/srv/irclogs.ubuntu.com/2009/01/25/#ubuntu-server.txt

=== macd_ is now known as macd
[00:44] <pteague> is there any way i can fix the fact that i seem to keep getting error messages about stale nfs file handles?
[00:45] <uvirtbot> New bug: #320988 in samba (main) "error in libnss_wins.so causes NetBeans 6.5 to crash" [Undecided,New] https://launchpad.net/bugs/320988
[04:33] <Hellsheep> Hey
[04:34] <Hellsheep> How do i use the Samba file server?
[05:33] <methods> how do i install vim without adding gnome support etc... ?
[05:35] <rdw200169> methods, i think it's vim-nox package
[05:35] <rdw200169> methods, i.e. vim No X
[05:35] <methods> cool
[05:35] <rdw200169> methods, so it doesn't require ubuntu-desktop, etc...
[05:35] <methods> yea i was about to say....
[05:36] <methods> so basically instead of having diff repos etc.. they just have diff packages ?
[05:36] <rdw200169> what do you mean?
[05:36] <ScottK> The vim package doesn't require X
[05:36] <methods> i mean like in gentoo you have diff profiles
[05:37] <methods> but here you simply have diff versions of packages
[05:37] <rdw200169> methods, ah, yes, debian package management is different
[05:37] <rdw200169> methods, while vim-full has gvim, and X Server dependencies, vim-nox does not
[05:38] <ScottK> Neither does the vim package.
[05:39] <ScottK> sudo apt-get install vim is all you need to do.
[05:39] <rdw200169> ah yeah, i missed that, there is a 'just vim' package
[05:53] <methods> why would "swapon /swap" tell me it's not permitted ?
[05:58] <ScottK> Because you're doing it with insufficient permissions maybe?
[05:59] <methods> no
=== picturesque is now known as domas
[07:47] <diggernet> anyone around with RAID experience?
[07:48] <domas> ghm
[07:48] <domas> yeah
[07:48] <domas> depends on what kind of RAID
[08:05] <domas> right
=== picturesque is now known as domas
[08:57] * [gnubie] waves..
[08:59] <[gnubie]> is the sysklogd and klogd == syslogd ?
[09:01] <domas> no
[09:01] <domas> klogd intercepts kernel messages and logs them somewhere (probably to syslog then)
[09:09] <[gnubie]> domas: i installed a base ubuntu-server 8.0.4.2 lts and there is no syslogd but there was klogd and sysklogd.. what happened to syslogd?
[09:10] <domas> ergh, sorry, sysklogd package provides you syslogd
[09:10] <domas> klogd package provides you klogd
[09:18] <[gnubie]> domas: if i am going to replace the old syslog way with syslog-ng, does it mean that i only have to remove the sysklogd?
[09:18] <domas> try installing it
[09:18] <domas> :)
[09:45] <[gnubie]> any cares to package the latest syslog-ng <http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.1/source/> to ubuntu 8.0.4.2?
[09:49] <domas> well, 2.0 is packaged
[10:05] <[gnubie]> yes
[10:15] <domas> \o/ I FOUND MY PROBLEM
[10:15] <domas> "Under sustained, heavy disk and network I/O, Sun Fire X4140/X4240 servers might fail with a “soft lockup” displayed on the console or by hanging. The root cause is traced to the Nvidia ’forcedeth’ Ethernet driver. This problem might occur with the LSI HBA controller, but could also affect other disk controllers. This problem might occur with Red Hat Enterprise Linux version 5, but might also affect other implementations and vers
[10:15] <domas> ions of Linux."
[10:16] <Nafallo> sunfail
[10:17] <domas> these boxes are awesome, if not this problem
[10:17] <domas> now that I know at least two workarounds...
[10:22] <domas> heh, product notes are awesome
[10:22] <domas> "Sun Fire X4240/X4440 Quad-Core Systems Have Hypertransport Sync Flood Error Under High IO Load "
[10:25] <maswan> has anyone ever had anything nice to say about forcedeth? :)
[10:25] <domas> hehehe
[10:25] * domas is all ecstatic atm
[10:54] <quizme> hey can somebody go to www.fuseme.com?  What do you see?  "Please come back soon? "  Or an apache error page ?
