| === n0ts_off is now known as n0ts | ||
| === cpg|away is now known as cpg | ||
| === n0ts is now known as n0ts_off | ||
| === n0ts_off is now known as n0ts | ||
| cluelessperson | I seriously don't understand what the fuck is happening | 01:18 |
|---|---|---|
| cluelessperson | Everything is fail for me know | 01:18 |
| cluelessperson | what the fuck is "public login: mountall: Disconnected from Plymouth" ? | 01:19 |
| IdleOne | Please stop cursing | 01:19 |
| cluelessperson | IdleOne: I'm getting extremely frustrated. | 01:21 |
| cluelessperson | IdleOne: I cannot get a fraking stable configuration in place, because seemingly, every day, there's an undate that breaks something. | 01:21 |
| cluelessperson | IdleOne: and by something, I mean everything | 01:21 |
| IdleOne | I feel for you and wish I knew how to help you but getting upset and swearing is not going to help you get help. | 01:24 |
| IdleOne | I know that saying everything is broken is not enough detail to start trying to help. | 01:25 |
| cluelessperson | IdleOne: I cannot shutdown my vm because ubuntu put out a flawed update, I'm getting a "public login: mountall: Disconnected from Plymouth" when the server (FRESH install) boots up | 01:26 |
| cluelessperson | IdleOne: and apache is not responding on port 80. | 01:26 |
| patdk-lap | and the logs say? | 01:28 |
| qman__ | does sudo netstat -lanp | grep apache return anything? | 01:29 |
| cluelessperson | patdk-lap: qman__ I'll respond to your questions in a moment, I appreciate your taking interest | 01:30 |
| === n0ts is now known as n0ts_off | ||
| qman__ | I don't know anything about Subsonic, and I don't have experience using apache's proxyforward, but I know a thing or two about apache and networking in general | 01:31 |
| qman__ | so hopefully I can at least get you that far | 01:31 |
| cluelessperson | qman__: I don't think that's broken. Actually, I think it's virtualbox that may be breaking things. However the "public login: mountall: Disconnected from Plymouth" and the screwed up shutdown are known bugs now | 01:32 |
| cluelessperson | You know what? | 01:34 |
| qman__ | well, one other point to verify | 01:34 |
| qman__ | bad downloads can really ruin your day | 01:35 |
| qman__ | they do happen, even with good internet connections, and they have happened to me | 01:35 |
| qman__ | and that is _never_ fun | 01:35 |
| cluelessperson | qman__: like, bad ubuntu iso? | 01:35 |
| qman__ | bad iso, or bad debs from the net | 01:35 |
| cluelessperson | qman__: I'm installing very few things. lamp, openssh, subsonic, virtualbox guest additions | 01:36 |
| qman__ | check the md5sum/sha1sum/whatever to make sure your iso is good, and then I'd check key packages like apache | 01:36 |
| cluelessperson | okay | 01:36 |
| qman__ | every package downloaded will be in /var/cache/apt/archive | 01:36 |
| cluelessperson | qman__: The apache thing happened after a restart | 01:36 |
| qman__ | I try not to reboot | 01:38 |
| qman__ | upstart had ruined my day on more than one occasion, too | 01:39 |
| patdk-lap | packages should be ok, they are signed | 01:40 |
| patdk-lap | and the signature wouldn't be valid | 01:40 |
| qman__ | should be, but it has happened to me before | 01:41 |
| patdk-lap | sounds like bad disk then | 01:41 |
| qman__ | I think it displays on screen when a signature isn't valid, but a lot of times that gets blown by with all the other feedback and you miss it | 01:41 |
| patdk-lap | mine always bombs out on bad sig | 01:42 |
| * patdk-lap likely would place the blame on virtualbox, it's known to have issues | 01:42 | |
| patdk-lap | one of the reasons I don't use it | 01:43 |
| qman__ | given the alternatives, virtualbox isn't half bad | 01:43 |
| qman__ | but it does have some issues | 01:43 |
| patdk-lap | alternatives? I'm happy with vmware | 01:43 |
| qman__ | virtual PC is really lacking in options, and last I checked, vmware workstation was expensive | 01:44 |
| cluelessperson | virtualbox lacks obvious features like start on boot or login, or graceful shutdown with host, dear god | 01:44 |
| qman__ | well, that's not what it's for | 01:44 |
| qman__ | virtualbox is for user-centric virtualization on a desktop | 01:45 |
| patdk-lap | yep, and this is the server channel | 01:45 |
| qman__ | if you want features like that you need to use a software designed to do it | 01:45 |
| qman__ | like KVM, or ESXi | 01:45 |
| qman__ | or Xen | 01:46 |
| patdk-lap | depending on the scale you need, lxc :) | 01:46 |
| patdk-lap | openvz, ... | 01:46 |
| cluelessperson | qman__: What do you suggest for a small server? | 01:46 |
| qman__ | what's your hardware like, and what sum total are you virtualizing? | 01:47 |
| patdk-lap | what is the small server? is it inside this vm? or is it what is running these vm's? | 01:47 |
| patdk-lap | almost sounds like you want to run a small server vm on a desktop machine | 01:48 |
| qman__ | if you're doing that, and you have a linux desktop, you could use KVM | 01:48 |
| sarnold | kvm++ | 01:48 |
| qman__ | it'll play nice when you're using the host as a desktop | 01:48 |
| qman__ | Xen and ESXi won't do that, they're for dedicated host setups only | 01:49 |
| qman__ | KVM does dedicated host too, but it can work on a user desktop | 01:49 |
