[01:18] I seriously don't understand what the fuck is happening
[01:18] Everything is failing for me now
[01:19] what the fuck is "public login: mountall: Disconnected from Plymouth" ?
[01:19] Please stop cursing
[01:21] IdleOne: I'm getting extremely frustrated.
[01:21] IdleOne: I cannot get a fraking stable configuration in place, because seemingly, every day, there's an update that breaks something.
[01:21] IdleOne: and by something, I mean everything
[01:24] I feel for you and wish I knew how to help you, but getting upset and swearing is not going to help you get help.
[01:25] I know that saying everything is broken is not enough detail to start trying to help.
[01:26] IdleOne: I cannot shut down my vm because ubuntu put out a flawed update, I'm getting a "public login: mountall: Disconnected from Plymouth" when the server (FRESH install) boots up
[01:26] IdleOne: and apache is not responding on port 80.
[01:28] and the logs say?
[01:29] does sudo netstat -lanp | grep apache return anything?
[01:30] patdk-lap: qman__ I'll respond to your questions in a moment, I appreciate your taking interest
[01:31] I don't know anything about Subsonic, and I don't have experience using apache's proxyforward, but I know a thing or two about apache and networking in general
[01:31] so hopefully I can at least get you that far
[01:32] qman__: I don't think that's broken. Actually, I think it's virtualbox that may be breaking things. However, the "public login: mountall: Disconnected from Plymouth" and the screwed-up shutdown are known bugs now
[01:34] You know what?
[01:34] well, one other point to verify
[01:35] bad downloads can really ruin your day
[01:35] they do happen, even with good internet connections, and they have happened to me
[01:35] and that is _never_ fun
[01:35] qman__: like, bad ubuntu iso?
[01:35] bad iso, or bad debs from the net
[01:36] qman__: I'm installing very few things. lamp, openssh, subsonic, virtualbox guest additions
[01:36] check the md5sum/sha1sum/whatever to make sure your iso is good, and then I'd check key packages like apache
[01:36] okay
[01:36] every package downloaded will be in /var/cache/apt/archive
[01:36] qman__: The apache thing happened after a restart
[01:38] I try not to reboot
[01:39] upstart has ruined my day on more than one occasion, too
[01:40] packages should be ok, they are signed
[01:40] and the signature wouldn't be valid
[01:41] should be, but it has happened to me before
[01:41] sounds like bad disk then
[01:41] I think it displays on screen when a signature isn't valid, but a lot of times that gets blown by with all the other feedback and you miss it
[01:42] mine always bombs out on bad sig
[01:42] * patdk-lap likely would place the blame on virtualbox, it's known to have issues
[01:43] one of the reasons I don't use it
[01:43] given the alternatives, virtualbox isn't half bad
[01:43] but it does have some issues
[01:43] alternatives? I'm happy with vmware
[01:44] virtual PC is really lacking in options, and last I checked, vmware workstation was expensive
[01:44] virtualbox lacks obvious features like start on boot or login, or graceful shutdown with host, dear god
[01:44] well, that's not what it's for
[01:45] virtualbox is for user-centric virtualization on a desktop
[01:45] yep, and this is the server channel
[01:45] if you want features like that you need to use software designed to do it
[01:45] like KVM, or ESXi
[01:46] or Xen
[01:46] depending on the scale you need, lxc :)
[01:46] openvz, ...
[01:46] qman__: What do you suggest for a small server?
[01:47] what's your hardware like, and what sum total are you virtualizing?
[01:47] what is the small server? is it inside this vm? or is it what is running these VMs?
