[00:00] <joren> Maybe your LogLevel value is too low
[00:00] <bananapie> ;)
[00:00] <joren> in /etc/ssh/sshd_config or whatever
[00:00] <bananapie> LogLevel INFO
[00:01] <bananapie> hmm, I see 'failed publickey for root...' not even though it doesn't say 'debug'.
[00:01] <bananapie> I think it might be the kernel's rate limiter
[00:02] <joren> maybe watch ssh servername ?
[00:02] <Xanthippus> Any tips for securing an Ubuntu Server?
[00:03] <bananapie> I think it's "a Ubuntu server" and not "an Ubuntu server".
[00:03] <Xanthippus> Either way :P
[00:03] <bananapie> Usually, you use 'an' in front of a vowel, but I think because of the way Ubuntu is pronounced, it's an exception.
[00:05] <bananapie> check netstat -antup make sure there are no unnecessary services running.
[00:05] <joren> https://help.ubuntu.com/community/Security might be some good reading
[00:05] <Xanthippus> Lots of udp and tcp
[00:05] <Xanthippus> From command
[00:06] <Xanthippus> What are the 0.0.0.0 IPs?
[00:06] <bananapie> that means it's listening on all interfaces on your server
[00:06] <Xanthippus> tcp and udp6 = IPv6 correct?
[00:06] <Xanthippus> tcp6*
[00:06] <patdk-lap> heh?
[00:07] <patdk-lap> there are so many more protocols than tcp and udp, and neither of them has anything to do with ipv6
[00:07] <Xanthippus> patdk-lap: I just did a netstat -antup, and I am currently looking at protocols
[00:08] <patdk-lap> does netstat show sctp?
[00:08] <bananapie> hmm, try netstat -atup instead, it will resolve service names, it will make it easier to read :)
[00:08] <Xanthippus> Well the tcp6 and udp6 protocols have IPv6 addresses, which are with colons, like MAC addresses right?
[00:09] <bananapie> the lines that are interesting are the ones with *:* in the Foreign address section
[00:09] <patdk-lap> nope, seems netstat is limited to tcp and udp
[00:10] <bananapie> I set the LogLevel in sshd_config to VERBOSE, and I see all my failed connections.
[00:11] <bananapie> fail2ban now works, thx!
[00:11] <joren> cool
[00:16] <bananapie> nevermind
[00:17] <joren> hmm
[00:18] <bananapie> I no longer see 'failed public key' in my logs, I think rsyslog is suppressing information.
[00:18] <joren> can you use "watch ssh servername" instead of your for loop?
[00:18] <joren> or make your 50 number higher?
[00:19] <bananapie> I like watch :D
[00:20] <bananapie> OH!
[00:20] <bananapie> I found the problem
[00:22] <bananapie> the second server I am using for the tests doesn't have a private key. I ran ssh-keygen, and fail2ban is now banning the server.
[00:22] <joren> huh, I guess that makes sense
[00:23] <bananapie> Thanks, fail2ban is working now.
[00:25] <Xanthippus> bananapie: What's the directory for configing PostFix again?
[00:25] <Xanthippus> And how do I install modsecurity for nginx?
[00:25] <bananapie> /etc/ contains most configuration files.
[00:25] <bananapie> and most configs are either /etc/[softwarename].conf or /etc/[softwarename]/[configuration files]
[00:26] <Xanthippus> Oh okay
[00:26] <Xanthippus> How do I know if I'm using those authentication keys you mentioned?
[00:28] <bananapie> Fail2ban is easy to install, nice!
[00:30] <Xanthippus> I'm on step 11 of this guide, what do I enter for SMTP_HOST and SMTP_PORT? http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
[00:30] <bananapie> anyone know an easy command to cause failed logins on an imap server ?
[00:33] <bananapie> given that you want to run an smtp server, you could enter 127.0.0.1 as the host
[00:37] <Xanthippus> aka localhost?
[00:37] <Xanthippus> Can I keep the port also?
[00:42] <Xanthippus> noob question: how do I save rules to iptables?
[00:45] <Xanthippus> I typed iptables-save, would that work?
[00:46] <bananapie> iptables-save saves it yes, but you have to update /etc/network/interfaces as well
[00:46] <bananapie> well
[00:46] <bananapie> try adding the following line at the end of the eth0 interface
[00:46] <bananapie> pre-up iptables-restore < /etc/iptables.rules
[00:47] <Xanthippus> I use wlan0
[00:47] <Xanthippus> And uh oh, I think I have a rootkit...?
[00:47] <patdk-lap> yes :)
[00:47] <Xanthippus> bindshell "infected" at ports 465
[00:47] <patdk-lap> heh?
[00:47] <Xanthippus> How do I get rid of this thing?!
[00:48] <patdk-lap> what is, this thing?
[00:48] <Xanthippus> A rootkit I think
[00:48] <Xanthippus> I ran chkrootkit
[00:48] <patdk-lap> netstat -anp
[00:49] <Xanthippus> What am I looking for in netstat?
[00:49] <patdk-lap> the name of the program on port 465
[00:50] <bananapie> 465 = encrypted smtp
[00:50] <patdk-lap> normally
[00:50] <bananapie> ok
[00:50] <Xanthippus> I think it's bindshell
[00:50] <Xanthippus> idk
[00:50] <Xanthippus> That's what chkrootkit said
[00:50] <Xanthippus> There's no program on 465 here
[00:50] <patdk-lap> what ip?
[00:50] <Xanthippus> All in the 10k
[00:50] <patdk-lap> heh?
[00:51] <patdk-lap> how can it detect something there, if there isn't something
[00:51] <patdk-lap> seems odd
[00:51] <bananapie> I think he means RFC1918's 10.0.0.0/8
[00:51] <Xanthippus> All the ports listed by netstat are in 14,000
[00:52] <Xanthippus> How does someone find your server if you just activated it?
[00:53] <patdk-lap> simple :)
[00:53] <patdk-lap> isn't the normal time to infection of a winxp computer on the internet, 14min?
[00:53] <Xanthippus> unhide.rb says warning from rkhunter
[00:53] <Xanthippus> What does that mean?