| cluelessperson | qman__: patdk-lap This is a Xeon 3.4ghz quad core with 8 threads, 10 MB cache, motherboard automatic overclocking to 3.6. I run Windows Ultimate64 bit | 01:50 |
| qman__ | well, all of the above requires a linux host OS | 01:50 |
| cluelessperson | qman__: patdk-lap I use this for gaming, work, several serving functions. I want the VM for an isolated and modular linux server that handles certain situations | 01:51 |
| patdk-lap | I wouldn't know anythin about running when using a windows os | 01:51 |
| qman__ | I don't know if microsoft still does virtual server, but that could work | 01:51 |
| sarnold | qman__: did they ever update that for the CPU-based virtualization deals or did it stay a paravartualized thing? | 01:52 |
| qman__ | but hyper-v probably squashed that product | 01:52 |
| qman__ | in the windows world, hyper-v is the right thing for this situation, but it's pretty expensive | 01:52 |
| qman__ | virtual server was free | 01:53 |
| qman__ | or, if you can still get vmware server, that'd be a good option | 01:53 |
| qman__ | but that was squased with ESXi | 01:54 |
| qman__ | squashed* | 01:54 |
| === Ursinha is now known as Ursinha-afk | ||
| === Ursinha-afk is now known as Ursinha | ||
| === Ursinha is now known as Ursinha-afk | ||
| cluelessperson | sigh | 03:28 |
| cluelessperson | So right now. Apache2 is not responding on port 80 | 03:29 |
| cluelessperson | qman__: ^ | 03:29 |
| cluelessperson | and I get "psithurisms login: mountall: Disconnected from Plymouth" | 03:30 |
| cluelessperson | apache2 logs and system logs show nothing. | 03:31 |
| qman__ | cluelessperson, that message is benign, you shouldn't see it at your login screen but it doesn't by itself break anything | 03:32 |
| qman__ | does sudo netstat -lanp | grep apache return anything? | 03:33 |
| cluelessperson | qman__: it disables my login on that screen | 03:33 |
| qman__ | cluelessperson, press enter, it should give you a new prompt | 03:33 |
| cluelessperson | qman__: Control Alt F2 | 03:33 |
| cluelessperson | qman__: What's causing it though? -_-; | 03:33 |
| cluelessperson | qman__: alright, but apache2 doesn't work. Not responding on port 80 | 03:34 |
| qman__ | from what I found while searching, it's a symptom of a lot of other problems | 03:34 |
| qman__ | so is it running or isn't it | 03:34 |
| cluelessperson | qman__: apache is running, yes | 03:34 |
| qman__ | ok | 03:34 |
| qman__ | and are there any messages in /var/log/apache2/access.log? | 03:35 |
| qman__ | if there are, check error.log for errors | 03:35 |
| cluelessperson | qman__: None. | 03:35 |
| qman__ | so, what it means is, your requests are not reaching apache for one reason or another | 03:35 |
| qman__ | access.log would contain things regardless if it worked or not | 03:36 |
| cluelessperson | qman__: Which doesn't make sense to me. Because I'm able to to putty in from my host over the forwarded port to the guest localhost:22 | 03:36 |
| escott | qman__, can you telnet to http? is your firewall up? | 03:36 |
| cluelessperson | qman__: and port 80 is forwarded in the exact same way. | 03:36 |
| escott | rather cluelessperson can you telnet to http? is your firewall up? does it respon on localhost? | 03:37 |
| qman__ | on the server, run curl localhost | 03:37 |
| qman__ | you may have to apt-get install curl | 03:37 |
| qman__ | if you get output that looks like a webpage, apache is working, and something else is causing your problem | 03:37 |
| cluelessperson | qman__: 404 not found, which means my directory is off, but I should still see that 404 in browser. but yes, apache's apparently working | 03:40 |
| qman__ | yes | 03:40 |
| qman__ | so that means apache is working | 03:41 |
| qman__ | ubuntu does not have any firewall rules enabled out of the box, you can verify with iptables -L | 03:41 |
| qman__ | so the next step is to find out where the networking issue is | 03:42 |
| qman__ | probably virtualbox, networking has never been its strong suit | 03:42 |
| qman__ | could be your windows firewall too | 03:42 |
| cluelessperson | qman__: Firewalls are disabled. | 03:43 |
| cluelessperson | qman__: The only way I know to test virtualbox right now is to localhost:22 which is allowing my putty through. | 03:44 |
| cluelessperson | http is forwarded the same way, I've double checked my port settings on other possible interfering programs. | 03:44 |
| qman__ | you may have another program on your host OS or a feature of virtualbox using port 80 and preventing the port bind | 03:45 |
| cluelessperson | qman__: Wouldn't netstat show that? | 03:45 |
| qman__ | if you have another app, yes | 03:45 |
| qman__ | if it's virtualbox, maybe | 03:45 |
| cluelessperson | qman__: :/ I haven't upgraded virtualbox. I don't know why it would work one night and not the next. | 03:50 |
| cluelessperson | qman__: I should've reinstalled it already, will now | 03:50 |
| qman__ | reinstalling is not likely to fix this problem | 03:51 |
| qman__ | though depending on how bad it is that might be a good plan anyway | 03:51 |
| cluelessperson | qman__: Reinstall virtualbox I meant? | 03:52 |
| qman__ | oh, ok | 03:52 |
| qman__ | maybe, don't know | 03:52 |