[01:48] almost sounds like you want to run a small server vm on a desktop machine
[01:48] if you're doing that, and you have a linux desktop, you could use KVM
[01:48] kvm++
[01:48] it'll play nice when you're using the host as a desktop
[01:49] Xen and ESXi won't do that, they're for dedicated host setups only
[01:49] KVM does dedicated host too, but it can work on a user desktop
[01:50] qman__: patdk-lap This is a Xeon 3.4GHz quad core with 8 threads, 10 MB cache, motherboard automatic overclocking to 3.6. I run Windows Ultimate 64-bit
[01:50] well, all of the above requires a linux host OS
[01:51] qman__: patdk-lap I use this for gaming, work, several serving functions. I want the VM for an isolated and modular linux server that handles certain situations
[01:51] I wouldn't know anything about running when using a windows os
[01:51] I don't know if microsoft still does virtual server, but that could work
[01:52] qman__: did they ever update that for the CPU-based virtualization deals or did it stay a paravirtualized thing?
[01:52] but hyper-v probably squashed that product
[01:52] in the windows world, hyper-v is the right thing for this situation, but it's pretty expensive
[01:53] virtual server was free
[01:53] or, if you can still get vmware server, that'd be a good option
[01:54] but that was squased with ESXi
[01:54] squashed*
[03:28] sigh
[03:29] So right now. Apache2 is not responding on port 80
[03:29] qman__: ^
[03:30] and I get "psithurisms login: mountall: Disconnected from Plymouth"
[03:31] apache2 logs and system logs show nothing.
[03:32] cluelessperson, that message is benign, you shouldn't see it at your login screen but it doesn't by itself break anything
[03:33] does sudo netstat -lanp | grep apache return anything?
[03:33] qman__: it disables my login on that screen
[03:33] cluelessperson, press enter, it should give you a new prompt
[03:33] qman__: Control Alt F2
[03:33] qman__: What's causing it though? -_-;
[03:34] qman__: alright, but apache2 doesn't work. Not responding on port 80
[03:34] from what I found while searching, it's a symptom of a lot of other problems
[03:34] so is it running or isn't it
[03:34] qman__: apache is running, yes
[03:34] ok
[03:35] and are there any messages in /var/log/apache2/access.log?
[03:35] if there are, check error.log for errors
[03:35] qman__: None.
[03:35] so, what it means is, your requests are not reaching apache for one reason or another
[03:36] access.log would contain things regardless of whether it worked or not
[03:36] qman__: Which doesn't make sense to me. Because I'm able to putty in from my host over the forwarded port to the guest localhost:22
[03:36] qman__, can you telnet to http? is your firewall up?
[03:36] qman__: and port 80 is forwarded in the exact same way.
[03:37] rather cluelessperson can you telnet to http? is your firewall up? does it respond on localhost?
[03:37] on the server, run curl localhost
[03:37] you may have to apt-get install curl
[03:37] if you get output that looks like a webpage, apache is working, and something else is causing your problem
[03:40] qman__: 404 not found, which means my directory is off, but I should still see that 404 in browser. but yes, apache's apparently working
[03:40] yes
[03:41] so that means apache is working
[03:41] ubuntu does not have any firewall rules enabled out of the box, you can verify with iptables -L
[03:42] so the next step is to find out where the networking issue is
[03:42] probably virtualbox, networking has never been its strong suit
[03:42] could be your windows firewall too
[03:43] qman__: Firewalls are disabled.
[03:44] qman__: The only way I know to test virtualbox right now is localhost:22 which is allowing my putty through.
[03:44] http is forwarded the same way, I've double checked my port settings on other possible interfering programs.
[03:45] you may have another program on your host OS or a feature of virtualbox using port 80 and preventing the port bind
[03:45] qman__: Wouldn't netstat show that?
[03:45] if you have another app, yes
[03:45] if it's virtualbox, maybe
[03:50] qman__: :/ I haven't upgraded virtualbox. I don't know why it would work one night and not the next.
[03:50] qman__: I should've reinstalled it already, will now
[03:51] reinstalling is not likely to fix this problem
[03:51] though depending on how bad it is that might be a good plan anyway
[03:52] qman__: Reinstall virtualbox I meant?
[03:52] oh, ok
[03:52] maybe, don't know
[04:01] qman__: No dice. reinstalling did not work
[04:01] qman__: At this point, it's a fresh install of Virtualbox, Ubuntu 12.04
[04:02] qman__: I've tried closing out and opening other network adapters on the guest.