[10:56] <hadsa> telnet: Unable to connect to remote host: Connection refused
[10:59] <domas> <3 cutting branch you're sitting on: http://p.defau.lt/?iznLpg0WfyDqq_BxsQ4BNw
[11:04] <kraut> moin
[11:04] <domas> moinmoin
[12:11] <DawnLight> LVM on intrepid question: i'm on a custom kernel that my xen host provided me with that has dm_mod as a module which i load via /etc/modules. the /dev/{volume group} files don't get created. help?
[12:34] <JessicaParker> is it an easy job to make the ubuntu server secure ?
[12:35] <Deeps> from a fresh install it is secure
[12:35] <Deeps> it's what you do afterwards that makes it potentially insecure
[12:36] <JessicaParker> ok ive got a few books on this topic as well so if i follow through these procedures i should be ok ?
[12:36] <JessicaParker> im neither a linux nor apache expert
[12:36] <ivoks> JessicaParker: define 'secure'
[12:36] <domas> JessicaParker: read up on AppArmor, you can make your server really really secure within a days work or so
[12:36] <domas> =)
[12:36] <JessicaParker> dont have credit card information on the server nor any personal damaging personal details
[12:37] <Jeeves_> you can turn it off, that's secure :)
[12:37] <ivoks> JessicaParker: that depends on application
[12:37] <ivoks> not the server
[12:37] <domas> I find AppArmor incredibly useful for running any untrusted code
[12:37] <ivoks> i agree
[12:38] <ivoks> there's also mod_security for apache
[12:38] <ivoks> (not in ubuntu; license issues)
[12:38] <domas> there's mod_apparmor too
[12:38] <JessicaParker> im going to be running drupal
[12:38] <JessicaParker> which is relatively secure
[12:38] <ivoks> mod_apparmor?
[12:38] <domas> run mediawiki!
[12:39] <domas> ivoks: ye, it allows changing hats based on URIs, etc
[12:39] <ivoks> didn't know about that one
[12:40] <JessicaParker> im the only one that is going to have access to the server remotely
[12:40] <JessicaParker> and i was going to block all eastern block ips as well
[12:40] <domas> ghm
[12:40] <ivoks> JessicaParker: take a look at denyhosts for securing ssh
[12:40] <ivoks> eastern?
[12:40] <domas> would you block me too?
[12:40] <ivoks> what's eastern?
[12:40] <domas> this is a bit harsh
[12:40] <ivoks> i'm on the europe's east
[12:40] <JessicaParker> former eastern european countries including russia, romania,
[12:41] <domas> 'former eastern european countries'
[12:41] <domas> lol
[12:41] <domas> they're still in eastern europe, doh
[12:41] <JessicaParker> well now they are europe ?
[12:41] <domas> or do you think tectonic shift happened and they moved west?
[12:41] <ivoks> domas: maybe JessicaParker moved west :)
[12:41] <ivoks> or east
[12:41] <domas> moved east
[12:41] <domas> so countries became western!
[12:41] <ivoks> so, once west, now they are east :D
[12:42] <JessicaParker> i think i mean former ussr
[12:42] <JessicaParker> excluding romania
[12:42] <ivoks> JessicaParker: you won't achieve anything with that
[12:42] <domas> what is wrong with former ussr?
[12:42] <JessicaParker> i thought a lot of hacking dos attacks came from there
[12:43] <domas> have you ever seen how Estonia or Lithuania looks like nowadays? :)
[12:43] <JessicaParker> https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=16849
[12:43] <JessicaParker> it happened to our payment provider
[12:43] <domas> well, you can block RBN if you want ;-)
[12:44] <JessicaParker> im in europe
[12:44] <rdw200169> at least they kept the mongols at bay ;)
[12:44] <JessicaParker> not been there but told its ok
[12:44] <JessicaParker> but corruption is very high
[12:44] <domas> corruption very high?