| cluelessperson | qman__: No dice. reinstalling did not work | 04:01 |
| cluelessperson | qman__: At this point, it's a fresh install of Virtualbox, Ubuntu 12.04 | 04:01 |
| cluelessperson | qman__: I've tried closing out and opening other network adapters on the guest. | 04:02 |
| qman__ | cluelessperson, if you're using a NAT networking config, I'd try setting it up as bridged instead and see if it solves the problem | 04:05 |
| cluelessperson | qman__: I was avoiding that, but okay. | 04:05 |
| cluelessperson | qman__: Also, I do not have graceful shutdown with "sudo shutdown now" but I'll worry that later | 04:06 |
| qman__ | cluelessperson, try sudo poweroff | 04:06 |
| cluelessperson | qman__: Upon reboot, Sda1 is not ready or is not present. | 04:07 |
| cluelessperson | qman__: ... I don't understand how switching to bridge mode makes a partition inaccessible | 04:09 |
| cluelessperson | qman__: I think I may be done with virtualbox | 04:09 |
| qman__ | cluelessperson, you can still get VMWare Server, it's unsupported but available: https://my.vmware.com/web/vmware/evalcenter?p=server20&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFoQFjAI&url=https://www.vmware.com/go/getserver&ei=vgBxUN3jIu66yAG9oYCACw&usg=AFQjCNHs4HR7u8yZ9MQgHmR4wAAVNVOUGw | 04:13 |
| qman__ | I think that will be better suited to your purpose | 04:13 |
| cluelessperson | qman__: btw, I feel I owe you money. | 04:17 |
| qman__ | heh | 04:20 |
| cluelessperson | qman__: Sigh. Now I can't install ubuntu on vmware. It's stuck | 05:28 |
| Mammutpanzer | Hello. My name is Mammutpanzer and I plan to administrate a server. Before going onto the real server I want to run a VM to test everything, see if it is possible for me, look if it is fun to me or too much of a desaster. So I installed a VM of Linux Ubuntu Server 12.4. Now I would like to discuss security. Is this the right channel to discuss ubuntu server security? | 05:32 |
| darthanubis | Mammutpanzer,never ask to ask, just ask your questions | 06:04 |
| cluelessperson | clear | 06:15 |
| cluelessperson | So, I've installed VMware Server, and I can't install ubuntu 12.04 because it hangs at the very first menu. | 06:16 |
| darthanubis | and? | 06:18 |
| darthanubis | need more info | 06:19 |
| cluelessperson | darthanubis: sorry | 06:44 |
| cluelessperson | darthanubis: I just installed VMware server, ubuntu install hangs at "install ubuntu server" first menu | 06:44 |
| === n0ts_off is now known as n0ts | ||
| === n0ts is now known as n0ts_off | ||
| Mammutpanzer | Is this the right channel to ask questions about ubuntu and server security or should I go to ubuntu-hardened? | 10:17 |
| chris| | Mammutpanzer, don't ask to ask, just ask the question | 10:29 |
| Mammutpanzer | Well chris I didn't ask to ask a question I just wanted to follow the channel rules and one is that I should be on topic question was if I am on topic | 10:46 |
| === n0ts_off is now known as n0ts | ||
| === viezerd- is now known as viezerd | ||
| === n0ts is now known as n0ts_off | ||
| === n0ts_off is now known as n0ts | ||
| === n0ts is now known as n0ts_off | ||
| === Kiall is now known as Guest35492 | ||
| === nandemonai is now known as Guest20421 | ||
| === n0ts_off is now known as n0ts | ||
| === cpg is now known as cpg|away | ||
| Mammutpanzer | I can't open the man start-stop deamon manual does someone know why? Do I have to download additional man packages? | 11:50 |
| === n0ts is now known as n0ts_off | ||
| === johannesasldasld is now known as dacre | ||
| Mammutpanzer | I am trying the command "ps -aux > foo" but it doesn't write to foo it simply says "bad ps syntax perhaps a bogus"? What am I doing wrong? | 12:24 |
| woodler | I just recently installed ubuntu server on a vm, Im very new to linux servers. Whats the initial process you would perform to setup on a Linux server? For example does it need to have something such as Active Directory setup, or the promotion of a Domain Controller? Can you give me some thoughts/insight on what they think should be set up first initial process? Please give me a real world testing solution. Thank you | 12:36 |
| === n0ts_off is now known as n0ts | ||
| roniez | woodler: well do you use AD or DC_ | 13:46 |
| Rodney353 | hi, by any chance has anyone here ever worked in a datacenter? | 14:27 |
| Rodney353 | :( | 14:35 |
| SpamapS | Rodney353: maybe ask your real question? | 14:38 |
| SpamapS | Rodney353: a lot of us just read backscroll... so an answer might take a few hours | 14:38 |
| Rodney353 | trying to find information to learn about the equipment in a datacenter | 14:42 |
| SpamapS | Rodney353: take a tour | 14:42 |
| Rodney353 | trying to get a job in one, took a tour today, and realized i know next to nothing... | 14:42 |
| roniez | the equipment in a a datacenter can variy alot | 14:42 |
| SpamapS | Hm, I've been in about 20 DC's ... they are all basically the same in my eyes | 14:43 |
| Rodney353 | there were hard drive arrays, load balancers, and all this crazy equipment... | 14:43 |
| roniez | what does it say about responsibilities. | 14:43 |
| SpamapS | the make/model might differ, but the setup is almost always the same | 14:43 |
| roniez | SpamapS: also depends wheter he will be having access to client cages or not as well | 14:43 |
