jorenMaybe you're LogLevel value is too low00:00
jorenin /etc/ssh/sshd_config or whatever00:00
bananapieLogLevel INFO00:00
bananapiehmm, I see 'failed publickey for root...' not even though it doesn't say 'debug.00:01
bananapieI think it might be the kernel's rate limiter00:01
jorenmaybe watch ssh servername ?00:02
XanthippusAny tips for securing an Ubuntu Server?00:02
bananapieI think it's "a Ubuntu server" and not "an Ubuntu server".00:03
XanthippusEither way :P00:03
bananapieUsually, you use 'an' in front of a vowel, but I think because of the way Ubuntu is pronounced, it's an exception.00:03
bananapiecheck netstat -antup make sure there are no unnecessary services running.00:05
jorenhttps://help.ubuntu.com/community/Security might be some good reading00:05
XanthippusLots of udp and tcp00:05
XanthippusFrom command00:05
XanthippusWhat are the IPs?00:06
bananapiethat means it's listening on all interfaces on your server00:06
Xanthippustcp and udp6 = IPv6 correct?00:06
patdk-lapthere are so many more protocols than tcp and udp, and neither of them have anything to do with ipv600:07
Xanthippuspatdk-lap: I just did a netstat -antup, and I am currently looking at protocols00:07
patdk-lapdoes netstat show sctp?00:08
bananapiehmm, try netstat -atup instead, it will resolve service names, it will make it easier to read :)00:08
XanthippusWell the tcp6 and udp6 protocols have IPv6 addresses, which are with colons, like Mac addresses right?00:08
=== glebihan__ is now known as glebihan
bananapiethe lines that are interesting are the ones with *:* in the Foreign adderss section00:09
patdk-lapnope, seems netstat is limited to tcp and udp00:09
bananapieI set the LogLevel in sshd_config to VERBOSE, and I see all my failed connections.00:10
bananapiefail2ban now works, thx!00:11
bananapieI no longer see 'failed public key' in my logs, I think rsyslog is supressing information.00:18
jorencan you use "watch ssh servername" instead of your for loop?00:18
jorenor make your 50 number higher?00:18
bananapieI like watch :D00:19
bananapieI found the problem00:20
bananapiethe second server I am using for the tests doesn't have a private key. I ran ssh-keygen, and fail2ban is now banning the server.00:22
jorenhuh, I guess that makes sense00:22
bananapieThanks, fail2ban is working now.00:23
Xanthippusbananapie: What's the directory for configing PostFix again?00:25
XanthippusAnd how do I install modsecurity for nginx?00:25
bananapie/etc/ contains most configuration fies.00:25
bananapieand most configs are either /etc/[softwarename].conf or /etc/[softwarename]/[configuration files]00:25
XanthippusOh okay00:26
XanthippusHow do I know if I'm using those authentification keys you mentioned?00:26
bananapieFail2ban is easy to install, nice!00:28
XanthippusI'm on step 11 of this guide, what do I enter for SMTP_HOST and SMTP_PORT? http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics00:30
bananapieanyway know an easy command to cause failed logins on an imap server ?00:30
bananapiegiven that you want to run an smtp server, you could enter as the host00:33
Xanthippusaka localhost?00:37
XanthippusCan I keep the port also?00:37
Xanthippusnoob question: how do I save rules to iptables?00:42
XanthippusI typed iptables-save, would that work?00:45
bananapieiptables-save saves it yes, but you have to update /etc/network/interfaces as wel00:46
bananapietry adding  the following line at the end of the eth0 interface00:46
bananapiepre-up iptables-restore < /etc/iptables.rules00:46
XanthippusI use wlan000:47
XanthippusAnd uh oh, I think I have a rootkit...?00:47
patdk-lapyes :)00:47
Xanthippusbindshell "infected" at ports 46500:47
XanthippusHow do I get rid of this thing?!00:47
patdk-lapwhat is, this thing?00:48
XanthippusA rootkit I think00:48
XanthippusI ran chkrootkit00:48
patdk-lapnetstat -anp00:48
XanthippusWhat am I looking for in netstat?00:49
patdk-lapthe name of the progrm on port 46500:49
bananapie465 = encrypted smtp00:50
XanthippusI think it's bindshell00:50
XanthippusThat's what chkrootkit said00:50
XanthippusThere's no program on 465 here00:50
patdk-lapwhat ip?00:50
XanthippusAll in the 10k00:50
patdk-laphow can it detect something there, if there isn't something00:51
patdk-lapseems odd00:51
bananapieI think he means RFC1918's
XanthippusAll the ports listed by netstat are in 14,00000:51
XanthippusHow does someone find your server if you just activated it?00:52
patdk-lapsimple :)00:53
patdk-lapisn't the normal time to infection of a winxp computer on the internet, 14min?00:53
Xanthippusunhide.rb says warning from rkhunter00:53
XanthippusWhat does that mean?00:53
XanthippusOh, btw, that port 465 thing with bindshell, it is false positive00:56
patdk-lapheh, you could fix your smtp server too, 465 went away a long time ago00:56
patdk-lapreplaced with port 587, submission port00:56
XanthippusHow would I config that, patdk-lap ?00:57
patdk-lapdepends on your smtp server00:57
Xanthippus...would that be PostFix?00:58
patdk-lapI dunno, did you make an account for me on your server? :)00:58
Xanthippuslol no!01:01
patdk-lapI would find it strange postfix would be on port 465, it isn't by default01:02
XanthippusOh, so PostFix is the SMTP server01:03
XanthippusThought it was something like Dovecot or mailman01:03