[00:56] <Xanthippus> Oh, btw, that port 465 thing with bindshell, it is false positive
[00:56] <Xanthippus> http://benohead.com/chkrootkit-false-positive-bindshell-infected-port-465/
[00:56] <patdk-lap> heh, you could fix your smtp server too, 465 went away a long time ago
[00:56] <patdk-lap> replaced with port 587, submission port
[00:57] <Xanthippus> How would I config that, patdk-lap ?
[00:57] <patdk-lap> depends on your smtp server
[00:58] <Xanthippus> ...would that be PostFix?
[00:58] <patdk-lap> I dunno, did you make an account for me on your server? :)
[01:01] <Xanthippus> lol no!
[01:02] <patdk-lap> I would find it strange postfix would be on port 465, it isn't by default
[01:03] <Xanthippus> Oh, so PostFix is the SMTP server
[01:03] <Xanthippus> Thought it was something like Dovecot or mailman
[01:03] <patdk-lap> postfix is A smtp server, no idea if it is the one installed on your server
[01:04] <patdk-lap> if it is, edit /etc/postfix/master.cf
[01:04] <patdk-lap> though, sounds like you have a lot to learn about just email alone :)
[01:05] <Xanthippus> Exactly
[01:06] <Xanthippus> I have no idea how to use as of yet
[01:06] <Xanthippus> Turns out 465 is not the SMTP port
[01:06] <Xanthippus> Like I said earlier, false positive
[01:06] <Xanthippus> smtp is at port 25
[01:06] <patdk-lap> I know
[01:06] <bananapie> encrypted smtp or smtps is 465
[01:06] <patdk-lap> smtps is 465
[01:06] <patdk-lap> ssl smtp
[01:06] <patdk-lap> tls smtp is 587
[01:07] <Xanthippus> Oh okay there's an smtps on 465
[01:07] <patdk-lap> 465 stopped being used before it was used
[01:07] <Xanthippus> submission is on 587
[01:07] <patdk-lap> 587 is much better
[01:07] <Xanthippus> Should I disable 465 entirely?
[01:07] <patdk-lap> I would
[01:07] <patdk-lap> 587 serves the same purpose
[01:08] <Xanthippus> How would I disable it?
[01:08] <Xanthippus> Would I block it w/ ufw?
[01:08] <patdk-lap> just comment it out in /etc/postfix/master.cf
[01:08] <bananapie> gtg
[01:10] <Xanthippus> Okay
[01:11] <uvirtbot`> New bug: #1076811 in cloud-init "Cloud-init modules do not reflect loaded config" [High,Fix committed] https://launchpad.net/bugs/1076811
[01:12] <Xanthippus> patdk-lap: is it this line? smtps         inet           smtpd
[01:14] <Xanthippus> I don't know which line it is...
[01:15] <hallyn> zul: was out all day...  no objections to libvirt 1.0.0 upload.  as i say the qrt needs an update (sigh, may need python xml parser at this point) but all tests passed in spirit
[01:15] <patdk-lap> that and any line that starts with a space under it
[01:15] <Xanthippus> starts with a space under it?
[01:15] <patdk-lap> #smtps     inet  n       -       -       -       -       smtpd
[01:15] <patdk-lap> #  -o smtpd_tls_wrappermode=yes
[01:15] <patdk-lap> #  -o smtpd_sasl_auth_enable=yes
[01:15] <patdk-lap> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
[01:15] <patdk-lap> #  -o milter_macro_daemon_name=ORIGINATING
[01:17] <Xanthippus> Ah
[01:17] <Xanthippus> k did it
[01:18] <Xanthippus> How do I reload settings?
[01:19] <patdk-lap> service postfix restart
[01:19] <Xanthippus> k
[01:31] <uvirtbot`> New bug: #1076825 in nova (main) "Can't configure nova to use MySQL as backend" [Undecided,New] https://launchpad.net/bugs/1076825
[01:33] <Xanthippus> patdk-lap: I restarted it, and it gave me a bunch of unused parameters
[01:39] <Xanthippus> If a hacker wanted to hack your local machine via a port, would he be unsuccessful if the router blocked that port from the outside?
[01:39] <beeg98> if he was attacking from the outside.
[01:40] <beeg98> if he somehow already got in (either an employee that is already in or via some other hacked service) then the router no longer protects you.
[01:41] <Xanthippus> Then it is up to the local firewall, correct?
[01:41] <patdk-lap> the router doesn't protect anything you go out and get too
[01:41] <patdk-lap> like you viewing websites or other things
[01:43] <sarnold> .. and browsers make it easier to fire up network connections than one may like..
[01:44] <Xanthippus> Ah
[01:44] <Xanthippus> But, if, say, a hacker from the outside tried to hack my server via a port
[01:45] <Xanthippus> It would <supposedly> be blocked by the router right?
[01:45] <patdk-lap> router? no, firewall, sure
[01:45] <Xanthippus> Oh okay
[01:47] <NomadJim> with ubuntu server releases like Precise and Quantal are packages locked? Like the vim on Precise is never going to get an upgrade and you'd need to go to Quantal for that unless you backport
[01:48] <NomadJim> besides security updates
[01:48] <patdk-lap> yes, except if you use backports
[01:49] <sarnold> NomadJim: there's an 'SRU' process to get updates outside of security fixes distributed to existing distributions
[01:51] <ScottK> But that's for bug fixes.
[01:54] <Xanthippus> How would I set up my mail account on my server with Mail on OS X?
[01:54] <Xanthippus> What do I input for Incoming Server?
[01:54] <NomadJim> ok cool thanks
[01:56] <sarnold> Xanthippus: 'incoming server' sounds like it might be asking for your imap4 server details
[01:56] <Xanthippus> I'm sorry, what would that be :-/
[01:57] <Xanthippus> It'd prob be a default value since I most likely didn't config it yet
[01:57] <Xanthippus> I have Dovecot, PostFix, and SquirrelMail on my server, if that helps
[01:57] <sarnold> have you set up dovecot or cyrus or imap4d or something similar yet?