| Rodney353 | I took ccna and mcsa, and wasnt prepared....at all.... | 14:43 |
| SpamapS | haha | 14:44 |
| SpamapS | Rodney353: "learn by doing" | 14:44 |
| Rodney353 | i thout it would be just routers, switches and servers | 14:44 |
| Rodney353 | WAY off | 14:44 |
| roniez | http://www.cisco.com/web/learning/le3/le2/le41/le99/learning_certification_type_home.html | 14:44 |
| roniez | thats for datacenter certificates. | 14:44 |
| SpamapS | Rodney353: don't take this the wrong way, but when I evaluate an operations person for hire.. the more certs they have, the more suspicious I am that they know nothing. | 14:45 |
| roniez | very true | 14:45 |
| roniez | i worked in a NOC for almost 2 yrs before i took my ccna | 14:45 |
| roniez | and ccnp | 14:45 |
| SpamapS | Rodney353: did you bother talking to ops people before getting these certs? | 14:45 |
| Rodney353 | I took them as a extra class at my college | 14:45 |
| roniez | my entire IT career is based on experiance. i have not landed a single job due to any certificates. | 14:46 |
| Rodney353 | it was cheap, so i took them | 14:46 |
| Rodney353 | figured they couldnt hurt... | 14:46 |
| roniez | Rodney353: they dont. :) | 14:46 |
| roniez | can easily get you a better paycheck | 14:46 |
| Rodney690 | but i kinda want this job... | 14:47 |
| Rodney690 | and if I get it I dont want to show up and be clueless... | 14:47 |
| roniez | DO you know how many other applicants? | 14:47 |
| Rodney690 | even though it is a 'lerning' lower level position | 14:47 |
| SpamapS | roniez: you'll be fine. my recommendation would be to get an entry level job and just push hard to learn. | 14:47 |
| roniez | that was for Rodney690 :D | 14:48 |
| SpamapS | Rodney690: You'll be fine. Be honest about what you don't know, and how excited you are *to learn* | 14:48 |
| Rodney690 | its very entry level, but just giving the tour I felt bad that i didnt know anything | 14:48 |
| roniez | You cannot know everything from start. | 14:48 |
| roniez | and entry lvl at a Datacentre means u will have a mentor | 14:48 |
| roniez | atleast it does here in holland | 14:49 |
| SpamapS | yeah in fact they probably wouldn't want you to know anything | 14:49 |
| SpamapS | then you'd want $$ | 14:49 |
| roniez | hehe | 14:50 |
| Rodney690 | well the pay is decent... | 14:50 |
| roniez | knowledged = higher paycheck demands | 14:50 |
| Rodney690 | not great, but livable | 14:50 |
| roniez | so dont worry too much Rodney690 just be honest about what you know and dont lie about it. | 14:50 |
| Rodney690 | well, Im looking for information to learn these things | 14:51 |
| Rodney690 | but i cant find any information on it | 14:51 |
| SpamapS | Rodney690: seriously, the way to learn these things is to get a job like the one you're applying for. | 14:52 |
| Rodney690 | I think they want me to know at least a little lol | 14:52 |
| Rodney690 | They gave me a test but they were easy | 14:53 |
| Rodney690 | like really easy... | 14:53 |
| roniez | its entry level | 14:53 |
| roniez | and if you find them easy your already in a good position | 14:53 |
| roniez | counting that you passed the test ofc. | 14:53 |
| Rodney690 | like make a crossover cable | 14:53 |
| roniez | alot of your work will be remote hands supporting | 14:53 |
| roniez | patching, switching hardwares etc. | 14:53 |
| roniez | depending on the clients request ofc. | 14:53 |
| Rodney690 | and then we walk into the center and theres milltions of cables everywhere | 14:54 |
| Rodney690 | spools of 100 fiber cables | 14:54 |
| Rodney690 | and im like uhhhh.... Ive connected fiber cables to a switch .... I have no idea what these 100 do | 14:54 |
| Rodney690 | there was equipment I have never even seen before | 14:55 |
| roniez | just preformance difference. | 14:55 |
| SpamapS | Rodney690: right, nobody ever sees those except in a job in a DC | 14:55 |
| SpamapS | Rodney690: *chill out* | 14:55 |
| Rodney690 | lol... | 14:55 |
| SpamapS | Rodney690: your biggest danger now is your own head, not knowing something. | 14:55 |
| * SpamapS goes back to regular Sunday | 14:56 | |
| Rodney690 | wish there were videos that described what goes on in typical racks | 14:56 |
| Rodney690 | keep searching, found nothing :( | 14:56 |
| shauno | don't let the cabling phase you. they can smell fear. show any sign of weakness, and you'll disappear into a loom and never return | 14:57 |
| Rodney690 | lol, I act like its no big deal, Ive seen it before | 14:58 |
| Rodney690 | when inside Im like: I have no idea what any of these things are doing | 14:58 |
| Rodney690 | I was like a computer helpdesk guy at my old job. | 14:59 |
| Rodney690 | Just delt with routers, switches, and servers | 15:00 |
| roniez | oh yea cabling is like dont even bother. if they failed it from the start they will never work it out until they redesign the entire DC | 15:00 |
| Rodney690 | never even seen a load balancer, let alone one thats worth over 100k | 15:00 |
| roniez | a LB is nothing special just a fancy way of moving a round robin DNS to its own hardware. | 15:00 |
| roniez | :) | 15:00 |
| Rodney690 | yah but they had like 500k equipment | 15:01 |
| Rodney690 | my hp proliant 7 server cost 4k... | 15:01 |