patdk-lappostfix is A smtp server, no idea if it is the one installed on your server01:03
patdk-lapif it is, edit /etc/postfix/master.cf01:04
patdk-lapthough, sounds like you have a lot to learn about just email alone :)01:04
XanthippusI have no idea how to use as of yet01:06
XanthippusTurns out 465 is not the SMTP port01:06
XanthippusLike I said earlier, false positive01:06
Xanthippussmtp is at port 2501:06
patdk-lapI know01:06
bananapieencrypted smtp or smtps is 46501:06
patdk-lapsmtps is 46501:06
patdk-lapssl smtp01:06
patdk-laptls smtp is 58701:06
XanthippusOh okay there's an smtps on 46501:07
patdk-lap465 stopped being used before it was used01:07
Xanthippussubmission is on 58701:07
patdk-lap587 is much better01:07
XanthippusShould I disable 465 entirely?01:07
patdk-lapI would01:07
patdk-lap587 serves the same purpose01:07
XanthippusHow would I disable it?01:08
XanthippusWould I block it w/ ufw?01:08
patdk-lapjust comment it out in /etc/postfix/master.cf01:08
uvirtbot`New bug: #1076811 in cloud-init "Cloud-init modules do not reflect loaded config" [High,Fix committed] https://launchpad.net/bugs/107681101:11
Xanthippuspatdk-lap: is it this line? smtps         inet           smtpd01:12
XanthippusI don't know which line it is...01:14
hallynzul: was out all day...  no objections to libvirt 1.0.0 upload.  as i say the qrt needs an update (sigh, may need python xml parser at this point) but all tests passed in spirit01:15
patdk-lapthat and any line that starts with a space under it01:15
Xanthippusstarts with a space under it?01:15
patdk-lap#smtps     inet  n       -       -       -       -       smtpd01:15
patdk-lap#  -o smtpd_tls_wrappermode=yes01:15
patdk-lap#  -o smtpd_sasl_auth_enable=yes01:15
patdk-lap#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject01:15
patdk-lap#  -o milter_macro_daemon_name=ORIGINATING01:15
Xanthippusk did it01:17
XanthippusHow do I reload settings?01:18
patdk-lapservice postfix restart01:19
uvirtbot`New bug: #1076825 in nova (main) "Can't configure nova to use MySQL as backend" [Undecided,New] https://launchpad.net/bugs/107682501:31
Xanthippuspatdk-lap: I restarted it, and it gave me a bunch of unused parameters01:33
=== guampa_ is now known as guampa
XanthippusIf a hacker wanted to hack your local machine via a port, would he be unsuccessful if the router blocked that port from the outside?01:39
beeg98if he was attacking from the outside.01:39
beeg98if he somehow already got in (either an employee that is already in or via some other hacked service) then the router no longer protects you.01:40
XanthippusThen it is up to the local firewall, correct?01:41
patdk-lapthe router doesn't protect anything you go out and get too01:41
patdk-laplike you viewing websites or other things01:41
=== cpg is now known as cpg|away
sarnold.. and browsers make it easier to fire up network connections than one may like..01:43
XanthippusBut, if, say, a hacker from the outside tried to hack my server via a port01:44
XanthippusIt would <supposedly> be blocked by the router right?01:45
patdk-laprouter? no, firewall, sure01:45
XanthippusOh okay01:45
NomadJimwith ubuntu server releases like Precise and Quantal are packages locked? Like the vim on Precise is never going to get an upgrade and you'd need to go to Quantal for that unless you backport01:47
NomadJimbesides security updates01:48
patdk-lapyes, except if you use backports01:48
sarnoldNomadJim: there's an 'SRU' process to get updates outside of security fixes distributed to existing distributions01:49
ScottKBut that's for bug fixes.01:51
XanthippusHow would I set up my mail account on my server with Mail on OS X?01:54
XanthippusWhat do I input for Incoming Server?01:54
NomadJimok cool thanks01:54
sarnoldXanthippus: 'incoming server' sounds like it might be asking for your imap4 server details01:56
XanthippusI'm sorry, what would that be :-/01:56
XanthippusIt'd prob be a default value since I most likely didn't config it yet01:57
XanthippusI have Dovecot, PostFix, and SquirrelMail on my server, if that helps01:57
sarnoldhave you set up dovecot or cyrus or imap4d or something similar yet?01:57
XanthippusI have Dovecot01:58
patdk-lapnow ask if he has *configured* it :)01:58
sarnoldhaha :)01:58
patdk-lapa very basic mail server can take a few hours to configure01:59
patdk-lapthough, I normally spend a few days01:59
patdk-lapmailserver have lots of moving parts and stuff to make sure you protect against to limit abuse, spam, backscatter02:00
XanthippusAbuse like...02:00
patdk-lapcompromised passwords, open-relay, ...02:01
NomadJimis there a tool to check your mailserver for problems02:01
NomadJimthat you like to use02:01
patdk-lapgenerally if you want others to accept your email, reverse-dns setup, dkim, spf, dmarc, ...02:01
ScottKdmarc is sufficiently new I wouldn't put it on that list.02:01
patdk-lapNomadJim, the wild? and check your logs?02:01
NomadJimi need to get more intimate with my logs02:02
patdk-lapscottk, just setting up the dmarc dns entry so you get reports back is very useful02:02
Xanthippusreverse dns is... reversing a name i.e. google.com and getting its IP?02:02
sarnoldNomadJim: last time I had to run a mail server myself, I found this _very_ useful: telnet relay-test.mail-abuse.org02:02
NomadJimsarnold:  nice thanks02:03
sarnoldXanthippus: other way around, taking and turning it into a human-friendly FQDN02:03