[04:05] cluelessperson, if you're using a NAT networking config, I'd try setting it up as bridged instead and see if it solves the problem
[04:05] qman__: I was avoiding that, but okay.
[04:06] qman__: Also, I do not have graceful shutdown with "sudo shutdown now" but I'll worry about that later
[04:06] cluelessperson, try sudo poweroff
[04:07] qman__: Upon reboot, sda1 is not ready or is not present.
[04:09] qman__: ... I don't understand how switching to bridge mode makes a partition inaccessible
[04:09] qman__: I think I may be done with virtualbox
[04:13] cluelessperson, you can still get VMWare Server, it's unsupported but available: https://my.vmware.com/web/vmware/evalcenter?p=server20&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFoQFjAI&url=https://www.vmware.com/go/getserver&ei=vgBxUN3jIu66yAG9oYCACw&usg=AFQjCNHs4HR7u8yZ9MQgHmR4wAAVNVOUGw
[04:13] I think that will be better suited to your purpose
[04:17] qman__: btw, I feel I owe you money.
[04:20] heh
[05:28] qman__: Sigh. Now I can't install ubuntu on vmware.
It's stuck
[05:32] Hello. My name is Mammutpanzer and I plan to administrate a server. Before going onto the real server I want to run a VM to test everything, see if it is possible for me, look if it is fun to me or too much of a disaster. So I installed a VM of Linux Ubuntu Server 12.4. Now I would like to discuss security. Is this the right channel to discuss ubuntu server security?
[06:04] Mammutpanzer, never ask to ask, just ask your questions
[06:15] clear
[06:16] So, I've installed VMware Server, and I can't install ubuntu 12.04 because it hangs at the very first menu.
[06:18] and?
[06:19] need more info
[06:44] darthanubis: sorry
[06:44] darthanubis: I just installed VMware server, ubuntu install hangs at "install ubuntu server" first menu
[10:17] Is this the right channel to ask questions about ubuntu and server security or should I go to ubuntu-hardened?
[10:29] Mammutpanzer, don't ask to ask, just ask the question
[10:46] Well chris, I didn't ask to ask a question, I just wanted to follow the channel rules, and one is that I should be on topic; the question was if I am on topic
[11:50] I can't open the man start-stop-daemon manual, does someone know why? Do I have to download additional man packages?
[12:24] I am trying the command "ps -aux > foo" but it doesn't write to foo, it simply says "bad ps syntax perhaps a bogus"? What am I doing wrong?
[12:36] I just recently installed ubuntu server on a vm, I'm very new to linux servers. What's the initial process you would perform to set up a Linux server?
For example, does it need to have something such as Active Directory set up, or the promotion of a Domain Controller? Can you give me some thoughts/insight on what they think should be set up first as an initial process? Please give me a real world testing solution. Thank you
[13:46] woodler: well do you use AD or DC?
[14:27] hi, by any chance has anyone here ever worked in a datacenter?
[14:35] :(
[14:38] Rodney353: maybe ask your real question?
[14:38] Rodney353: a lot of us just read backscroll... so an answer might take a few hours
[14:42] trying to find information to learn about the equipment in a datacenter
[14:42] Rodney353: take a tour
[14:42] trying to get a job in one, took a tour today, and realized I know next to nothing...
[14:42] the equipment in a datacenter can vary a lot
[14:43] Hm, I've been in about 20 DCs ... they are all basically the same in my eyes
[14:43] there were hard drive arrays, load balancers, and all this crazy equipment...
[14:43] what does it say about responsibilities.
[14:43] the make/model might differ, but the setup is almost always the same
[14:43] SpamapS: also depends whether he will be having access to client cages or not as well
[14:43] I took ccna and mcsa, and wasn't prepared....at all....
