !ohmy | Mez
[18:44] <Mez> Fenix|work, packages are kept back when they introduce new packages, or remove packages
[18:44] <Mez> do a
[18:44] <Mez> sudo apt-get dist-upgrade
[18:45] <jmedina> or you can install them by hand
[18:45] <jmedina> yum install
[18:45] <jmedina> :O
[18:45] <jmedina> damn
[18:45] <jmedina> aptitude install bind9-host
[18:45] <Fenix|work> packages are kept back when they introduce new packages?
[18:45] <Fenix|work> (or remove packages)
[18:45] <Mez> Fenix|work, yeah...
[18:46] <Fenix|work> any idea on how to discover which packages they introduce or remove?
[18:46] <Mez> Fenix|work, sudo apt-get -s dist-upgrade
[18:46] <Fenix|work> libdns35 is new
[18:47] <Fenix|work> okie dokie, thanks for the info
[18:47] <Mez> Fenix|work, yeah, that'll be the new libversion for the fix
[18:47] <Mez> np, glad to help Fenix|work
[18:48] <Fenix|work> ok... back to overhauling some PHP code...
[18:48] <Fenix|work> hey Mez, you over in ##php?
[18:48] <Mez> yep
[18:49] <Fenix|work> Mez, ok, I'll bug ya there
[19:07] <dusty_> jmedina, what do you think now of the new soa times, that ok ?
[19:07] <dusty_> http://www.intodns.com/stoned-hacker.co.uk
[19:08] <jmedina> dusty_: I always use http://verde.e-compugraf.com/jm-confs/bind9/db.ejemplo.com.zone-EXTENDIDA.txt
[19:08] <dusty_> thats what i used
[19:08] <dusty_> by the way, what does this mean : Different autonomous systems WARNING: Single point of failure
[19:08] <jmedina> because probably your nameservers are in the same location
[19:09] <jmedina> same link, same power
[19:09] <dusty_> jmedina, also the last blue icon on the output of intodns.com what does that mean, about the www record, why is that bad?
[19:09] <jmedina> there is a single point of failure
[19:10] <dusty_> what about the www record ?
[19:10] <jmedina> dusty_: it is not bad
[19:10] <jmedina> it's just informative
[19:11] <dusty_> thanks
[19:11] <dusty_> thanks very very much for the help
[19:13] <jmedina> dusty_: good
[19:23] <Mez> SPoF==bad
[19:24] <dusty_> Oh yeah, before I go any last suggestions/advice ? (I'm looking into the rate limiting of connections to ssh, change default port, fail2ban/denyhosts), checked dns config ?
[19:26] <Mez> dusty_, "rate limiting"?
[19:26] <uvirtbot`> New bug: #257667 in openldap (main) "wrong permissions to access ldapi" [Undecided,New] https://launchpad.net/bugs/257667
[19:26] <Mez> dusty_, f2b works well for what you're on about... and changing the default port
[19:26] <Mez> if you REALLY wanna be uber though - look into port knocking
[19:28] <dusty_> Yeah I've seen that, it's not practical, as I access the server from many places and I sometimes access it from a Windows environment, with no permission to install software (work) so I wouldn't be able to install the software required to send the special packet to open the port.
[19:30] <jmedina> what about a PHPSHELL? jeje just kidding
[19:35] <kirkland> kees: ping
[19:43] <Fenix|work> Where do I find the mysql error logs?  /var/log/messages?
[19:44] <jmedina> mysql.err
[19:44] <jmedina> /var/log/mysql.err
[19:44] <Fenix|work> /var/log/mysql.err is empty
[19:44] <jmedina> then mysqld is not configured to log
[19:44] <Fenix|work> yet mysql won't start
[19:45] <jmedina> where you got more info
[19:45] <jmedina> http://dev.mysql.com/doc/refman/5.0/en/log-files.html
[19:45] <jmedina> mmm
[19:45] <jmedina> why don't you start it by hand?
[19:45] <Fenix|work> ok, I rebooted and it started
[19:45] <poningru> ...
[19:45] <poningru> Fenix|work, /etc/init.d/mysqld restart
[19:46] <poningru> in Linux you don't reboot
[19:46] <jmedina> only when compiz crash your system
[19:46] <jmedina> ;P
[19:46] <Fenix|work> poningru, I'd love to say something derogatory and somewhat funny but I'll refrain :)
[19:46] <poningru> in soviet russia linux reboots you?
