/srv/irclogs.ubuntu.com/2012/11/09/#ubuntu-server.txt

joren	Maybe you're LogLevel value is too low	00:00
bananapie	;)	00:00
joren	in /etc/ssh/sshd_config or whatever	00:00
bananapie	LogLevel INFO	00:00
bananapie	hmm, I see 'failed publickey for root...' not even though it doesn't say 'debug.	00:01
bananapie	I think it might be the kernel's rate limiter	00:01
joren	maybe watch ssh servername ?	00:02
Xanthippus	Any tips for securing an Ubuntu Server?	00:02
bananapie	I think it's "a Ubuntu server" and not "an Ubuntu server".	00:03
Xanthippus	Either way :P	00:03
bananapie	Usually, you use 'an' in front of a vowel, but I think because of the way Ubuntu is pronounced, it's an exception.	00:03
bananapie	check netstat -antup make sure there are no unnecessary services running.	00:05
joren	https://help.ubuntu.com/community/Security might be some good reading	00:05
Xanthippus	Lots of udp and tcp	00:05
Xanthippus	From command	00:05
Xanthippus	What are the 0.0.0.0 IPs?	00:06
bananapie	that means it's listening on all interfaces on your server	00:06
Xanthippus	tcp and udp6 = IPv6 correct?	00:06
Xanthippus	tcp6*	00:06
patdk-lap	heh?	00:06
patdk-lap	there are so many more protocols than tcp and udp, and neither of them have anything to do with ipv6	00:07
Xanthippus	patdk-lap: I just did a netstat -antup, and I am currently looking at protocols	00:07
patdk-lap	does netstat show sctp?	00:08
bananapie	hmm, try netstat -atup instead, it will resolve service names, it will make it easier to read :)	00:08
Xanthippus	Well the tcp6 and udp6 protocols have IPv6 addresses, which are with colons, like Mac addresses right?	00:08
=== glebihan__ is now known as glebihan
bananapie	the lines that are interesting are the ones with : in the Foreign adderss section	00:09
patdk-lap	nope, seems netstat is limited to tcp and udp	00:09
bananapie	I set the LogLevel in sshd_config to VERBOSE, and I see all my failed connections.	00:10
bananapie	fail2ban now works, thx!	00:11
joren	cool	00:11
bananapie	nevermind	00:16
joren	hmm	00:17
bananapie	I no longer see 'failed public key' in my logs, I think rsyslog is supressing information.	00:18
joren	can you use "watch ssh servername" instead of your for loop?	00:18
joren	or make your 50 number higher?	00:18
bananapie	I like watch :D	00:19
bananapie	OH!	00:20
bananapie	I found the problem	00:20
bananapie	the second server I am using for the tests doesn't have a private key. I ran ssh-keygen, and fail2ban is now banning the server.	00:22
joren	huh, I guess that makes sense	00:22
bananapie	Thanks, fail2ban is working now.	00:23
Xanthippus	bananapie: What's the directory for configing PostFix again?	00:25
Xanthippus	And how do I install modsecurity for nginx?	00:25
bananapie	/etc/ contains most configuration fies.	00:25
bananapie	and most configs are either /etc/[softwarename].conf or /etc/[softwarename]/[configuration files]	00:25
Xanthippus	Oh okay	00:26
Xanthippus	How do I know if I'm using those authentification keys you mentioned?	00:26
bananapie	Fail2ban is easy to install, nice!	00:28
Xanthippus	I'm on step 11 of this guide, what do I enter for SMTP_HOST and SMTP_PORT? http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics	00:30
bananapie	anyway know an easy command to cause failed logins on an imap server ?	00:30
bananapie	given that you want to run an smtp server, you could enter 127.0.0.1 as the host	00:33
Xanthippus	aka localhost?	00:37
Xanthippus	Can I keep the port also?	00:37
Xanthippus	noob question: how do I save rules to iptables?	00:42
Xanthippus	I typed iptables-save, would that work?	00:45
bananapie	iptables-save saves it yes, but you have to update /etc/network/interfaces as wel	00:46
bananapie	well	00:46
bananapie	try adding the following line at the end of the eth0 interface	00:46
bananapie	pre-up iptables-restore < /etc/iptables.rules	00:46
Xanthippus	I use wlan0	00:47
Xanthippus	And uh oh, I think I have a rootkit...?	00:47
patdk-lap	yes :)	00:47
Xanthippus	bindshell "infected" at ports 465	00:47
patdk-lap	heh?	00:47
Xanthippus	How do I get rid of this thing?!	00:47
patdk-lap	what is, this thing?	00:48
Xanthippus	A rootkit I think	00:48
Xanthippus	I ran chkrootkit	00:48
patdk-lap	netstat -anp	00:48
Xanthippus	What am I looking for in netstat?	00:49
patdk-lap	the name of the progrm on port 465	00:49
bananapie	465 = encrypted smtp	00:50
patdk-lap	normally	00:50
bananapie	ok	00:50
Xanthippus	I think it's bindshell	00:50
Xanthippus	idk	00:50
Xanthippus	That's what chkrootkit said	00:50
Xanthippus	There's no program on 465 here	00:50
patdk-lap	what ip?	00:50
Xanthippus	All in the 10k	00:50
patdk-lap	heh?	00:50
patdk-lap	how can it detect something there, if there isn't something	00:51
patdk-lap	seems odd	00:51
bananapie	I think he means RFC1918's 10.0.0.0/8	00:51
Xanthippus	All the ports listed by netstat are in 14,000	00:51
Xanthippus	How does someone find your server if you just activated it?	00:52
patdk-lap	simple :)	00:53
patdk-lap	isn't the normal time to infection of a winxp computer on the internet, 14min?	00:53
Xanthippus	unhide.rb says warning from rkhunter	00:53
Xanthippus	What does that mean?	00:53
Xanthippus	Oh, btw, that port 465 thing with bindshell, it is false positive	00:56
Xanthippus	http://benohead.com/chkrootkit-false-positive-bindshell-infected-port-465/	00:56
patdk-lap	heh, you could fix your smtp server too, 465 went away a long time ago	00:56
patdk-lap	replaced with port 587, submission port	00:56
Xanthippus	How would I config that, patdk-lap ?	00:57
patdk-lap	depends on your smtp server	00:57
Xanthippus	...would that be PostFix?	00:58