[14:44] haha
[14:44] Rodney353: "learn by doing"
[14:44] I thought it would be just routers, switches and servers
[14:44] WAY off
[14:44] http://www.cisco.com/web/learning/le3/le2/le41/le99/learning_certification_type_home.html
[14:44] that's for datacenter certificates.
[14:45] Rodney353: don't take this the wrong way, but when I evaluate an operations person for hire.. the more certs they have, the more suspicious I am that they know nothing.
[14:45] very true
[14:45] I worked in a NOC for almost 2 yrs before I took my ccna
[14:45] and ccnp
[14:45] Rodney353: did you bother talking to ops people before getting these certs?
[14:45] I took them as an extra class at my college
[14:46] my entire IT career is based on experience. I have not landed a single job due to any certificates.
[14:46] it was cheap, so I took them
[14:46] figured they couldn't hurt...
[14:46] Rodney353: they don't. :)
[14:46] can easily get you a better paycheck
[14:47] but I kinda want this job...
[14:47] and if I get it I don't want to show up and be clueless...
[14:47] DO you know how many other applicants?
[14:47] even though it is a 'learning' lower level position
[14:47] roniez: you'll be fine. my recommendation would be to get an entry level job and just push hard to learn.
[14:48] that was for Rodney690 :D
[14:48] Rodney690: You'll be fine. Be honest about what you don't know, and how excited you are *to learn*
[14:48] it's very entry level, but just getting the tour I felt bad that I didn't know anything
[14:48] You cannot know everything from the start.
[14:48] and entry lvl at a Datacentre means u will have a mentor
[14:49] at least it does here in holland
[14:49] yeah in fact they probably wouldn't want you to know anything
[14:49] then you'd want $$
[14:50] hehe
[14:50] well the pay is decent...
[14:50] knowledge = higher paycheck demands
[14:50] not great, but livable
[14:50] so don't worry too much Rodney690, just be honest about what you know and don't lie about it.
[14:51] well, I'm looking for information to learn these things
[14:51] but I can't find any information on it
[14:52] Rodney690: seriously, the way to learn these things is to get a job like the one you're applying for.
[14:52] I think they want me to know at least a little lol
[14:53] They gave me a test but they were easy
[14:53] like really easy...
[14:53] it's entry level
[14:53] and if you find them easy you're already in a good position
[14:53] counting that you passed the test ofc.
[14:53] like make a crossover cable
[14:53] a lot of your work will be remote hands support
[14:53] patching, switching hardware etc.
[14:53] depending on the client's request ofc.
[14:54] and then we walk into the center and there's millions of cables everywhere
[14:54] spools of 100 fiber cables
[14:54] and I'm like uhhhh.... I've connected fiber cables to a switch .... I have no idea what these 100 do
[14:55] there was equipment I have never even seen before
[14:55] just performance difference.
[14:55] Rodney690: right, nobody ever sees those except in a job in a DC
[14:55] Rodney690: *chill out*
[14:55] lol...
[14:55] Rodney690: your biggest danger now is your own head, not knowing something.
[14:56] * SpamapS goes back to regular Sunday
[14:56] wish there were videos that described what goes on in typical racks
[14:56] keep searching, found nothing :(
[14:57] don't let the cabling faze you. they can smell fear. show any sign of weakness, and you'll disappear into a loom and never return
[14:58] lol, I act like it's no big deal, I've seen it before
[14:58] when inside I'm like: I have no idea what any of these things are doing
[14:59] I was like a computer helpdesk guy at my old job.
[15:00] Just dealt with routers, switches, and servers
[15:00] oh yea cabling is like don't even bother. if they failed it from the start they will never work it out until they redesign the entire DC
[15:00] never even seen a load balancer, let alone one that's worth over 100k
[15:00] a LB is nothing special, just a fancy way of moving a round robin DNS to its own hardware.
[15:00] :)
[15:01] yah but they had like 500k equipment
[15:01] my hp proliant 7 server cost 4k...
