=== nick is now known as Guest8685 | ||
darthanubis | would ltsp questions be considered server related? | 00:34 |
---|---|---|
RoyK | most certainly | 00:38 |
RoyK | there's an #ltsp channel dedicated for it, though | 00:39 |
darthanubis | RoyK, I'm in that channel as well, but it's kinda dead. | 00:41 |
RoyK | some people in here might be able to help | 00:41 |
RoyK | !ask | darthanubis | 00:41 |
ubottu | darthanubis: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience | 00:41 |
* RoyK has been trying to fix his bicycle for some hours and needs sleep | 00:42 | |
RoyK | nite | 00:42 |
darthanubis | failed to load session "ubuntu" is what I get from my thin client | 00:43 |
darthanubis | Google has not been much help as of yet | 00:44 |
RoyK | probably not the best time to ask in here - people will wake up in Europe in 4-5 hours | 00:44 |
* RoyK should have been sleeping some time ago | 00:44 | |
* patdk-lap wonders if royk dreams of digital sheep | 01:05 | |
ae0000 | i just logged into one of my servers and entered "sudo su" and it logged me in as root straight away... is that suspect? i had not performed any other sudo operations before that, it was literally just after sshing in | 01:11 |
ae0000 | another server running similar setup asked me for password in the same situation | 01:11 |
Psi-Jack | ae0000: Yeah, that's highly suspect, if you are not logging in to root. | 01:18 |
Psi-Jack | If you ARE logging in to root, and sudo su, (which you should stop that immediately! sudo -i!) then it's obviously going to work. you already are root. | 01:18 |
ae0000 | its ok - i'm just deranged... i was logged in from another terminal :) | 01:19 |
Psi-Jack | Different sessions are still different sessions. | 01:20 |
Psi-Jack | Each session is cached individually. | 01:20 |
ae0000 | hmmm | 01:21 |
ae0000 | then thats still suspect | 01:21 |
ae0000 | scan for rootkits? | 01:21 |
Psi-Jack | I definitely would be wary. | 01:23 |
Psi-Jack | I just double verified it, logged in as a user from two completely different ssh sessions, and confirmed, sudo is cached per-session on Ubuntu 12.04 | 01:23 |
Psi-Jack | And 10.04 | 01:23 |
ae0000 | ok .. thanks for the heads up... this is 10.10.... | 01:25 |
ae0000 | ok i have tested this... and it remembers sudo access from the same terminal even after logging out and logging in again | 01:39 |
ae0000 | so.. fresh ssh login, sudo su [asks for password], exit, ssh login, sudo su [DOES NOT ask for password] | 01:40 |
ae0000 | panic averted :) | 01:40 |
ae0000 | rkhunter is happy as well | 01:40 |
aarcane | I'm running iscsi target (targetcli) on my ubuntu server (12.04). I'm trying to figure out how to enable trim support. my underlying device supports trim, and my OS atop the iSCSI volume. I'm not certain about the initiator or the target though. I want to ensure it's active or enabled in lio. | 02:03 |
RoyK | patdk-wk: Now the world has gone to bed, Darkness won't engulf my head, I can see by infra-red, How I hate the night | 02:03 |
RoyK | Now I lay me down to sleep, Try to count electric sheep, Sweet dream wishes you can keep, How I hate the night , | 02:03 |
Daviey | roaksoax: still around? | 02:08 |
=== n0ts_off is now known as n0ts | ||
maxagaz | I did everything to have mod_rewrite, but it seems not to be working | 04:33 |
maxagaz | how can I check it ? | 04:33 |
qman__ | maxagaz, sudo a2enmod rewrite; sudo service apache2 restart | 04:39 |
maxagaz | qman__: I did that already | 04:39 |
qman__ | that's all there is to it | 04:41 |
qman__ | you can verify by checking to make sure the files are there | 04:41 |
qman__ | you should have two files, /etc/apache2/modules.enabled/rewrite.load and /usr/lib/apache2/modules/mod_rewrite.so | 04:42 |
qman__ | /etc/apache2/modules.enabled/rewrite.load loads the module, and /etc/apache2/apache2.conf loads the .load file | 04:44 |
blackshirt | hello | 07:15 |
blackshirt | I have tried to login from squirrelmail using virtual user created with ldaputils scripts | 07:15 |
blackshirt | but the mail.err log says : dovecot: imap(hayate): Error: user hayate: Initialization failed: Namespace '': mkdir(/home/hayate/Maildir) failed: Permission denied (euid=8(mail) egid=8(mail) missing +w perm: /home, dir owned by 0:0 mode=0755) | 07:16 |
blackshirt | anyone here can help me ? | 07:16 |
freakynl | hi, anyone know how to get kernels from the list (dpkg -l linux*)? They're already removed but remain in the list (seemingly for ever) | 07:52 |
rbasak | freakynl: use dpkg -P (for purge). But make sure you don't purge any kernels that you might want to use, such as the one in use! | 08:01 |
freakynl | rbasak: thx but doesn't work says it's not installed | 08:06 |
=== n0ts is now known as n0ts_off | ||
freakynl | rbasak: http://pastebin.ca/2197530 | 08:07 |
=== kedare is now known as Guest10697 | ||
=== n0ts_off is now known as n0ts | ||
=== Guest68144 is now known as wordpress | ||
=== wordpress is now known as ikonia | ||
=== Xtrapni is now known as trapni | ||
progre55 | hi guys. I have a remote server with nfs installed on it. it has been running for only 15 days now, but leaking memory. Total server memory is 590Mb, and top/htop show 546Mb used memory. However, there are no processes in the process list that are using any considerable amount. How can I track what process could be leaking? | 08:43 |
freakynl | progre55: what does free say | 08:47 |
progre55 | used: 581920 free: 22460 buffers: 4712 cached: 18164 | 08:48 |
progre55 | -/+ buffers/cache: 559044 45336 | 08:49 |