[12:44] <JessicaParker> the amount of
[12:45] <domas> *shrug*
[12:45] <JessicaParker> and they arent very developed because half of them are now in london
[12:45] <domas> well, I for one am in Lithuania
[12:45] <JessicaParker> no offence dude, very hard working cultures
[12:46] <JessicaParker> we have a lot of Eastern Europeans in london
[12:47] <JessicaParker> any way about making secure ubuntu server
[12:47] <ivoks> interesting
[12:47] <ivoks> i'm from croatia
[12:47] <JessicaParker> ok
[12:47] <ivoks> will i get banned too? :)
[12:47] <JessicaParker> well it was just a thought
[12:47] <domas> *shrug*, quite a few of my friends did their masters in LSE
[12:48] <domas> are they ones you're talking about? :)
[12:48] <ivoks> JessicaParker: anyway, this article is about spam
[12:48] <JessicaParker> given there are a lot of underemployed intelligent people over in EE  (the ones that dont make it to London! ) and higher wages to be earned from illegal stuff
[12:48] <ivoks> JessicaParker: more spam comes from USA than all eastern european countries :)
[12:48] <JessicaParker> no it was a DOS attack
[12:49] <ivoks> "We'd received loads of emails like this"...
[12:49] <JessicaParker> they had to re-route the traffic
[12:49] <domas> 155mbps is nothing %)
[12:49] <domas> that is minor news item for us :)
[12:49] <ivoks> one i was ddoes from israel
[12:49] <ivoks> of course, i didn't block whole israel
[12:49] <domas> it is not that distributed, if you can identify a country ;-)
[12:50] <ivoks> i blocked only the attacker :)
[12:50] <ivoks> right
[12:50] <ivoks> it was dos
[12:50] <JessicaParker> owever, during that time Malik contacted his ISP Pipex who were already threatening to "black hole" his website as the attack was impacting the whole Pipex network and asked them to implement a Cisco Guard solution which effectively rerouted all traffic and cleaned it of the malicious traffic being generated by the crippling denial of service
[12:51] <domas> I used to run 25k sized IRC network once, damn, pissing off any child could have resulted in DDoS :)
[12:51] <domas> once one guy managed to DDoS my 1mbps dsl with few hundred megabits of traffic
[12:51] <ivoks> ubuntu-hr.org is under ddos whole time
[12:52] <ivoks> it just has nice iptables rules :)
[12:52] <JessicaParker> about securing the server though
[12:52] <JessicaParker> it should be a relatively simple task ? just follow the instructions
[12:52] <domas> depends on level of security you want to achieve
[12:52] <JessicaParker> in the books / web
[12:52] <domas> best solutions are always custom-tailored :)
[12:52] <JessicaParker> just enough that no-one uses the email for spam
[12:52] <ivoks> JessicaParker: if you want secure server, you have to understand security
[12:53] <ivoks> and then follow howtos
[12:53] <JessicaParker> i understand some stuff
[12:53] <JessicaParker> like ip tables
[12:53] <JessicaParker> root access
[12:53] <ivoks> otherwise, you just render you server unusfull
[12:53] <domas> we used to get lots of security consultants telling our website CMS was broken and they could edit pages.
[12:53] <domas> they offered their services to fix our CMS.
[12:53] <ivoks> you want to block lots of countries, that's a fact that tells me that you are very weak on understanding the security
[12:53] <domas> should I tell the site name? :)
[12:54] <JessicaParker> it was just a first line of defence
[12:55] <ivoks> that's not a line
[12:55] <JessicaParker> i read a list of stuff somewhere like disabling wget, hiding the apache edition, changing ports on remote connection
[12:55] <ivoks> what stops attacker from russia to take over a server in london and crack you down?
[12:55] <JessicaParker> opening only the ports that are required
[12:55] <JessicaParker> that i cant do anything about
[12:55] <ivoks> that's obsecurity, not security
[12:56] <JessicaParker> i understand that
[12:56] <JessicaParker> any particular areas i should be looking at more ?
