[01:18] <cluelessperson> I seriously don't understand what the fuck is happening
[01:18] <cluelessperson> Everything is fail for me now
[01:19] <cluelessperson> what the fuck is "public login: mountall: Disconnected from Plymouth" ?
[01:19] <IdleOne> Please stop cursing
[01:21] <cluelessperson> IdleOne: I'm getting extremely frustrated.
[01:21] <cluelessperson> IdleOne: I cannot get a fraking stable configuration in place, because seemingly, every day, there's an update that breaks something.
[01:21] <cluelessperson> IdleOne: and by something, I mean everything
[01:24] <IdleOne> I feel for you and wish I knew how to help you but getting upset and swearing is not going to help you get help.
[01:25] <IdleOne> I know that saying everything is broken is not enough detail to start trying to help.
[01:26] <cluelessperson> IdleOne: I cannot shut down my vm because ubuntu put out a flawed update, I'm getting a "public login: mountall: Disconnected from Plymouth" when the server (FRESH install) boots up
[01:26] <cluelessperson> IdleOne: and apache is not responding on port 80.
[01:28] <patdk-lap> and the logs say?
[01:29] <qman__> does sudo netstat -lanp | grep apache return anything?
[01:30] <cluelessperson> patdk-lap: qman__  I'll respond to your questions in a moment, I appreciate your taking interest
[01:31] <qman__> I don't know anything about Subsonic, and I don't have experience using apache's proxyforward, but I know a thing or two about apache and networking in general
[01:31] <qman__> so hopefully I can at least get you that far
[01:32] <cluelessperson> qman__: I don't think that's broken.  Actually, I think it's virtualbox that may be breaking things.  However the "public login: mountall: Disconnected from Plymouth" and the screwed up shutdown are known bugs now
[01:34] <cluelessperson> You know what?
[01:34] <qman__> well, one other point to verify
[01:35] <qman__> bad downloads can really ruin your day
[01:35] <qman__> they do happen, even with good internet connections, and they have happened to me
[01:35] <qman__> and that is _never_ fun
[01:35] <cluelessperson> qman__: like, bad ubuntu iso?
[01:35] <qman__> bad iso, or bad debs from the net
[01:36] <cluelessperson> qman__: I'm installing very few things.  lamp, openssh, subsonic, virtualbox guest additions
[01:36] <qman__> check the md5sum/sha1sum/whatever to make sure your iso is good, and then I'd check key packages like apache
[01:36] <cluelessperson> okay
[01:36] <qman__> every package downloaded will be in /var/cache/apt/archive
[01:36] <cluelessperson> qman__: The apache thing happened after a restart
[01:38] <qman__> I try not to reboot
[01:39] <qman__> upstart had ruined my day on more than one occasion, too
[01:40] <patdk-lap> packages should be ok, they are signed
[01:40] <patdk-lap> and the signature wouldn't be valid
[01:41] <qman__> should be, but it has happened to me before
[01:41] <patdk-lap> sounds like bad disk then
[01:41] <qman__> I think it displays on screen when a signature isn't valid, but a lot of times that gets blown by with all the other feedback and you miss it
[01:42] <patdk-lap> mine always bombs out on bad sig
[01:42]  * patdk-lap likely would place the blame on virtualbox, it's known to have issues
[01:43] <patdk-lap> one of the reasons I don't use it
[01:43] <qman__> given the alternatives, virtualbox isn't half bad
[01:43] <qman__> but it does have some issues
[01:43] <patdk-lap> alternatives? I'm happy with vmware
[01:44] <qman__> virtual PC is really lacking in options, and last I checked, vmware workstation was expensive
[01:44] <cluelessperson> virtualbox lacks obvious features like start on boot or login, or graceful shutdown with host, dear god
[01:44] <qman__> well, that's not what it's for
[01:45] <qman__> virtualbox is for user-centric virtualization on a desktop
[01:45] <patdk-lap> yep, and this is the server channel
[01:45] <qman__> if you want features like that you need to use a software designed to do it
[01:45] <qman__> like KVM, or ESXi
[01:46] <qman__> or Xen
[01:46] <patdk-lap> depending on the scale you need, lxc :)
[01:46] <patdk-lap> openvz, ...
[01:46] <cluelessperson> qman__: What do you suggest for a small server?
[01:47] <qman__> what's your hardware like, and what sum total are you virtualizing?
[01:47] <patdk-lap> what is the small server? is it inside this vm? or is it what is running these vm's?