freakynl | hmm not much in cache/buffers, if you sort by memory (M) in top you don't see anything consuming memory (many processes can add up)? | 08:50 |
progre55 | not really.. the highest process using up memory is bash with 1.2% | 08:52 |
melmoth | slabs ? | 08:53 |
progre55 | there are a total of 50 processes, and they each use from 0.7 to 0.1 (0.0) | 08:53 |
melmoth | hmm, however, i would expect slab usage to be included in the cache metric. | 08:54 |
progre55 | sec, let me post it | 08:54 |
progre55 | here is the slabtop output http://pastie.org/4573288 | 08:55 |
progre55 | what is "idr_layer_cache"? | 08:57 |
progre55 | let me google :) | 08:57 |
progre55 | well at least I'm not the only one having this problem with a fileserver http://lkml.org/lkml/2012/7/25/495 | 09:00 |
henkjan | we had this problem also on 12.04 / nfs server | 09:01 |
henkjan | migrated to netapp :) | 09:01 |
progre55 | so does that mean we also have to migrate? any bugs open at least? | 09:03 |
henkjan | in our case the slabcache eat all memory in 1,5 day and let the server OOM | 09:09 |
henkjan | bad for our customers, we had no time to investigate | 09:09 |
henkjan | i guess its a kernel issue | 09:10 |
henkjan | you could try to upgrade to a quantal backported kernel | 09:10 |
henkjan | progre55: you can add a bug in launchpad | 09:18 |
henkjan | i'll click the 'affects me too' button :) | 09:18 |
progre55 | henkjan: I've never opened a bug report :) but let me see what I can do | 09:37 |
=== mcclurmc is now known as mcclurmc_away | ||
=== n0ts is now known as n0ts_off | ||
brendand | does anyone know the meaning of 'ethtool-lite: ethtool ioctl on eth0 failed'? | 10:29 |
brendand | is it significant | 10:32 |
progre55 | can anyone tell me what idr_layer_cache is and what can cause too many idr_layer_cache objects in the slab? | 10:52 |
progre55 | I'm suspecting frequent I/O might be the reason, but how come the slab is unreclaimable? /proc/meminfo shows "SUnreclaim: 494112 kB" | 10:55 |
=== cpg is now known as cpg|away | ||
ttilley | where might one find the scripts/software used to build the ubuntu EC2 AMI images? | 10:57 |
progre55 | ttilley: you can use ec2-bundle-vol from the ec2-ami-tools package, but not sure if you could bundle an AMI from a non-EC2 machine | 10:59 |
ttilley | progre55: i'm just curious what i can learn from the build system itself | 10:59 |
ttilley | the goal being to read the code more than to build an AMI :) | 11:00 |
progre55 | oh I see :) | 11:00 |
progre55 | well try reading the ec2-bundle-vol code then :) | 11:00 |
ttilley | heh | 11:01 |
progre55 | ttilley: there is also an ubuntu cloud service called eucalyptus, and I remember bundling images there, too. I think the package was called euca2ools and you'd run euca-bundle-vol | 11:05 |
ttilley | isn't eucalyptus effectively deprecated in ubuntu? with the semi-recent switch to and focus on openstack? | 11:06 |
koolhead11 | ttilley: i think if you want Euca you have to use their PPA for recent pkgs | 11:18 |
ttilley | koolhead11: i don't want euca, but i do want to read the code for the scripts/software that's used to build the ubuntu EC2 AMI images if you know where I can find that. :) | 11:19 |
Blazemore|Work | Anyone know why nslcd can't connect to my OpenDP LDAP server, whereas other tools like lat can? | 11:26 |
Blazemore|Work | The syntax I'm using in /etc/nslcd.conf is "uri ldaps://127.0.0.1:1636" - is that correct? it has SSL and is running on that port | 11:27 |
Psi-Jack | Blazemore|Work: About that ldapsearch, is that working as expected? | 11:27 |
=== mcclurmc_away is now known as mcclurmc | ||
anotheruser | Hello. I'm running ubuntu 10.04 LTS on my server. I see in my access.log traces of an attack on phpmyadmin using http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-2506.html | 11:27 |
uvirtbot | anotheruser: setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506) | 11:27 |
Blazemore|Work | Psi-Jack: Well I can connect to it with lat | 11:27 |
Blazemore|Work | What would ldapsearch do? | 11:27 |
anotheruser | My question is this : why is a year old critical vulnerability still as "needed" for the LTS version ? | 11:28 |
anotheruser | does that mean my server is vulnerable? | 11:28 |
Psi-Jack | ldapsearch is the standard openldap client tools. | 11:28 |
Psi-Jack | anotheruser: File a bug report. It's off topic. | 11:28 |
anotheruser | It's not off topic | 11:28 |
anotheruser | i need to determine if my server was compromised or not | 11:29 |
anotheruser | and it's definitely about ubuntu | 11:29 |
Psi-Jack | This channel is for people needing help, not griping like a little baby. | 11:29 |
anotheruser | I need help. | 11:29 |
Psi-Jack | No, you just want to whine. | 11:29 |
anotheruser | -_- | 11:29 |
anotheruser | I want to know if my server is compromised or not | 11:29 |
anotheruser | which, strangely, is quite important to me | 11:29 |
anotheruser | can't you understand that? | 11:29 |
patdk-lap | anotheruser, that isn't even part of ubuntu, that is in universe | 11:29 |
Psi-Jack | heh | 11:29 |
Blazemore|Work | Psi-Jack: I just tried using getent passwd again, and analysed using Wireshark | 11:29 |
anotheruser | universe isn't part of ubuntu? | 11:30 |
Blazemore|Work | I can see the cert details being exchanged, so something is happening | 11:30 |
patdk-lap | it's optional | 11:30 |
anotheruser | it's still in ubuntu | 11:30 |
rbasak | Universe is community maintained. In this case, it looks like nobody in the community has provided a suitable patch. | 11:30 |
