=== Guest83192 is now known as nandemonai | ||
=== erichammond1 is now known as erichammond | ||
johna | can somebody give me some idea why Ubuntu uses ufw rather than iptables? | 01:00 |
---|---|---|
jmarsden | johna: It uses both, ufw is a simpler front end for iptables. | 01:07 |
johna | jmarden: simpler? | 01:09 |
johna | that should have been jmarsden, sorry | 01:09 |
johna | where does ubuntu hide the iptables config and input? | 01:10 |
jmarsden | /etc/ufw is one place where you will see some of it. | 01:11 |
jmarsden | If you don't want to use ufw, no one forces you to do so. You can use naked iptables on Ubuntu just fine. | 01:12 |
jmarsden | You'll lose some of the integration of packages that automatically configure ufw, etc. but it can be done. | 01:13 |
johna | jmarsden: I am switching from Centos. I cannot see an advantage to ufw as it seems to make simple things very complicated. what would I be losing if I dropped it? | 01:15 |
jmarsden | How complicated is ufw allow 22/tcp ? | 01:15 |
jmarsden | Seems pretty simple to me :) | 01:15 |
jmarsden | Some packages can automatically configure ufw to allow access to their daemons etc... | 01:16 |
jmarsden | You will lose that if you manually set up iptables. | 01:16 |
jmarsden | It is usually better to learn the new way when you enter a new world... but it is your choice. | 01:16 |
johna | i took a look at the ufw config files and there seem to be chains all over the place, I would think that would make debugging more time consuming? | 01:17 |
jmarsden | johna: For normal use, debug at the ufw level. Why are you trying to dive in so deep? What weird tricky things that ufw cannot do are you needing to accomplish? | 01:17 |
johna | jmarsden: dovecot has all 4 ports open, I restrict to imaps. Plus I like to know what's going on on the systems I administer | 01:21 |
monokrome | Does anyone in here use Ubuntu Server? | 01:33 |
monokrome | Ha. I meant, "Does anyone in here use CloudInit?" | 01:33 |
monokrome | I am trying to generate multi-part MIME for its user data, but it's not working. | 01:34 |
jdstrand | johna: I suggest you read 'man ufw' and 'man ufw-framework' | 01:42 |
jdstrand | johna: if you choose not to use it either leave it disabled or uninstall it | 01:43 |
JRWR | Ubuntu 10.04 - Dovecot/Postfix SMTPd Issue - Auth - Getting this error message when someone tries to auth to the smtp server to send an email SASL CRAM-MD5 authentication failed: Invalid authentication mechanism | 01:57 |
patdk-lap | well, fix it :) | 01:58 |
patdk-lap | you obviously didn't store your passwords in plaintext | 01:58 |
JRWR | no, my dovecot passwd is all in cram-md5 | 01:59 |
JRWR | and imap logins work | 01:59 |
patdk-lap | hmm? | 01:59 |
JRWR | here is my dovecot.conf : http://pastebin.com/wWbhXaM2 postfix master.cf http://pastebin.com/kvm7Jx2m | 01:59 |
patdk-lap | I don't exactly know how you can store a password as cram-md5, cause it's not possible | 01:59 |
JRWR | i did a dovecotpw to make them | 02:00 |
patdk-lap | well, what format did it make? | 02:00 |
patdk-lap | and why do you have two auth sections? | 02:01 |
patdk-lap | no wonder | 02:01 |
patdk-lap | the config is just total foobar | 02:01 |
JRWR | the second part is for the SASL for the SMTP server | 02:02 |
patdk-lap | ya, and it has no users or passwords in it | 02:02 |
patdk-lap | so no wonder nothing can auth | 02:02 |
JRWR | it wont | 02:02 |
JRWR | the first section covers that (i think) | 02:02 |
patdk-lap | it won't auth cause there is nothing in there to auth against | 02:02 |
patdk-lap | no, that is a different section | 02:02 |
patdk-lap | sections have nothing to do with each other | 02:02 |
patdk-lap | I have seen some complex setups, but never seen more than one auth section before | 02:03 |
patdk-lap | as you can have as many user storage methods as you want in one section | 02:03 |
JRWR | this should work http://pastebin.com/4c9HM9X3 | 02:05 |
patdk-lap | you might want to allow the login method | 02:06 |
patdk-lap | as that is the only method outlook will use | 02:06 |
JRWR | >_> | 02:06 |
JRWR | man this project was harder than it should have been, I don't even have anti-spam in it yet | 02:07 |
patdk-lap | hmm? | 02:07 |
patdk-lap | normally takes about 4 hours for me to setup an email server | 02:08 |
JRWR | wow... my normal time for a LAMP stack is 20mins | 02:08 |
JRWR | just never done it before... bout time i learned | 02:09 |
patdk-lap | heh? to install a lamp stack you just click lamp in the installer, done | 02:09 |
patdk-lap | email is the most annoying thing ever to setup | 02:09 |
patdk-lap | for incoming not too hard | 02:09 |
JRWR | i have a bash script to add users and remove users from dovecot | 02:09 |
patdk-lap | for outgoing, extremely hard, cause no one else will trust you | 02:09 |
JRWR | SPF helps | 02:09 |
JRWR | DKIM also help | 02:09 |
patdk-lap | spf and dkim only helps if you make it to the junk folder | 02:10 |