[01:58] <Xanthippus> I have Dovecot
[01:58] <patdk-lap> now ask if he has *configured* it :)
[01:58] <sarnold> haha :)
[01:59] <Xanthippus> Sorry!
[01:59] <patdk-lap> a very basic mail server can take a few hours to configure
[01:59] <patdk-lap> though, I normally spend a few days
[02:00] <patdk-lap> mail servers have lots of moving parts and stuff to make sure you protect against to limit abuse, spam, backscatter
[02:00] <Xanthippus> Abuse like...
[02:01] <patdk-lap> compromised passwords, open-relay, ...
[02:01] <NomadJim> is there a tool to check your mailserver for problems
[02:01] <NomadJim> that you like to use
[02:01] <patdk-lap> generally if you want others to accept your email, reverse-dns setup, dkim, spf, dmarc, ...
[02:01] <ScottK> dmarc is sufficiently new I wouldn't put it on that list.
[02:01] <patdk-lap> NomadJim, the wild? and check your logs?
[02:02] <NomadJim> i need to get more intimate with my logs
[02:02] <patdk-lap> scottk, just setting up the dmarc dns entry so you get reports back is very useful
[02:02] <Xanthippus> reverse dns is... reversing a name i.e. google.com and getting its IP?
[02:02] <sarnold> NomadJim: last time I had to run a mail server myself, I found this _very_ useful: telnet relay-test.mail-abuse.org
[02:03] <NomadJim> sarnold:  nice thanks
[02:03] <sarnold> Xanthippus: other way around, taking 4.2.2.1 and turning it into a human-friendly FQDN
[02:03] <Xanthippus> aka DDNS, which I have
[02:03] <sarnold> NomadJim: if you don't have telnet installed you can probably use nc as well...
[02:03] <sarnold> Xanthippus: no, that's altogether different :)
[02:03] <Xanthippus> Um what
[02:04] <sarnold> Xanthippus: ddns is a way to update a dns server with a new hostname / ip binding -- many ddns providers aren't authoritative for the zones in question, so they can't provide reverse dns
[02:04] <ScottK> patdk-lap: I agree.  I have set it up myself.  I even wrote a tool to make it ~easy to figure out - http://www.kitterman.com/dmarc/assistant.html - but that's really not a newbie kind of thing.
[02:05] <NomadJim> reverse dns and dns always confuse the hell out of me
[02:05] <Xanthippus> IKR
[02:05] <NomadJim> always appreciate a refresher
[02:05] <patdk-lap> well, nothing about email is noobie friendly though
[02:05] <sarnold> Xanthippus: for fun, run "host <your hostname>" -- pretend it gives you back the ip address 10.12.14.16. Then run "host 10.12.14.16" and see what the _reverse_ lookup shows...
[02:06] <patdk-lap> I was looking at http://www.unlocktheinbox.com/ when I setup mine
[02:07] <patdk-lap> receiving email is simple
[02:07] <patdk-lap> sending email is not simple, cause you're assumed to be a spam source, till you can pass as many technical issues as the receiver wants to put on you
[02:07] <Xanthippus> If it's simple as you describe, patdk-lap , then that's now my first order of business
[02:08] <patdk-lap> receiving is as easy as setting an mx entry, and listening on port 25 :)
[02:08] <Xanthippus> Because right now, all my logging services etc are configed to send email to me@myddns.com
[02:08] <sarnold> patdk-lap: .. though receiving is often made difficult to try to raise the technological hurdle of people sending mail; you know, assume they're spammers first :D
[02:08] <patdk-lap> sarnold, well I said receiving was easy, not keeping out spam :)
[02:08] <sarnold> patdk-lap: yes :)
[02:08] <Xanthippus> To receive mail from outside, I need to open port 25 in router, correct?
[02:09] <patdk-lap> firewall
[02:09] <Xanthippus> Just firewall on server?
[02:09] <patdk-lap> routers do ip addresses, not ports
[02:09] <Xanthippus> No, like port forwarding on router
[02:09] <sarnold> .. except in the case of NAT-routers..
[02:09] <sarnold> exactly
[02:09] <patdk-lap> Xanthippus, then you probably have port 25 blocked by your isp
[02:10] <Xanthippus> Why would you think that, patdk-lap ?
[02:10] <patdk-lap> well, a nat router is a firewall, nat is a firewall service :)
[02:10] <sarnold> many ISPs will unblock if you ask politely. some will remind you that your AUP says "run no servers". hehe. :)
[02:10] <patdk-lap> ya, normally the isp will require you pay for static ip for that
[02:10] <patdk-lap> and normally don't run nat-routers on them
[02:10] <Xanthippus> My router's running DD-WRT, and it has NAT/QoS section, so I would assume my router is "NAT router"...
[02:12] <patdk-lap> you can always give it a shot
[02:13] <Xanthippus> Wait, if opening ports on the router isn't necessary, I can close 22 aka ssh?
[02:13] <Xanthippus> Because I have confirmed that I can SSH to server via this port
[02:13] <sarnold> keep it forwarding :)
[02:13] <Xanthippus> k
[02:14] <sarnold> though consider moving to another port to (slightly) cut back on automated probing
[02:14] <sarnold> and consider disabling password access, if you haven't already
[02:14] <Xanthippus> Automated probing by who
[02:14] <sarnold> worms
[02:14] <patdk-lap> the evil one
[02:14] <Xanthippus> Password access = enter password to access shell?
[02:14] <Xanthippus> lol patdk-lap
[02:15] <sarnold> Xanthippus: yes. ssh keys are more secure by a factor of millions. :)
[02:15] <Xanthippus> Okay, how do I know if it's not using both, if that's even possible
[02:16] <Xanthippus> Because when I SSHed from my Mac for the first time, it asked if I wanted to remember an RSA key or something
[02:17] <sarnold> Xanthippus: look for "PasswordAuthentication no" in your /etc/ssh/sshd_config file
[02:17] <sarnold> Xanthippus: that would be the server's key, so you could tell if it is being impersonated in the future
[02:17] <Xanthippus> If it's #PasswordAuthentication yes then remove # and put no?