patdk-lap | Universe - Community maintained software, i.e. not officially supported software. | 11:30 |
Psi-Jack | Blazemore|Work: Sounds like nslcd is failing to actually authenticate. | 11:30 |
anotheruser | i see | 11:30 |
rbasak | I started from launchpad.net, searched for the CVE and got https://launchpad.net/bugs/cve/CVE-2011-2506 which took me to bug 806788. | 11:30 |
Psi-Jack | Blazemore|Work: Are you using simple auth, anonymous auth, or kerberos? | 11:30 |
uvirtbot | Launchpad bug 806788 in phpmyadmin "phpMyAdmin Security fixes in versions 3.3.10.2 and 3.4.3.1" [Undecided,Invalid] https://launchpad.net/bugs/806788 | 11:30 |
uvirtbot | rbasak: setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506) | 11:30 |
Blazemore|Work | Psi-Jack: Do you know anything about nslcd? lat connects fine with the same server details | 11:31 |
anotheruser | so basically, If i want to be safe, I shouldn't use any package from universe? | 11:31 |
patdk-lap | anotheruser, or track security issues yourself | 11:31 |
Psi-Jack | Blazemore|Work: Yes, my entire home infrastructure, comprised of 7 physical machines and 16 virtualized servers. | 11:31 |
Psi-Jack | All KerberosV5+OpenLDAP managed for authentication shared credentials. | 11:32 |
Blazemore|Work | Why would syslog be saying http://pastebin.com/VVkHx6AG | 11:32 |
Psi-Jack | Because it can't connect to the LDAP server. | 11:32 |
Psi-Jack | Now, are you going to run around in circles aimless, or you going to actually answer the asked question leading towards actually helping you? | 11:33 |
Blazemore|Work | Sorry, I missed that. I am using anonymous auth because we just need to test our password policy config | 11:33 |
Psi-Jack | Worst idea ever. :) | 11:34 |
Blazemore|Work | We're going to need to test other things on it too | 11:34 |
Psi-Jack | To expose full passwords, anonymously, is the worst policy you can ever do. :) | 11:34 |
Blazemore|Work | They're not real passwords | 11:34 |
Blazemore|Work | Like I said, it's a test environment running on a single machine | 11:34 |
Psi-Jack | Well, please pastebin the relevant lines in your nslcd.conf: egrep -v '^[#|\w].*' /etc/nslcd.conf | 11:37 |
Psi-Jack | Err, egrep -v '^.*' | 11:37 |
Psi-Jack | Bah.. | 11:37 |
Psi-Jack | Err, egrep -v '^#.*' | 11:37 |
Psi-Jack | Skipping commented lines. :) | 11:37 |
anotheruser | pffffff... how to know if my server is compromised or not... | 11:38 |
greppy | anotheruser: what makes you think it is? | 11:38 |
anotheruser | "POST /phpmyadmin/index.php?session_to_unset=123&token=bc45df26a9d74ac15a05241fbc88473c&_SESSION[!bla]=%7Cxxx%7 | 11:38 |
anotheruser | Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A42%3A%22%2Ftmp%2Fsess%5Fqpeaqpscd4pl0in2ifq43duskcr47hmv%22%3B%7D%7D&_SES | 11:38 |
anotheruser | SION[payload]=%3C%3Fphp%20eval%28base64%5Fdecode%28%22ZWNobyAic3Q0cjciLnBocF91bmFtZSgpLiI3aDMzbmQiOw%3D%3D%22%29%29%3B%20%3F%3E HTTP/1.1" | 11:38 |
anotheruser | any idea what that would do, by chance? '^^ | 11:38 |
standoo | is it worth it to set a dns server on ubuntu or use a 3rd party dns? | 11:38 |
Blazemore|Work | Psi-Jack: http://pastebin.com/XFPJhpBT | 11:38 |
Blazemore|Work | standoo: Depends what you need to do | 11:38 |
Psi-Jack | standoo: Depends. Is it worth it to YOU? | 11:38 |
Psi-Jack | Blazemore|Work: So your base DN is dc=example,dc=net? | 11:39 |
greppy | anotheruser: interesting... not sure :) | 11:39 |
standoo | Blazemore|Work: what do i need to consider? | 11:39 |
anotheruser | the base 64 decode doesn't make sense to me... | 11:39 |
Blazemore|Work | Hmm Psi-Jack I'm not sure. Could I find out with lat? | 11:39 |
Psi-Jack | Blazemore|Work: Dude. I don't even know what the heck "lat" is. | 11:39 |
Psi-Jack | LOL | 11:40 |
Blazemore|Work | OhhhhH! One second! | 11:40 |
Psi-Jack | I use openLDAP, and openLDAP tools. | 11:40 |
Blazemore|Work | Psi-Jack: it's a graphical tool for managing LDAP | 11:40 |
Blazemore|Work | We're on Oracle OpenDS | 11:40 |
Psi-Jack | Ahhhh.. | 11:40 |
Psi-Jack | So, not actually OpenLDAP. | 11:40 |
Psi-Jack | I use Apache Directory Studio for my LDAP GUI interface. Eclipse-based. Very sexy. :) | 11:41 |
Blazemore|Work | Psi-Jack: It was actually com, not net, but the error is the same after changing it and doing service nslcd restart | 11:41 |
Blazemore|Work | Makes me think "Server is unavailable" is a generic sort of error message | 11:42 |
Psi-Jack | OKay, So, now that you've corrected the issue of OpenLDAP vs OpenDS.. Are you running OpenDS using OpenJDK, or Oracle JDK? | 11:42 |
Blazemore|Work | Oracle JDK | 11:42 |
Psi-Jack | Good. Won't work at all (with SSL) with openjdk. | 11:42 |
Blazemore|Work | java version "1.6.0_33" | 11:43 |
Psi-Jack | tls_cacertfile /path/to/ca/cert | 11:43 |
Psi-Jack | Add that to your nslcd.conf | 11:43 |
Blazemore|Work | sp? | 11:43 |
Blazemore|Work | cacertfile correct? | 11:43 |
Psi-Jack | Use the full path to your CAcert | 11:43 |
Blazemore|Work | OK | 11:43 |
anotheruser | "POST /phpmyadmin/index.php?session_to_unset=123&token=bc45df26a9d74ac15a05241fbc88473c&_SESSION[!bla]=|xxx%7 | 11:44 |
anotheruser | Ca:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:42:"/tmp/sess_qpeaqpscd4pl0in2ifq43duskcr47hmv";}}&_SES | 11:44 |
anotheruser | SION[payload]=<?php eval(base64_decode("ZWNobyAic3Q0cjciLnBocF91bmFtZSgpLiI3aDMzbmQiOw==")); ?> HTTP/1.1" | 11:44 |
anotheruser | it's scary. | 11:44 |
Psi-Jack | anotheruser: STOP. | 11:44 |
anotheruser | ... | 11:45 |
Blazemore|Work | /ignore anotheruser | 11:45 |