patdk-lap	I dunno, did you make an account for me on your server? :)	00:58
Xanthippus	lol no!	01:01
patdk-lap	I would find it strange postfix would be on port 465, it isn't by default	01:02
Xanthippus	Oh, so PostFix is the SMTP server	01:03
Xanthippus	Thought it was something like Dovecot or mailman	01:03
patdk-lap	postfix is A smtp server, no idea if it is the one installed on your server	01:03
patdk-lap	if it is, edit /etc/postfix/master.cf	01:04
patdk-lap	though, sounds like you have a lot to learn about just email alone :)	01:04
Xanthippus	Exacly	01:05
Xanthippus	I have no idea how to use as of yet	01:06
Xanthippus	Turns out 465 is not the SMTP port	01:06
Xanthippus	Like I said earlier, false positive	01:06
Xanthippus	smtp is at port 25	01:06
patdk-lap	I know	01:06
bananapie	encrypted smtp or smtps is 465	01:06
patdk-lap	smtps is 465	01:06
patdk-lap	ssl smtp	01:06
patdk-lap	tls smtp is 587	01:06
Xanthippus	Oh okay there's an smtps on 465	01:07
patdk-lap	465 stopped being used before it was used	01:07
Xanthippus	submission is on 587	01:07
patdk-lap	587 is much better	01:07
Xanthippus	Should I disable 465 entirely?	01:07
patdk-lap	I would	01:07
patdk-lap	587 serves the same purpose	01:07
Xanthippus	How would I disable it?	01:08
Xanthippus	Would I block it w/ ufw?	01:08
patdk-lap	just comment it out in /etc/postfix/master.cf	01:08
bananapie	gtg	01:08
Xanthippus	Okay	01:10
uvirtbot`	New bug: #1076811 in cloud-init "Cloud-init modules do not reflect loaded config" [High,Fix committed] https://launchpad.net/bugs/1076811	01:11
Xanthippus	patdk-lap: is it this line? smtps inet smtpd	01:12
Xanthippus	I don't know which line it is...	01:14
hallyn	zul: was out all day... no objections to libvirt 1.0.0 upload. as i say the qrt needs an update (sigh, may need python xml parser at this point) but all tests passed in spirit	01:15
patdk-lap	that and any line that starts with a space under it	01:15
Xanthippus	starts with a space under it?	01:15
patdk-lap	#smtps inet n - - - - smtpd	01:15
patdk-lap	# -o smtpd_tls_wrappermode=yes	01:15
patdk-lap	# -o smtpd_sasl_auth_enable=yes	01:15
patdk-lap	# -o smtpd_client_restrictions=permit_sasl_authenticated,reject	01:15
patdk-lap	# -o milter_macro_daemon_name=ORIGINATING	01:15
Xanthippus	Ah	01:17
Xanthippus	k did it	01:17
Xanthippus	How do I reload settings?	01:18
patdk-lap	service postfix restart	01:19
Xanthippus	k	01:19
uvirtbot`	New bug: #1076825 in nova (main) "Can't configure nova to use MySQL as backend" [Undecided,New] https://launchpad.net/bugs/1076825	01:31
Xanthippus	patdk-lap: I restarted it, and it gave me a bunch of unused parameters	01:33
=== guampa_ is now known as guampa
Xanthippus	If a hacker wanted to hack your local machine via a port, would he be unsuccessful if the router blocked that port from the outside?	01:39
beeg98	if he was attacking from the outside.	01:39
beeg98	if he somehow already got in (either an employee that is already in or via some other hacked service) then the router no longer protects you.	01:40
Xanthippus	Then it is up to the local firewall, correct?	01:41
patdk-lap	the router doesn't protect anything you go out and get too	01:41
patdk-lap	like you viewing websites or other things	01:41
=== cpg is now known as cpg\|away
sarnold	.. and browsers make it easier to fire up network connections than one may like..	01:43
Xanthippus	Ah	01:44
Xanthippus	But, if, say, a hacker from the outside tried to hack my server via a port	01:44
Xanthippus	It would <supposedly> be blocked by the router right?	01:45
patdk-lap	router? no, firewall, sure	01:45
Xanthippus	Oh okay	01:45
NomadJim	with ubuntu server releases like Precise and Quantal are packages locked? Like the vim on Precise is never going to get an upgrade and you'd need to go to Quantal for that unless you backport	01:47
NomadJim	besides security updates	01:48
patdk-lap	yes, except if you use backports	01:48
sarnold	NomadJim: there's an 'SRU' process to get updates outside of security fixes distributed to existing distributions	01:49
ScottK	But that's for bug fixes.	01:51
Xanthippus	How would I set up my mail account on my server with Mail on OS X?	01:54
Xanthippus	What do I input for Incoming Server?	01:54
NomadJim	ok cool thanks	01:54
sarnold	Xanthippus: 'incoming server' sounds like it might be asking for your imap4 server details	01:56
Xanthippus	I'm sorry, what would that be :-/	01:56
Xanthippus	It'd prob be a default value since I most likely didn't config it yet	01:57
Xanthippus	I have Dovecot, PostFix, and SquirrelMail on my server, if that helps	01:57
sarnold	have you set up dovecot or cyrus or imap4d or something similar yet?	01:57
Xanthippus	I have Dovecot	01:58
patdk-lap	now ask if he has configured it :)	01:58
sarnold	haha :)	01:58
Xanthippus	Sorry!	01:59
patdk-lap	a very basic mail server can take a few hours to configure	01:59
patdk-lap	though, I normally spend a few days	01:59
patdk-lap	mailserver have lots of moving parts and stuff to make sure you protect against to limit abuse, spam, backscatter	02:00
Xanthippus	Abuse like...	02:00
patdk-lap	compromised passwords, open-relay, ...	02:01
NomadJim	is there a tool to check your mailserver for problems	02:01
NomadJim	that you like to use	02:01
patdk-lap	generally if you want others to accept your email, reverse-dns setup, dkim, spf, dmarc, ...	02:01
ScottK	dmarc is sufficiently new I wouldn't put it on that list.	02:01
patdk-lap	NomadJim, the wild? and check your logs?	02:01
NomadJim	i need to get more intimate with my logs	02:02
patdk-lap	scottk, just setting up the dmarc dns entry so you get reports back is very useful	02:02