[02:18] <sarnold> yes. make sure you can log in with a key first :)
[02:20] <beeg98> after you test your key, and change that option, restart the ssh service.
[02:20] <Xanthippus> The key locations are in the config file itself right?
[02:21] <NomadJim> the EOL dates listed are when there are no more security patches right? https://wiki.ubuntu.com/Releases
[02:21] <sarnold> Xanthippus: yes, in AuthorizedKeysFile, though most people don't need to touch it. it just looks into ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default.
[02:21] <NomadJim> so if I wanted the longest possible security support Precise is the release for me
[02:21] <sarnold> NomadJim: correct on both.
[02:22] <sarnold> NomadJim: do note that some aspects of the distribution are supported for less than five years: https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest
[02:23] <Xanthippus> Is there a private/public key?
[02:23] <Xanthippus> Which do I use?
[02:24] <Xanthippus> And in terminal, how do I incorporate certs?
[02:24] <sarnold> Xanthippus: on the client, the private lives in ~/.ssh/id_rsa, public lives in ~/.ssh/id_rsa.pub -- and on the server, the public lives in ~/.ssh/authorized_keys.
[02:25] <sarnold> Xanthippus: ssh-copy-id is handy to automate logging in and copy-pasting the public portion onto the authorized_keys file
[02:35] <escott> Xanthippus, every ssh server has an RSA key that identifies that computer (to protect against MITM attacks if you connect a second time and the key changes) that was the key you were being asked to remember or not
[02:36] <escott> NomadJim, no more anything dates and 12.04 is the most recent LTS
[04:42] <Xanthippus> Hi guys, I'm back
[04:44] <Xanthippus> How would I login to SSH with an authentication key on OS X?
[04:48] <escott> Xanthippus, same way as anywhere else. ssh-keygen; ssh-copy-id user@remote; ssh user@remote;
[04:48] <escott> Xanthippus, you do have to configure the ssh server to be running on OSX and verify it accepts auth-key logins
[04:49] <Xanthippus> My server is on Ubuntu, and I want to connect to it from OS X
[04:49] <holstein> !ssh
[04:49] <Xanthippus> brb
[04:53] <stiv2k> hello
[04:53] <stiv2k> today i woke up to find my server with a flashing caps lock key
[04:54] <stiv2k> i.e., kernel panic
[04:54] <stiv2k> what can i look at to see what may have gone wrong?
[04:54] <holstein> stiv2k: auto upgrade? hardware broken?
[04:55] <stiv2k> holstein i beg your pardon?
[04:56] <holstein> stiv2k: im suggesting you look at an auto upgrade that might have broken something.. unless you dont do auto upgrades, then you can ignore that.. or maybe a bad component. motherboard failure.. etc
[04:57] <stiv2k> holstein, oh, i think its setup to only automatically do security updates
[04:57] <stiv2k> and... the hardware should be fine afaik... i was asking more along the lines of what log file might be able to tell me what happened
[04:57] <stiv2k> it stayed online for like two weeks no problems until this morning
[04:59] <holstein> stiv2k: i would just poke around in the logs... depends on the issue. it might have locked before it could log.. the machine is back up?
[04:59] <stiv2k> yes it is after i did a hard restart
[04:59] <stiv2k> my irc client is actually running on it
[04:59] <stiv2k> so me being here talking to you means its working :P
[04:59] <holstein> i would probably just remove the install from the equation.. run a live CD on the hardware with the hard drive out
[04:59] <holstein> stiv2k: i dont know that you are using it for IRC
[05:00] <stiv2k> i know that's why i mentioned it :)
[05:18] <Xanthippus> Back
[05:33] <Xanthippus> How do I use the ssh-copy-id?
[05:33] <Xanthippus> Do I run it from the server or from the computer I'm trying to connect it to?
[05:34] <holstein> https://help.ubuntu.com/community/SSH/OpenSSH/Keys is what i used
[05:34] <tsimpson> from the computer you want to send the key from
[05:34] <holstein> if you are just wanting to connect locally to another box on the lan, you can just use the password
[05:36] <Xanthippus> No, I plan to SSH from outside
[05:37] <escott> holstein, i think you are confusing telnet with ssh. there is no security risk to doing password across an unsecured network, it's just inconvenient
[05:37] <Xanthippus> Okay, I did the ssh-copy-id command from my Ubuntu server, and inputted "me@mymac" as the parameter
[05:37] <escott> Xanthippus, its from the client to the server
[05:38] <Xanthippus> AH
[05:38] <escott> Xanthippus, on client you run ssh-copy-id user@server
[05:38] <Xanthippus> So can I just delete authorized_keys on the server and do on the client?
[05:38] <escott> the auth_keys file resides on the server. the server checks that to compare to the credentials presented by the client
[05:39] <escott> you have enabled the ubuntu system to ssh into the mac
[05:39] <Xanthippus> AH
[05:39] <holstein> i didnt mean to imply you could or should do the password.. just that it might be easier to configure rather than configuring a key
[05:39] <escott> (without the password)
[05:39] <Xanthippus> Using the key I generated on the Ubuntu machine?
[05:40] <holstein> the key is the way to go though... if you dont mind setting it up
[05:40] <escott> Xanthippus, yes
[05:40] <Xanthippus> Ah
[05:40] <Xanthippus> Why can't anyone just "ssh-copy-id"?
[05:41] <Xanthippus> Isn't that more insecure?
[05:41] <Xanthippus> Than a password?
[05:41] <escott> Xanthippus, auth keys are more secure
[05:41] <escott> copy-id requires a password to do the initial setup
[05:41] <escott> thereafter you could disable password access
[05:41] <escott> and you would be more secure
[05:42] <escott> it might help to take a step back and talk about public vs private keys
[05:42] <Xanthippus> Okay, it appears that Mac doesn't have ssh-copy-id
[05:42] <Xanthippus> But I found this, which one do I use? http://www.commandlinefu.com/commands/view/188/copy-your-ssh-public-key-to-a-server-from-a-machine-that-doesnt-have-ssh-copy-id
[05:42] <escott> when you ssh-keygen you create id_rsa and id_rsa.pub
[05:42] <escott> you copy id_rsa.pub to the server and put it in the servers auth_keys file
[05:43] <Xanthippus> So do ssh-keygen from client?!