[01:48] <patdk-lap> almost sounds like you want to run a small server vm on a desktop machine
[01:48] <qman__> if you're doing that, and you have a linux desktop, you could use KVM
[01:48] <sarnold> kvm++
[01:48] <qman__> it'll play nice when you're using the host as a desktop
[01:49] <qman__> Xen and ESXi won't do that, they're for dedicated host setups only
[01:49] <qman__> KVM does dedicated host too, but it can work on a user desktop
[01:50] <cluelessperson> qman__: patdk-lap    This is a Xeon 3.4GHz quad core with 8 threads, 10 MB cache, motherboard automatic overclocking to 3.6.  I run Windows Ultimate 64-bit
[01:50] <qman__> well, all of the above requires a linux host OS
[01:51] <cluelessperson> qman__: patdk-lap  I use this for gaming, work, several serving functions.  I want the VM for an isolated and modular linux server that handles certain situations
[01:51] <patdk-lap> I wouldn't know anything about running when using a windows os
[01:51] <qman__> I don't know if microsoft still does virtual server, but that could work
[01:52] <sarnold> qman__: did they ever update that for the CPU-based virtualization deals or did it stay a paravirtualized thing?
[01:52] <qman__> but hyper-v probably squashed that product
[01:52] <qman__> in the windows world, hyper-v is the right thing for this situation, but it's pretty expensive
[01:53] <qman__> virtual server was free
[01:53] <qman__> or, if you can still get vmware server, that'd be a good option
[01:54] <qman__> but that was squashed with ESXi
[03:28] <cluelessperson> sigh
[03:29] <cluelessperson> So right now.  Apache2 is not responding on port 80
[03:29] <cluelessperson> qman__:  ^
[03:30] <cluelessperson> and I get "psithurisms login: mountall: Disconnected from Plymouth"
[03:31] <cluelessperson> apache2 logs and system logs show nothing.
[03:32] <qman__> cluelessperson, that message is benign, you shouldn't see it at your login screen but it doesn't by itself break anything
[03:33] <qman__> does sudo netstat -lanp | grep apache return anything?
[03:33] <cluelessperson> qman__: it disables my login on that screen
[03:33] <qman__> cluelessperson, press enter, it should give you a new prompt
[03:33] <cluelessperson> qman__: Control Alt F2
[03:33] <cluelessperson> qman__: What's causing it though? -_-;
[03:34] <cluelessperson> qman__: alright, but apache2 doesn't work.  Not responding on port 80
[03:34] <qman__> from what I found while searching, it's a symptom of a lot of other problems
[03:34] <qman__> so is it running or isn't it
[03:34] <cluelessperson> qman__: apache is running, yes
[03:34] <qman__> ok
[03:35] <qman__> and are there any messages in /var/log/apache2/access.log?
[03:35] <qman__> if there are, check error.log for errors
[03:35] <cluelessperson> qman__: None.
[03:35] <qman__> so, what it means is, your requests are not reaching apache for one reason or another
[03:36] <qman__> access.log would contain things regardless if it worked or not
[03:36] <cluelessperson> qman__: Which doesn't make sense to me.  Because I'm able to putty in from my host over the forwarded port to the guest localhost:22
[03:36] <escott> qman__, can you telnet to http? is your firewall up?
[03:36] <cluelessperson> qman__: and port 80 is forwarded in the exact same way.
[03:37] <escott> rather cluelessperson can you telnet to http? is your firewall up? does it respond on localhost?
[03:37] <qman__> on the server, run curl localhost
[03:37] <qman__> you may have to apt-get install curl
[03:37] <qman__> if you get output that looks like a webpage, apache is working, and something else is causing your problem
[03:40] <cluelessperson> qman__: 404 not found, which means my directory is off, but I should still see that 404 in browser. but yes, apache's apparently working
[03:40] <qman__> yes
[03:41] <qman__> so that means apache is working
[03:41] <qman__> ubuntu does not have any firewall rules enabled out of the box, you can verify with iptables -L
[03:42] <qman__> so the next step is to find out where the networking issue is
[03:42] <qman__> probably virtualbox, networking has never been its strong suit
[03:42] <qman__> could be your windows firewall too
[03:43] <cluelessperson> qman__: Firewalls are disabled.
[03:44] <cluelessperson> qman__: The only way I know to test virtualbox right now is to localhost:22 which is allowing my putty through.
[03:44] <cluelessperson> http is forwarded the same way, I've double checked my port settings on other possible interfering programs.
[03:45] <qman__> you may have another program on your host OS or a feature of virtualbox using port 80 and preventing the port bind
[03:45] <cluelessperson> qman__: Wouldn't netstat show that?
[03:45] <qman__> if you have another app, yes
[03:45] <qman__> if it's virtualbox, maybe
[03:50] <cluelessperson> qman__:   :/  I haven't upgraded virtualbox.  I don't know why it would work one night and not the next.
[03:50] <cluelessperson> qman__: I should've reinstalled it already, will now
[03:51] <qman__> reinstalling is not likely to fix this problem
[03:51] <qman__> though depending on how bad it is that might be a good plan anyway
[03:52] <cluelessperson> qman__: Reinstall virtualbox I meant?