Xanthippus	reverse dns is... reversing a name i.e. google.com and getting its IP?	02:02
sarnold	NomadJim: last time I had to run a mail server myself, I found this _very_ useful: telnet relay-test.mail-abuse.org	02:02
NomadJim	sarnold: nice thanks	02:03
sarnold	Xanthippus: other way around, taking 4.2.2.1 and turning it into a human-friendly FQDN	02:03
Xanthippus	aka DDNS, which I have	02:03
sarnold	NomadJim: if you don't have telnet installed you can probably use nc as well...	02:03
sarnold	Xanthippus: no, that's altogether different :)	02:03
Xanthippus	Um what	02:03
sarnold	Xanthippus: ddns is a way to update a dns server with a new hostname / ip binding -- many ddns providers aren't authoritative for the zones in question, so they can't provide reverse dns	02:04
ScottK	patdk-lap: I agree. I have set it up myself. I even wrote a tool to make it ~easy to figure out - http://www.kitterman.com/dmarc/assistant.html - but that's really not a newbie kind of thing.	02:04
NomadJim	reverse dns and dns always confuse the hell out of me	02:05
Xanthippus	IKR	02:05
NomadJim	always appreciate a refresher	02:05
patdk-lap	well, nothing about email is noobie friendly though	02:05
sarnold	Xanthippus: for fun, run "host <your hostname>" -- pretend it gives you back the ip address 10.12.14.16. Then run "host 10.12.14.16" and see what the _reverse_ lookup shows...	02:05
patdk-lap	I was looking at http://www.unlocktheinbox.com/ when I setup mine	02:06
patdk-lap	receiving email is simple	02:07
patdk-lap	sending email is not simple, cause your assumed to be a spam source, till you can pass as many technical issues as the receive wants to put on you	02:07
Xanthippus	If it's simple as you describe, patdk-lap , then that's now my first order of business	02:07
patdk-lap	receiving is as easy as setting an mx entry, and listening on port 25 :)	02:08
Xanthippus	Because right now, all my logging services etc are configed to send email to me@myddns.com	02:08
sarnold	patdk-lap: .. though receiving is often made difficult to try to raise the technological hurdle of people sending mail; you know, assume they're spammers first :D	02:08
patdk-lap	sarnold, well I said receiving was easy, not keeping out spam :)	02:08
sarnold	patdk-lap: yes :)	02:08
Xanthippus	To recieve mail from outside, I need to open port 25 in router, correct?	02:08
patdk-lap	firewall	02:09
Xanthippus	Just firewall on server?	02:09
patdk-lap	routers do ip addresses, not ports	02:09
Xanthippus	No, like port forwarding on router	02:09
sarnold	.. except in the case of NAT-routers..	02:09
sarnold	exactly	02:09
patdk-lap	Xanthippus, then your probably have port 25 blocked by your isp	02:09
Xanthippus	Why would you think that, patdk-lap ?	02:10
patdk-lap	well, nat routers is a firewall, nat is a firewall service :)	02:10
sarnold	many ISPs will unblock if you ask politely. some will remind you that your AUP says "run no servers". hehe. :)	02:10
patdk-lap	ya, normally the isp will require you pay for static ip for that	02:10
patdk-lap	and normally do't run nat-routers on them	02:10
Xanthippus	My router's running DD-WRT, and it has NAT/QoS section, so I would assume my router is "NAT router"...	02:10
patdk-lap	you can always give it a shot	02:12
Xanthippus	Wait, if opening ports on the router isn't necessary, I can close 22 aka ssh?	02:13
Xanthippus	Because I have confirmed that I can SSH to server via this port	02:13
sarnold	keep it forwarding :)	02:13
Xanthippus	k	02:13
sarnold	though consider moving to another port to (slightly) cut back on automated probing	02:14
sarnold	and consider disabling password access, if you haven't already	02:14
Xanthippus	Automated probing by who	02:14
sarnold	worms	02:14
patdk-lap	the evil one	02:14
Xanthippus	Password access = enter password to access shell?	02:14
Xanthippus	lol patdk-lap	02:14
sarnold	Xanthippus: yes. ssh keys are more secure by a factor of millions. :)	02:15
Xanthippus	Okay, how do I know if it's not using both, if that's even possible	02:15
Xanthippus	Because when I SSHed from my Mac for the first time, it asked if I wanted to remember an RSA key or something	02:16
sarnold	Xanthippus: look for "PasswordAuthentication no" in your /etc/ssh/sshd_config file	02:17
sarnold	Xanthippus: that would be the server's key, so you could tell if it is being impersonated in the future	02:17
Xanthippus	If it's #PasswordAuthentification yes then remove # and put no?	02:17
sarnold	yes. make sure you can log in with a key first :)	02:18
beeg98	after you test your key, and change that option, restart the ssh service.	02:20
Xanthippus	The key locations are in the config file itself right?	02:20
NomadJim	the EOL dates listed are when there are no more security patches right? https://wiki.ubuntu.com/Releases	02:21
sarnold	Xanthippus: yes, in AuthorizedKeysFile, though most people don't need to touch it. it just looks into ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default.	02:21
NomadJim	so if I wanted the longest possible security support Precise is the release for me	02:21
sarnold	NomadJim: correct on both.	02:21
sarnold	NomadJim: do note that some aspects of the distribution are supported for less than five years: https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest	02:22
Xanthippus	Is there a private/public key?	02:23
Xanthippus	Which do I use?	02:23
Xanthippus	And in terminal, how do I incorporate certs?	02:24
sarnold	Xanthippus: on the client, the private lives in ~/.ssh/id_rsa, public lives in ~/.ssh/id_rsa.pub -- and on the server, the public lives in ~/.ssh/authorized_keys.	02:24
sarnold	Xanthippus: ssh-copy-id is handy to automate logging in and copy-pasting the public portion onto the authorized_keys file	02:25