Blazemore|Work | Psi-Jack: I've done that, same error. var/syslog is mentioning <group/member="root"> do you know how I can check that's correct? | 11:45 |
anotheruser | I thought the ubuntu community was supposed to be helpful | 11:45 |
Psi-Jack | Blazemore|Work: Eh? | 11:46 |
Blazemore|Work | The error message from syslog (follows) | 11:46 |
Blazemore|Work | nslcd[10917]: [8b4567] <group/member="root"> failed to bind to LDAP server ldaps://127.0.0.1:1636: Can't contact LDAP server: No such file or directory | 11:47 |
Blazemore|Work | "No such file or directory" is new | 11:47 |
Psi-Jack | Blazemore|Work: Do you have TLS enabled on the DS? | 11:48 |
Blazemore|Work | No | 11:48 |
anotheruser | So from what i gather, the payload in this attack was just to display the version of PHP. What would you do if you were in my situation? upgrade phpmyadmin, and hope that nothing else is compromised? Are there standard ways to check the security of the server? | 11:48 |
Blazemore|Work | Just... idk "normal" SSL? | 11:48 |
Psi-Jack | anotheruser: I would stop exposing phpmyadmin to the world. | 11:49 |
Psi-Jack | Period. | 11:49 |
Psi-Jack | That's just common sense. | 11:49 |
Psi-Jack | Blazemore|Work: Does nslcd work without the tls_reqcert and ldap:// uri? | 11:49 |
Blazemore|Work | I had to do some funky hoop-jumping to turn our .crt and .key files into a .jks that DS can understand | 11:49 |
anotheruser | well, i upgraded, and changed the alias, that should be enough for that. What i worry more about is how to know if the hacker did something to take control of the server already or not... and how to know it... | 11:50 |
Blazemore|Work | Let me try | 11:50 |
Psi-Jack | anotheruser: Did you have aide installed and keeping track? Have you been keeping consistent backups? | 11:50 |
anotheruser | I have backups of databases websites etc., but not of the whole hard drive... | 11:51 |
Psi-Jack | Then you'll never know. | 11:51 |
anotheruser | i didn't know about aide | 11:52 |
anotheruser | you recommend to use it? | 11:52 |
Blazemore|Work | The config file can only be read by root, is that relevant? | 11:52 |
rbasak | There is debsums, but that's not really for security verification, and running it offline might be a bit tricky | 11:52 |
Blazemore|Work | nslcd: no URIs defined in config ...fail! | 11:52 |
rbasak | (and for checking a system after a compromise you *must* run any checks offline) | 11:52 |
Blazemore|Work | That's what happens Psi-Jack if I comment out the url and tls_reqcert | 11:52 |
Psi-Jack | anotheruser: It's like tripwire, intended to watch over important stuff, and keep track of them, so if they change, you can see it. | 11:52 |
anotheruser | I see | 11:52 |
Psi-Jack | Blazemore|Work: Yeah, no shit. Don't comment out the uri, change it to ldap:// non ldaps:// | 11:53 |
Blazemore|Work | OK | 11:53 |
Psi-Jack | LOL | 11:53 |
Blazemore|Work | I'll have to comment out ssl enable as well | 11:53 |
Blazemore|Work | No still hangs on getent passwd without SSL | 11:54 |
Psi-Jack | anotheruser: As-is, phpmyadmin isn't running as root, or at least it better not be. So whatever exploit they did to phpmyadmin was isolated to just anything owned by www-data user/group. | 11:54 |
Psi-Jack | Welp, dunno then, Blazemore|Work. | 11:54 |
anotheruser | hmm, i might be able to check all of that against backups | 11:55 |
Psi-Jack | The little time I dealt with OracleDS, it was okay, but java-based pissed me off to no end, so I went back to my trusty OpenLDAP. | 11:55 |
Blazemore|Work | OK well thanks anyway Psi-Jack | 11:55 |
Blazemore|Work | Appreciated | 11:55 |
Psi-Jack | And like I said, I do OpenLDAP with KerberosV5 auth-bind. So I use it rather extensively. :) | 11:55 |
Psi-Jack | PITA to setup all that, but once it's in place, it's very sexy. :) | 11:56 |
anotheruser | ok, i think i understand better the attack now... It seems it used the phpmyadmin attack to search for another vulnerability, but thankfully my server was resistant to that, so I should be ok. | 12:07 |
anotheruser | I will install aide as you suggested | 12:08 |
anotheruser | but now i wonder, is it reasonable to just remove universe from my apt settings? so that i at least know when i want something that isn't officially supported... | 12:08 |
anotheruser | yeah it tried to read in /var/lib/php5, which was not readable by www-data | 12:10 |
Psi-Jack | Like I said. | 12:12 |
Psi-Jack | Don't expose phpMyAdmin to the world. | 12:12 |
Psi-Jack | That's just ignorant and stupid. | 12:12 |
anotheruser | i naively (ignorantly, if you want) thought that ubuntu kept it up to date | 12:12 |
anotheruser | now i realize my mistake | 12:12 |
Psi-Jack | That doesn't even matter! | 12:13 |
Psi-Jack | You should NEVER expose things like that to the public! | 12:13 |
anotheruser | ok ok, i agree with you on the principle | 12:13 |
anotheruser | but the truth is that it's just the same to expose phpmyadmin as exposing say a well known CMS | 12:13 |
anotheruser | a vulnerability will allow to run php on your server just the same | 12:13 |
anotheruser | ok, it's a bit worse for phpmyadmin if he can then access the databases | 12:14 |
Psi-Jack | Ya think? | 12:14 |
anotheruser | but it would probably be possible anyway, from when you can run php | 12:14 |
patdk-wk | Psi-Jack, well, if you have that option :) | 12:14 |
anotheruser | and yes, there is the problem that if your customer want a phpmyadmin, you can't always forbid it | 12:15 |