[03:52] <qman__> oh, ok
[03:52] <qman__> maybe, don't know
[04:01] <cluelessperson> qman__: No dice. reinstalling did not work
[04:01] <cluelessperson> qman__: At this point, it's a fresh install of Virtualbox, Ubuntu 12.04
[04:02] <cluelessperson> qman__: I've tried closing out and opening other network adapters on the guest.
[04:05] <qman__> cluelessperson, if you're using a NAT networking config, I'd try setting it up as bridged instead and see if it solves the problem
[04:05] <cluelessperson> qman__: I was avoiding that, but okay.
[04:06] <cluelessperson> qman__: Also, I do not have graceful shutdown with "sudo shutdown now" but I'll worry that later
[04:06] <qman__> cluelessperson, try sudo poweroff
[04:07] <cluelessperson> qman__: Upon reboot, Sda1 is not ready or is not present.
[04:09] <cluelessperson> qman__: ...  I don't understand how switching to bridge mode makes a partition inaccessible
[04:09] <cluelessperson> qman__:  I think I may be done with virtualbox
[04:13] <qman__> cluelessperson, you can still get VMWare Server, it's unsupported but available: https://my.vmware.com/web/vmware/evalcenter?p=server20&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFoQFjAI&url=https://www.vmware.com/go/getserver&ei=vgBxUN3jIu66yAG9oYCACw&usg=AFQjCNHs4HR7u8yZ9MQgHmR4wAAVNVOUGw
[04:13] <qman__> I think that will be better suited to your purpose
[04:17] <cluelessperson> qman__: btw, I feel I owe you money.
[04:20] <qman__> heh
[05:28] <cluelessperson> qman__: Sigh.  Now I can't install ubuntu on vmware.  It's stuck
[05:32] <Mammutpanzer> Hello. My name is Mammutpanzer and I plan to administrate a server. Before going onto the real server I want to run a VM to test everything, see if it is possible for me, look if it is fun to me or too much of a disaster. So I installed a VM of Linux Ubuntu Server 12.4. Now I would like to discuss security. Is this the right channel to discuss ubuntu server security?
[06:04] <darthanubis> Mammutpanzer, never ask to ask, just ask your questions
[06:15] <cluelessperson> clear
[06:16] <cluelessperson> So, I've installed VMware Server, and I can't install ubuntu 12.04 because it hangs at the very first menu.
[06:18] <darthanubis> and?
[06:19] <darthanubis> need more info
[06:44] <cluelessperson> darthanubis: sorry
[06:44] <cluelessperson> darthanubis: I just installed VMware server, ubuntu install hangs at "install ubuntu server" first menu
[10:17] <Mammutpanzer> Is this the right channel to ask questions about ubuntu and server security or should I go to ubuntu-hardened?
[10:29] <chris|> Mammutpanzer, don't ask to ask, just ask the question
[10:46] <Mammutpanzer> Well chris, I didn't ask to ask a question, I just wanted to follow the channel rules, and one of them is that I should be on topic; the question was whether I am on topic
[11:50] <Mammutpanzer> I can't open the start-stop-daemon man page, does someone know why? Do I have to download additional man packages?
[12:24] <Mammutpanzer> I am trying the command "ps -aux > foo" but it doesn't write to foo it simply says "bad ps syntax perhaps a bogus"? What am I doing wrong?
[12:36] <woodler> I just recently installed ubuntu server on a vm, I'm very new to linux servers. What's the initial process you would perform to set up a Linux server? For example, does it need to have something such as Active Directory set up, or the promotion of a Domain Controller? Can you give me some thoughts/insight on what you think should be set up first as the initial process? Please give me a real world testing solution. Thank you
[13:46] <roniez> woodler: well do you use AD or DC?
[14:27] <Rodney353> hi, by any chance has anyone here ever worked in a datacenter?
[14:35] <Rodney353> :(
[14:38] <SpamapS> Rodney353: maybe ask your real question?
[14:38] <SpamapS> Rodney353: a lot of us just read backscroll... so an answer might take a few hours
[14:42] <Rodney353> trying to find information to learn about the equipment in a datacenter
[14:42] <SpamapS> Rodney353: take a tour
[14:42] <Rodney353> trying to get a job in one, took a tour today, and realized i know next to nothing...
[14:42] <roniez> the equipment in a datacenter can vary a lot
[14:43] <SpamapS> Hm, I've been in about 20 DC's ... they are all basically the same in my eyes
[14:43] <Rodney353> there were hard drive arrays, load balancers, and all this crazy equipment...
[14:43] <roniez> what does it say about responsibilities.
[14:43] <SpamapS> the make/model might differ, but the setup is almost always the same
[14:43] <roniez> SpamapS: also depends whether he will be having access to client cages or not as well
[14:43] <Rodney353> I took ccna and mcsa, and wasn't prepared....at all....