| roniez | just wait until they cmoe with the new nexus-switches | 15:01 |
| roniez | they are fun | 15:01 |
| Rodney690 | they also had cloud servers | 15:01 |
| Rodney690 | with hard drive arrays | 15:02 |
| Rodney690 | no idea how that works... | 15:02 |
| roniez | just a storage raid setup. :) linked to some ESX environment | 15:03 |
| roniez | its all Virtualized now and days. | 15:04 |
| Rodney690 | well, yah but if I have to troubleshoot or change wiring on it... | 15:06 |
| roniez | u wont learn that until u do it | 15:06 |
| roniez | there is no way to prepare for that kind of stuff. | 15:06 |
| Rodney690 | they were throwing out models left and right | 15:10 |
| Rodney690 | like i was supposed to know what they are talking about lol | 15:10 |
| Rodney690 | needless to say catalyst 6500 was not one of them lol | 15:11 |
| === n0ts is now known as n0ts_off | ||
| === maxb_ is now known as maxb | ||
| === railsraider_ is now known as railsraider | ||
| === n0ts_off is now known as n0ts | ||
| === n0ts is now known as n0ts_off | ||
| Joy0x3806 | anyone experience a black screen with white cursor on boot from USB? | 16:12 |
| Joy0x3806 | trying to install ubuntu server from usb | 16:12 |
| Joy0x3806 | used universal usb installer and unetbooting | 16:13 |
| Joy0x3806 | both give me the same results | 16:13 |
| Joy0x3806 | anyone? | 16:13 |
| Joy0x3806 | help? | 16:15 |
| roniez | well black screen with white cursor is not really saying much | 16:16 |
| Joy0x3806 | oh | 16:24 |
| Joy0x3806 | trying to install ubuntu server from usb drive | 16:24 |
| Joy0x3806 | I used universal usb installer | 16:25 |
| Joy0x3806 | when I boot from usb, I dont see any splash screen, not even a grub message, nothing | 16:26 |
| Joy0x3806 | It just hang | 16:26 |
| Joy0x3806 | what could it be ? Maybe the MBR was not properly installed on usb with universal or unetbooting ? | 16:28 |
| Free99 | Hello everyone. I'm setting up a mailstack server (that is, the semi-preconfigured postfix/Dovecot via the repos), but I'm having a little trouble getting postfix to accept mail | 17:41 |
| Free99 | I have the system setup to use my LDAP server, postfix searches the LDAP for any users who have the | 17:41 |
| Free99 | *who have the "mail=" field defined, and if so, accepts the mail... or at least, that's the plan | 17:42 |
| Free99 | I've checked with postmap -q that the ldap search file works, it returns a username if the search for an email address was successful, otherwise it returns nothing | 17:43 |
| Free99 | the stack has been removed from chroot, and I'm sending mail locally, so there should be no problems with the firewall, etc.. | 17:43 |
| === cpg|away is now known as cpg | ||
| Mammutpanzer | Hi I try to do sudo cd directory to go into a directory but it says sudo: cd: command not found | 19:14 |
| Mammutpanzer | How can I go to the directory? | 19:14 |
| TJ- | Mammutpanzer: firstly, you don't need "sudo" to change-directory. Secondonly, when you use "sudo" it cannot execute a shell-builtin (which is what 'cd' is) unless you use additional options to "sudo". | 19:16 |
| Mammutpanzer | but how can I access a dir that has the following? drwx------? | 19:18 |
| Mammutpanzer | Oh and thanks for the explanation TJ- :) | 19:18 |
| TJ- | Mammutpanzer: You'd need to do "sudo -i" which gives you an interactive root shell. Once you're done in the shell, type "exit" to return to the non-privileged user | 19:18 |
| Mammutpanzer | There is no other option? | 19:19 |
| TJ- | Mammutpanzer: If you want to execute a particular program as super-user, you can do things like: "sudo ls -l /path/to/restricted/dir/" | 19:19 |
| TJ- | Mammutpanzer: If you need to do several things, you could also create a short shell-script file, and execute it "sudo /path/to/my/simple.sh" | 19:20 |
| Mammutpanzer | Sounds good thanks for all the advices :D I really try to not login as root | 19:21 |
| Free99 | hello there. I'm curious to see what the standard solution is for when iptables isn't responding correctly | 19:25 |
| Free99 | I have 12.04.1 on a 64-bit server with two interfaces and two bridges | 19:26 |
| chmuri | could someone used in past klickstart for ubuntu? | 19:26 |
| Free99 | I wound up doing an iptables-save, then iptables- L (which promptly locked me out of my SSH session..ha. ha.) then iptables-restore... seemed to fix the issue. Has that happened to anyone else in the past? | 19:27 |
| === X66Mammut is now known as Mammutpanzer | ||
| === cpg is now known as cpg|away | ||
| === chronossc is now known as chronos | ||
| === cpg|away is now known as cpg | ||
| guntbert | Free99: I have only seen instances of iptables not bein configured correctly, the rules you set are followed by the kernel | 19:52 |
| guntbert | *being | 19:52 |
| cluelessperson | So I've installed VMWare server, but ubuntu server hangs at selection in the first menu "Install ubuntu server" | 19:53 |
| cluelessperson | No errors are seen | 19:53 |
| Free99 | guntbert: funny thing is, I had only enabled UFW, no rules were added. I also have fwknopd 2.0.3 running on the server, but I've never had it misconfigure the firewall before | 19:54 |
| Free99 | is there a command I can run to get iptables to mention an erroneous config? | 19:54 |
| patdk-lap | heh? | 19:55 |