[15:01] just wait until they come with the new nexus-switches
[15:01] they are fun
[15:01] they also had cloud servers
[15:02] with hard drive arrays
[15:02] no idea how that works...
[15:03] just a storage raid setup. :) linked to some ESX environment
[15:04] it's all Virtualized nowadays.
[15:06] well, yah but if I have to troubleshoot or change wiring on it...
[15:06] u won't learn that until u do it
[15:06] there is no way to prepare for that kind of stuff.
[15:10] they were throwing out models left and right
[15:10] like I was supposed to know what they are talking about lol
[15:11] needless to say catalyst 6500 was not one of them lol
[16:12] anyone experience a black screen with white cursor on boot from USB?
[16:12] trying to install ubuntu server from usb
[16:13] used universal usb installer and unetbootin
[16:13] both give me the same results
[16:13] anyone?
[16:15] help?
[16:16] well black screen with white cursor is not really saying much
[16:24] oh
[16:24] trying to install ubuntu server from usb drive
[16:25] I used universal usb installer
[16:26] when I boot from usb, I don't see any splash screen, not even a grub message, nothing
[16:26] It just hangs
[16:28] what could it be ? Maybe the MBR was not properly installed on usb with universal or unetbootin ?
[17:41] Hello everyone. I'm setting up a mailstack server (that is, the semi-preconfigured postfix/Dovecot via the repos), but I'm having a little trouble getting postfix to accept mail
[17:41] I have the system set up to use my LDAP server, postfix searches the LDAP for any users who have the
[17:42] *who have the "mail=" field defined, and if so, accepts the mail... or at least, that's the plan
[17:43] I've checked with postmap -q that the ldap search file works, it returns a username if the search for an email address was successful, otherwise it returns nothing
[17:43] the stack has been removed from chroot, and I'm sending mail locally, so there should be no problems with the firewall, etc..
[19:14] Hi I try to do sudo cd directory to go into a directory but it says sudo: cd: command not found
[19:14] How can I go to the directory?
[19:16] Mammutpanzer: firstly, you don't need "sudo" to change-directory. Secondly, when you use "sudo" it cannot execute a shell-builtin (which is what 'cd' is) unless you use additional options to "sudo".
[19:18] but how can I access a dir that has the following? drwx------?
[19:18] Oh and thanks for the explanation TJ- :)
[19:18] Mammutpanzer: You'd need to do "sudo -i" which gives you an interactive root shell. Once you're done in the shell, type "exit" to return to the non-privileged user
[19:19] There is no other option?
[19:19] Mammutpanzer: If you want to execute a particular program as super-user, you can do things like: "sudo ls -l /path/to/restricted/dir/"
[19:20] Mammutpanzer: If you need to do several things, you could also create a short shell-script file, and execute it "sudo /path/to/my/simple.sh"
[19:21] Sounds good, thanks for all the advice :D I really try to not login as root
[19:25] hello there. I'm curious to see what the standard solution is for when iptables isn't responding correctly
[19:26] I have 12.04.1 on a 64-bit server with two interfaces and two bridges
[19:26] has someone used kickstart for ubuntu in the past?
[19:27] I wound up doing an iptables-save, then iptables -L (which promptly locked me out of my SSH session..ha. ha.) then iptables-restore... seemed to fix the issue. Has that happened to anyone else in the past?
[19:52] Free99: I have only seen instances of iptables not bein configured correctly, the rules you set are followed by the kernel
[19:52] *being
[19:53] So I've installed VMWare server, but ubuntu server hangs at selection in the first menu "Install ubuntu server"
[19:53] No errors are seen
[19:54] guntbert: funny thing is, I had only enabled UFW, no rules were added.
I also have fwknopd 2.0.3 running on the server, but I've never had it misconfigure the firewall before
[19:54] is there a command I can run to get iptables to mention an erroneous config?
[19:55] heh?