[14:44] <SpamapS> haha
[14:44] <SpamapS> Rodney353: "learn by doing"
[14:44] <Rodney353> i thought it would be just routers, switches and servers
[14:44] <Rodney353> WAY off
[14:44] <roniez> http://www.cisco.com/web/learning/le3/le2/le41/le99/learning_certification_type_home.html
[14:44] <roniez> thats for datacenter certificates.
[14:45] <SpamapS> Rodney353: don't take this the wrong way, but when I evaluate an operations person for hire.. the more certs they have, the more suspicious I am that they know nothing.
[14:45] <roniez> very true
[14:45] <roniez> i worked in a NOC for almost 2 yrs before i took my ccna
[14:45] <roniez> and ccnp
[14:45] <SpamapS> Rodney353: did you bother talking to ops people before getting these certs?
[14:45] <Rodney353> I took them as an extra class at my college
[14:46] <roniez> my entire IT career is based on experience. i have not landed a single job due to any certificates.
[14:46] <Rodney353> it was cheap, so i took them
[14:46] <Rodney353> figured they couldn't hurt...
[14:46] <roniez> Rodney353: they don't. :)
[14:46] <roniez> can easily get you a better paycheck
[14:47] <Rodney690> but i kinda want this job...
[14:47] <Rodney690> and if I get it I don't want to show up and be clueless...
[14:47] <roniez> DO you know how many other applicants?
[14:47] <Rodney690> even though it is a 'learning' lower level position
[14:47] <SpamapS> roniez: you'll be fine. my recommendation would be to get an entry level job and just push hard to learn.
[14:48] <roniez> that was for Rodney690 :D
[14:48] <SpamapS> Rodney690: You'll be fine. Be honest about what you don't know, and how excited you are *to learn*
[14:48] <Rodney690> it's very entry level, but just getting the tour I felt bad that i didn't know anything
[14:48] <roniez> You cannot know everything from start.
[14:48] <roniez> and entry level at a datacentre means you will have a mentor
[14:49] <roniez> at least it does here in holland
[14:49] <SpamapS> yeah in fact they probably wouldn't want you to know anything
[14:49] <SpamapS> then you'd want $$
[14:50] <roniez> hehe
[14:50] <Rodney690> well the pay is decent...
[14:50] <roniez> knowledge = higher paycheck demands
[14:50] <Rodney690> not great, but livable
[14:50] <roniez> so don't worry too much Rodney690, just be honest about what you know and don't lie about it.
[14:51] <Rodney690> well, I'm looking for information to learn these things
[14:51] <Rodney690> but i can't find any information on it
[14:52] <SpamapS> Rodney690: seriously, the way to learn these things is to get a job like the one you're applying for.
[14:52] <Rodney690> I think they want me to know at least a little lol
[14:53] <Rodney690> They gave me a test but they were easy
[14:53] <Rodney690> like really easy...
[14:53] <roniez> its entry level
[14:53] <roniez> and if you find them easy you're already in a good position
[14:53] <roniez> counting that you passed the test ofc.
[14:53] <Rodney690> like make a crossover cable
[14:53] <roniez> a lot of your work will be remote hands supporting
[14:53] <roniez> patching, switching hardware etc.
[14:53] <roniez> depending on the clients request ofc.
[14:54] <Rodney690> and then we walk into the center and there's millions of cables everywhere
[14:54] <Rodney690> spools of 100 fiber cables
[14:54] <Rodney690> and I'm like uhhhh.... I've connected fiber cables to a switch .... I have no idea what these 100 do
[14:55] <Rodney690> there was equipment I have never even seen before
[14:55] <roniez> just performance difference.
[14:55] <SpamapS> Rodney690: right, nobody ever sees those except in a job in a DC
[14:55] <SpamapS> Rodney690: *chill out*
[14:55] <Rodney690> lol...
[14:55] <SpamapS> Rodney690: your biggest danger now is your own head, not knowing something.
[14:56]  * SpamapS goes back to regular Sunday
[14:56] <Rodney690> wish there were videos that described what goes on in typical racks
[14:56] <Rodney690> keep searching, found nothing :(
[14:57] <shauno> don't let the cabling faze you.  they can smell fear.  show any sign of weakness, and you'll disappear into a loom and never return
[14:58] <Rodney690> lol, I act like it's no big deal, I've seen it before
[14:58] <Rodney690> when inside I'm like: I have no idea what any of these things are doing
[14:59] <Rodney690> I was like a computer helpdesk guy at my old job.
[15:00] <Rodney690> Just dealt with routers, switches, and servers
[15:00] <roniez> oh yea cabling is like don't even bother. if they failed it from the start they will never work it out until they redesign the entire DC
[15:00] <Rodney690> never even seen a load balancer, let alone one that's worth over 100k
[15:00] <roniez> a LB is nothing special just a fancy way of moving a round robin DNS to its own hardware.
[15:00] <roniez> :)
[15:01] <Rodney690> yah but they had like 500k equipment
[15:01] <Rodney690> my hp proliant 7 server cost 4k...
