[00:00] Maybe you're LogLevel value is too low [00:00] ;) [00:00] in /etc/ssh/sshd_config or whatever [00:00] LogLevel INFO [00:01] hmm, I see 'failed publickey for root...' not even though it doesn't say 'debug. [00:01] I think it might be the kernel's rate limiter [00:02] maybe watch ssh servername ? [00:02] Any tips for securing an Ubuntu Server? [00:03] I think it's "a Ubuntu server" and not "an Ubuntu server". [00:03] Either way :P [00:03] Usually, you use 'an' in front of a vowel, but I think because of the way Ubuntu is pronounced, it's an exception. [00:05] check netstat -antup make sure there are no unnecessary services running. [00:05] https://help.ubuntu.com/community/Security might be some good reading [00:05] Lots of udp and tcp [00:05] From command [00:06] What are the 0.0.0.0 IPs? [00:06] that means it's listening on all interfaces on your server [00:06] tcp and udp6 = IPv6 correct? [00:06] tcp6* [00:06] heh? [00:07] there are so many more protocols than tcp and udp, and neither of them have anything to do with ipv6 [00:07] patdk-lap: I just did a netstat -antup, and I am currently looking at protocols [00:08] does netstat show sctp? [00:08] hmm, try netstat -atup instead, it will resolve service names, it will make it easier to read :) [00:08] Well the tcp6 and udp6 protocols have IPv6 addresses, which are with colons, like Mac addresses right? === glebihan__ is now known as glebihan [00:09] the lines that are interesting are the ones with *:* in the Foreign adderss section [00:09] nope, seems netstat is limited to tcp and udp [00:10] I set the LogLevel in sshd_config to VERBOSE, and I see all my failed connections. [00:11] fail2ban now works, thx! [00:11] cool [00:16] nevermind [00:17] hmm [00:18] I no longer see 'failed public key' in my logs, I think rsyslog is supressing information. [00:18] can you use "watch ssh servername" instead of your for loop? [00:18] or make your 50 number higher? [00:19] I like watch :D [00:20] OH! [00:20] I found the problem [00:22] the second server I am using for the tests doesn't have a private key. I ran ssh-keygen, and fail2ban is now banning the server. [00:22] huh, I guess that makes sense [00:23] Thanks, fail2ban is working now. [00:25] bananapie: What's the directory for configing PostFix again? [00:25] And how do I install modsecurity for nginx? [00:25] /etc/ contains most configuration fies. [00:25] and most configs are either /etc/[softwarename].conf or /etc/[softwarename]/[configuration files] [00:26] Oh okay [00:26] How do I know if I'm using those authentification keys you mentioned? [00:28] Fail2ban is easy to install, nice! [00:30] I'm on step 11 of this guide, what do I enter for SMTP_HOST and SMTP_PORT? http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics [00:30] anyway know an easy command to cause failed logins on an imap server ? [00:33] given that you want to run an smtp server, you could enter 127.0.0.1 as the host [00:37] aka localhost? [00:37] Can I keep the port also? [00:42] noob question: how do I save rules to iptables? [00:45] I typed iptables-save, would that work? [00:46] iptables-save saves it yes, but you have to update /etc/network/interfaces as wel [00:46] well [00:46] try adding the following line at the end of the eth0 interface [00:46] pre-up iptables-restore < /etc/iptables.rules [00:47] I use wlan0 [00:47] And uh oh, I think I have a rootkit...? [00:47] yes :) [00:47] bindshell "infected" at ports 465 [00:47] heh? [00:47] How do I get rid of this thing?! [00:48] what is, this thing? [00:48] A rootkit I think [00:48] I ran chkrootkit [00:48] netstat -anp [00:49] What am I looking for in netstat? [00:49] the name of the progrm on port 465 [00:50] 465 = encrypted smtp [00:50] normally [00:50] ok [00:50] I think it's bindshell [00:50] idk [00:50] That's what chkrootkit said [00:50] There's no program on 465 here [00:50] what ip? [00:50] All in the 10k [00:50] heh? [00:51] how can it detect something there, if there isn't something [00:51] seems odd [00:51] I think he means