escott	Xanthippus, every ssh server has an RSA key that identifies that computer (to protect against MITM attacks if you connect a second time and the key changes) that was the key you were being asked to remember or not	02:35
escott	NomadJim, no more anything dates and 12.04 is the most recent LTS	02:36
=== shantorn_ is now known as shantorn
=== cpg\|away is now known as cpg
=== n0ts_off is now known as n0ts
Xanthippus	Hi guys, I'm back	04:42
Xanthippus	How would I login to SSH with an authentication key on OS X?	04:44
escott	Xanthippus, same way as anywhere else. ssh-keygen; ssh-copyid user@remote; ssh user@remote;	04:48
escott	Xanthippus, you do have to configure the ssh server to be running on OSX and verify it accepts auth-key logins	04:48
Xanthippus	My server is on Ubuntu, and I want to connect to it from OS X	04:49
holstein	!ssh	04:49
ubottu	SSH is the Secure SHell protocol, see: https://help.ubuntu.com/community/SSH for client usage. PuTTY is an SSH client for Windows; see: http://www.chiark.greenend.org.uk/~sgtatham/putty/ for it's homepage. See also !scp (Secure CoPy) and !sshd (Secure SHell Daemon)	04:49
Xanthippus	brb	04:49
stiv2k	hello	04:53
stiv2k	today i woke up to find my server with a flashing caps lock key	04:53
stiv2k	i.e., kernel panic	04:54
stiv2k	what can i look at to see what may have gone wrong?	04:54
holstein	stiv2k: auto upgrade? hardware broken?	04:54
stiv2k	holstein i beg your pardon?	04:55
holstein	stiv2k: im suggesting you look at an auto upgrade that might have broken something.. unless you dont do auto upgrades, then you can ignore that.. or maybe a bad component. motherboard failure.. etc	04:56
stiv2k	holstein, oh, i think its setup to only automatically do security updates	04:57
stiv2k	and... the hardware shold be fine afaik... i was asking more along the lines of what log file might be able to tell me what happeneds	04:57
stiv2k	it stayed online for like two weeks no problems until this morning	04:57
holstein	stiv2k: i would just poke around in the logs... depends on the issue. it might have locked before it could log.. the machine is back up?	04:59
stiv2k	yes it is after i did a hard restart	04:59
stiv2k	my irc client is actually running on it	04:59
stiv2k	so me being here talking to you means its working :P	04:59
holstein	i would probably just remove the install from the equation.. run a live CD on the hardware with the hard drive out	04:59
holstein	stiv2k: i dont know that you are using it for IRC	04:59
stiv2k	i know that's why i mentioned it :)	05:00
Xanthippus	Back	05:18
Xanthippus	How do I use the ssh-copy-id?	05:33
Xanthippus	Do I run it from the server or from the computer I'm trying to connect it to?	05:33
holstein	https://help.ubuntu.com/community/SSH/OpenSSH/Keys is what i used	05:34
tsimpson	from the computer you want to send the key from	05:34
holstein	if you are just wanting to connect locally to another box on the lan, you can just use the password	05:34
Xanthippus	No, I plan to SSH from outside	05:36
escott	holstein, i think you are confusing telnet with ssh. there is no security risk to doing password across an unsecured network, its just inconvenient	05:37
Xanthippus	Okay, I did the ssh-copy-id command from my Ubuntu server, and inputted "me@mymac" as the parameter	05:37
escott	Xanthippus, its from the client to the server	05:37
Xanthippus	AH	05:38
escott	Xanthippus, on client you run ssh-copy-id user@server	05:38
Xanthippus	So can I just delete authorized_keys on the server and do on the client?	05:38
escott	the auth_keys file resides on the server. the server checks that to compare to the credentials presented by the client	05:38
escott	you have enabled the ubuntu system to ssh into the mac	05:39
Xanthippus	AH	05:39
holstein	i didnt mean to imply you could or should do the password.. just that it might be easier to configure rather than configuring a key	05:39
escott	(without the password)	05:39
Xanthippus	Using the key I generated on the Ubuntu machine?	05:39
holstein	the key is the way to go though... if you dont mind setting it up	05:40
escott	Xanthippus, yes	05:40
Xanthippus	Ah	05:40
Xanthippus	Why can't anyone just "ssh-copy-id"?	05:40
Xanthippus	Isn't that more insecure?	05:41
Xanthippus	Than a passowrd?	05:41
escott	Xanthippus, auth keys are more secure	05:41
escott	copy-id requires a password to do the initial setup	05:41
escott	thereafter you could disable password access	05:41
escott	and you would be more secure	05:41
escott	it might help to take a step back and talk about public vs private keys	05:42
Xanthippus	Okay, it appears that Mac doesn't have ssh-copy-id	05:42
Xanthippus	But I found this, which one do I use? http://www.commandlinefu.com/commands/view/188/copy-your-ssh-public-key-to-a-server-from-a-machine-that-doesnt-have-ssh-copy-id	05:42
escott	when you ssh-keygen you create id_rsa and id_rsa.pub	05:42
escott	you copy id_rsa.pub to the server and put it in the servers auth_keys file	05:42
Xanthippus	So do ssh-keygen from client?!	05:43
escott	you can do that with ssh-keygen on the client and then "scp ~/.ssh/id_rsa.pub user@server:~/.ssh/id_rsa.pub.client"	05:43
Xanthippus	So do I delete the keys that I created on my server? :-/	05:43
escott	Xanthippus, no need to	05:44
escott	unless you want to	05:44
Xanthippus	I did that ssh keygen on my server, but that's obviously wrong right?	05:44
escott	presumably you trust both systems equally so you might be just as happy going from ubuntu->mac as from mac->ubuntu	05:44
Xanthippus	I don't do ubuntu --> mac	05:45
Xanthippus	Only for ftp	05:45