[15:01] <roniez> just wait until they come with the new nexus-switches
[15:01] <roniez> they are fun
[15:01] <Rodney690> they also had cloud servers
[15:02] <Rodney690> with hard drive arrays
[15:02] <Rodney690> no idea how that works...
[15:03] <roniez> just a storage raid setup. :) linked to some ESX environment
[15:04] <roniez> it's all Virtualized nowadays.
[15:06] <Rodney690> well, yah but if I have to troubleshoot or change wiring on it...
[15:06] <roniez> you won't learn that until you do it
[15:06] <roniez> there is no way to prepare for that kind of stuff.
[15:10] <Rodney690> they were throwing out models left and right
[15:10] <Rodney690> like i was supposed to know what they are talking about lol
[15:11] <Rodney690> needless to say catalyst 6500 was not one of them lol
[16:12] <Joy0x3806> anyone experience a black screen with white cursor on boot from USB?
[16:12] <Joy0x3806> trying to install ubuntu server from usb
[16:13] <Joy0x3806> used universal usb installer and unetbootin
[16:13] <Joy0x3806> both give me the same results
[16:13] <Joy0x3806> anyone?
[16:15] <Joy0x3806> help?
[16:16] <roniez> well black screen with white cursor is not really saying much
[16:24] <Joy0x3806> oh
[16:24] <Joy0x3806> trying to install ubuntu server from usb drive
[16:25] <Joy0x3806> I used universal usb installer
[16:26] <Joy0x3806> when I boot from usb, I don't see any splash screen, not even a grub message, nothing
[16:26] <Joy0x3806> It just hangs
[16:28] <Joy0x3806> what could it be ? Maybe the MBR was not properly installed on usb with universal or unetbootin ?
[17:41] <Free99> Hello everyone. I'm setting up a mailstack server (that is, the semi-preconfigured postfix/Dovecot via the repos), but I'm having a little trouble getting postfix to accept mail
[17:41] <Free99> I have the system set up to use my LDAP server, postfix searches the LDAP for any users who have the "mail=" field defined, and if so, accepts the mail... or at least, that's the plan
[17:43] <Free99> I've checked with postmap -q that the ldap search file works, it returns a username if the search for an email address was successful, otherwise it returns nothing
[17:43] <Free99> the stack has been removed from chroot, and I'm sending mail locally, so there should be no problems with the firewall, etc..
[19:14] <Mammutpanzer> Hi I try to do sudo cd directory to go into a directory but it says sudo: cd: command not found
[19:14] <Mammutpanzer> How can I go to the directory?
[19:16] <TJ-> Mammutpanzer: firstly, you don't need "sudo" to change directory. Secondly, when you use "sudo" it cannot execute a shell builtin (which is what 'cd' is) unless you use additional options to "sudo".
[19:18] <Mammutpanzer> but how can I access a dir that has the following? drwx------?
[19:18] <Mammutpanzer> Oh and thanks for the explanation TJ- :)
[19:18] <TJ-> Mammutpanzer: You'd need to do "sudo -i" which gives you an interactive root shell. Once you're done in the shell, type "exit" to return to the non-privileged user
[19:19] <Mammutpanzer> There is no other option?
[19:19] <TJ-> Mammutpanzer: If you want to execute a particular program as super-user, you can do things like: "sudo ls -l /path/to/restricted/dir/"
[19:20] <TJ-> Mammutpanzer: If you need to do several things, you could also create a short shell-script file, and execute it "sudo /path/to/my/simple.sh"
[19:21] <Mammutpanzer> Sounds good, thanks for all the advice :D I really try to not log in as root
[19:25] <Free99> hello there. I'm curious to see what the standard solution is for when iptables isn't responding correctly
[19:26] <Free99> I have 12.04.1 on a 64-bit server with two interfaces and two bridges
[19:26] <chmuri> has anyone here used kickstart for ubuntu in the past?
[19:27] <Free99> I wound up doing an iptables-save, then iptables -L (which promptly locked me out of my SSH session..ha. ha.) then iptables-restore... seemed to fix the issue. Has that happened to anyone else in the past?
[19:52] <guntbert> Free99: I have only seen instances of iptables not being configured correctly, the rules you set are followed by the kernel
[19:53] <cluelessperson> So I've installed VMWare server, but ubuntu server hangs at selection in the first menu "Install ubuntu server"
[19:53] <cluelessperson> No errors are seen
[19:54] <Free99> guntbert: funny thing is, I had only enabled UFW, no rules were added. I also have fwknopd 2.0.3 running on the server, but I've never had it misconfigure the firewall before
[19:54] <Free99> is there a command I can run to get iptables to mention an erroneous config?
[19:55] <patdk-lap> heh?