Xanthippusaka DDNS, which I have02:03
sarnoldNomadJim: if you don't have telnet installed you can probably use nc as well...02:03
sarnoldXanthippus: no, that's altogether different :)02:03
XanthippusUm what02:03
sarnoldXanthippus: ddns is a way to update a dns server with a new hostname / ip binding -- many ddns providers aren't authoritative for the zones in question, so they can't provide reverse dns02:04
ScottKpatdk-lap: I agree.  I have set it up myself.  I even wrote a tool to make it ~easy to figure out - http://www.kitterman.com/dmarc/assistant.html - but that's really not a newbie kind of thing.02:04
NomadJimreverse dns and dns always confuse the hell out of me02:05
NomadJimalways appreciate a refresher02:05
patdk-lapwell, nothing about email is noobie friendly though02:05
sarnoldXanthippus: for fun, run "host <your hostname>" -- pretend it gives you back the ip address Then run "host" and see what the _reverse_ lookup shows...02:05
patdk-lapI was looking at http://www.unlocktheinbox.com/ when I setup mine02:06
patdk-lapreceiving email is simple02:07
patdk-lapsending email is not simple, cause your assumed to be a spam source, till you can pass as many technical issues as the receive wants to put on you02:07
XanthippusIf it's simple as you describe, patdk-lap , then that's now my first order of business02:07
patdk-lapreceiving is as easy as setting an mx entry, and listening on port 25 :)02:08
XanthippusBecause right now, all my logging services etc are configed to send email to me@myddns.com02:08
sarnoldpatdk-lap: .. though receiving is often made difficult to try to raise the technological hurdle of people sending mail; you know, assume they're spammers first :D02:08
patdk-lapsarnold, well I said receiving was easy, not keeping out spam :)02:08
sarnoldpatdk-lap: yes :)02:08
XanthippusTo recieve mail from outside, I need to open port 25 in router, correct?02:08
XanthippusJust firewall on server?02:09
patdk-laprouters do ip addresses, not ports02:09
XanthippusNo, like port forwarding on router02:09
sarnold.. except in the case of NAT-routers..02:09
patdk-lapXanthippus, then your probably have port 25 blocked by your isp02:09
XanthippusWhy would you think that, patdk-lap ?02:10
patdk-lapwell, nat routers is a firewall, nat is a firewall service :)02:10
sarnoldmany ISPs will unblock if you ask politely. some will remind you that your AUP says "run no servers". hehe. :)02:10
patdk-lapya, normally the isp will require you pay for static ip for that02:10
patdk-lapand normally do't run nat-routers on them02:10
XanthippusMy router's running DD-WRT, and it has NAT/QoS section, so I would assume my router is "NAT router"...02:10
patdk-lapyou can always give it a shot02:12
XanthippusWait, if opening ports on the router isn't necessary, I can close 22 aka ssh?02:13
XanthippusBecause I have confirmed that I can SSH to server via this port02:13
sarnoldkeep it forwarding :)02:13
sarnoldthough consider moving to another port to (slightly) cut back on automated probing02:14
sarnoldand consider disabling password access, if you haven't already02:14
XanthippusAutomated probing by who02:14
patdk-lapthe evil one02:14
XanthippusPassword access = enter password to access shell?02:14
Xanthippuslol patdk-lap02:14
sarnoldXanthippus: yes. ssh keys are more secure by a factor of millions. :)02:15
XanthippusOkay, how do I know if it's not using both, if that's even possible02:15
XanthippusBecause when I SSHed from my Mac for the first time, it asked if I wanted to remember an RSA key or something02:16
sarnoldXanthippus: look for "PasswordAuthentication no" in your /etc/ssh/sshd_config file02:17
sarnoldXanthippus: that would be the server's key, so you could tell if it is being impersonated in the future02:17
XanthippusIf it's #PasswordAuthentification yes then remove # and put no?02:17
sarnoldyes. make sure you can log in with a key first :)02:18
beeg98after you test your key, and change that option, restart the ssh service.02:20
XanthippusThe key locations are in the config file itself right?02:20
NomadJimthe EOL dates listed are when there are no more security patches right? https://wiki.ubuntu.com/Releases02:21
sarnoldXanthippus: yes, in AuthorizedKeysFile, though most people don't need to touch it. it just looks into ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default.02:21
NomadJimso if I wanted the longest possible security support Precise is the release for me02:21
sarnoldNomadJim: correct on both.02:21
sarnoldNomadJim: do note that some aspects of the distribution are supported for less than five years: https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest02:22
XanthippusIs there a private/public key?02:23
XanthippusWhich do I use?02:23
XanthippusAnd in terminal, how do I incorporate certs?02:24
sarnoldXanthippus: on the client, the private lives in ~/.ssh/id_rsa, public lives in ~/.ssh/id_rsa.pub -- and on the server, the public lives in ~/.ssh/authorized_keys.02:24
sarnoldXanthippus: ssh-copy-id is handy to automate logging in and copy-pasting the public portion onto the authorized_keys file02:25
escottXanthippus, every ssh server has an RSA key that identifies that computer (to protect against MITM attacks if you connect a second time and the key changes) that was the key you were being asked to remember or not02:35