patdk-lap | first is using a good ip | 02:10 |
patdk-lap | second is setting up dns and rdns correctly | 02:10 |
patdk-lap | 3rd is having your mail server id itself correctly | 02:10 |
JRWR | mine doesn't... at least i don't think it does | 02:11 |
JRWR | the rdns is a linode | 02:11 |
JRWR | and the smtp server says its that host | 02:11 |
patdk-lap | so it will probably work on 90% of email servers | 02:12 |
patdk-lap | the other 10% needs the rdns to match | 02:12 |
JRWR | dir | 02:14 |
=== ng_ is now known as zz_ng_ | ||
sond | hi - situation = Lucid-10.04.3amd64 install .. i have a raid1 ( md0 ) and wish to know if Grub will run from within LVM or do i need a physical /boot partition ? | 05:40 |
sond | * LVM on top of raid1 | 05:41 |
photon | is there a command to update the server's clock using internet time servers? | 05:44 |
photon | mine's off couple of days | 05:44 |
sond | ntpdate ip of time serv | 05:45 |
sond | watch out if you're remote as it can screw your sudo timestamp | 05:45 |
photon | oh ok. thanks. what could be the worst that can happen? having to re-authenticate? | 05:46 |
sond | the worst ? dunno - it will require a re-auth tho ... do you have physical access to the machine ? | 05:48 |
photon | yes | 05:48 |
sond | no prob then ... | 05:48 |
photon | worked flawlessly, thanks. | 05:52 |
photon | didn't know there were that many NTP servers. | 05:53 |
sond | did you use your -country.pool.ntp.org ? | 05:54 |
sond | *your-country | 05:54 |
photon | yes | 05:57 |
photon | I have no idea though why my server would think it's Thursday in the first place. | 05:59 |
sond | gotta get back to this install... | 06:01 |
=== photon is now known as Guest83739 | ||
sond | installing a VMhost do i enable auto security updates ? | 09:55 |
sond | what's the command for the network-config curses gui ? | 10:46 |
sond | or isn't there one ? | 10:49 |
uvirtbot` | New bug: #815071 in apache2 (main) "package apache2.2-common 2.2.17-1ubuntu1 failed to install/upgrade: installed post-installation script alfolyamat 1 hibakóddal kilépett" [Undecided,New] https://launchpad.net/bugs/815071 | 13:47 |
=== medberry is now known as med_out | ||
[[suarez]] | hello | 15:46 |
Guest64614 | Has anyone got sound over hdmi to work in ubuntu server using boxee? | 17:55 |
Guest64614 | Has anyone got sound over hdmi to work in ubuntu server using boxee? | 18:18 |
Guest64614 | anyone out there? | 18:34 |
* Datz nods as he can hear you | 18:37 | |
Datz | but no, I haven't done that | 18:37 |
Guest64614 | thanks, just seems very quiet here... was starting to wonder if i was on my own | 18:42 |
Datz | everyone's at the lunch party, I was full | 18:43 |
Guest64614 | :) | 18:43 |
frogger | hi all | 20:32 |
frogger | i have a little dns related question that maybe someone can help me with | 20:32 |
frogger | i have a bind server running on our net that does dns-caching as well as master for local dns | 20:32 |
frogger | now i would like to override an external domain to point to a server in our local net | 20:33 |
frogger | what would be the smartest way to handle this? | 20:33 |
goddard | when i upload files via web interface it is uploading them as user www-data instead of the user name | 21:22 |
goddard | what are all you jackasses doing in this channel any way | 21:25 |
goddard | few hundred bots? | 21:25 |
frogger | goddard: www-data is the user of the apache process, so there is nothing wrong with it | 21:27 |
goddard | frogger if you're running a multi-user environment and fastcgi it is supposed to assign to the user | 21:28 |
goddard | mod_suexec | 21:28 |
goddard | frogger not to mention if you use sftp then try and make any changes you can't | 21:30 |
goddard | it's idiotic actually to leave it as www-data | 21:31 |
goddard | any other idiots wasting space on freenode? | 21:34 |
fyrfaktry | lots :) | 22:10 |
goddard | fyrfaktry you got that right | 22:11 |
johna | where does ubuntu server keep things like dkim keys, apache ssl keys? | 22:19 |
patdk-lap | where-ever? | 22:20 |
patdk-lap | normally ssl stuff is in /etc/ssl | 22:20 |
patdk-lap | personally I just make /etc/ssl/dkim for well, the obvious | 22:20 |
ScottK | But it's a function of where the config file is set to look for them. | 22:21 |
ScottK | It depends a bit on what implementation you are dealing with. | 22:21 |
johna | patdk-lap: so there is no recommended location for crypto keys? | 22:21 |
patdk-lap | heh? didn't I just say /etc/ssl? | 22:22 |
johna | Scottk: it must be configurable for each app? | 22:23 |
ScottK | It is. | 22:23 |
ScottK | I'm not saying it must be. | 22:23 |
ScottK | DKIM is a protocol, not an application. | 22:23 |
johna | patdk-lap: yep, so the "recommended loc is /etc/ssl/..." | 22:24 |
ScottK | johna: For example, my /etc/opendkim.conf says: KeyFile /etc/dkim/keys/... | 22:25 |
ScottK | You could put it anywhere. | 22:25 |