[12:56] <JessicaParker> disabling unnecessary services
[12:56] <ivoks> by default, ubuntu doesn't open any ports
[12:56] <domas> put anything network-talking into apparmor jails, easy
[12:56] <ivoks> it's up to you to decide what you'll open
[12:57] <JessicaParker> Configuring Host-Based Access Restrictions . .
[12:57] <rdw200169> a strong iptables firewall is still the best defense
[12:57] <ivoks> right
[12:57] <domas> lies
[12:57] <JessicaParker> ok that im reading more around and in detail so i understand what is going on ?
[12:58] <domas> firewalls are useless ;-)
[12:58] <rdw200169> why do you say that?
[12:58] <domas> just don't run anything exposed to outside and you won't need a firewall! :)
[12:58] <ivoks> domas: not true
[12:58] <ivoks> domas: syn flood attacks?
[12:58] <JessicaParker> even u experts seem to be debating the basic security set up
[12:58] <JessicaParker> what hope is there
[12:58] <domas> I'd just go and have a cup of coffee in case of those ;-)
[12:58] <rdw200169> i've always run a firewall, no matter what
[12:59] <rdw200169> even if i'm behind a NAT
[13:00] <rdw200169> security aside, -j LOG targets are waay to useful to give up
[13:00] <domas> *shrug*, I still believe, that packets aren't as threatening as payload ;-)
[13:01] <rdw200169> can we 'agree to disagree', though, that security is daemon specific in 99% of the situations
[13:01] <domas> :)
[13:01] <domas> so true
[13:02] <rdw200169> for example, security goes up 10-fold with a secure SSH server, i.e., strong authentication
[13:03] <rdw200169> as does using sudo instead of root
[13:04] <rdw200169> /192.168.0.201/PUBLIC/ /media/music cifs      rw,mand,noexec,nosuid,nodev,user=randy,uid=randy,password=######,user 0 0
[13:04] <rdw200169> whoops, wront one
[13:04] <rdw200169> wrong#
[13:04] <ivoks> haha
[13:05] <ivoks> and all the security goes down the toilet :D
[13:07] <domas> anyway, most of attacks will be via insecure PHP code anyway :)
[13:07] <rdw200169> that's why i use only http for 99% of what i do ;)
[13:08] <rdw200169> html i mean
[13:08] <rdw200169> that and wiki spamming
[13:11] <ivoks> domas: and weak passwords
[13:11] <domas> once I ran email service for ~500k users, and more than 10% of passwords were 1234... sequences :)
[13:11] <ivoks> biggest security hole comes from social hacking :)
[13:13] <JessicaParker> ok weak passwords and insecure php will go on my list
[13:13] <ivoks> lol
[13:14] <rdw200169> and just give up on setting up a mail server; for small applications google-apps can do it for you for free
[13:14] <ivoks> one can set up a really good mail server on ubuntu
[13:15] <rdw200169> you can get a pseudo google mail account linked to a domain
[13:15] <JessicaParker> i need an outbound smtp
[13:15] <JessicaParker> and the host does not provide mail relay servers
[13:15] <JessicaParker> i did not want to use mail at all
[13:16] <JessicaParker> but my options seemed to be limited - i know mail configuration is tricky to say the least
[13:16] <JessicaParker> it is just for outbound
[13:16] <ivoks> that's easy
[13:16] <rdw200169> gods, for what?
[13:16] <ivoks> postfix with disabled smtp
[13:18] <rdw200169> what's the difference b/w using a local mail server and a smtp server out there on the internet?
[13:23] <JessicaParker> can i use any smtp server ? do you have to pay to use one ?
[13:24] <rdw200169> that's what I was driving at, google apps provides smtp services
[13:24] <JessicaParker> as there is like automatic password reset, notification emails for the customers, etc
[13:24] <domas> JessicaParker: local postfix instance would do just fine
[13:24] <JessicaParker> ok thank you - that would solve the problems
[13:25] <JessicaParker> but arent google worried about spammers using it ?