escottNomadJim, no more anything dates and 12.04 is the most recent LTS02:36
=== shantorn_ is now known as shantorn
=== cpg|away is now known as cpg
=== n0ts_off is now known as n0ts
XanthippusHi guys, I'm back04:42
XanthippusHow would I login to SSH with an authentication key on OS X?04:44
escottXanthippus, same way as anywhere else. ssh-keygen; ssh-copyid user@remote; ssh user@remote;04:48
escottXanthippus, you do have to configure the ssh server to be running on OSX and verify it accepts auth-key logins04:48
XanthippusMy server is on Ubuntu, and I want to connect to it from OS X04:49
ubottuSSH is the Secure SHell protocol, see: https://help.ubuntu.com/community/SSH for client usage. PuTTY is an SSH client for Windows; see: http://www.chiark.greenend.org.uk/~sgtatham/putty/ for it's homepage. See also !scp (Secure CoPy) and !sshd (Secure SHell Daemon)04:49
stiv2ktoday i woke up to find my server with a flashing caps lock key04:53
stiv2ki.e., kernel panic04:54
stiv2kwhat can i look at to see what may have gone wrong?04:54
holsteinstiv2k: auto upgrade? hardware broken?04:54
stiv2kholstein i beg your pardon?04:55
holsteinstiv2k: im suggesting you look at an auto upgrade that might have broken something.. unless you dont do auto upgrades, then you can ignore that.. or maybe a bad component. motherboard failure.. etc04:56
stiv2kholstein, oh, i think its setup to only automatically do security updates04:57
stiv2kand... the hardware shold be fine afaik... i was asking more along the lines of what log file might be able to tell me what happeneds04:57
stiv2kit stayed online for like two weeks no problems until this morning04:57
holsteinstiv2k: i would just poke around in the logs... depends on the issue. it might have locked before it could log.. the machine is back up?04:59
stiv2kyes it is after i did a hard restart04:59
stiv2kmy irc client is actually running on it04:59
stiv2kso me being here talking to you means its working :P04:59
holsteini would probably just remove the install from the equation.. run a live CD on the hardware with the hard drive out04:59
holsteinstiv2k: i dont know that you are using it for IRC04:59
stiv2ki know that's why i mentioned it :)05:00
XanthippusHow do I use the ssh-copy-id?05:33
XanthippusDo I run it from the server or from the computer I'm trying to connect it to?05:33
holsteinhttps://help.ubuntu.com/community/SSH/OpenSSH/Keys is what i used05:34
tsimpsonfrom the computer you want to send the key from05:34
holsteinif you are just wanting to connect locally to another box on the lan, you can just use the password05:34
XanthippusNo, I plan to SSH from outside05:36
escottholstein, i think you are confusing telnet with ssh. there is no security risk to doing password across an unsecured network, its just inconvenient05:37
XanthippusOkay, I did the ssh-copy-id command from my Ubuntu server, and inputted "me@mymac" as the parameter05:37
escottXanthippus, its from the client to the server05:37
escottXanthippus, on client you run ssh-copy-id user@server05:38
XanthippusSo can I just delete authorized_keys on the server and do on the client?05:38
escottthe auth_keys file resides on the server. the server checks that to compare to the credentials presented by the client05:38
escottyou have enabled the ubuntu system to ssh into the mac05:39
holsteini didnt mean to imply you could or should do the password.. just that it might be easier to configure rather than configuring a key05:39
escott(without the password)05:39
XanthippusUsing the key I generated on the Ubuntu machine?05:39
holsteinthe key is the way to go though... if you dont mind setting it up05:40
escottXanthippus, yes05:40
XanthippusWhy can't anyone just "ssh-copy-id"?05:40
XanthippusIsn't that more insecure?05:41
XanthippusThan a passowrd?05:41
escottXanthippus, auth keys are more secure05:41
escottcopy-id requires a password to do the initial setup05:41
escottthereafter you could disable password access05:41
escottand you would be more secure05:41
escottit might help to take a step back and talk about public vs private keys05:42
XanthippusOkay, it appears that Mac doesn't have ssh-copy-id05:42
XanthippusBut I found this, which one do I use? http://www.commandlinefu.com/commands/view/188/copy-your-ssh-public-key-to-a-server-from-a-machine-that-doesnt-have-ssh-copy-id05:42
escottwhen you ssh-keygen you create id_rsa and id_rsa.pub05:42
escottyou copy id_rsa.pub to the server and put it in the servers auth_keys file05:42
XanthippusSo do ssh-keygen from client?!05:43
escottyou can do that with  ssh-keygen on the client and then "scp ~/.ssh/id_rsa.pub user@server:~/.ssh/id_rsa.pub.client"05:43
XanthippusSo do I delete the keys that I created on my server? :-/05:43
escottXanthippus, no need to05:44
escottunless you want to05:44
XanthippusI did that ssh keygen on my server, but that's obviously wrong right?05:44
escottpresumably you trust both systems equally so you might be just as happy going from ubuntu->mac as from mac->ubuntu05:44
XanthippusI don't do ubuntu --> mac05:45
XanthippusOnly for ftp05:45
escottyou may not in practice do it, but in theory would you disallow it?05:45
escottthen don't worry about it... if you were to be concerned that the ubuntu server was untrustworthy you would delete the line in the macs auth_keys file05:46