[05:43] <escott> you can do that with  ssh-keygen on the client and then "scp ~/.ssh/id_rsa.pub user@server:~/.ssh/id_rsa.pub.client"
[05:43] <Xanthippus> So do I delete the keys that I created on my server? :-/
[05:44] <escott> Xanthippus, no need to
[05:44] <escott> unless you want to
[05:44] <Xanthippus> I did that ssh keygen on my server, but that's obviously wrong right?
[05:44] <escott> presumably you trust both systems equally so you might be just as happy going from ubuntu->mac as from mac->ubuntu
[05:45] <Xanthippus> I don't do ubuntu --> mac
[05:45] <Xanthippus> Only for ftp
[05:45] <escott> you may not in practice do it, but in theory would you disallow it?
[05:46] <Xanthippus> ...no
[05:46] <escott> then don't worry about it... if you were to be concerned that the ubuntu server was untrustworthy you would delete the line in the macs auth_keys file
[05:46] <Xanthippus> Or just delete the whole file altogether because there's only 1 key
[05:47] <escott> sure
[05:47] <escott> the auth_keys file is a list of identities to accept and allow access
[05:47] <Xanthippus> Okay, so down to business: Where do I run the ssh-keygen? Mac or Ubuntu? Ubuntu is the server
[05:47] <Xanthippus> I know
[05:48] <escott> you run ssh-keygen on the client. that defines an identity for the client
[05:48] <escott> you copy the id_rsa.pub from the client to the server (via scp or sneakerNet)
[05:48] <Xanthippus> Okay
[05:48] <escott> and add the id_rsa.pub (its a single line) to the authorized_keys file on the server
[05:49] <escott> you can further modify that line in authorized_keys to further restrict the conditions under which that key is accepted (ie accept only from certain ip addresses, or restrict the programs that can be run, etc)
[05:50] <Xanthippus> Oh okay, there we go. I generated key on Mac
[05:50] <escott> Xanthippus, so now you need to copy it to the server. "scp ~/.ssh/id_rsa.pub user@ubuntu:~/id_rsa.pub.mac"
[05:51] <Xanthippus> I can add the .mac extension?
[05:51] <escott> then you can "ssh user@ubuntu" and you will see id_rsa.pub.mac in $HOME
[05:51] <escott> Xanthippus, sure extensions are meaningless
[05:51] <Xanthippus> Oh...
[05:51] <Xanthippus> How about this: scp ~/.ssh/id_rsa.pub user@machine:.ssh/authorized_keys
[05:51] <escott> and you dont want to confuse id_rsa.pub from the mac with the id_rsa that exists on the server
[05:52] <escott> thats ok ONLY IF authorized_keys is empty
[05:52] <escott> otherwise you blew away your configuration
[05:52] <Xanthippus> There is no authorized_keys
[05:52] <escott> then you can do that.
[05:53] <Xanthippus> Awesome
[05:53] <escott> finally you have to correct permissions of the file on the server
[05:53] <escott> so "ssh user@ubuntu" followed by "chmod 600 ~/.ssh/authorized_keys"
[05:53] <escott> and "cat ~/.ssh/authorized_keys" to double check it is what you want it to be
[05:54] <Xanthippus> It's complained that authorized_keys doesn't exist
[05:54] <Xanthippus> Does it need to be a folder?
[05:54] <escott> what is the exact command you wrote?
[05:55] <Xanthippus> scp ~/.ssh/id_rsa.pub user@machine:~/.ssh/authorized_keys
[05:56] <escott> that should be ok.
[05:58] <Xanthippus> Well here's what came of it: scp: /home/user_of_ubuntu_server/.ssh/authorized_keys: No such file or directory
[05:58] <Xanthippus> OH my mistake
[05:59] <Xanthippus> Deleted the entire ~/.ssh directory, sorry
[05:59] <Xanthippus> Okay, I copied it. Now what?
[06:00] <escott> Xanthippus, now ssh user@machine
[06:00] <escott> you have to fix up two sets of permissions
[06:00] <Xanthippus> ?
[06:00] <escott> chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys;
[06:00] <Xanthippus> Oh okay
[06:01] <escott> then "ls -l ~/.ssh" and verify that . has rwx------ and that authorized_keys has rw-------
[06:02] <Xanthippus> Both have rw
[06:03] <Xanthippus> Do I need to run chmod as root
[06:03] <Xanthippus> ?
[06:03] <escott> Xanthippus, the directory "." needs rwx
[06:03] <escott> no you own the files you can chmod them
[06:03] <Xanthippus> Oh
[06:03] <escott> and it would be "ls -al ~/.ssh" forgot the a
[06:04] <Xanthippus> . is drwx
[06:04] <Xanthippus> so is ..
[06:04] <escott> yes but after the drwx it should be all -'s for "." and after the rw all -'s for auth_keys
[06:05] <escott> for ".." its going to be something like rwx-r-xr-x depending upon configuration
[06:05] <escott> but we don't care about ".."
[06:05] <escott> ".." is ~ we are trying to secure ~/.ssh which is "."
[06:06] <Xanthippus> Oh
[06:06] <Xanthippus> Well there are no 's
[06:06] <Xanthippus> Just dashes
[06:07] <escott> thats what we want
[06:07] <escott> drwx------ and -rw-------
[06:09] <Xanthippus> Oh okay
[06:09] <Xanthippus> Well then in that case it's all good
[06:09] <escott> Xanthippus, so now you can test it
[06:09] <Xanthippus> logout then login?
[06:09] <escott> "exit" from the ssh session, and try ssh user@machine again
[06:10] <escott> it should just let you in
[06:10] <Xanthippus> If I have pwd authentication, I have to enter that?
[06:10] <Xanthippus> Because it's still asking me for it
[06:11] <escott> did you put a password on the key you generated with ssh-keygen
[06:11] <escott> because if you did it would ask you for that password, because it needs that to unlock the id_rsa file
[06:12] <escott> and then you are usually ok for the rest of your desktop session on the client
[06:14] <Xanthippus> Yes I did put a passphrase
[06:14] <Xanthippus> Should I try again?