[19:55] there is no such thing as an erroneous config
[19:55] either the iptables command works or doesn't
[19:56] it is easily possible to create some kind of packet flow logic that doesn't do what you want, but no way iptables would know that
[19:56] that's what I figured, considering that I ran iptables-restore on a possibly bad config, and it works fine now
[19:56] hmm
[19:56] Free99: it may be that there are misunderstandings between yourself and the programmer of a tool...
[19:56] I do have two interfaces, so that could have something to do with it
[19:57] Free99: it's still a matter of your understanding what some tool will do - the final commands are unambiguous
[19:59] I do not know how to directly control iptables. This much I do know: UFW has worked a-ok in the past, as has fwknopd. The only reason I think I may have an issue is because this is the first time I've had two interfaces active as opposed to just one
[19:59] you're not attempting to use both are you?
[19:59] you should only have one or the other installed
[19:59] having both is going to be unpredictable
[20:00] really? why is that?
[20:00] likely, at reboot, both will run
[20:00] so the last one to run will be active
[20:01] and with upstart, that order could be random :)
[20:01] well, I see both have their own separate tables
[20:01] heh?
[20:01] they both have to use the input/output/forward tables at least
[20:02] sudo ufw show raw:
[20:02] 533070 775614937 FWKNOP_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] 532389 775567243 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] 532389 775567243 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] 123399 20614426 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] 2741 89822 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] sigh
[20:02] 2741 89822 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:02] 2741 89822 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
[20:03] that's for the input chain
[20:03] oh joy
[20:03] Free99: having more than one program to manage iptables is like calling trouble
[20:03] so yeah, you're right, they all go through in, out and forward
[20:03] !paste | Free99
[20:03] Free99: For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://imagebin.org/?page=add | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.
[20:03] in this case, FWKNOP gets priority, then ufw
[20:03] woops, my bad
[20:04] and if upstart flipped it, ufw might get priority and fwk later
[20:04] and it could make a huge difference
[20:04] though you don't seem to understand why
[20:04] Ho-hum.
[20:04] I see what you mean
[20:04] ufw's default is to deny access
[20:06] incidentally, I'm still not sure how upstart works. I'm used to making sysV style scripts and using update-rc.d to install them in init.d
[20:06] hang on, I'll google it rather than bother you blokes
[20:08] Free99: STOP - uninstall one of them, and keep the other, then you can try to tweak the rules
[20:10] system is running ok for the time being, I'll leave it be without rebooting it for now
[20:11] I'm going to need UFW, my boss doesn't know much about iptables.
I'll try writing an upstart script for fwknopd rather than use sysV
[20:12] Free99: not the best of possible ideas - usually the system restarts at one point in the future when you definitely cannot cope with any problems :-)
[20:13] I think it'll be ok for a couple of days... I know what you're saying however lol
[20:14] Free99: and you migt want to have a look into shorewall
[20:14] *might
[20:15] and keep in mind: only one tool at a given time!
[20:16] well.. let me ask you then: this server is a KVM host, it doesn't need to do anything but directly route packets to the VMs which are connected to bridges br0 and br1..
[20:16] I need to be able to SSH in, but other than that, nothing really (and obviously ssh is protected by fwknop)
[20:17] Free99: I have no idea what fwknop might be - but it doesn't protect anything by itself - all tools only generate iptables rules
[20:18] oh, silly me. It's a single-packet port knocker, basically asks iptables to unshield port 22 to a specific ip that sends a correctly encrypted packet
[20:19] works really well, no 0day exploits or anything of the sort are possible against commonly attacked ports when fwknop is in use
[20:21] Free99: don't rely on port knockers - they provide just a not so secure password - configure your ssh server to only accept pubkey based logins
[20:22] Free99: SEE http://bsdly.blogspot.co.at/2012/04/why-not-use-port-knocking.html
[20:22] hmm, no need for fwknop, iptables does that itself
[20:23] umm... gpg keys are supported for fwknop. Besides, sometimes I have to manage something on my android phone, it's a bitch to use pub/priv keys with
[20:24] Free99: suit yourself - but you have been warned :-)
[20:25] guntbert: I actually read something like this, it's not based on knocking different ports in sequence
[20:26] http://www.cipherdyne.org/fwknop/
[20:28] wait? fwknop is a daemon? with root permissions?