XanthippusOr just delete the whole file altogether because there's only 1 key05:46
escottthe auth_keys file is a list of identities to accept and allow access05:47
XanthippusOkay, so down to business: Where do I run the ssh-keygen? Mac or Ubuntu? Ubuntu is the server05:47
XanthippusI know05:47
escottyou run ssh-keygen on the client. that defines an identity for the client05:48
escottyou copy the id_rsa.pub from the client to the server (via scp or sneakerNet)05:48
escottand add the id_rsa.pub (its a single line) to the authorized_keys file on the server05:48
escottyou can further modify that line in authorized_keys to further restrict the conditions under which that key is accepted (ie accept only from certain ip addresses, or restrict the programs that can be run, etc)05:49
XanthippusOh okay, there we go. I generated key on Mac05:50
escottXanthippus, so now you need to copy it to the server. "scp ~/.ssh/id_rsa.pub user@ubuntu:~/id_rsa.pub.mac"05:50
XanthippusI can add the .mac extension?05:51
escottthen you can "ssh user@ubuntu" and you will see id_rsa.pub.mac in $HOME05:51
escottXanthippus, sure extensions are meaningless05:51
XanthippusHow about this: scp ~/.ssh/id_rsa.pub user@machine:.ssh/authorized_keys05:51
escottand you dont want to confuse id_rsa.pub from the mac with the id_rsa that exists on the server05:51
escottthats ok ONLY IF authorized_keys is empty05:52
escottotherwise you blew away your configuration05:52
XanthippusThere is no authorized_keys05:52
escottthen you can do that.05:52
escottfinally you have to correct permissions of the file on the server05:53
escottso "ssh user@ubuntu" followed by "chmod 600 ~/.ssh/authorized_keys"05:53
escottand "cat ~/.ssh/authorized_keys" to double check it is what you want it to be05:53
XanthippusIt's complained that authorized_keys doesn't exist05:54
XanthippusDoes it need to be a folder?05:54
escottwhat is the exact command you wrote?05:54
Xanthippusscp ~/.ssh/id_rsa.pub user@machine:~/.ssh/authorized_keys05:55
escottthat should be ok.05:56
XanthippusWell here's what came of it: scp: /home/user_of_ubuntu_server/.ssh/authorized_keys: No such file or directory05:58
XanthippusOH my mistake05:58
XanthippusDeleted the entire ~/.ssh directory, sorry05:59
XanthippusOkay, I coped it. Now what?05:59
escottXanthippus, now ssh user@machine06:00
escottyou have to fix up two sets of permissions06:00
escottchmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys;06:00
XanthippusOh okay06:00
escottthen "ls -l ~/.ssh" and verify that . has rwx------ and that authorized_keys has rw-------06:01
XanthippusBoth have rw06:02
XanthippusDo I need to run chmod as root06:03
escottXanthippus, the directory "." needs rwx06:03
escottno you own the files you can chmod them06:03
escottand it would be "ls -al ~/.ssh" forgot the a06:03
Xanthippus. is drwx06:04
Xanthippusso is ..06:04
escottyes but after the drwx it should be all -'s for "." and after the rw all -'s for auth_keys06:04
escottfor ".." its going to be something like rwx-r-xr-x depending upon configuration06:05
escottbut we don't care about ".."06:05
escott".." is ~ we are trying to secure ~/.ssh which is "."06:05
XanthippusWell there are no 's06:06
XanthippusJust dashes06:06
escottthats what we want06:07
escottdrwx------ and -rw-------06:07
XanthippusOh okay06:09
XanthippusWell then in that case it's all good06:09
escottXanthippus, so now you can test it06:09
Xanthippuslogout then login?06:09
escott"exit" from the ssh session, and try ssh user@machine again06:09
escottit should just let you in06:10
XanthippusIf I have pwd authentification, I have to enter that?06:10
XanthippusBecause it's still asking me for it06:10
escottdid you put a password on the key you generated with ssh-keygen06:11
escottbecause if you did it would ask you for that password, because it needs that to unlock the id_rsa file06:11
escottand then you are usually ok for the rest of your desktop session on the client06:12
XanthippusYes I did put a passphrase06:14
XanthippusShould I try again?06:14
XanthippusIt's asking for the user password, not the passphrase in the key06:15
XanthippusShould I disable that?06:15
escottthere shouldn't be anything to disable06:15
escottssh -v user@machine and look for the line(s): debug1: Authentications that can continue: publickey,password and debug1: Next authentication method: publickey06:16
escottis it listing publickey at all06:16
XanthippusIt actually uses it as first method, idk what goes wrong06:18
escottXanthippus, does it ever list publickey?06:18
XanthippusUm, id_rsa and id_dsa?06:18
XanthippusIt tried both, and apparently failed, because it fell back to password06:19
escottno in the line Authentications that can continue, in the first occurence of that line. does it list publickey06:19
XanthippusYes, publickey, password06:19
escottso it tried publickey and failed06:19
Xanthippusidk why, I recreated the .ssh directory, there should be anything conflicting there06:19
escottXanthippus, is it finding the correct id_rsa and id_rsa.pub above that06:20
XanthippusFound key that matches known_hosts...06:21
escottnot that one further up06:21
escottthe 6th or 7th line from the top06:21
escottmaybe closer to 10th06:21
Xanthippusidentity file ~/.ssh/id_dsa typr -106:22