[06:15] <Xanthippus> It's asking for the user password, not the passphrase in the key
[06:15] <Xanthippus> Should I disable that?
[06:15] <escott> there shouldn't be anything to disable
[06:16] <escott> ssh -v user@machine and look for the line(s): debug1: Authentications that can continue: publickey,password and debug1: Next authentication method: publickey
[06:16] <escott> is it listing publickey at all
[06:18] <Xanthippus> Yes
[06:18] <Xanthippus> It actually uses it as first method, idk what goes wrong
[06:18] <escott> Xanthippus, does it ever list publickey?
[06:18] <Xanthippus> Um, id_rsa and id_dsa?
[06:19] <Xanthippus> It tried both, and apparently failed, because it fell back to password
[06:19] <escott> no in the line Authentications that can continue, in the first occurrence of that line. does it list publickey
[06:19] <Xanthippus> Yes, publickey, password
[06:19] <escott> so it tried publickey and failed
[06:19] <escott> ok
[06:19] <Xanthippus> idk why, I recreated the .ssh directory, there shouldn't be anything conflicting there
[06:20] <escott> Xanthippus, is it finding the correct id_rsa and id_rsa.pub above that
[06:21] <Xanthippus> Found key that matches known_hosts...
[06:21] <escott> not that one further up
[06:21] <escott> the 6th or 7th line from the top
[06:21] <escott> maybe closer to 10th
[06:22] <Xanthippus> identity file ~/.ssh/id_dsa typr -1
[06:22] <Xanthippus> type*
[06:22] <Xanthippus> The line above that is rsa
[06:22] <escott> thats the dsa... presumably you had an rsa
[06:22] <Xanthippus> No there is dsa and rsa
[06:23] <escott> but those are the correct locations of those files on the mac
[06:23] <escott> or would be the correct location
[06:23] <escott> and further down just after the first instance of Authentications that can continue it should say:
[06:23] <escott> debug1: Offering RSA public key: /something/.ssh/id_rsa
[06:24] <Xanthippus> Yes, it does offer it
[06:24] <escott> Xanthippus, then the problem is likely permissions on the server
[06:24] <Xanthippus> Then it loops back to "Authentications that can continue"
[06:24] <escott> Xanthippus, so ssh user@machine again
[06:25] <Xanthippus> verbose?
[06:25] <escott> no
[06:25] <escott> we actually want to login
[06:25] <Xanthippus> k I'm logged in
[06:25] <escott> (a) cat ~/.ssh/authorized_keys and make sure its contents match the id_rsa.pub on the mac
[06:26] <escott> (b) ls -al ~/.ssh and maybe paste that to us
[06:26] <Xanthippus> I included the a in parentheses?
[06:26] <escott> no
[06:26] <escott> (a) and (b) are two things to do
[06:26] <Xanthippus> Okay it spit a bunch of random characters lol
[06:27] <escott> yes. but are those the same random characters as in id_rsa.pub on the mac
[06:27] <Xanthippus> How do I make sure they match?
[06:27] <escott> you just have to check the first few
[06:27] <Xanthippus> Oh okay
[06:27] <escott> it should begin ssh-rsa AAAA
[06:27] <escott> it should begin "ssh-rsa AAAA"
[06:28] <escott> and the characters after the AAAA are the important ones
[06:28] <Xanthippus> Yeah I noticted
[06:28] <Xanthippus> They both start w/ it
[06:28] <Xanthippus> Yeah, went through half way through the first line, and it looks the same
[06:31] <escott> so what are the permissions of ~/.ssh
[06:31] <Xanthippus> On which machine?
[06:31] <escott> ls -al ~/.ssh
[06:31] <escott> on the server
[06:31] <Xanthippus> drwx
[06:32] <Xanthippus> authorized_keys = -rw
[06:32] <escott> can you just paste the output of ls -al ~/.ssh
[06:32] <Xanthippus> I found something in sshd_config I think: # Don't read the user's ~/.rhosts and ~/.shosts files
[06:32] <Xanthippus> IgnoreRhosts yes
[06:32] <escott> no thats different
[06:32] <Xanthippus> But it also says: # For this to work you will also need host keys in /etc/ssh_known_hosts
[06:33] <Xanthippus> And the line under it is: RhostsRSAAuthentication no
[06:33] <escott> Rhosts is about peering hosts... it utilizes auth_keys but it's not relevant
[06:33] <Xanthippus> Oh okay
[06:34] <Xanthippus> Could the "AllowUsers" string I added be the problem?
[06:34] <escott> where did you add this?
[06:35] <Xanthippus> Very bottom
[06:35] <escott> very bottom of what
[06:35] <Xanthippus> Thought it'd make it... more secure?
[06:35] <Xanthippus> sshd_config
[06:36] <escott> I don't know what that does. I would guess it's unrelated because you can ssh with password
[06:36] <escott> but i dont know
[06:36] <Xanthippus> It only allows certain users (on the server I guess) to log in.
[06:36] <Xanthippus> (on the server I guess)*
[06:37] <Xanthippus> So I guess if some guy/gal tried to brute force w/ some random username and maybe blank password, they couldn't
[06:38] <escott> Xanthippus, if you look at /etc/shadow you will see that the only user who has a password on your system is the one you are currently logged into. so there is no way to brute force anything
[06:41] <escott> i need to sleep
[06:41] <escott> it's probably incorrect permissions in ~/.ssh
[06:41] <escott> but you haven't sent them to me so I can't say
[10:33] <Sander^work> Will it work to take a backup of / with eg. rdiff-backup, and use it to restore back an upgrade in case it fails?
[10:53] <vezq> basically yes, but I would create a disk image too if possible
[10:54] <Sander^work> vezq, Will a disk image with dd be inconsistent?