anotheruser | I thought it would be better to use the ubuntu included one, rather than have people install it manually and not keep it up to date | 12:16 |
anotheruser | but that was my mistake... | 12:16 |
anotheruser | so... -installing aide - hiding phpmyadmin - other suggestions to improve security? | 12:18 |
patdk-wk | mod_security? | 12:18 |
patdk-wk | some good extra rewrite rules to restrict bad things | 12:18 |
anotheruser | i'm afraid to use too restrictive filter that would prevent legitimate php apps to work normally | 12:20 |
patdk-wk | heh? | 12:21 |
anotheruser | well | 12:21 |
anotheruser | maybe i'm not up-to-date on what this mod_security is exactly | 12:21 |
anotheruser | in my mind it was something that checked url, and if detecting attacks, blocked it | 12:21 |
patdk-wk | yep | 12:21 |
anotheruser | like if there is "<script>" it won't be happy etc. | 12:21 |
patdk-wk | maybe you should learn how your php apps actually work then | 12:22 |
patdk-wk | normally when something says, filename=<script> that is bad | 12:22 |
anotheruser | but i don't control all the php applications on my server | 12:22 |
anotheruser | so i'm a bit afraid to use that | 12:22 |
patdk-wk | don't control? | 12:22 |
patdk-wk | is it your server? | 12:23 |
anotheruser | it is my server, and other people host applications on it | 12:23 |
patdk-wk | then you are liable for ANYTHING that server does, whoever it attacks, ... | 12:23 |
patdk-wk | doesn't matter who hosts stuff on it | 12:23 |
patdk-wk | yes, someone rooting your server is annoying | 12:24 |
patdk-wk | but then your server attacking the government, well, that gets you in trouble | 12:24 |
anotheruser | that's not entirely true, legally | 12:24 |
anotheruser | well, maybe it depends on the country law, but in my country i'm pretty sure it's not | 12:24 |
anotheruser | a hosting company isn't responsible legally for the content its user upload | 12:25 |
anotheruser | (though it can be asked to block/remove it) | 12:25 |
Psi-Jack | anotheruser: Actually it is entirely true. | 12:25 |
Psi-Jack | I mean, just look at what happened to that torrent site, demonoid. It wasn't illegal, technically, to do what they were doing, however, the Ukraine Ambassador went to the US Ambassador, and were convinced to do a full all-out assault on the site and then take down everyone running it. | 12:27 |
jdstrand | anotheruser: apparmor would be another way to help: http://wiki.apparmor.net/index.php/Mod_apparmor_example | 12:28 |
anotheruser | ok, thanks, i'll look into it | 12:29 |
anotheruser | and thanks for the other suggestions and all the help | 12:29 |
zul | smb: ping | 12:56 |
anotheruser | Psi-Jack, do you know if apt-get install aide is enough to have a working installation of aide? I mean, is the default configuration by ubuntu enough for basic use? or do I need to manually configure it... | 13:03 |
Psi-Jack | Of course now, you actually have to configure it, d'uh./ | 13:05 |
Psi-Jack | not* | 13:05 |
Psi-Jack | NEVER just default use anything, especially on a server. Don't be ignorant, use common sense. | 13:06 |
Guest81255 | anotheruser: It has no default configuration. | 13:06 |
anotheruser | ok, thanks | 13:06 |
Pici | never is pretty strong. Just be smart about what defaults you choose. | 13:06 |
=== Guest81255 is now known as jpds | ||
floogy | Hi I got an issue to upgrade from oneiric to precise with zentyal installed. slab returns an error and leaves zentyal-core unconfigured. Therefore 20 packages are leaving in an inconsistent state. Ooops now slabd returned only error code 1 and some packages could be configured, but 6 packages are left unconfigured due to that error. | 13:45 |
=== n0ts_off is now known as n0ts | ||
floogy | dpkg --configure slapd Loading the LDIF dump failed, slapadd: line 1: database #1 (dc=mydom,dc=local) not configured to hold "dc=nodomain"; did you mean to use database #2 (dc=nodomain)? | 13:47 |
floogy | *slabadd | 13:47 |
floogy | The first error was related to this https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1003854 | 13:49 |
uvirtbot | Launchpad bug 1003854 in openldap "Database upgrade/migration fails with nested db directories (lucid to precise)" [Medium,Confirmed] | 13:49 |
floogy | Now it seems to be something like this: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/979833 | 13:51 |
uvirtbot | Launchpad bug 979833 in openldap "package slapd 2.4.28-1.1ubuntu4 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1" [Low,Expired] | 13:51 |
floogy | But I don't know how, and where to remove that dc=nodomain example | 13:53 |
=== cyphermox_ is now known as cyphermox | ||
metap0d | Hi everyone, I installed Ubuntu Server 12.04.1 (64bit) on a spare machine yesterday. I have given it a static IP but can't reference it by the hostname. On Windows when I ping by the hostname there is something like a 10% chance it actually works ... most of the time resulting in a failure. We have a DNS server which I added the IP/Hostname combo of the server to. (I reference the DNS Server in /etc/networking/interfaces). Do | 14:04 |
rbasak | metap0d: sounds like your problem is on your DNS server rather than the server you've just installed. You can check with nslookup on windows | 14:10 |
=== n0ts is now known as n0ts_off | ||
metap0d | rbasak: I got DNS request timed out. timeout was 2 seconds. Default Server: UnKnown Address: 192.168.5.26 | 14:15 |
metap0d | rbasak: 192.168.5.26 is the DNS server | 14:15 |
Daviey | roaksoax: hey, was http://iso.qa.ubuntu.com/qatracker/milestones/230/builds/21387/testcases/1288/results done? | 14:39 |