| patdk-lap | there is no such thing as an erroneous config | 19:55 |
| patdk-lap | either the iptable command works or doesn't | 19:55 |
| patdk-lap | it is easy possible to create some kind of packet flow logic that doesn't do what you want, but no way iptables would know that | 19:56 |
| Free99 | that's what I figured, considering that I ran iptables-restore on a possibly bad config, and it works fine now | 19:56 |
| Free99 | hmm | 19:56 |
| guntbert | Free99: it may be that there are misunderstandings between yourself and the programmer of a tool... | 19:56 |
| Free99 | I do have two interfaces, so that could have something to do with it | 19:56 |
| guntbert | Free99: its still a matter of your understanding what some tool will do - the final commands are unambiguous | 19:57 |
| Free99 | I do not know how to directly control iptables. This much I do know: UFW has worked a-ok in the past, as has fwknopd. The only reason I think I may have an issue is because this is the first time I've had two interfaces active as opposed to just one | 19:59 |
| patdk-lap | your not attempting to use both are you? | 19:59 |
| patdk-lap | you should only have one or the other installed | 19:59 |
| patdk-lap | having both, is going be unpredictable | 19:59 |
| Free99 | really? why is that? | 20:00 |
| patdk-lap | likely, at reboot, both will run | 20:00 |
| patdk-lap | so the last one to run will be active | 20:00 |
| patdk-lap | and with upstart, that order could be random :) | 20:01 |
| Free99 | well, I see both have their own separate tables | 20:01 |
| patdk-lap | heh? | 20:01 |
| patdk-lap | they both have to use the input/output/forward tables at least | 20:01 |
| Free99 | sudo ufw show raw: | 20:02 |
| Free99 | 533070 775614937 FWKNOP_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | 532389 775567243 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | 532389 775567243 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | 123399 20614426 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | 2741 89822 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| cluelessperson | sigh | 20:02 |
| Free99 | 2741 89822 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | 2741 89822 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0 | 20:02 |
| Free99 | that's for the input chain | 20:03 |
| escott | oh joy | 20:03 |
| guntbert | Free99: having more than one program to manage iptables is like calling trouble | 20:03 |
| Free99 | so yeah, you're right, they all go through in out and forward | 20:03 |
| guntbert | !paste | Free99 | 20:03 |
| ubottu | Free99: For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://imagebin.org/?page=add | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic. | 20:03 |
| patdk-lap | in this case, FWKNOP gets priority, then ufw | 20:03 |
| Free99 | woops, my bad | 20:03 |
| patdk-lap | and if upstart flipped it, ufw might get priority and fwk later | 20:04 |
| patdk-lap | and it could make a huge difference | 20:04 |
| patdk-lap | though you don't seem to understand why | 20:04 |
| Free99 | Ho-hum. | 20:04 |
| Free99 | I see what you mean | 20:04 |
| Free99 | ufw's default is to deny access | 20:04 |
| Free99 | incidentally, I'm still not sure how upstart works. I'm used to making sysV style scripts and using update-rc.d to install them in init.d | 20:06 |
| Free99 | hang on, I'll google it rather than bother you blokes | 20:06 |
| guntbert | Free99: STOP - uninstall one of them, and keep the other, then you can try to tweak the rules | 20:08 |
| Free99 | system is running ok for the time being, I'll leave it be without rebooting it for now | 20:10 |
| Free99 | I'm going to need UFW, my boss doesn't know much about iptables. I'll try writing an upstart script for fwknopd rather than use sysV | 20:11 |
| guntbert | Free99: not the best of possible ideas - usually the system restarts at one point in the future when you definitely cannot cope with any problems :-) | 20:12 |
| Free99 | I think it'll be ok for a couple of days... I know what you're saying however lol | 20:13 |
| guntbert | Free99: and you migt want to have a look into shorewall | 20:14 |
| guntbert | *might | 20:14 |
| guntbert | and keep in mind: only one tool at a given time! | 20:15 |
| Free99 | well.. let me ask you then: this server is a KVM host, it doesn't need to anything but directly route packets to the VMs which are connected to bridges br0 and br1.. | 20:16 |
| Free99 | I need to be able to SSH in, but other than that, nothing really (and obviously ssh is protected by fwknop) | 20:16 |
| guntbert | Free99: I have no idea what fwknop might be - but it doesn't protect anything by itself - all tools only generate iptables rules | 20:17 |
| Free99 | oh, silly me. It's a single-packet port knocker, basically asks iptables to unshield port 22 to a specific ip that sends a correctly encrypted packet | 20:18 |
| Free99 | works really well, no 0day exploits or anything of the sort are possible against commonly attacked ports when fwknop is in use | 20:19 |
| guntbert | Free99: don't rely on port knockers - they provide just a not so secure password - configure your ssh server to only accept pubkey based logins | 20:21 |
| guntbert | Free99: SEE http://bsdly.blogspot.co.at/2012/04/why-not-use-port-knocking.html | 20:22 |