[20:28] and it's allowed to receive generic ip traffic? and you trust it more than sshd?
[20:28] just use the built in iptables port knocking, so much safer
[20:29] if you must use port knocking at all
[20:29] well, you have to know what port it's on, it uses UDP...hmm.
[20:29] and those things make it secure? no
[20:30] forget about a zero day ssh issue, any issue in fwknop and you're toast
[20:31] I personally never saw the point of portknocking though
[20:31] Free99: how many different ports are there?
[20:32] shorewall has portknocking built in though, using iptables rules to do it, no extra software insecurity
[20:34] alright, so look: on the client, I run "fwknop -a 123.123.123.1 -A tcp/22 -D 123.234.111.12 --test" and then input my password, or use my gpg key
[20:34] it encodes as 2146526055123413:ZmFsY29uZXll:1349642014:2.0.3:1:MTIzLjEyMy4xMjMuMSx0Y3AvMjI
[20:35] that isn't the point
[20:35] you're exchanging one daemon (opensshd) with another daemon (fwknopd) to cause the same root exploit
[20:35] you're protecting x with something just as insecure, y
[20:36] so if I run it as a different user with permission to run a sudo script that opens only 22 to a specific address...?
[20:36] it=the daemon, that is
[20:36] would be better then
[20:36] so why should I trust any of the author (Michael Abrash)
[20:37] *any of the author's other stuff?
[20:37] I dunno? should you?
[20:37] I personally don't trust many people
[20:37] and definitely not random blogs
[20:38] he has a module that listens for stuff via snort and blocks skiddies automatically based on the rules.. well. I looked through his code, it looks good, and people liked him at toor
[20:38] (shrug) I guess it is a trust thing.
[20:38] it's in the repos, by the way
[20:38] fwknop, that is
[20:39] no one is saying it's a bad idea, there is no use case for it
[20:39] but care must be taken in how it's used
[20:39] and it seems overkill for simple ssh protection
[20:39] yeah, kinda forgot that it was running as root :-/
[20:40] I'm not a professional sysadmin if you couldn't tell lol
[20:40] I got tired of the ssh bots running around my school network, this seemed to fit the bill
[20:41] I just use basic tech, like fail2ban
[20:41] also submit all those firewall blocked logs to dshield, and do my own parsing on them
[20:42] I originally liked denyhosts until I heard about the ssh botnets that purposely distribute cracking attempts
[20:43] haven't ever had an issue with one of them
[20:51] I understand that these are all band-aids to a problem... but I've got this running successfully on ~8 different servers, it'll be a while before I can get people to adapt to something new
[20:51] perhaps an apparmor profile?
[20:53] apparmor would just be more bandaid protection to fwknop
[20:55] someone's mentioning that the server listens passively via libfko, no direct tcp or udp connections per se. Sigh. that sucks man, I thought this was great
[20:55] well, udp is passive
[20:55] but it processes data contained in that passive udp listener
[20:55] that is where issues can come up
[20:56] buffer overflows, being common
[20:56] you know, that reminds me. why the hell doesn't the ubuntu kernel use NX?
[20:56] I have to compile my own kernel for that, what gives?
[20:57] anyway, yeah. I'm looking over shorewall right now
[21:01] wrong again also, looks like they put no-exec in after 10.04
[21:01] https://wiki.ubuntu.com/Security/CPUFeatures
[21:08] no, that has always been there
[21:08] the WARNING, if you're on a noexec compatible cpu that has that feature disabled, is on 10.04+
[21:12] I appreciate your help so far patdk-lap. I have one more Q...
any reason I shouldn't compile my own kernel for a web-facing system using the grsecurity patches?