Daviey | i thought you were doing that last night? | 14:39 |
roaksoax | Daviey: that test does not apply to precise | 14:39 |
roaksoax | Daviey: it only applies to quantal maas | 14:40 |
Daviey | roaksoax: ahh, yes | 14:40 |
hallyn | zul: i'm leaving 967435 to you until you say otherwise? | 14:42 |
zul | hallyn: thanks :) | 14:43 |
zul | hallyn: do we want 0.10.0 in quantal? it will make things easier in the long run | 14:43 |
Daviey | roaksoax: hey.. the test case it links to was last edited Install/ServerMAAServer (last edited 2012-03-28 20:59:15 by matsubara) | 14:44 |
Daviey | roaksoax: so why is this not Precise suitable ? | 14:44 |
roaksoax | Daviey: that tests covers " This will test that the MAAS server offers an option to periodically update cloud images." | 14:45 |
roaksoax | and "This will test that the MAAS server offers an option to cache archives locally." | 14:45 |
roaksoax | which are not under Settings | 14:45 |
roaksoax | in precise | 14:45 |
Daviey | roaksoax: i don't follow. | 14:46 |
Daviey | roaksoax: should it not update to the 12.04.1 images? | 14:46 |
arm4ndina | Hi, I have an Apache server for which I have set up HTTPS (GnuTLS). When I load a page, sometimes the browser some css/js files or only load some of them... any idea how to solve/diagnose this ? | 14:47 |
roaksoax | Daviey: those are cronjobs | 14:47 |
roaksoax | Daviey: look at the STEPS: | 14:48 |
roaksoax | Daviey: http://testcases.qa.ubuntu.com/Install/ServerMAAServer | 14:48 |
Daviey | roaksoax: So.. this test should be valid for post 12.04.1 images, when the peer images are released, right? | 14:49 |
hallyn | zul: I'm fine with it, but is it too late? (FF) | 14:49 |
Daviey | As in, cannot be tested until after release? | 14:49 |
hallyn | zul: it has the reboot support? | 14:49 |
=== n0ts_off is now known as n0ts | ||
roaksoax | Daviey: those tests are valid for post-precise MAAS releases | 14:50 |
zul | hallyn: supposedly im looking at the commit right now...it will easier to backport fixes if we need to as well | 14:50 |
hallyn | zul: sounds good | 14:51 |
zul | smoser: what do you think? | 14:51 |
Daviey | roaksoax: post 12.04 or post 12.04.1? | 14:51 |
roaksoax | Daviey: both | 14:51 |
roaksoax | Daviey: there are no MAAS releases backported/SRU'd to precise | 14:52 |
Daviey | roaksoax: hmm, ok. I don't quite follow, but you seem quite sure :) | 14:57 |
roaksoax | Daviey: basically, there's MAAS settings not released in precise, and that test is asking to test those settings | 14:59 |
roaksoax | Daviey: and furthermore, I'm not even sure if they work | 14:59 |
roaksoax | s/if/that | 14:59 |
Daviey | heh | 15:02 |
smoser | whats the question? | 15:03 |
capitaninsaneoh | I'm trying to host a webserver that requires SSL on a firewall I have and I've got a few questions about IP's. Do I have to give my server 2 IP's? My firewall uses SAT so I would have to have one address that is internal and one that is publicly available right? Do I just create a sub interface or should I use another nic? | 15:26 |
metap0d | Hi everyone, I installed Ubuntu Server 12.04.1 (64bit) on a spare machine yesterday. I have given it a static IP but can't reference it by the hostname. On Windows when I ping by the hostname there is something like a 10% chance it actually works ... most of the time resulting in a failure. We have a DNS se | 15:28 |
=== n0ts is now known as n0ts_off | ||
capitaninsaneoh | metap0d, did you put an A record in your DNS server? | 15:29 |
rbasak | metap0d: it still sounds like a problem on your DNS server. Is your DNS server running Ubuntu? That's what you need to focus on. | 15:30 |
metap0d | capitaninsaneoh: I won't lie in saying I don't know much about this, the DNS server is a Microsoft Server 2008 machine. I added a DNS entry of type Host (A) with the name of the Ubuntu Server and Data as the IP Address | 15:32 |
metap0d | rbasak: It's running Microsoft Server 2008 | 15:32 |
capitaninsaneoh | metap0d, make sure you (your client) is pointed at that DNS server. Run nslookup and dig for that record | 15:33 |
rbasak | metap0d: ok, so if the problem is that your windows machine can't look up the IP address of your ubuntu server using your windows DNS server, then Ubuntu has nothing to do with your problem. | 15:33 |
rbasak | metap0d: you can isolate this with nslookup on your windows machine | 15:33 |
metap0d | What would I be looking for with nslookup? ;o | 15:34 |
rbasak | metap0d: a common misconfiguration I've seen in the field in the windows world is that multiple DNS servers are configured on client machines, some pointing to active directory, and some pointing to an ISP directly. | 15:34 |
rbasak | metap0d: sorry, I can't remember how to operate windows nslookup. You're in the wrong place for this kind of question! | 15:34 |
capitaninsaneoh | Anyone good with NAT/SAT on Apache | 15:35 |
metap0d | rbasak: I'll ask just one more since I'm off topic, what did you want me to run the nslookup on, the DNS server? | 15:35 |
capitaninsaneoh | I'm not sure if I need two nics or just one | 15:35 |
rbasak | No, on your windows machine where your ping doesn't work from | 15:35 |
capitaninsaneoh | metap0d, on the client (your desktop) | 15:35 |
metap0d | no i mean i know to run nslookup on my machine ... but to what IP? | 15:36 |
capitaninsaneoh | metap0d, do ipconfig /flushdns | 15:36 |
=== railsraider_ is now known as railsraider | ||
capitaninsaneoh | Then test for that machine | 15:39 |