[19:55] <patdk-lap> there is no such thing as an erroneous config
[19:55] <patdk-lap> either the iptables command works or doesn't
[19:56] <patdk-lap> it is easily possible to create some kind of packet flow logic that doesn't do what you want, but no way iptables would know that
[19:56] <Free99> that's what I figured, considering that I ran iptables-restore on a possibly bad config, and it works fine now
[19:56] <Free99> hmm
[19:56] <guntbert> Free99: it may be that there are misunderstandings between yourself and the programmer of a tool...
[19:56] <Free99> I do have two interfaces, so that could have something to do with it
[19:57] <guntbert> Free99: it's still a matter of your understanding what some tool will do - the final commands are unambiguous
[19:59] <Free99> I do not know how to directly control iptables. This much I do know: UFW has worked a-ok in the past, as has fwknopd. The only reason I think I may have an issue is because this is the first time I've had two interfaces active as opposed to just one
[19:59] <patdk-lap> you're not attempting to use both are you?
[19:59] <patdk-lap> you should only have one or the other installed
[19:59] <patdk-lap> having both is going to be unpredictable
[20:00] <Free99> really? why is that?
[20:00] <patdk-lap> likely, at reboot, both will run
[20:00] <patdk-lap> so the last one to run will be active
[20:01] <patdk-lap> and with upstart, that order could be random :)
[20:01] <Free99> well, I see both have their own separate tables
[20:01] <patdk-lap> heh?
[20:01] <patdk-lap> they both have to use the input/output/forward tables at least
[20:02] <Free99> sudo ufw show raw:
[20:02] <Free99>   533070 775614937 FWKNOP_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <Free99>   532389 775567243 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <Free99>   532389 775567243 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <Free99>   123399 20614426 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <Free99>     2741    89822 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <cluelessperson> sigh
[20:02] <Free99>     2741    89822 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:02] <Free99>     2741    89822 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
[20:03] <Free99> that's for the input chain
[20:03] <escott> oh joy
[20:03] <guntbert> Free99: having more than one program to manage iptables is like calling trouble
[20:03] <Free99> so yeah, you're right, they all go through in out and forward
[20:03] <guntbert> !paste | Free99
[20:03] <patdk-lap> in this case, FWKNOP gets priority, then ufw
[20:03] <Free99> woops, my bad
[20:04] <patdk-lap> and if upstart flipped it, ufw might get priority and fwk later
[20:04] <patdk-lap> and it could make a huge difference
[20:04] <patdk-lap> though you don't seem to understand why
[20:04] <Free99> Ho-hum.
[20:04] <Free99> I see what you mean
[20:04] <Free99> ufw's default is to deny access
[20:06] <Free99> incidentally, I'm still not sure how upstart works. I'm used to making sysV style scripts and using update-rc.d to install them in init.d
[20:06] <Free99> hang on, I'll google it rather than bother you blokes
[20:08] <guntbert> Free99: STOP - uninstall one of them, and keep the other, then you can try to tweak the rules
[20:10] <Free99> system is running ok for the time being, I'll leave it be without rebooting it for now
[20:11] <Free99> I'm going to need UFW, my boss doesn't know much about iptables. I'll try writing an upstart script for fwknopd rather than use sysV
[20:12] <guntbert> Free99: not the best of possible ideas - usually the system restarts at one point in the future when you definitely cannot cope with any problems :-)
[20:13] <Free99> I think it'll be ok for a couple of days... I know what you're saying however lol
[20:14] <guntbert> Free99: and you might want to have a look into shorewall
[20:15] <guntbert> and keep in mind: only one tool at a given time!
[20:16] <Free99> well.. let me ask you then: this server is a KVM host, it doesn't need to do anything but directly route packets to the VMs which are connected to bridges br0 and br1..
[20:16] <Free99> I need to be able to SSH in, but other than that, nothing really (and obviously ssh is protected by fwknop)
[20:17] <guntbert> Free99: I have no idea what fwknop might be - but it doesn't protect anything by itself - all tools only generate iptables rules
[20:18] <Free99> oh, silly me. It's a single-packet port knocker, basically asks iptables to unshield port 22 to a specific ip that sends a correctly encrypted packet
[20:19] <Free99> works really well, no 0day exploits or anything of the sort are possible against commonly attacked ports when fwknop is in use
[20:21] <guntbert> Free99: don't rely on port knockers - they provide just a not so secure password - configure your ssh server to only accept pubkey based logins
[20:22] <guntbert> Free99: SEE http://bsdly.blogspot.co.at/2012/04/why-not-use-port-knocking.html
[20:22] <patdk-lap> hmm, no need for fwknop, iptables does that itself
[20:23] <Free99> umm... gpg keys are supported for fwknop. Besides, sometimes I have to manage something on my android phone, it's a bitch to use pub/priv keys with
[20:24] <guntbert> Free99: suit yourself - but you have been warned :-)
[20:25] <Free99> guntbert: I actually read something like this, it's not based on knocking different ports in sequence
[20:26] <Free99> http://www.cipherdyne.org/fwknop/
[20:28] <patdk-lap> wait? fwknop is a daemon? with root permissions?