[19:46] <Fenix|work> /etc/init.d/mysql restart didn't work at all, kept dying... hence the reboot trick which incidentally worked.
[19:47] <poningru> wtf weird
[19:47] <poningru> what did it say?
[19:47] <poningru> it should have said why it was dying
[19:47] <Fenix|work> besides fail, nothing
[19:48] <Fenix|work> I was getting a kernel message about mysqld.sock ... but nothing from mysql
[19:49] <poningru> what did that say?
[19:49] <poningru> was there a socket creation error?
[19:50] <Fenix|work> poningru,  kernel: [1053396.176660] audit(1218651725.013:10): type=1503 operation="inode_mknod" requested_mask="w::" denied_mask="w::" name="/var/chroot/var/run/mysqld/mysqld.sock" pid=8013 profile="/usr/sbin/mysqld" namespace="default"
[19:50] <poningru> huh that is odd
[19:51] <jmedina> Fenix|work: apparmor running?
[19:51] <jmedina> or selinux?
[19:52] <jmedina> Fenix|work: did you chroot mysqld by hand?
[19:52] <Fenix|work> I'm chrooting my entire apache environment and I did it by hand
[19:53] <jmedina> what about selinux/apparmor
[19:53] <Fenix|work> neither
[19:53] <jmedina> mmm
[19:55] <Fenix|work> Hmmm... if I connect using the loopback address I can eliminate the need to have the socket available through the jail root
[19:56] <Fenix|work> that saves a headache
[19:58] <jmedina> yeap that is much better
[19:58] <jmedina> and my.cnf by default binds to 127.0.0.1
[20:07] <uvirtbot`> New bug: #257682 in bind9 (main) "dig compiled without -DDIG_SIGCHASE!" [Undecided,New] https://launchpad.net/bugs/257682
[20:48] <dusty_> hey jmedina http://rafb.net/p/FucSMY32.html what do you think about those ?
[20:55]  * sommer wants a stock ticker displayed when logging into servers... heeeh
[21:00] <dusty_> anyone good with iptables ?
[21:01] <dusty_> Could you check out: http://rafb.net/p/FucSMY32.html and give me opinions/comments/advice ?
[21:01] <jmedina> I always put my OUTPUT to REJECT and INPUT
[21:02] <jmedina> and open only the ports I want to reach
[21:02] <jmedina> my policy is REJECT or DROP, and then the exceptions (rules) open the ports the server needs
[21:04] <dusty_> yeah i know that, what do you think to my ruleset though, specifically /
[21:04] <dusty_> ?
[21:04] <dusty_> I'm only interested in 22 and 53
[21:05] <jmedina> I would open udp/53 only to your slave servers, or use allow-transfers { ip.slave.server; }; in your zone definition
[21:05] <jmedina> I meant TCP/53
[21:06] <jmedina> udp open for any
[21:08] <_ruben> tcp/53 is also used for 'normal' dns stuff
[21:08] <_ruben> large answers will use tcp instead of udp
[21:09] <jmedina> _ruben: any reference for that?
[21:11] <dusty_> jmedina, I do have allow-transfers, but if I restrict port 53 udp to my slaves then queries wouldn't get through ?
[21:12] <_ruben> jmedina: nothing concrete from the top of my head .. do have a book on dns/bind at work .. afaik any dns packet above a specific given size will be tcp instead of udp
[22:08] <kirkland> kees: would you review/sponsor the patch attached to https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/257568 when you get a chance?
[22:08] <uvirtbot`> Launchpad bug 257568 in mdadm "degraded raid boot process should interactively prompt user before dropping to recovery shell" [Wishlist,In progress]
[22:13] <ScottK> kirkland: Don't forget Main is frozen until after the Alpha release (plus kees is at Debconf).
[22:15] <kirkland> ScottK: understood on both counts; however, kees has been helping/sponsoring these grub issues.
[22:15] <ScottK> Right, just wanted to make sure you had reasonable expectations.
[23:20] <dusty_> http://rafb.net/p/61SvtD29.html Is that the correct way to log using iptables ?
[23:22] <jmedina> dusty_: yeap