metap0d | capitaninsaneoh: Sorry to test your patience, but I flushed the DNS and am ready to run the nslookup ... but it asks for an IP/Hostname. I ran nslookup SK-Server on my client but it finds Server: UnKnown Address: 192.168.5.26 *** UnKnown can't find SK-SERVER: Non-existent domain | 15:42 |
arosales | utlemming: looks like cloud images test ok for 12.04.1 | 15:43 |
utlemming | arosales: yes, other than some invalid test cases in the tracker things look good | 15:44 |
arosales | utlemming: thanks for testing that. | 15:44 |
arosales | utlemming: to confirm I have your ack on signing off on the cloud images for https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest/12.04.1 | 15:44 |
=== n0ts_off is now known as n0ts | ||
capitaninsaneoh | Anyone good with NAT/SAT wirewalling and multiple IPs on Apache | 15:49 |
ikonia | what ? | 15:49 |
capitaninsaneoh | Anyone good with NAT/SAT firewalling issues and multiple IPs on Apache | 15:51 |
capitaninsaneoh | firewalling... sorry | 15:52 |
ikonia | why don't you just state the problem....... | 15:52 |
capitaninsaneoh | I'm trying to host a webserver that requires SSL on a firewall I have and I've got a few questions about IP's. Do I have to give my server 2 IP's? My firewall uses SAT so I would have to have one address that is internal and one that is publicly available right? Do I just create a sub interface or should I use another nic? | 15:52 |
capitaninsaneoh | There it is =) | 15:52 |
ikonia | you are doing the address translation on the firewall / | 15:53 |
ikonia | ? | 15:53 |
* patdk-wk is more confused | 15:53 | |
patdk-wk | are the webserver and firewall the *same* computer? | 15:53 |
ikonia | yeah the "on a firewall" wording isn't helpful | 15:54 |
capitaninsaneoh | patdk-wk, no i have a sep hardware firewall | 15:54 |
ikonia | capitaninsaneoh: are you installing this on ubuntu yes/no | 15:55 |
capitaninsaneoh | ikonia, Yes my server is on Ubuntu server | 15:55 |
ikonia | capitaninsaneoh: right, so you are not installing "on a firewall" | 15:55 |
ikonia | you are installing on a server that sits behind a firewall, yes/no ? | 15:55 |
capitaninsaneoh | ikonia, Yes behind a hardware firewall | 15:55 |
ikonia | capitaninsaneoh: the firewall is doing the IP address translation yes/no | 15:56 |
capitaninsaneoh | that is what NAT/SAT means | 15:56 |
ikonia | no it doesn't | 15:56 |
capitaninsaneoh | In this case it does | 15:56 |
capitaninsaneoh | I have a hardware firewall | 15:56 |
ikonia | tell you what, sort it yourself | 15:56 |
capitaninsaneoh | not using Iptables | 15:56 |
ikonia | if you can't be bothered to answer questions I'm going out of my way to be clear on, sort it yourself | 15:56 |
capitaninsaneoh | I'm answering them | 15:56 |
ikonia | argue your poor wording with someone else. | 15:57 |
capitaninsaneoh | I'm just trying to be clear | 15:57 |
capitaninsaneoh | ikonia, go not help someone else | 15:57 |
ikonia | understood, | 15:57 |
capitaninsaneoh | =) | 15:57 |
=== n0ts is now known as n0ts_off | ||
jdstrand | zul: one last question on the cinder mir | 16:09 |
jdstrand | zul: hi btw :) | 16:09 |
josePhoenix | I think automatic upgrades got me in a pickle | 16:24 |
josePhoenix | It started installing a new kernel version but couldn't because /boot was full | 16:25 |
josePhoenix | Now I can't remove old kernel packages because it says there are uninstalled dependencies | 16:25 |
anotheruser | josePhoenix, when apt is broken you can try to remove manually things with dpkg... but caution with that, or you'll have a totally unusable system :) | 16:34 |
josePhoenix | if I'm running a 3.0 series kernel... I can safely remove the 2.6 packages, right? | 16:34 |
anotheruser | removing with apt is safe yeah (if it works) | 16:35 |
josePhoenix | Well, apt won't work.. it hits me with the "the following packages have unmet dependencies" when I try to do apt-get remove linux-image-2.6.38-11-server | 16:36 |
anotheruser | what package, if i may ask? | 16:36 |
anotheruser | or several? | 16:36 |
anotheruser | there is also the apt-get with the -f option to try to fix broken installations | 16:37 |
anotheruser | sometimes that works | 16:37 |
genii-around | josePhoenix: If you have another partition/disk with more room, you can make a boot directory there, copy the current contents over to it, then bind-mount it long enough to uninstall stuff. Then you can un-mount it, mv the dir back to original spot overwriting whats there. | 16:38 |
anotheruser | and only if nothing else works, you can try with dpkg directly, as i said (dpkg --remove or something), which always works, but can break things further if you're not careful | 16:39 |
=== dendrobates is now known as dendro-afk | ||
josePhoenix | anotheruser, genii-around: here's what I have tried (apt-get -f install and apt-get remove) http://dpaste.org/U1vk9/ | 16:40 |
=== dendro-afk is now known as dendrobates | ||
zul | jdstrand: ping for the /usr/share/cinder/rootwrap it looks like an optional directory for other distros its empty for us | 16:41 |
anotheruser | josePhoenix, I would start by removing the newly installed packages that weren't fully installed | 16:41 |
anotheruser | then remove older kernels with apt | 16:41 |
anotheruser | then install again the new one | 16:41 |
anotheruser | all of this should normally be possible with apt | 16:41 |
genii-around | josePhoenix: I'm not suggesting any arcane apt or dpkg commands. Merely to fix: "<josePhoenix> It started installing a new kernel version but couldn't because /boot was full" by temporarily giving the /boot directory more room on another drive or partition | 16:42 |