[20:28] <patdk-lap> and it's allowed to receive generic ip traffic? and you trust it more than sshd?
[20:28] <patdk-lap> just use the built in iptables port knocking, so much safer
[20:29] <patdk-lap> if you must use port knocking at all
[20:29] <Free99> well, you have to know what port it's on, it uses UDP...hmm.
[20:29] <patdk-lap> and those things make it secure? no
[20:30] <patdk-lap> forget about a zero day ssh issue, any issue in fwknop and you're toast
[20:31] <patdk-lap> I personally never saw the point of portknocking though
[20:31] <guntbert> Free99: how many different ports are there?
[20:32] <patdk-lap> shorewall has portknocking built in though, using iptables rules to do it, no extra software insecurity
[20:34] <Free99> alright, so look: on the client, I run "fwknop -a 123.123.123.1 -A tcp/22 -D 123.234.111.12 --test" and then input my password, or use my gpg key
[20:34] <Free99> it encodes as 2146526055123413:ZmFsY29uZXll:1349642014:2.0.3:1:MTIzLjEyMy4xMjMuMSx0Y3AvMjI
[20:35] <patdk-lap> that isn't the point
[20:35] <patdk-lap> you're exchanging one daemon (opensshd) with another daemon (fwknopd) to cause the same root exploit
[20:35] <patdk-lap> you're protecting x, with something just as insecure, y
[20:36] <Free99> so if I run it as a different user with permission to run a sudo script that opens only 22 to a specific address...?
[20:36] <Free99> it=the daemon, that is
[20:36] <patdk-lap> would be better then
[20:36] <Free99> so why should I trust any of the author's (Michael Abrash) other stuff?
[20:37] <patdk-lap> I dunno? should you?
[20:37] <patdk-lap> I personally don't trust many people
[20:37] <patdk-lap> and definitely not random blogs
[20:38] <Free99> he has a module that listens for stuff via snort and blocks skiddies automatically based on the rules.. well. I looked through his code, it looks good, and people liked him at toor
[20:38] <Free99> (shrug) I guess it is a trust thing.
[20:38] <Free99> it's in the repos, by the way
[20:38] <Free99> fwknop, that is
[20:39] <patdk-lap> no one is saying it's a bad idea, there is no usecase for it
[20:39] <patdk-lap> but care must be taken in how it's used
[20:39] <patdk-lap> and it seems overkill for simple ssh protection
[20:39] <Free99> yeah, kinda forgot that it was running as root :-/
[20:40] <Free99> I'm not a professional sysadmin if you couldn't tell lol
[20:40] <Free99> I got tired of the ssh bots running around my school network, this seemed to fit the bill
[20:41] <patdk-lap> I just use basic tech, like fail2ban
[20:41] <patdk-lap> also submit all those firewall blocked logs to dshield, and do my own parsing on them
[20:42] <Free99> I originally liked denyhosts until I heard about the ssh botnets that purposely distribute cracking attempts
[20:43] <patdk-lap> haven't ever had an issue with one of them
[20:51] <Free99> I understand that these are all band-aids to a problem... but I've got this running successfully on ~8 different servers, it'll be a while before I can get people to adapt to something new
[20:51] <Free99> perhaps an apparmor profile?
[20:53] <patdk-lap> apparmor would just be more bandaid protection to fwknop
[20:55] <Free99> someone's mentioning that the server listens passively via libfko, no direct tcp or udp connections per se. Sigh. that sucks man, I thought this was great
[20:55] <patdk-lap> well, udp is passive
[20:55] <patdk-lap> but it processes data contained in that passive udp listener
[20:55] <patdk-lap> that is where issues can come up
[20:56] <patdk-lap> buffer overflows, being common
[20:56] <Free99> you know, that reminds me. why the hell doesn't the ubuntu kernel use NX?
[20:56] <Free99> I have to compile my own kernel for that, what gives?
[20:57] <Free99> anyway, yeah. I'm looking over shorewall right now
[21:01] <Free99> wrong again also, looks like they put no-exec in after 10.04
[21:01] <Free99> https://wiki.ubuntu.com/Security/CPUFeatures
[21:08] <patdk-lap> no, that has always been there
[21:08] <patdk-lap> the WARNING, if you're on a noexec compatible cpu, that has that feature disabled, is on 10.04+
[21:12] <Free99> I appreciate your help so far patdk-lap. I have one more Q... any reason I shouldn't compile my own kernel for a web-facing system using the grsecurity patches?