escott	you may not in practice do it, but in theory would you disallow it?	05:45
Xanthippus	...no	05:46
escott	then don't worry about it... if you were to be concerned that the ubuntu server was untrustworthy you would delete the line in the macs auth_keys file	05:46
Xanthippus	Or just delete the whole file altogether because there's only 1 key	05:46
escott	sure	05:47
escott	the auth_keys file is a list of identities to accept and allow access	05:47
Xanthippus	Okay, so down to business: Where do I run the ssh-keygen? Mac or Ubuntu? Ubuntu is the server	05:47
Xanthippus	I know	05:47
escott	you run ssh-keygen on the client. that defines an identity for the client	05:48
escott	you copy the id_rsa.pub from the client to the server (via scp or sneakerNet)	05:48
Xanthippus	Okay	05:48
escott	and add the id_rsa.pub (its a single line) to the authorized_keys file on the server	05:48
escott	you can further modify that line in authorized_keys to further restrict the conditions under which that key is accepted (ie accept only from certain ip addresses, or restrict the programs that can be run, etc)	05:49
Xanthippus	Oh okay, there we go. I generated key on Mac	05:50
escott	Xanthippus, so now you need to copy it to the server. "scp ~/.ssh/id_rsa.pub user@ubuntu:~/id_rsa.pub.mac"	05:50
Xanthippus	I can add the .mac extension?	05:51
escott	then you can "ssh user@ubuntu" and you will see id_rsa.pub.mac in $HOME	05:51
escott	Xanthippus, sure extensions are meaningless	05:51
Xanthippus	Oh...	05:51
Xanthippus	How about this: scp ~/.ssh/id_rsa.pub user@machine:.ssh/authorized_keys	05:51
escott	and you dont want to confuse id_rsa.pub from the mac with the id_rsa that exists on the server	05:51
escott	thats ok ONLY IF authorized_keys is empty	05:52
escott	otherwise you blew away your configuration	05:52
Xanthippus	There is no authorized_keys	05:52
escott	then you can do that.	05:52
Xanthippus	Awesome	05:53
escott	finally you have to correct permissions of the file on the server	05:53
escott	so "ssh user@ubuntu" followed by "chmod 600 ~/.ssh/authorized_keys"	05:53
escott	and "cat ~/.ssh/authorized_keys" to double check it is what you want it to be	05:53
Xanthippus	It's complained that authorized_keys doesn't exist	05:54
Xanthippus	Does it need to be a folder?	05:54
escott	what is the exact command you wrote?	05:54
Xanthippus	scp ~/.ssh/id_rsa.pub user@machine:~/.ssh/authorized_keys	05:55
escott	that should be ok.	05:56
Xanthippus	Well here's what came of it: scp: /home/user_of_ubuntu_server/.ssh/authorized_keys: No such file or directory	05:58
Xanthippus	OH my mistake	05:58
Xanthippus	Deleted the entire ~/.ssh directory, sorry	05:59
Xanthippus	Okay, I coped it. Now what?	05:59
escott	Xanthippus, now ssh user@machine	06:00
escott	you have to fix up two sets of permissions	06:00
Xanthippus	?	06:00
escott	chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys;	06:00
Xanthippus	Oh okay	06:00
escott	then "ls -l ~/.ssh" and verify that . has rwx------ and that authorized_keys has rw-------	06:01
Xanthippus	Both have rw	06:02
Xanthippus	Do I need to run chmod as root	06:03
Xanthippus	?	06:03
escott	Xanthippus, the directory "." needs rwx	06:03
escott	no you own the files you can chmod them	06:03
Xanthippus	Oh	06:03
escott	and it would be "ls -al ~/.ssh" forgot the a	06:03
Xanthippus	. is drwx	06:04
Xanthippus	so is ..	06:04
escott	yes but after the drwx it should be all -'s for "." and after the rw all -'s for auth_keys	06:04
escott	for ".." its going to be something like rwx-r-xr-x depending upon configuration	06:05
escott	but we don't care about ".."	06:05
escott	".." is ~ we are trying to secure ~/.ssh which is "."	06:05
Xanthippus	Oh	06:06
Xanthippus	Well there are no 's	06:06
Xanthippus	Just dashes	06:06
escott	thats what we want	06:07
escott	drwx------ and -rw-------	06:07
Xanthippus	Oh okay	06:09
Xanthippus	Well then in that case it's all good	06:09
escott	Xanthippus, so now you can test it	06:09
Xanthippus	logout then login?	06:09
escott	"exit" from the ssh session, and try ssh user@machine again	06:09
escott	it should just let you in	06:10
Xanthippus	If I have pwd authentification, I have to enter that?	06:10
Xanthippus	Because it's still asking me for it	06:10
escott	did you put a password on the key you generated with ssh-keygen	06:11
escott	because if you did it would ask you for that password, because it needs that to unlock the id_rsa file	06:11
escott	and then you are usually ok for the rest of your desktop session on the client	06:12
Xanthippus	Yes I did put a passphrase	06:14
Xanthippus	Should I try again?	06:14
Xanthippus	It's asking for the user password, not the passphrase in the key	06:15
Xanthippus	Should I disable that?	06:15
escott	there shouldn't be anything to disable	06:15
escott	ssh -v user@machine and look for the line(s): debug1: Authentications that can continue: publickey,password and debug1: Next authentication method: publickey	06:16
escott	is it listing publickey at all	06:16
Xanthippus	Yes	06:18
Xanthippus	It actually uses it as first method, idk what goes wrong	06:18
escott	Xanthippus, does it ever list publickey?	06:18
Xanthippus	Um, id_rsa and id_dsa?	06:18
Xanthippus	It tried both, and apparently failed, because it fell back to password	06:19
escott	no in the line Authentications that can continue, in the first occurence of that line. does it list publickey	06:19
Xanthippus	Yes, publickey, password	06:19
escott	so it tried publickey and failed	06:19
escott	ok	06:19
Xanthippus	idk why, I recreated the .ssh directory, there should be anything conflicting there	06:19