XanthippusThe line above that is rsa06:22
escottthats the dsa... presumably you had an rsa06:22
XanthippusNo there is dsa and rsa06:22
escottbut those are the correct locations of those files on the mac06:23
escottor would be the correct location06:23
escottand further down just after the first instance of Authentications that can continue it should say:06:23
escottdebug1: Offering RSA public key: /something/.ssh/id_rsa06:23
XanthippusYes, it does offer it06:24
escottXanthippus, then the problem is likely permissions on the server06:24
XanthippusThen it loops back to "Authentications that can continue"06:24
escottXanthippus, so ssh user@machine again06:24
escottwe actually want to login06:25
Xanthippusk I'm logged in06:25
escott(a) cat ~/.ssh/authorized_keys and make sure its contents match the id_rsa.pub on the mac06:25
escott(b) ls -al ~/.ssh and maybe paste that to us06:26
XanthippusI included the a in parentheses?06:26
escott(a) and (b) are two things to do06:26
XanthippusOkay it spit a bunch of random characters lol06:26
escottyes. but are those the same random characters as in id_rsa.pub on the mac06:27
XanthippusHow do I make sure they match?06:27
escottyou just have to check the first few06:27
XanthippusOh okay06:27
escottit should begin ssh-rsa AAAA06:27
escottit should begin "ssh-rsa AAAA"06:27
escottand the characters after the AAAA are the important ones06:28
XanthippusYeah I noticted06:28
XanthippusThey both start w/ it06:28
XanthippusYeah, went through half way through the first line, and it looks the same06:28
escottso what are the permissions of ~/.ssh06:31
XanthippusOn which machine?06:31
escottls -al ~/.ssh06:31
escotton the server06:31
Xanthippusauthorized_keys = -rw06:32
escottcan you just paste the output of ls -al ~/.ssh06:32
XanthippusI found something in sshd_config I think: # Don't read the user's ~/.rhosts and ~/.shosts files06:32
XanthippusIgnoreRhosts yes06:32
escottno thats different06:32
XanthippusBut it also says: # For this to work you will also need host keys in /etc/ssh_known_hosts06:32
XanthippusAnd the line under it is: RhostsRSAAuthentication no06:33
escottRhosts is about peering hosts... it utilizes auth_keys but its not relevant06:33
XanthippusOh okay06:33
XanthippusCould the "AllowUsers" string I added be the problem?06:34
escottwhere did you add this?06:34
XanthippusVery bottom06:35
escottvery bottom of what06:35
XanthippusThought it'd make it... more secure?06:35
escotti dont know what that does. i would guess its unrelated because you can ssh with password06:36
escottbut i dont know06:36
XanthippusIt only allows certain user on the server I guess) to login.06:36
Xanthippus(on the server I guess)*06:36
XanthippusSo I guess if some guy/gal tried to brute force w/ some random username and maybe blank password, they couldn't06:37
escottXanthippus, if you look at /etc/shadow you will see that the only user who has a password on your system is the one you are currently logged into. so there is no way to brute force anything06:38
escotti need to sleep06:41
escottits probably incorrect permissions in ~/.ssh06:41
escottbut you havent sent them to me so i cant say06:41
=== smb` is now known as smb
=== kInOzAwA__ is now known as kInOzAwA
=== mcclurmc_away is now known as mcclurmc
=== edu-afk is now known as edamato
Sander^workWill it work to take a backup of / with eg. rdiff-backup, and use it to restore back an upgrade in case it fails?10:33
vezqbasically yes, but I would create a disk image too if possible10:53
Sander^workvezq, Will a disk image with dd be inconsistent?10:54
vezqdd works okay but takes also unused space, clonezilla is option take image10:55
uvirtbot`New bug: #1076898 in mysql-5.5 (main) "failed to install lamp-server through tasksel in a fresh install of ubuntu 12.10 - package mysql-server-core-5.5 (not installed) failed to install/upgrade: cannot copy extracted data for './usr/bin/my_print_defaults' to '/usr/bin/my_print_defaults.dpkg-new': unexpected end of file or stream" [Undecided,Invalid] https://launchpad.net/bugs/107689812:20
=== blackdex is now known as BlackDex
=== Ursinha is now known as Ursinha-afk
=== cpg is now known as cpg|away
=== Ursinha-afk is now known as Ursinha
AlphaWolfI've got 2 partitions I'm trying to format and mount. I've put more information (fdisk -lu and more specific information) on Ubuntu Pastebin if anyone can help. I've tried GParted but it just sees the disk and no partitions. http://paste.ubuntu.com/1332125/13:42
patdk-wkfdisk /dev/sda, d 2, d 3, n p 2 enter enter13:44
AlphaWolfThank you, patdk-wk! I've verified the new table and saving it/rebooting :)14:03
eagles0513875__hey guys I am trying to setup samba to be accessible not only to windows machines in the work group but mac machines as well. how do i go about doing that i am following 2 how to's at the moment and im a bit stuck14:19
eagles0513875__the how to's are https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html and https://help.ubuntu.com/12.04/serverguide/samba-fileprint-security.html any one have any ideas of what I am doing wrong?14:20
uvirtbot`New bug: #1077003 in ntp (main) "ntp ignores config option "interface ignore all"" [Undecided,New] https://launchpad.net/bugs/107700314:31
=== shantorn_ is now known as shantorn