[21:15] <patdk-lap> it all depends
[21:15] <patdk-lap> seems like it has a lot of interesting stuff, I have never used that though
[21:15] <patdk-lap> personally, I prefer to detect if a system is compromised long before something like that should kick in
[21:16] <Free99> I was looking at it in terms of just mitigating that potential as much as possible
[21:16] <Free99> I have backups already implemented, and I tried to harden nginx and php as much as possible
[21:17] <Free99> or at least, as much as I knew how to w/o breaking anything
[21:17] <chris|> harden php.. that one never gets old
[21:17] <patdk-lap> while those are a problem, 90% of the issues are normally the php programs themselves
[21:17] <Free99> lol I have to run wordpress, so... yeah
[21:18] <Free99> I'm using the suhosin patches
[21:18] <patdk-lap> heh, wordpress has a long history of issues :)
[21:18] <Free99> (shrug) It's a fickle thing you know?
[21:18] <patdk-lap> I would opt for using mod_security
[21:18] <Free99> isn't that only for apache?
[21:18] <patdk-lap> yep
[21:19] <Free99> <- nginx
[21:19] <patdk-lap> you're running facebook?
[21:19] <patdk-lap> performance over security?
[21:19] <Free99> apparently? lol..
[21:19] <patdk-lap> it's all what you want :)
[21:19] <patdk-lap> I have a crapload of iis servers I *must* use
[21:19] <Free99> guh
[21:19] <patdk-lap> but I do shove an apache with mod_security on them
[21:19] <patdk-lap> makes me feel better
[21:20] <patdk-lap> also require vpn access to even hit the proxy
[21:20] <patdk-lap> and yes, I do prefer not to use apache when I can
[21:20] <patdk-lap> but some things, it still is required
[21:21] <Free99> I mean look, I'd use thttpd if I could make it run with php
[21:21] <Free99> I like simple, it usually translates to secure (I used to tinker with freeBSD a lot)
[21:22] <Free99> nginx hasn't been too bad security-wise though, you have to structure the rules correctly from what I understand
[21:23] <Free99> it freaked me out how my apache mpm prefork would jump in cpu and memory every time I tested connecting to it
[21:23] <Free99> one firefox connect= 2% ?
[21:25] <roniez> thttpd should work with php no?
[21:27] <Free99> I wish man, I turned the internet upside down looking for a way to do fastCGI
[21:33] <patdk-lap> heh?
[21:33] <patdk-lap> I have >300 connections with apache and I don't have 2% cpu usage
[21:34] <patdk-lap> but then, prefork is the issue there, just don't use prefork
[21:37] <Free99> cripes, just when you think you're getting good at being a sysadmin, you find out you don't know your dick from your elbow :P
[21:38] <roniez> hehe
[21:38] <roniez> the life of a sysadmin
[21:38] <roniez> always learning
[21:39] <patdk-lap> ya, it's whatever works best
[21:39] <patdk-lap> I do not use apache on a lot of systems
[21:39] <roniez> agreed.
[21:39] <patdk-lap> but I do use apache on any systems I don't have full control over
[21:40] <patdk-lap> you could implement a lot of mod_security stuff by making nginx rules in its config
[21:40] <patdk-lap> but it would get highly annoying
[21:45] <Free99> I followed the nginx tutorials... all I can hope for is that they're secure enough, I have too much to do atm
[21:45] <Free99> :-/ what a cop out though
[21:45] <CrypticSquared> Free99: nickto is a nice little tool
[21:45] <CrypticSquared> er nikto
[21:49] <Free99> wow crypticsquared, that's awesome! thanks!
[21:49] <CrypticSquared> np
[21:55] <codescience> can i still download ubuntu server 8.10?
[21:56] <holstein> codescience: http://old-releases.ubuntu.com/releases/8.10/ though the repos are down AFAIK
[21:59] <codescience> thanks.
[22:02] <Free99> anyone good with postfix here?
[22:02] <patdk-lap> !ask
[22:03] <roniez> Yea be ready to idle. :)
[22:03] <roniez> sometimes an answer can take a while
[22:04] <patdk-lap> there is a whole #postfix channel too, though I am normally only there during working hours
[22:50] <gen0cide_> Anyone know what happens when rsyslog on ubuntu tries to send to a server but can't resolve the DNS name?
[22:50] <gen0cide_> I'm trying it now, but can't see anything in syslog to tell that it's failing
[22:54] <TJ-> gen0cide_: "man rsyslog" might give you some clues
[22:56] <gen0cide_> "If the remote hostname cannot be resolved at startup, because the name-server might not be accessible (it may be started after rsyslogd) you don't have to worry. Rsyslogd will retry to resolve the name ten times and then complain." - I don't see the complaint. Where would that happen?
[22:57] <TJ-> In the log, I'd have thought
[22:59] <gen0cide_> Nope, nothing -.-
[23:00] <TJ-> Maybe the startup-script is sending output to /dev/null
[23:46] <techie> I'm going to be setting up a machine running ubuntu-server as a game server in the next few weeks and I was wondering if there was a way to recursively create folders and symlinks
[23:47] <techie> for shared resources
[23:48] <techie> or would I have to manually create folders, and symlink everything in them