| patdk-lap | hmm, no need for fwdnop, iptables does that itself | 20:22 |
| Free99 | umm... gpg keys are supported for fwknop. Besides, sometimes I have to manage something on my android phone, it's a bitch to use pub/priv keys with | 20:23 |
| guntbert | Free99: suit yourself - but you have been warned :-) | 20:24 |
| Free99 | guntbert: I actually read something like this, it's not based on knocking different ports in sequence | 20:25 |
| Free99 | http://www.cipherdyne.org/fwknop/ | 20:26 |
| patdk-lap | wait? fwdnop is an daemon? with root permissions? | 20:28 |
| patdk-lap | and it's allowed to receive generic ip traffic? and you trust it more than sshd? | 20:28 |
| patdk-lap | just use the built in iptables port knocking, so much safer | 20:28 |
| patdk-lap | ifyou must use port knocking at all | 20:29 |
| Free99 | well, you have to know what port it's on, it uses UDP...hmm. | 20:29 |
| patdk-lap | an those things make it secure? no | 20:29 |
| patdk-lap | forget about a zero day ssh issue, any issue in fwdnop and your toast | 20:30 |
| patdk-lap | I personally never saw the point of portknocking though | 20:31 |
| guntbert | Free99: how many different ports are there? | 20:31 |
| patdk-lap | shorewall has portknocking built in though, using iptables rules to do it, no extra software insecurity | 20:32 |
| Free99 | alright, so look: on the client, I run "fwknop -a 123.123.123.1 -A tcp/22 -D 123.234.111.12 --test" and then input my password, or use my gpg key | 20:34 |
| Free99 | it encodes as 2146526055123413:ZmFsY29uZXll:1349642014:2.0.3:1:MTIzLjEyMy4xMjMuMSx0Y3AvMjI | 20:34 |
| patdk-lap | that isn't the point | 20:35 |
| patdk-lap | your exchanging one daemon (opensshd) with another daemon(fwdnopd) to cause the same root exploit | 20:35 |
| patdk-lap | your protecting x, with something just as insecure, y | 20:35 |
| Free99 | so if I run it as a different user with permission to run a sudo script that opens only 22 to a specific address...? | 20:36 |
| Free99 | it=the dameon, that is | 20:36 |
| patdk-lap | would be better then | 20:36 |
| Free99 | so why should I trust any of the author (Michael Abrash) | 20:36 |
| Free99 | *any of the author's other stuff? | 20:37 |
| patdk-lap | I dunno? should you? | 20:37 |
| patdk-lap | I personally don't trust many people | 20:37 |
| patdk-lap | and defently not random blogs | 20:37 |
| Free99 | he has a module that listens for stuff via snort and blocks skiddies automatically based on the rules.. well. I looked through his code, it looks good, and people liked him at toor | 20:38 |
| Free99 | (shrug) I guess it is a trust thing. | 20:38 |
| Free99 | it's in the repos, by the way | 20:38 |
| Free99 | fwknop, that is | 20:38 |
| patdk-lap | no one is saying it's a bad idea, there is no usecase for it | 20:39 |
| patdk-lap | but care must be taking in how it's used | 20:39 |
| patdk-lap | and it seems overkill for simple ssh protection | 20:39 |
| Free99 | yeah, kinda forgot that it was running as root :-/ | 20:39 |
| Free99 | I'm not a professional sysadmin if you couldn't tell lol | 20:40 |
| Free99 | I got tired of the ssh bots running around my school network, this seemed to fit the bill | 20:40 |
| patdk-lap | I just use basic tech, like fail2ban | 20:41 |
| patdk-lap | also submit all those firewall blocked logs to dshield, and do my own parsing on them | 20:41 |
| Free99 | I originally like denyhosts until I heard about the ssh botnets that purposely distribute cracking attempts | 20:42 |
| patdk-lap | haven't ever had an issue with one of them | 20:43 |
| Free99 | I understand that these are all band-aids to a problem... but I've got this running successfully on ~8 different servers, it'll be a while before I can get people to adapt to something new | 20:51 |
| Free99 | perhaps an apparmor profile? | 20:51 |
| patdk-lap | apparmor would just be more bandaid protection to fwdnop | 20:53 |
| Free99 | someone's mentioning that the server listens passively via libfko, no direct tpc or udp connections per se. Sigh. that sucks man, I thought this was great | 20:55 |
| patdk-lap | well, udp is passive | 20:55 |
| patdk-lap | but it processes data contained in that passive udp listener | 20:55 |
| patdk-lap | that is where issues can come up | 20:55 |
| patdk-lap | buffer overflows, being common | 20:56 |
| Free99 | you know, that reminds me. why the hell doesn't the ubuntu kernel use NX? | 20:56 |
| Free99 | I have to compile my own kernel for that, what gives? | 20:56 |
| Free99 | anyway, yeah. I'm looking over shorewall right now | 20:57 |
| Free99 | wrong again also, looks like they put no-exec in after 10.04 | 21:01 |
| Free99 | https://wiki.ubuntu.com/Security/CPUFeatures | 21:01 |
| patdk-lap | no, that has always been there | 21:08 |
| patdk-lap | the WARNING, if your on a noexec compatable cpu, that has that feature disabled, is on 10.04+ | 21:08 |
| Free99 | I appreciate your help so far patdk-lap. I have one more Q... any reason I shouldn't compile my own kernel for a web-facing system using the grsecurity patches? | 21:12 |
| patdk-lap | it all depends | 21:15 |
| patdk-lap | seems like it has a lot of interesting stuff, I have never used that though | 21:15 |