[21:15] it all depends
[21:15] seems like it has a lot of interesting stuff, I have never used that though
[21:15] personally, I prefer to detect if a system is compromised long before something like that should kick in
[21:16] I was looking at it in terms of just mitigating that potential as much as possible
[21:16] I have backups already implemented, and I tried to harden nginx and php as much as possible
[21:17] or at least, as much as I knew how to w/o breaking anything
[21:17] harden php.. that one never gets old
[21:17] while those are a problem, 90% of the issues are normally the php programs themselves
[21:17] lol I have to run wordpress, so... yeah
[21:18] I'm using the suhosin patches
[21:18] heh, wordpress has a long history of issues :)
[21:18] (shrug) It's a fickle thing you know?
[21:18] I would opt for using mod_security
[21:18] isn't that only for apache?
[21:18] yep
[21:19] <- nginx
[21:19] you're running facebook?
[21:19] performance over security?
[21:19] apparently? lol..
[21:19] it's all what you want :)
[21:19] I have a crapload of iis servers I *must* use
[21:19] guh
[21:19] but I do shove an apache with mod_security on them
[21:19] makes me feel better
[21:20] also require vpn access to even hit the proxy
[21:20] and yes, I do prefer not to use apache when I can
[21:20] but some things, it still is required
[21:21] I mean look, I'd use thttpd if I could make it run with php
[21:21] I like simple, it usually translates to secure (I used to tinker with freeBSD a lot)
[21:22] nginx hasn't been too bad security-wise though, you have to structure the rules correctly from what I understand
[21:23] it freaked me out how my apache mpm prefork would jump in cpu and memory every time I tested connecting to it
[21:23] one firefox connect = 2% ?
[21:25] thttpd should work with php no?
[21:27] I wish man, I turned the internet upside down looking for a way to do fastCGI
[21:33] heh?
[21:33] I have >300 connections with apache and I don't have 2% cpu usage
[21:34] but then, prefork is the issue there, just don't use prefork
[21:37] cripes, just when you think you're getting good at being a sysadmin, you find out you don't know your dick from your elbow :P
[21:38] hehe
[21:38] the life of a sysadmin
[21:38] always learning
[21:39] ya, it's whatever works best
[21:39] I do not use apache on a lot of systems
[21:39] agreed.
[21:39] but I do use apache on any systems I don't have full control over
[21:40] you could implement a lot of mod_security stuff by making nginx rules in its config
[21:40] but it would get highly annoying
[21:45] I followed the nginx tutorials... all I can hope for is that they're secure enough, I have too much to do atm
[21:45] :-/ what a cop out though
[21:45] Free99: nickto is a nice little tool
[21:45] er nikto
[21:49] wow crypticsquared, that's awesome! thanks!
[21:49] np
[21:55] can i still download ubuntu server 8.10?
[21:56] codescience: http://old-releases.ubuntu.com/releases/8.10/ though the repos are down AFAIK
[21:59] thanks.
[22:02] anyone good with postfix here?
[22:02] !ask
[22:02] Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[22:03] Yea be ready to idle. :)
[22:03] sometimes an answer can take a while
[22:04] there is a whole #postfix channel too, though I am normally only there during working hours
[22:50] Anyone know what happens when rsyslog on ubuntu tries to send to a server but can't resolve the DNS name?
[22:50] I'm trying it now, but can't see anything in syslog to tell that it's failing
[22:54] gen0cide_: "man rsyslog" might give you some clues
[22:56] " If the remote hostname cannot be resolved at startup, because the name-server might not be accessible (it may be started after rsyslogd) you don't have to worry. Rsyslogd will retry to resolve the name ten times and then complain. " - I don't see the complaint. Where would that happen?
[22:57] In the log, I'd have thought
[22:59] Nope, nothing -.-
[23:00] Maybe the startup-script is sending output to /dev/null
[23:46] I'm going to be setting up a machine running ubuntu-server as a game server in the next few weeks and I was wondering if there was a way to recursively create folders and symlinks
[23:47] for shared resources
[23:48] or would I have to manually create folders, and symlink everything in them