anotheruser | josePhoenix, hmm actually the package that has problem is linux-image-server which you need obviously, so my solution isn't exactly correct i guess | 16:43 |
anotheruser | or is it possible to remove it without removing anything else? i'm not sure in truth, i don't use the server packages '^^ | 16:44 |
josePhoenix | genii-around: that sounds like the easiest solution actually, I just don't remember how to bind mount stuff (haven't done it since I did a Gentoo install about five years ago xD) | 16:45 |
anotheruser | if you can, just apt-get remove linux-image-server, then removing old kernels, then installing linux-image-server would fix it... but that only works if removing linux-image-server breaks nothing :-) | 16:45 |
anotheruser | i have no idea if other packages depend on linux-image-server | 16:47 |
josePhoenix | Okay, well I must go for now.. but back to this shortly | 16:49 |
genii-around | eg: If you have room on sdb1 which is mounted say at /mnt .. sudo mkdir /mnt/boot && sudo cp -arv /boot/* /mnt/boot && sudo mount --bind /mnt/boot /boot ... then in here you do the apt-get stuff that was previously failing due to no space on /boot ... then sudo sync && sudo umount /boot && sudo mv /mnt/boot /boot | 16:51 |
anotheruser | it seems nothing depends on linux-image-server, so my solution probably works | 16:52 |
ubuntu_12 | hello, i have a question about a black screen issue on an 12.04 64 bit install | 16:57 |
ubuntu_12 | i have tried the nomodeset fix but it does not seem to help | 16:57 |
=== mcclurmc is now known as mcclurmc_away | ||
=== n0ts_off is now known as n0ts | ||
=== n0ts is now known as n0ts_off | ||
=== nrd is now known as nerdux | ||
=== lordievader_ is now known as lordievader | ||
poningru | hey guys how long is the lts releases supported for the server os? | 18:45 |
andol | poningru: Five years, and as of 12.04 that goes for the Desktop too. | 18:46 |
andol | ...and that last part is good news even server side, sparing you from having to concern yourself with whether a package is a server package or not. | 18:47 |
poningru | indeed | 18:47 |
poningru | we are just now switching to 12.04 | 18:47 |
poningru | thanks andol | 18:50 |
andol | np | 18:50 |
arrrghhh | hey all. anyone know how logrotate works? i don't see a cron job for my user or root, but i assume logrotate runs on a regular basis? | 18:53 |
andol | arrrghhh: No /etc/cron.daily/logrotate file? | 18:54 |
geekbri | That is indeed where it lives. | 18:54 |
arrrghhh | ah i didn't think about looking there. | 18:54 |
arrrghhh | i was always looking at crontab, thanks. | 18:54 |
arrrghhh | so i'd guess that means it runs daily? :P at midnight? | 18:55 |
geekbri | Mine runs at 0625 | 18:58 |
geekbri | if you look in /etc/crontab you can verify when your cron.daily runs | 18:59 |
arrrghhh | 0625 | 19:02 |
arrrghhh | thx :) | 19:02 |
=== arrrghhh is now known as Arrrghhh | ||
=== Arrrghhh is now known as arrrghhh | ||
josePhoenix | Hello all | 19:23 |
josePhoenix | I'm trying to work around a full /boot and borked apt-get install | 19:23 |
anotheruser | josePhoenix, have you tried my solution | 19:25 |
=== railsraider_ is now known as railsraider | ||
=== jibel__ is now known as jibel | ||
=== cpg|away is now known as cpg | ||
josePhoenix | anotheruser: I actually did get the bind mount thing to work | 20:43 |
anotheruser | ok, good then | 20:43 |
josePhoenix | Can't reboot the server though :| | 20:44 |
anotheruser | (though i think it was a lot of work for something much easier to solve :p) | 20:44 |
anotheruser | hem | 20:44 |
anotheruser | so you mounted to another boot, which was a copy of your old boot, installed the kernel, removed old kernels, copied the new boot to the old boot, and tried to reboot | 20:44 |
anotheruser | correct? | 20:44 |
josePhoenix | well, I know how mount, cp -a, and rm work... and I can't claim the same familiarity with dpkg and apt | 20:44 |
josePhoenix | I mean, it might be fine. I just can't reboot it until I have access to a windows machine, because my IT department is stupid | 20:45 |
anotheruser | oh, ok | 20:45 |
anotheruser | misunderstood :) | 20:45 |
josePhoenix | The VMWare console program only works on windows.. remarkable shortsightedness, don't you think? | 20:46 |
josePhoenix | Well, we won't know if anything works until tomorrow evening at the earliest :D Gotta move across the country | 20:47 |
=== cpg is now known as cpg|away | ||
=== cpg|away is now known as cpg | ||
=== cpg is now known as cpg|away | ||
=== cpg|away is now known as cpg | ||
=== zyga_ is now known as zyga | ||
=== Ursinha` is now known as Ursinha | ||
=== dendrobates is now known as dendro-afk | ||
dan64 | I have a user on my system named "nobody" created by a server I am using to serve cgi scripts. I would like to be able to use nice in the cgi scripts, so I added the following to /etc/security/limits.conf: "nobody - nice -20". It works when I also add the same line for another user (myself), but it doesn't work in isolation. Any ideas? | 23:29 |
SpamapS | dan64: those limits are not applied to services | 23:42 |
SpamapS | dan64: that's a pam-session thing | 23:42 |
=== cpg is now known as cpg|away | ||
=== dendro-afk is now known as dendrobates | ||
dan64 | I am launching the cgi-server manually. It's not starting as a service. Something I just noticed is that I can nice a process as nobody with just my username in limits.conf, and not nobody. | 23:58 |