[13:25] <domas> you'd have to configure SMTP authentication for your applications, what may be quite painful :)
[13:25] <domas> though of course, you can do that with postfix yet again
[13:25] <rdw200169> true, that's the only drawback
[13:25] <domas> feed emails to local postfix queue, and have postfix use google as smarthost
[13:26] <JessicaParker> i think drupal comes with options to add a smtp connection so as long as i can use that, it will be fine
[13:26] <rdw200169> domas, but what what about reverse dns problems?
[13:26] <rdw200169> domas, my provider won't do reverse dns for me
[13:26] <domas> rdw200169: so I say, use postfix to feed emails into google ;-)
[13:27] <rdw200169> domas, then, i didn't know you could do that
[13:27] <rdw200169> domas, i always used the sendemail package
[13:27] <JessicaParker> thanks guys that has really resolved a major headache " port 587 with tls"
[13:27] <JessicaParker> and there is a smtp module for drupal
[13:27] <domas>        smtp_sasl_auth_enable (no)
[13:27] <domas>               Enable SASL authentication in the Postfix SMTP client.
[13:27] <domas> :)
[13:29] <domas> rdw200169: you can do pretty much everything with postfix %)
[13:32] <ivoks> postfix rulez
[13:32] <domas> once I had a server that was listening on multiple IPs, masquerading as multiple servers, etc - and the guy who was taking over asked why it was done that way
[13:33] <domas> the answer was very simple - so that other SMTP servers would think there're multiple servers and process queues much faster
[13:33] <domas> there were certain other mailhubs that were feeding with hundreds of emails a second :)
[13:35] <rdw200169> yeah, a while back i really gave up on setting up a mail server; i got tired of the mail i sent either being mis-routed or ending up in spam because of the lack of SRV records and reverse DNS resolution, etc...
[13:35] <rdw200169> real pain.
[13:38] <rdw200169> i think i'll stick with trying to get Unicode + LaTeX working the way i want ;)
[13:38] <ivoks> what's so hard with that?
[13:39] <rdw200169> Korean Unicode + Ascii Unicode + Koma-Scripts
[13:39] <ivoks> oh, korean...
[13:39] <rdw200169> i finally got it recently
[13:40] <rdw200169> my problem, was that i didn't want to write LaTeX, i wanted to use the LaTeX output from sphinx or docutils; because I write in reStructured Tex
[13:40] <rdw200169> *Text
[13:41] <rdw200169> xetex + explicit font declarations (mainfont sansfont and monofont) finally worked
[13:41] <rdw200169> now i can use all the document classes i want, i.e. KOMA, article, python, etc...
[14:15] <orogor> hi here , anyone knows what's the default setting for the ubuntu memory split ?  because i do have 4Gb of ram and i see a commitlimit of 2GB ?
[14:17] <domas> orogor: actually, depends on kernel, with server kernel you'd be able to address 2.5G
[14:17] <domas> PAE lowers the amount a bit
[14:18] <orogor> shouldn t i use the 1/3gb memory split ?
[14:22] <domas> well, there's difference between how much userland can use in total, and how much can one program address
[14:25] <orogor> domas, as i understand first step is anyway to install linux server to better take advantage of the 4gb
[14:25] <domas> ubuntu server kernel uses PAE
[14:26] <uvirtbot> New bug: #321091 in bacula (universe) "Probleme de dependance" [Undecided,Confirmed] https://launchpad.net/bugs/321091
[14:26] <orogor> domas, not sure i need that , i run an amd64
[14:27] <domas> orogor: then you don't need to care about memory split?
[14:28] <orogor> the commit limit is the total addressable limit when is because i currently use a 2/2 split , no ?
[14:28] <domas> you can address as much as you want on amd64
[14:29] <domas> see, you're no longer bound by 32-bit constraints, are you? :)
[14:29] <orogor> well , no
[14:30] <orogor> domas, http://rafb.net/p/mgZBeH18.html
[14:33] <domas> CommitLimit is only adhered to if strict overcommit accounting is enabled..