johna | ScottK: I just like to keep things neat, and if there were a "preferred" loc use it. | 22:26 |
ScottK | There isn't. Just in /etc somewhere that makes sense to you. | 22:27 |
goddard | when i upload files via web interface it is uploading them as user www-data instead of the user name | 22:27 |
patdk-lap | goddard, that is pretty obvious | 22:31 |
patdk-lap | the webbrowser runs as www-data | 22:31 |
patdk-lap | it shouldn't be allowed to be run as your user | 22:31 |
patdk-lap | or to even do that, root | 22:31 |
patdk-lap | that would be some serious security issues | 22:31 |
goddard | this part makes sense sure | 22:31 |
goddard | what if you're in a multi-user environment | 22:32 |
goddard | one that doesn't have the permissions to change www-data | 22:32 |
qman__ | with a web interface, said environment is handled by said web interface | 22:32 |
qman__ | as in, the web interface controls user access and file permission separately from the filesystem | 22:36 |
qman__ | with, say, an SQL database full of users and password hashes | 22:36 |
goddard | some systems let you upload components via the web in fact it is much easier this way | 22:36 |
goddard | if they upload pictures even | 22:37 |
qman__ | yes, and they work the way I described | 22:37 |
goddard | that is not what is in question | 22:37 |
qman__ | the files on the filesystem are still owned by www-data (or whatever group their system happens to run the web server as) | 22:38 |
qman__ | because the web server, rightly, does not have the ability to change the owners of files to any given user | 22:38 |
qman__ | that would be an enormous security risk | 22:38 |
goddard | unless the process is a part of a virtual environment | 22:39 |
qman__ | virtual environments don't change this fundamental process | 22:39 |
goddard | haha ok i can see we are going to go nowhere with this so thanks for sharing with me your point of view | 22:40 |
qman__ | an owned virtual server is no different from an owned bare metal server | 22:41 |
goddard | thanks for the information | 22:41 |
goddard | just for your own future reference qman__ check this out http://httpd.apache.org/docs/current/mod/mod_suexec.html#suexecusergroup | 22:45 |
goddard | in conjunction with fastcgi it all becomes possible | 22:46 |
qman__ | I never said it was impossible | 22:46 |
qman__ | just that it was a huge security risk | 22:46 |
qman__ | which it is | 22:46 |
goddard | oh ok ... :D haha | 22:46 |
goddard | Care to explain how this setup is a security risk? | 22:47 |
qman__ | running a given CGI process as a dedicated user separate from the web server user isn't a big risk | 22:47 |
qman__ | running a given CGI process as many different users, probably specified by the web site code, is an enormous risk | 22:48 |
goddard | ok if this is true how? | 22:49 |
qman__ | because if the web site can run code as any given user, with input generated by the web site, that site has the potential to be exploited to privilege escalation | 22:50 |
qman__ | i.e. one bad page in your site means root access | 22:51 |
goddard | i think you have the process confused a little bit because it is only defined when the apache virtual environment is defined | 22:51 |
goddard | and it is defined as the user you create | 22:52 |
goddard | that user has specific privileges | 22:52 |
qman__ | yes, but that user must be determined at some point | 22:52 |
goddard | i guess they could sudo su | 22:52 |
qman__ | and if that user is not hard coded in the system, it must be provided by the user | 22:52 |
qman__ | and any time you process user input you are taking in a risk | 22:52 |
goddard | that isn't the way mod_su works | 22:52 |
goddard | read the link | 22:52 |
goddard | if a virtual user was attempting to hack into root you could find out pretty quickly | 22:53 |
goddard | 3 fail attempts and he gets blocked | 22:53 |
goddard | no more access | 22:53 |
qman__ | that's great, until the web site code is exploited, and only one attempt is needed | 22:54 |
goddard | I'd be interested to hear this method but I'm not seeing what you're saying | 22:54 |
qman__ | I assume that your web site is PHP | 22:54 |
qman__ | I also assume that your web site was written by a human | 22:55 |
qman__ | therefore, I can conclude that said website has flaws | 22:55 |
goddard | right using fastcgi | 22:55 |
goddard | all systems have flaws | 22:56 |
qman__ | and when you allow such a high risk thing as filesystem access as an arbitrary user with an interface that has a high risk of potential exploits, you are playing a dangerous game | 22:56 |
goddard | this is with jailkit? | 22:56 |
qman__ | jails are great too, but I'm guessing you wouldn't want to lose any of your users' data either | 22:57 |
qman__ | and that user data must exist inside the jail, otherwise it couldn't be uploaded in the first place | 22:58 |
goddard | this is all just too vague | 23:00 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!