[10:55] <vezq> dd works okay but also copies unused space; Clonezilla is an option to take an image
[12:20] <uvirtbot`> New bug: #1076898 in mysql-5.5 (main) "failed to install lamp-server through tasksel in a fresh install of ubuntu 12.10 - package mysql-server-core-5.5 (not installed) failed to install/upgrade: cannot copy extracted data for './usr/bin/my_print_defaults' to '/usr/bin/my_print_defaults.dpkg-new': unexpected end of file or stream" [Undecided,Invalid] https://launchpad.net/bugs/1076898
[13:42] <AlphaWolf> I've got 2 partitions I'm trying to format and mount. I've put more information (fdisk -lu and more specific information) on Ubuntu Pastebin if anyone can help. I've tried GParted but it just sees the disk and no partitions. http://paste.ubuntu.com/1332125/
[13:44] <patdk-wk> fdisk /dev/sda, d 2, d 3, n p 2 enter enter
[14:03] <AlphaWolf> Thank you, patdk-wk! I've verified the new table and saving it/rebooting :)
[14:19] <eagles0513875__> hey guys, I am trying to set up samba to be accessible not only to windows machines in the workgroup but mac machines as well. how do i go about doing that? i am following 2 how-tos at the moment and I'm a bit stuck
[14:20] <eagles0513875__> the how-tos are https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html and https://help.ubuntu.com/12.04/serverguide/samba-fileprint-security.html anyone have any ideas of what I am doing wrong?
[14:31] <uvirtbot`> New bug: #1077003 in ntp (main) "ntp ignores config option "interface ignore all"" [Undecided,New] https://launchpad.net/bugs/1077003
[15:16] <uvirtbot`> New bug: #1077020 in cloud-init (main) "cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf" [Undecided,New] https://launchpad.net/bugs/1077020
[17:33] <drag0nius> would it be hard to set up backup WAN for ubuntu server?
[17:33] <drag0nius> like if primary goes down it instantly switches to backup
[17:33] <drag0nius> and then switch to primary when i tell it to
[17:36] <sarnold> drag0nius: if you just want to protect against dead nic / switch then something like this may work: http://ubuntuforums.org/showthread.php?t=785471
[17:36] <drag0nius> basically i've access to 2 networks
[17:36] <drag0nius> one quicker & faster
[17:36] <sarnold> drag0nius: as I understand it, if you want to failover to different routes entirely, something like bgp or ospf may be needed -- but that's a bit outside of my experience.
[17:36] <drag0nius> and another one perfectly stable
[17:37] <drag0nius> but less responsive and slower
[17:42] <Free99> hey everyone... having a strange issue with a 12.04.1 x64 server: I add rules to UFW allowing SSH access, but nobody can access. Seems like iptables is ignoring the UFW chains, but I'm not sure
[17:43] <holstein> Free99: can you connect locally? maybe its just the router firewall?
[17:44] <Free99> I can connect locally, and nope, no firewall between us
[17:44] <Free99> holstein: this server's been in production for at least a month, and until now had no issues or changes
[17:45] <holstein> Free99: if you can connect to it inside your network from another box, that makes me think it's not the local firewall on the box that is the issue
[17:46] <ewindisch> how do I report bugs against cloudarchive? Apport hates it.
[17:48] <Free99> holstein: I thought you meant connecting via localhost when you said locally
[17:48] <Free99> but no, outside the machine I cannot connect
[17:48] <holstein> Free99: yup.. I should have clarified... I would try bringing the firewall down, if that is safe, to test that way temporarily
[17:49] <holstein> Free99: i am using ufw to set rules without any issues... but who knows
[17:49] <Free99> I tried that too, ufw disable then enable, even service ufw restart
[17:50] <holstein> Free99: can you connect when the firewall is down?
[17:51] <Free99> holstein: tcpdump says I'm receiving the request packets for port 22 but somehow, despite netstat showing ssh (which I've also restarted) as listening on 22, the packets don't get through to SSH
[17:51] <Free99> *sshd
[17:51] <holstein> Free99: and you can connect localhost...
[17:51] <thesheff17> Free99: did you change ENABLED=yes in /etc/ufw/ufw.conf?
[17:52] <Free99> holstein: can connect localhost, but not outside whether firewall open or closed. I didn't change the /etc/ufw/ufw.conf
[17:52] <Free99> should I try reinstalling UFW or SSH?
[17:54] <holstein> I don't think that will hurt anything, Free99.. and maybe someone has a better idea while you are doing that
[17:55] <Free99> holstein: the rules for port 22 show up in the list when I do "ufw show raw" but...
[17:55] <holstein> Free99: well, if it's disabled, it's disabled. makes me think it's not a firewall issue
[17:56] <holstein> take it out of the equation and go from there
[17:58] <Free99> I'd normally try to figure this out so as to file a bug report or whatever, but this is kind of... well, I need this fixed pronto
[18:00] <holstein> Free99: sure, but we don't know that this is a bug yet.. could be misconfiguration
[18:01] <holstein> Free99: I would take ufw out of the equation.. disable the firewall.. check that it's down, and troubleshoot ssh separately
[18:01] <Free99> thing is, UFW may be down but iptables is still up, yes?
[18:02] <holstein> Free99: I usually pull the firewall down, to remove it from the equation.. you don't have to do this, but you can do that however you choose
[18:27] <batzi> hi
[18:28] <batzi> I'm trying to improve my use of Ubuntu 10.04, so I have a question regarding the use of a remote X session on OS X. Is this a wise way to go, or should I use some remote desktop app?
[18:44] <xnox> how/where are the cloud images generated? I'd like to experiment and request for a few settings changes by default.
[19:19] <Xanthippus> Hi everyone
[19:19] <Xanthippus> I'm having trouble with RSA key authorization on my server
[19:20] <Xanthippus> I am currently using the same keys on another server, and they work just fine. How come this one isn't working?