escott	Xanthippus, is it finding the correct id_rsa and id_rsa.pub above that	06:20
Xanthippus	Found key that matches known_hosts...	06:21
escott	not that one further up	06:21
escott	the 6th or 7th line from the top	06:21
escott	maybe closer to 10th	06:21
Xanthippus	identity file ~/.ssh/id_dsa typr -1	06:22
Xanthippus	type*	06:22
Xanthippus	The line above that is rsa	06:22
escott	thats the dsa... presumably you had an rsa	06:22
Xanthippus	No there is dsa and rsa	06:22
escott	but those are the correct locations of those files on the mac	06:23
escott	or would be the correct location	06:23
escott	and further down just after the first instance of Authentications that can continue it should say:	06:23
escott	debug1: Offering RSA public key: /something/.ssh/id_rsa	06:23
Xanthippus	Yes, it does offer it	06:24
escott	Xanthippus, then the problem is likely permissions on the server	06:24
Xanthippus	Then it loops back to "Authentications that can continue"	06:24
escott	Xanthippus, so ssh user@machine again	06:24
Xanthippus	verbose?	06:25
escott	no	06:25
escott	we actually want to login	06:25
Xanthippus	k I'm logged in	06:25
escott	(a) cat ~/.ssh/authorized_keys and make sure its contents match the id_rsa.pub on the mac	06:25
escott	(b) ls -al ~/.ssh and maybe paste that to us	06:26
Xanthippus	I included the a in parentheses?	06:26
escott	no	06:26
escott	(a) and (b) are two things to do	06:26
Xanthippus	Okay it spit a bunch of random characters lol	06:26
escott	yes. but are those the same random characters as in id_rsa.pub on the mac	06:27
Xanthippus	How do I make sure they match?	06:27
escott	you just have to check the first few	06:27
Xanthippus	Oh okay	06:27
escott	it should begin ssh-rsa AAAA	06:27
escott	it should begin "ssh-rsa AAAA"	06:27
escott	and the characters after the AAAA are the important ones	06:28
Xanthippus	Yeah I noticted	06:28
Xanthippus	They both start w/ it	06:28
Xanthippus	Yeah, went through half way through the first line, and it looks the same	06:28
escott	so what are the permissions of ~/.ssh	06:31
Xanthippus	On which machine?	06:31
escott	ls -al ~/.ssh	06:31
escott	on the server	06:31
Xanthippus	drwx	06:31
Xanthippus	authorized_keys = -rw	06:32
escott	can you just paste the output of ls -al ~/.ssh	06:32
Xanthippus	I found something in sshd_config I think: # Don't read the user's ~/.rhosts and ~/.shosts files	06:32
Xanthippus	IgnoreRhosts yes	06:32
escott	no thats different	06:32
Xanthippus	But it also says: # For this to work you will also need host keys in /etc/ssh_known_hosts	06:32
Xanthippus	And the line under it is: RhostsRSAAuthentication no	06:33
escott	Rhosts is about peering hosts... it utilizes auth_keys but its not relevant	06:33
Xanthippus	Oh okay	06:33
Xanthippus	Could the "AllowUsers" string I added be the problem?	06:34
escott	where did you add this?	06:34
Xanthippus	Very bottom	06:35
escott	very bottom of what	06:35
Xanthippus	Thought it'd make it... more secure?	06:35
Xanthippus	sshd_config	06:35
escott	i dont know what that does. i would guess its unrelated because you can ssh with password	06:36
escott	but i dont know	06:36
Xanthippus	It only allows certain user on the server I guess) to login.	06:36
Xanthippus	(on the server I guess)*	06:36
Xanthippus	So I guess if some guy/gal tried to brute force w/ some random username and maybe blank password, they couldn't	06:37
escott	Xanthippus, if you look at /etc/shadow you will see that the only user who has a password on your system is the one you are currently logged into. so there is no way to brute force anything	06:38
escott	i need to sleep	06:41
escott	its probably incorrect permissions in ~/.ssh	06:41
escott	but you havent sent them to me so i cant say	06:41
=== smb` is now known as smb
=== kInOzAwA__ is now known as kInOzAwA
=== mcclurmc_away is now known as mcclurmc
=== edu-afk is now known as edamato
Sander^work	Will it work to take a backup of / with eg. rdiff-backup, and use it to restore back an upgrade in case it fails?	10:33
vezq	basically yes, but I would create a disk image too if possible	10:53
Sander^work	vezq, Will a disk image with dd be inconsistent?	10:54
vezq	dd works okay but takes also unused space, clonezilla is option take image	10:55
uvirtbot`	New bug: #1076898 in mysql-5.5 (main) "failed to install lamp-server through tasksel in a fresh install of ubuntu 12.10 - package mysql-server-core-5.5 (not installed) failed to install/upgrade: cannot copy extracted data for './usr/bin/my_print_defaults' to '/usr/bin/my_print_defaults.dpkg-new': unexpected end of file or stream" [Undecided,Invalid] https://launchpad.net/bugs/1076898	12:20
=== blackdex is now known as BlackDex
=== Ursinha is now known as Ursinha-afk
=== cpg is now known as cpg\|away
=== Ursinha-afk is now known as Ursinha
AlphaWolf	I've got 2 partitions I'm trying to format and mount. I've put more information (fdisk -lu and more specific information) on Ubuntu Pastebin if anyone can help. I've tried GParted but it just sees the disk and no partitions. http://paste.ubuntu.com/1332125/	13:42
patdk-wk	fdisk /dev/sda, d 2, d 3, n p 2 enter enter	13:44
AlphaWolf	Thank you, patdk-wk! I've verified the new table and saving it/rebooting :)	14:03
eagles0513875__	hey guys I am trying to setup samba to be accessible not only to windows machines in the work group but mac machines as well. how do i go about doing that i am following 2 how to's at the moment and im a bit stuck	14:19
eagles0513875__	the how to's are https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html and https://help.ubuntu.com/12.04/serverguide/samba-fileprint-security.html any one have any ideas of what I am doing wrong?	14:20