uvirtbot`New bug: #1077020 in cloud-init (main) "cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf" [Undecided,New] https://launchpad.net/bugs/107702015:16
=== matsubara is now known as matsubara-lunch
=== matsubara-lunch is now known as matsubara
=== gary_poster|away is now known as gary_poster
=== gary_poster is now known as gary_poster|away
=== gary_poster|away is now known as gary_poster
=== gary_poster|away is now known as gary_poster
=== n0ts is now known as n0ts_off
drag0niuswould it be hard to set up backup WAN for ubuntu server?17:33
drag0niuslike if primary goes down it instantly switches to backup17:33
drag0niusand then switch to primary when i tell it to17:33
sarnolddrag0nius: if you just want to protect against dead nic / switch then something like this may work: http://ubuntuforums.org/showthread.php?t=78547117:36
drag0niusbasically i've access to 2 networks17:36
drag0niusone quicker & faster17:36
sarnolddrag0nius: as I understand it, if you want to failover to different routes entirely, something like bgp or ospf may be needed -- but that's a bit outside of my experience.17:36
drag0niusand another one perfectly stable17:36
drag0niusbut less responsive and slower17:37
Free99hey everyone... having a strange issue with a 12.04.1 x64 server: I add rules to UFW allowing SSH access, but nobody can access. Seems like iptables is ignoring the UFW chains, but I'm not sure17:42
holsteinFree99: can you connect locally? maybe its just the router firewall?17:43
Free99I can connect locally, and nope, no firewall between us17:44
Free99holstein: this server's been in production for at least a month, and until now had no issues or changes17:44
holsteinFree99: if you can connect to it inside your network from another box, that makes me thinnk its not the local firewall on the box that is the issue17:45
ewindischhow do I report bugs against cloudarchive? Apport hates it.17:46
Free99holstein: I thought you meant connecting via localhost when you said locally17:48
Free99but no, outside the machine I cannot connect17:48
holsteinFree99: yup.. i should have clarified... i would try bringing the firewall down if that is safe to test that way temporarily17:48
holsteinFree99: i am using ufw to set rules without any issues... but who knows17:49
Free99I tried that too, ufw disable then enable, even service ufw restart17:49
holsteinFree99: can you connect with the firewall is down?17:50
Free99holstein: tcpdump says I'm receiving the request packets for port 22 but somehow, despite netstat showing ssh (which I've also restarted) as listening on 22, the packets don't get through to SSH17:51
holsteinFree99: and you can connect localhost...17:51
thesheff17Free99: did you change ENABLED=yes in /etc/ufw/ufw.conf?17:51
Free99holstein: can connect localhost, but not outside whether firewall open or closed. I didn't change the /etc/ufw/ufw.conf17:52
Free99should I try reinstalling UFW or SSH?17:52
holsteini dont think that will hurt anything Free99 .. and maybe someone has a better idea while you are doing that17:54
Free99holstein: the rules for port 22 show up in the list when I do "ufw show raw" but...17:55
holsteinFree99: well, if its disabled, its disabled. makes me think its not a firewall issue17:55
holsteintake it out of the equation and go from there17:56
Free99I'd normally try to figure this out so as to file a bug report or whatever, but this is kind of... well, I need this fixed pronto17:58
holsteinFree99: sure, but we dont know that this is a bug yet.. could be misconfiguration18:00
holsteinFree99: i would take ufw out of the equation.. disable the firewall.. check that its down, and troubleshoot ssh seperate18:01
Free99thing is, UFW may be down but iptables is still up, yes?18:01
holsteinFree99: i usually pull the firewall down. to remove it from the euquation.. you dont have to do this, but you can do that however you choose18:02
=== mcclurmc is now known as mcclurmc_away
=== Ursinha_ is now known as Ursinha
batzii trying to improve the usage of my ubuntuz 10.04 usage - so there is an question regarding the usage of remote x session on osx ? is this a wise way to go or should i use some remote desktop app?18:28
xnoxhow/where are the cloud images generated? I'd like to experiment and request for a few settings changes by default.18:44
=== edamato is now known as edamato-afk
=== yofel_ is now known as yofel
=== mcclurmc_away is now known as mcclurmc
XanthippusHi everyone19:19
XanthippusI'm having trouble with RSA key authorization on my server19:19
XanthippusI am currently using the same keys on another server, and they work just fine. How come this one isn't working?19:20
XanthippusI am forced to keep PasswordAuthentification on because I can't SSH with the key method19:20
MoleManHow can I give a user access to control a single service? (I have an account that is used to manage web hosts and I want it to be able to reload/restart apache)19:25
SeveasXanthippus, usually /var/log/auth.log on the server will provide you with clues. Common problems are file permissions on the ~/.ssh/authorized_keys file or public key authentication not being enabled19:25
SeveasMoleMan, sudo is your friend. You can limit his sudo access to only restart apache19:26
XanthippusI checked my sshd_config already, and compared it w/ the sshd_config of the working server19:26