[19:20] <Xanthippus> I am forced to keep PasswordAuthentication on because I can't SSH with the key method
[19:25] <MoleMan> How can I give a user access to control a single service? (I have an account that is used to manage web hosts and I want it to be able to reload/restart apache)
[19:25] <Seveas> Xanthippus, usually /var/log/auth.log on the server will provide you with clues. Common problems are file permissions on the ~/.ssh/authorized_keys file or public key authentication not being enabled
[19:26] <Seveas> MoleMan, sudo is your friend. You can limit his sudo access to only restart apache
[19:26] <Xanthippus> I checked my sshd_config already, and compared it w/ the sshd_config of the working server
[19:26]  * genii-around gets some highlight about "coffee" and investigates
[19:26] <MoleMan> Seveas: can that be controlled within the sudoers file then?
[19:27] <Xanthippus> Add him to the group sudo...?
[19:27] <Seveas> MoleMan, something like this line: his_login your_hostname=(root) /etc/init.d/apache2
[19:28] <genii-around> Xanthippus: That would be too far-reaching for only allowing start-stop of apache
[19:28] <Xanthippus> Oh :-/
[19:28] <Seveas> MoleMan, the sudoers file allows fine grained access control. At work we have a sudoers file that's over 100 lines long :)
[19:29] <Xanthippus> What would I be looking for in auth.log if there's an error w/ the keys?
[19:31] <Seveas> Xanthippus, grep sshd /var/log/auth.log. I think it says failed public key authentication
[19:32] <Xanthippus> I think I found an error...
[19:32] <Xanthippus> Error attempting to parse .ecryptfsrc file; rc = [-13]
[19:32] <Seveas> oh yeah, if your homedir is encrypted, your password will be needed to decrypt it
[19:33] <Seveas> so either don't encrypt your homedir on that server or live with passwords :)
[19:33] <Xanthippus> AH
[19:33] <Xanthippus> Any way to remove that?
[19:34] <sarnold> Xanthippus,Seveas: or use sshd_config option AuthorizedKeysFile to store authorized_keys files outside the encrypted homedir
[19:34] <Xanthippus> Holy chiz I think somebody's trying to get in
[19:34] <Seveas> sarnold, you'll still need access to your homedir don't you? :)
[19:34] <sarnold> Seveas: not if you store them all in /etc/users/<username>/authorized_keys or something
[19:35] <sarnold> Seveas: might be a bit ugly, but does let you use both
[19:35] <Seveas> Xanthippus, I don't know the "official" way to undo homedir encryption. I'd rsync the decrypted to /var/tmp, log in as root, remove the encrypted one and move the unencrypted one from /var/tmp to /home
[19:35] <Seveas> sarnold, but then you still need to type in your password to access your other files...
[19:35] <Seveas> (such as .bashrc...)
[19:36] <sarnold> Seveas: hrm. before or after the key?
[19:37] <MoleMan> Seveas: is there any way I could allow access to any 'service apache2' command? would 'service apache2 *' work or something?
[19:37] <Seveas> sarnold, the key can't decrypt anything...
[19:37] <Seveas> MoleMan, that should work
[19:37] <sarnold> Seveas: indeed
[19:38] <sarnold> Seveas: but my hope is that you can make a configuration that requires key for authentication then password to decrypt your data -- best of both.
[19:38] <Seveas> sarnold, what's the use of that?
[19:38] <Seveas> (I would in this case use ldap and store the keys in there)
[19:39] <Xanthippus> I think it'd be more efficient to move the authorized_keys
[19:40] <sarnold> Seveas: it'd keep ssh-robots from eventually guessing password and logging in..
[19:40] <Seveas> hmm, fair enough
[19:41] <Seveas> I use iptables for private servers or fail2ban for more public servers to chase robots away
[19:41] <Seveas> (and only pubkey authentication, so their password attempts are futile anyway...)
[19:41] <Xanthippus> I'm going through the logs, and I'm getting a lot of break in attempts from this IP...
[19:42] <Xanthippus> ...all failed of course
[19:42] <Seveas> Xanthippus, welcome to the internet :-)
[19:42] <Xanthippus> Man now I'm really freaking out about those keys
[19:43] <Seveas> !info fail2ban | Xanthippus
[19:43] <Xanthippus> I have that on my server
[19:43] <Xanthippus> I put jail profiles on ftp and something else, I forgot
[19:43] <Xanthippus> I think the profile's enabled on ssh too
[19:47] <Xanthippus> Wait, my ~/ directory is encrypted when it says something about cryptswap at boot?
[22:41] <NotLarry> I have an ubuntu 11.04 that drops me to initramfs with an error "ALERT! /dev/mapper/servername-root does not exist." When I ls for it in /dev/mapper it shows it is a ln to ../dm-0  which does exist.  My google skillz are lacking.
[22:41] <sarnold> NotLarry: no luck yet? :(
[22:42] <genii-around> Sounds like initrd has no raid support
[22:42] <sarnold> NotLarry: try symbolhound, it may do a better job than google on 'ln' and '../dm-0' and so forth
[22:44] <NotLarry> This box has been running for about 4 months now.  I moved it to a new location and this is how it is coming up.
[22:45] <sarnold> anything interesting in dmesg?
[22:48] <genii-around> After a physical move like that I'd suspect of course a component. Like a ribbon came loose, etc
[22:48] <sarnold> or a drive just stops spinning...
[22:49] <genii-around> Yup
[22:51] <jjcm> Hey all
[22:52] <jjcm> I just set up a vps, and while I can ssh to it fine, I can't seem to ping it or get any connection on 80
[22:52] <jjcm> Can someone help me troubleshoot?
[22:52] <jjcm> There aren't any restrictions in iptables
[22:52] <jjcm> apache's ports.conf registers 80 just fine
[22:52] <xnox> are there restrictions / firewall by your vps provider?
[22:53] <xnox> e.g. on amazon, gandi, etc you need to open ports via their interface / api tools.
[22:53] <jjcm> Unsure.
[22:53] <jjcm> Lemme poke around
[22:53] <jjcm> I can definitely hit apache locally
[22:53] <jjcm> so that's running at least
[22:53] <jjcm> lemme check their web interface
[22:55] <jjcm> Looks like that may have been it
[22:55] <jjcm> Didn't realize they used a whitelist for ports
[22:56] <jjcm> xnox: many thanks, that worked.
[22:57] <xnox> np, typical.....
[23:07] <Xanthippus> Hi guys