uvirtbot`	New bug: #1077003 in ntp (main) "ntp ignores config option "interface ignore all"" [Undecided,New] https://launchpad.net/bugs/1077003	14:31
=== shantorn_ is now known as shantorn
uvirtbot`	New bug: #1077020 in cloud-init (main) "cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf" [Undecided,New] https://launchpad.net/bugs/1077020	15:16
=== matsubara is now known as matsubara-lunch
=== matsubara-lunch is now known as matsubara
=== gary_poster\|away is now known as gary_poster
=== gary_poster is now known as gary_poster\|away
=== gary_poster\|away is now known as gary_poster
=== gary_poster\|away is now known as gary_poster
=== n0ts is now known as n0ts_off
drag0nius	would it be hard to set up backup WAN for ubuntu server?	17:33
drag0nius	like if primary goes down it instantly switches to backup	17:33
drag0nius	and then switch to primary when i tell it to	17:33
sarnold	drag0nius: if you just want to protect against dead nic / switch then something like this may work: http://ubuntuforums.org/showthread.php?t=785471	17:36
drag0nius	basically i've access to 2 networks	17:36
drag0nius	one quicker & faster	17:36
sarnold	drag0nius: as I understand it, if you want to failover to different routes entirely, something like bgp or ospf may be needed -- but that's a bit outside of my experience.	17:36
drag0nius	and another one perfectly stable	17:36
drag0nius	but less responsive and slower	17:37
Free99	hey everyone... having a strange issue with a 12.04.1 x64 server: I add rules to UFW allowing SSH access, but nobody can access. Seems like iptables is ignoring the UFW chains, but I'm not sure	17:42
holstein	Free99: can you connect locally? maybe its just the router firewall?	17:43
Free99	I can connect locally, and nope, no firewall between us	17:44
Free99	holstein: this server's been in production for at least a month, and until now had no issues or changes	17:44
holstein	Free99: if you can connect to it inside your network from another box, that makes me thinnk its not the local firewall on the box that is the issue	17:45
ewindisch	how do I report bugs against cloudarchive? Apport hates it.	17:46
Free99	holstein: I thought you meant connecting via localhost when you said locally	17:48
Free99	but no, outside the machine I cannot connect	17:48
holstein	Free99: yup.. i should have clarified... i would try bringing the firewall down if that is safe to test that way temporarily	17:48
holstein	Free99: i am using ufw to set rules without any issues... but who knows	17:49
Free99	I tried that too, ufw disable then enable, even service ufw restart	17:49
holstein	Free99: can you connect with the firewall is down?	17:50
Free99	holstein: tcpdump says I'm receiving the request packets for port 22 but somehow, despite netstat showing ssh (which I've also restarted) as listening on 22, the packets don't get through to SSH	17:51
Free99	*sshd	17:51
holstein	Free99: and you can connect localhost...	17:51
thesheff17	Free99: did you change ENABLED=yes in /etc/ufw/ufw.conf?	17:51
Free99	holstein: can connect localhost, but not outside whether firewall open or closed. I didn't change the /etc/ufw/ufw.conf	17:52
Free99	should I try reinstalling UFW or SSH?	17:52
holstein	i dont think that will hurt anything Free99 .. and maybe someone has a better idea while you are doing that	17:54
Free99	holstein: the rules for port 22 show up in the list when I do "ufw show raw" but...	17:55
holstein	Free99: well, if its disabled, its disabled. makes me think its not a firewall issue	17:55
holstein	take it out of the equation and go from there	17:56
Free99	I'd normally try to figure this out so as to file a bug report or whatever, but this is kind of... well, I need this fixed pronto	17:58
holstein	Free99: sure, but we dont know that this is a bug yet.. could be misconfiguration	18:00
holstein	Free99: i would take ufw out of the equation.. disable the firewall.. check that its down, and troubleshoot ssh seperate	18:01
Free99	thing is, UFW may be down but iptables is still up, yes?	18:01
holstein	Free99: i usually pull the firewall down. to remove it from the euquation.. you dont have to do this, but you can do that however you choose	18:02
=== mcclurmc is now known as mcclurmc_away
batzi	hi	18:27
=== Ursinha_ is now known as Ursinha
batzi	i trying to improve the usage of my ubuntuz 10.04 usage - so there is an question regarding the usage of remote x session on osx ? is this a wise way to go or should i use some remote desktop app?	18:28
xnox	how/where are the cloud images generated? I'd like to experiment and request for a few settings changes by default.	18:44
=== edamato is now known as edamato-afk
=== yofel_ is now known as yofel
=== mcclurmc_away is now known as mcclurmc
Xanthippus	Hi everyone	19:19
Xanthippus	I'm having trouble with RSA key authorization on my server	19:19
Xanthippus	I am currently using the same keys on another server, and they work just fine. How come this one isn't working?	19:20
Xanthippus	I am forced to keep PasswordAuthentification on because I can't SSH with the key method	19:20
MoleMan	How can I give a user access to control a single service? (I have an account that is used to manage web hosts and I want it to be able to reload/restart apache)	19:25
Seveas	Xanthippus, usually /var/log/auth.log on the server will provide you with clues. Common problems are file permissions on the ~/.ssh/authorized_keys file or public key authentication not being enabled	19:25
Seveas	MoleMan, sudo is your friend. You can limit his sudo access to only restart apache	19:26