[14:33] <domas> it is calculated by vm.overcommit_ratio * physical ram
[14:33] <orogor> hooo, didn t knew that
[14:34] <domas> it is in meminfo documentation
[14:34] <domas> \o/ CommitLimit:  17487052 kB
[14:34] <orogor> hehe
[14:34] <domas> doesn't make sense though
[14:34] <orogor> well sometime strict overcommit is good
[14:35] <domas> I don't get the reasoning here
[14:35] <domas> CommitLimit:  17487016 kB
[14:35] <domas> machine has 32GB of memory, and isn't running anything
[14:35] <rdw200169> wow, that's a lot of ram!
[14:35] <domas> check http://p.defau.lt/?bnzeja85kFZQ5c6uvZN_Yw
[14:35] <domas> heh, can try looking at busy server
[14:36] <domas> here: busy box: http://p.defau.lt/?gPpiBwTBBzP4s7ymi_qlwQ
[14:36] <domas> so, CommitLimit means nada
[14:37] <domas> rdw200169: recently I was working on a box with 320GB of memory
[14:37] <orogor> it does, it prevent process to run crazy
[14:37] <domas> orogor: well, my processes are 31GB sized on 32GB boxes ;-)
[14:39] <rdw200169> yay 64 bit, then!
[14:39] <domas> indeed
[14:39] <domas> I was very very happy when first opterons arrived
[14:39] <rdw200169> bollocks to intel...
[14:39] <domas> well, indeed, AMD was kickass at that time
[14:40] <rdw200169> they still are!
[14:40] <domas> mmm, intel was ahead with quadcores
[14:40] <ivoks> still?
[14:40] <rdw200169> yes, of course, but for me, AMD is cheaper
[14:40] <ivoks> amd is inferior to intels
[14:40] <orogor> i need to buy 2x32gb system for the office
[14:40] <orogor> need server consolidation with vmware
[14:40] <ivoks> iirc, intel lowered prices ~50% for quad core
[14:41] <domas> woodcrest was ahead
[14:41] <rdw200169> only b/c AMD exists
[14:41] <ivoks> of course
[14:41] <rdw200169> if there's no market competition...
[14:41] <domas> though our new boxes are AMDs
[14:41] <domas> not that I care too much about CPU performance
[14:41] <domas> it is all mostly I/O and RAM and such :)
[14:42] <rdw200169> 6 months ago, you could build a quad-core AMD desktop for under $900, fantastic
[14:44] <rdw200169> well... a lot less if you wanted to e-bay and newegg yourself to death...
[14:48] <orogor> trying reboot with server kernel
[16:55] <uvirtbot> New bug: #321185 in mysql-dfsg-5.1 (universe) "Package mysql-server-5.1 failed to install: tried to ovewrite `/usr/sbin/mysqld', witch is already in package mysql-server-core-5.0" [Undecided,New] https://launchpad.net/bugs/321185
[18:37] <notez> Yo, How do I reset video effects back off? I enabled it and now I can't see nothing on the screen but white
[18:37] <notez> but I can click stuff and see the mouse icon
[18:37] <ivoks> wrong channel, goto #ubuntu
[18:37] <notez> on serve
[18:38] <notez> server
[18:38] <ivoks> there are no video effects on server
[18:38] <notez> well
[18:38] <ivoks> there is no graphic interface on server
[18:38] <notez> I got gui inatLLEED
[18:38] <notez> gnome
[18:38] <notez> or w/e it's called
[18:38] <ivoks> then you have ubuntu desktop, not server
[19:14] <andol> Anyone feel like taking a look at my suggested solution to bug #296952?