* genii-around gets some highlight about "coffee" and investigates19:26
MoleManSeveas: can that be controlled within the sudoers file then?19:26
XanthippusAdd him to the group sudo...?19:27
SeveasMoleMan, something like this line: his_login your_hostname=(root) /etc/init.d/apache219:27
genii-aroundXanthippus: That would be too far-reaching for only allowing start-stop of apache19:28
XanthippusOh :-/19:28
SeveasMoleMan, the sudoers file allows fine grained access control. At work we have a sudoers file that's over 100 lines long :)19:28
XanthippusWhat would I be looking for in auth.log if there's an error w/ the keys?19:29
SeveasXanthippus, grep sshd /var/log/auth.log. I think it says failed publick key authentication19:31
XanthippusI think I found an error...19:32
XanthippusError attempting to parse .ecryptfsrc file; rc = [-13]19:32
Seveasoh yeah, if your homedir is encrypted, you password will be needed to decrypt it19:32
Seveasso either don't encrypt your homedir on that server or live with passwords :)19:33
XanthippusAny way to remove that?19:33
sarnoldXanthippus,Seveas: or use sshd_config option AuthorizedKeysFile to store authorized_keys files outside the encrypted homedir19:34
XanthippusHoly chiz I think somebody's trying to get in19:34
Seveassarnold, you'll still need access to your homedir don't you? :)19:34
sarnoldSeveas: not if you store them all in /etc/users/<username>/authorized_keys or something19:34
sarnoldSeveas: might be a bit ugly, but does let you use both19:35
SeveasXanthippus, I don't know the "official" way to undo homedir encryption. I'd rsync the decrypted to /var/tmp, log in as root, remove the encrypted one and move the unencrypted one from /var/tmp to /home19:35
Seveassarnold, but then you still need to type in your password to access your other files...19:35
Seveas(such as .bashrc...)19:35
sarnoldSeveas: hrm. before or after the key?19:36
MoleManSeveas: is there any way I could allow access to any 'service apache2' command? would 'service apache2 *' work or something?19:37
Seveassarnold, the key can't unencrypt anything...19:37
SeveasMoleMan, that should work19:37
sarnoldSeveas: indeed19:37
sarnoldSeveas: but my hope is that you can make a configuration that requires key for authentication then password to decrypt your data -- best of both.19:38
Seveassarnold, what's the use of that?19:38
Seveas(I would in this case use ldap and store the keys in there)19:38
XanthippusI think it'd be more efficient to move the authorized_keys19:39
sarnoldSeveas: it'd keep ssh-robots from eventually guessing password and logging in..19:40
Seveashmm, fair enough19:40
SeveasI use iptables for private servers or fail2ban for more public servers to chase robots away19:41
Seveas(and only pubkey authentication, so their password attempts are futile anyway...)19:41
XanthippusI'm going through the logs, and I'm getting a lot of break in attempts from this IP...19:41
Xanthippus...all failed of course19:42
SeveasXanthippus, welcome to the internet :-)19:42
XanthippusMan now I'm really freaking out about those keys19:42
Seveas!info fail2ban | Xanthippus19:43
ubottuXanthippus: fail2ban (source: fail2ban): ban hosts that cause multiple authentication errors. In component universe, is optional. Version (quantal), package size 86 kB, installed size 434 kB19:43
XanthippusI have that on my server19:43
XanthippusI put jail profiles on ftp and something else, I forgot19:43
XanthippusI think the profile's enabled on ssh too19:43
XanthippusWait, my ~/ directory is encrypted when it says something about cryptswap at boot?19:47
=== peterrus- is now known as peterrus
=== cpg|away is now known as cpg
=== tuv0k is now known as darthanubis
NotLarryI have an ubuntu 11.04 that drops me to initramfs with an error "ALERT! /dev/mapper/servername-root does not exist." When I ls for it in /dev/mapper it shows it is a ln to ../dm-0  which does exist.  My google skillz are lacking.22:41
sarnoldNotLarry: no luck yet? :(22:41
genii-aroundSounds like initrd has no raid support22:42
sarnoldNotLarry: try symbolhound, it may do a better job than google on 'ln' and '../dm-0' and so forth22:42
NotLarryThis box has been running for about 4 months now.  I moved it to a new location and this is how it is coming up.22:44
sarnoldanything interesting in dmesg?22:45
genii-aroundAfter a physical move like that I'd suspect of course a component. Like a ribbon came loose, etc22:48
sarnoldor a drive just stops spinning...22:48
jjcmHey all22:51
jjcmI just set up a vps, and while I can ssh to it fine, I cant seem to ping it or get any connection on 8022:52
jjcmCan someone help me troubleshoot?22:52
jjcmThere aren't any restrictions in iptables22:52
jjcmapache's ports.conf register 80 just fine22:52
xnoxare there restrictions / firewall by your vps provider?22:52
xnoxe.g. on amazon, gandi, etc you need to open ports via their interface / api tools.22:53
jjcmLemme poke around22:53
jjcmI can defininitely hit apache locally22:53
jjcmso that's running at least22:53
jjcmlemme check their web interface22:53
jjcmLooks like that may have been it22:55
jjcmDidnt' realize they used a whitelist for ports22:55
jjcmxnox: many thanks, that worked.22:56
xnoxnp, typical.....22:57
=== acidflash_ is now known as acidflash
XanthippusHi guys23:07

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!