Xanthippus	I checked my sshd_config already, and compared it w/ the sshd_config of the working server	19:26
* genii-around gets some highlight about "coffee" and investigates		19:26
MoleMan	Seveas: can that be controlled within the sudoers file then?	19:26
Xanthippus	Add him to the group sudo...?	19:27
Seveas	MoleMan, something like this line: his_login your_hostname=(root) /etc/init.d/apache2	19:27
genii-around	Xanthippus: That would be too far-reaching for only allowing start-stop of apache	19:28
Xanthippus	Oh :-/	19:28
Seveas	MoleMan, the sudoers file allows fine grained access control. At work we have a sudoers file that's over 100 lines long :)	19:28
Xanthippus	What would I be looking for in auth.log if there's an error w/ the keys?	19:29
Seveas	Xanthippus, grep sshd /var/log/auth.log. I think it says failed publick key authentication	19:31
Xanthippus	I think I found an error...	19:32
Xanthippus	Error attempting to parse .ecryptfsrc file; rc = [-13]	19:32
Seveas	oh yeah, if your homedir is encrypted, you password will be needed to decrypt it	19:32
Seveas	so either don't encrypt your homedir on that server or live with passwords :)	19:33
Xanthippus	AH	19:33
Xanthippus	Any way to remove that?	19:33
sarnold	Xanthippus,Seveas: or use sshd_config option AuthorizedKeysFile to store authorized_keys files outside the encrypted homedir	19:34
Xanthippus	Holy chiz I think somebody's trying to get in	19:34
Seveas	sarnold, you'll still need access to your homedir don't you? :)	19:34
sarnold	Seveas: not if you store them all in /etc/users/<username>/authorized_keys or something	19:34
sarnold	Seveas: might be a bit ugly, but does let you use both	19:35
Seveas	Xanthippus, I don't know the "official" way to undo homedir encryption. I'd rsync the decrypted to /var/tmp, log in as root, remove the encrypted one and move the unencrypted one from /var/tmp to /home	19:35
Seveas	sarnold, but then you still need to type in your password to access your other files...	19:35
Seveas	(such as .bashrc...)	19:35
sarnold	Seveas: hrm. before or after the key?	19:36
MoleMan	Seveas: is there any way I could allow access to any 'service apache2' command? would 'service apache2 *' work or something?	19:37
Seveas	sarnold, the key can't unencrypt anything...	19:37
Seveas	MoleMan, that should work	19:37
sarnold	Seveas: indeed	19:37
sarnold	Seveas: but my hope is that you can make a configuration that requires key for authentication then password to decrypt your data -- best of both.	19:38
Seveas	sarnold, what's the use of that?	19:38
Seveas	(I would in this case use ldap and store the keys in there)	19:38
Xanthippus	I think it'd be more efficient to move the authorized_keys	19:39
sarnold	Seveas: it'd keep ssh-robots from eventually guessing password and logging in..	19:40
Seveas	hmm, fair enough	19:40
Seveas	I use iptables for private servers or fail2ban for more public servers to chase robots away	19:41
Seveas	(and only pubkey authentication, so their password attempts are futile anyway...)	19:41
Xanthippus	I'm going through the logs, and I'm getting a lot of break in attempts from this IP...	19:41
Xanthippus	...all failed of course	19:42
Seveas	Xanthippus, welcome to the internet :-)	19:42
Xanthippus	Man now I'm really freaking out about those keys	19:42
Seveas	!info fail2ban \| Xanthippus	19:43
ubottu	Xanthippus: fail2ban (source: fail2ban): ban hosts that cause multiple authentication errors. In component universe, is optional. Version 0.8.7.1-1 (quantal), package size 86 kB, installed size 434 kB	19:43
Xanthippus	I have that on my server	19:43
Xanthippus	I put jail profiles on ftp and something else, I forgot	19:43
Xanthippus	I think the profile's enabled on ssh too	19:43
Xanthippus	Wait, my ~/ directory is encrypted when it says something about cryptswap at boot?	19:47
=== peterrus- is now known as peterrus
=== cpg\|away is now known as cpg
=== tuv0k is now known as darthanubis
NotLarry	I have an ubuntu 11.04 that drops me to initramfs with an error "ALERT! /dev/mapper/servername-root does not exist." When I ls for it in /dev/mapper it shows it is a ln to ../dm-0 which does exist. My google skillz are lacking.	22:41
sarnold	NotLarry: no luck yet? :(	22:41
genii-around	Sounds like initrd has no raid support	22:42
sarnold	NotLarry: try symbolhound, it may do a better job than google on 'ln' and '../dm-0' and so forth	22:42
NotLarry	This box has been running for about 4 months now. I moved it to a new location and this is how it is coming up.	22:44
sarnold	anything interesting in dmesg?	22:45
genii-around	After a physical move like that I'd suspect of course a component. Like a ribbon came loose, etc	22:48
sarnold	or a drive just stops spinning...	22:48
genii-around	Yup	22:49
jjcm	Hey all	22:51
jjcm	I just set up a vps, and while I can ssh to it fine, I cant seem to ping it or get any connection on 80	22:52
jjcm	Can someone help me troubleshoot?	22:52
jjcm	There aren't any restrictions in iptables	22:52
jjcm	apache's ports.conf register 80 just fine	22:52
xnox	are there restrictions / firewall by your vps provider?	22:52
xnox	e.g. on amazon, gandi, etc you need to open ports via their interface / api tools.	22:53
jjcm	Unsure.	22:53
jjcm	Lemme poke around	22:53
jjcm	I can defininitely hit apache locally	22:53
jjcm	so that's running at least	22:53
jjcm	lemme check their web interface	22:53
jjcm	Looks like that may have been it	22:55
jjcm	Didnt' realize they used a whitelist for ports	22:55
jjcm	xnox: many thanks, that worked.	22:56
xnox	np, typical.....	22:57
=== acidflash_ is now known as acidflash
Xanthippus	Hi guys	23:07

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!