[19:14] <uvirtbot> Launchpad bug 296952 in mysql-dfsg-5.0 "mysqlhotcopy failed on table with hyphen in name" [Undecided,Confirmed] https://launchpad.net/bugs/296952
[19:55] <uvirtbot> New bug: #321233 in bind9 (main) "Failed to install upgrade package" [Undecided,New] https://launchpad.net/bugs/321233
=== Mohammad[B] is now known as |boozary
=== Mohammad[B] is now known as iqson716
[21:07] <RainCT> Hi
[21:08] <RainCT> I've setup a Hardy box to authenticate through LDAP (on another Hardy box) and sudo/su/etc work fine, but GDM lets the users login even if the password is wrong.
[21:08] <RainCT> Any idea?
[21:20] <RainCT> yeha, nvm, got it :)
[21:25] <andol> RainCT: What was the problem?
[21:26] <RainCT> I had "auth sufficient pam_unix.so nullok_secure    auth sufficient pam_ldap.so use_first_pass" in /etc/pam.d/common-auth
[21:26] <RainCT> andol: changing that to "auth sufficient pam_ldap.so nullok_secure     auth required pam_unix.so use_first_pass" fixed it
[21:27] <andol> yes, I can see how two sufficient and no required can cause trouble :)
[21:28] <RainCT> hehe
[21:28] * RainCT doesn't know how all this PAM stuff works :P
[21:29] <andol> RainCT: Well, once get friendly with PAM it allows you to do all kinds of creative and useful stuff :)
=== |boozary is now known as Mohammad[B]
[21:47] <JessicaParker> how do i open up port 465
[21:48] <RainCT> JessicaParker: Open it where? On a firewall, router..?
[21:48] <JessicaParker> firewall but i dont think ive configured one
[21:49] <JessicaParker> i will also need to look at the router - thanks for that i will do that........so need help with firewall
[21:49] <RainCT> you could check if there's some unwanted iptables rule.. not sure how that's done, though (perhaps  man iptables  will help)
[21:50] <JessicaParker> at the moment on the firewall i have 3306 , 80 631 and 25 open
[21:50] <andol> JessicaParker: what firewall do you use?
[21:51] <JessicaParker> not sure
[21:51] <JessicaParker> :)
[21:51] <JessicaParker> it came as standar
[21:51] <JessicaParker> standard
[21:51] <JessicaParker> if any
[21:51] <RainCT> afaik there is no firewall by default
[21:51] <JessicaParker> ok then no firewall but......i thought that controlled the ports that are open ?
[21:51] <JessicaParker> it could be the router then ?
[21:52] <RainCT> ports are "open" if something is listening on them and they are not blocked
[21:53] <andol> JessicaParker: Is your computer/server directly on a public IP or is behind some kind of router on a NAT, using an internal ip-address?
[21:54] <JessicaParker> router
[21:54] <JessicaParker> internal ip
[21:55] <JessicaParker> so when i do a netstat i get a few open ports
[21:55] <JessicaParker> not everything is open
[21:57] <JessicaParker> still getting the following SMTP Error: Could not connect to SMTP host.
[22:09] <JessicaParker> ok opened all the ports
[22:09] <JessicaParker> still get the same problem
[22:09] <JessicaParker> can anyone assist ?
[22:16] <kansan__> sudo: unable to resolve host ec2-174-129-X.compute-1.amazonaws.com
[22:16] <kansan__> what does that mean, and should i be worried?
[22:43] <brundlefliege> hi guys - running ubuntu 8.10 - can i use the /etc/ssl/private/ssl-cert-snakeoil.key for my server cert needs? or should i generate my own (if I am wrong and the said key is not automatically generated upon my individual installation that is)?
[22:43] <jtaji> brundlefliege: there's nothing wrong with using the snakeoil cert
[22:44] <brundlefliege> ok thanks
[22:45] <brundlefliege> why is it named "snakeoil" - is it because i am "lame" because i didn't generate it myself?
[22:45] <brundlefliege> lol
[22:45] <jtaji> it's a dumb name really :p
[22:46] <brundlefliege> good to know ;) i thought it would be related to this http://www.faqs.org/faqs/cryptography-faq/snake-oil/
[22:46] <jtaji> no not at all
[22:48] <brundlefliege> yeah thanks again :)