| patdk-lap | personally, I perfer to detect if a system is compromised long before something like that should kick in | 21:15 |
| Free99 | I was looking at it in terms of just mitigating that potential as much as possible | 21:16 |
| Free99 | I have backups already implemented, and I tried to harden nginx and php as much as possible | 21:16 |
| Free99 | or at least, as much as I knew how to w/o breaking anything | 21:17 |
| chris| | harden php.. that one never gets old | 21:17 |
| patdk-lap | while those are a problem, 90% of the issues is normally the php program themselves | 21:17 |
| Free99 | lol I have to run wordpress, so... yeah | 21:17 |
| Free99 | I'm using the suhosin patches | 21:18 |
| patdk-lap | heh, wordpress has a long histroy of issues :) | 21:18 |
| Free99 | (shrug) Its a fickle thing you know? | 21:18 |
| patdk-lap | I would opt for using mod_security | 21:18 |
| Free99 | isn't that only for apache? | 21:18 |
| patdk-lap | yep | 21:18 |
| Free99 | <- nginx | 21:19 |
| patdk-lap | your running facebook? | 21:19 |
| patdk-lap | performance over security? | 21:19 |
| Free99 | apparently? lol.. | 21:19 |
| patdk-lap | it's all what you want :) | 21:19 |
| patdk-lap | I have crapload of iis server I *must* use | 21:19 |
| Free99 | guh | 21:19 |
| patdk-lap | but I do shove an apache with mod_security on them | 21:19 |
| patdk-lap | makes me feel better | 21:19 |
| patdk-lap | also require vpn access to even hit the proxy | 21:20 |
| patdk-lap | and yes, I do perfer not to use apache when I can | 21:20 |
| patdk-lap | but some things, it still is required | 21:20 |
| Free99 | I mean look, I'd use thttpd if I could make it run with php | 21:21 |
| Free99 | I like simple, it usually translates to secure (I used to tinker with freeBSD a lot) | 21:21 |
| Free99 | nginx hasn't been too bad security-wise though, you have to structure the rules correctly from what I understand | 21:22 |
| Free99 | it freaked me out how my apache mpm prefork would jump in cpu and memory every time I tested connecting to it | 21:23 |
| Free99 | one firefox connect= 2% ? | 21:23 |
| roniez | thttpd should work with php no? | 21:25 |
| Free99 | I wish man, I turned the internet upside down looking for a way to do fastCGI | 21:27 |
| patdk-lap | heh? | 21:33 |
| patdk-lap | I have >300 connections with apache and I don't have 2% cpu usage | 21:33 |
| patdk-lap | but then, prefork is the issue there, just don't use prefork | 21:34 |
| Free99 | cripes, just when you think you're getting good at being a sysadmin, you find out you don't know your dick from your elbow :P | 21:37 |
| roniez | hehe | 21:38 |
| roniez | the life of a sysadmin | 21:38 |
| roniez | always learning | 21:38 |
| patdk-lap | ya, it's whatever works best | 21:39 |
| patdk-lap | I do not use apache on a lot of systems | 21:39 |
| roniez | agreed. | 21:39 |
| patdk-lap | but I do use apache on any systems I don't have full control over | 21:39 |
| patdk-lap | you could implement a lot of mod_security stuff by making nginx rules in it's config | 21:40 |
| patdk-lap | but it would get highly annoying | 21:40 |
| === doko_ is now known as doko | ||
| Free99 | I followed the nginx tutorials... all I cna hope for is that they're secure enough, I have too much to do atm | 21:45 |
| Free99 | :-/ what a cop out though | 21:45 |
| CrypticSquared | Free99: nickto is a nice little tool | 21:45 |
| CrypticSquared | er nikto | 21:45 |
| Free99 | wow crypticsquared, that's awesome! thanks! | 21:49 |
| CrypticSquared | np | 21:49 |
| codescience | can i still download ubuntu server 8.10? | 21:55 |
| holstein | codescience: http://old-releases.ubuntu.com/releases/8.10/ though the repos are down AFAIK | 21:56 |
| codescience | thanks. | 21:59 |
| Free99 | anyone good with postfix here? | 22:02 |
| patdk-lap | !ask | 22:02 |
| ubottu | Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience | 22:02 |
| roniez | Yea be ready to idle. :) | 22:03 |
| roniez | sometimes an answer can take a while | 22:03 |
| patdk-lap | there is a whole #postfix channel too, though I am normally only there during working hours | 22:04 |
| gen0cide_ | Anyone know what happens when rsyslog on ubuntu tries to send to a server but can't resolve the DNS name? | 22:50 |
| gen0cide_ | I'm trying it now, but can't see anything in syslog to tell that it's failing | 22:50 |
| TJ- | gen0cide_: "man rsyslog" might give you some clues | 22:54 |
| gen0cide_ | " If the remote hostname cannot be resolved at startup, because the name-server might not be accessible (it may be started after rsyslogd) you don’t have to worry. Rsyslogd will retry to resolve the name ten times and then complain. " - I don't see the complaint. Where would that happen? | 22:56 |
| TJ- | In the log, I'd have thought | 22:57 |
| gen0cide_ | Nope, nothing -.- | 22:59 |
| TJ- | Maybe the startup-script is sending output to /dev/null | 23:00 |
| techie | im going to be setting up a machine running ubuntu-server as a game server in the next few weeks and i was wondering if there was a way to recursively create folders and symlinks | 23:46 |
| techie | for shared resources | 23:47 |
| techie | or would i have to manually create folders, and symlink everything in them | 23:48 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!