RFC1918's 10.0.0.0/8 [00:51] All the ports listed by netstat are in 14,000 [00:52] How does someone find your server if you just activated it? [00:53] simple :) [00:53] isn't the normal time to infection of a winxp computer on the internet, 14min? [00:53] unhide.rb says warning from rkhunter [00:53] What does that mean? [00:56] Oh, btw, that port 465 thing with bindshell, it is false positive [00:56] http://benohead.com/chkrootkit-false-positive-bindshell-infected-port-465/ [00:56] heh, you could fix your smtp server too, 465 went away a long time ago [00:56] replaced with port 587, submission port [00:57] How would I config that, patdk-lap ? [00:57] depends on your smtp server [00:58] ...would that be PostFix? [00:58] I dunno, did you make an account for me on your server? :) [01:01] lol no! [01:02] I would find it strange postfix would be on port 465, it isn't by default [01:03] Oh, so PostFix is the SMTP server [01:03] Thought it was something like Dovecot or mailman [01:03] postfix is A smtp server, no idea if it is the one installed on your server [01:04] if it is, edit /etc/postfix/master.cf [01:04] though, sounds like you have a lot to learn about just email alone :) [01:05] Exacly [01:06] I have no idea how to use as of yet [01:06] Turns out 465 is not the SMTP port [01:06] Like I said earlier, false positive [01:06] smtp is at port 25 [01:06] I know [01:06] encrypted smtp or smtps is 465 [01:06] smtps is 465 [01:06] ssl smtp [01:06] tls smtp is 587 [01:07] Oh okay there's an smtps on 465 [01:07] 465 stopped being used before it was used [01:07] submission is on 587 [01:07] 587 is much better [01:07] Should I disable 465 entirely? [01:07] I would [01:07] 587 serves the same purpose [01:08] How would I disable it? [01:08] Would I block it w/ ufw? [01:08] just comment it out in /etc/postfix/master.cf [01:08] gtg [01:10] Okay [01:11] New bug: #1076811 in cloud-init "Cloud-init modules do not reflect loaded config" [High,Fix committed] https://launchpad.net/bugs/1076811 [01:12] patdk-lap: is it this line? smtps inet smtpd [01:14] I don't know which line it is... [01:15] zul: was out all day... no objections to libvirt 1.0.0 upload. as i say the qrt needs an update (sigh, may need python xml parser at this point) but all tests passed in spirit [01:15] that and any line that starts with a space under it [01:15] starts with a space under it? [01:15] #smtps inet n - - - - smtpd [01:15] # -o smtpd_tls_wrappermode=yes [01:15] # -o smtpd_sasl_auth_enable=yes [01:15] # -o smtpd_client_restrictions=permit_sasl_authenticated,reject [01:15] # -o milter_macro_daemon_name=ORIGINATING [01:17] Ah [01:17] k did it [01:18] How do I reload settings? [01:19] service postfix restart [01:19] k [01:31] New bug: #1076825 in nova (main) "Can't configure nova to use MySQL as backend" [Undecided,New] https://launchpad.net/bugs/1076825 [01:33] patdk-lap: I restarted it, and it gave me a bunch of unused parameters === guampa_ is now known as guampa [01:39] If a hacker wanted to hack your local machine via a port, would he be unsuccessful if the router blocked that port from the outside? [01:39] if he was attacking from the outside. [01:40] if he somehow already got in (either an employee that is already in or via some other hacked service) then the router no longer protects you. [01:41] Then it is up to the local firewall, correct? [01:41] the router doesn't protect anything you go out and get too [01:41] like you viewing websites or other things === cpg is now known as cpg|away [01:43] .. and browsers make it easier to fire up network connections than one may like.. [01:44] Ah [01:44] But, if, say, a hacker from the outside tried to hack my server via a port [01:45] It would be blocked by the router right? [01:45] router? no, firewall, sure [01:45] Oh okay [01:47] with ubuntu server releases like Precise and Quantal are packages locked? Like the vim on Precise is never going to get an upgrade and you'd need to go to Quantal for that unless you backport [01:48] besides security updates [01:48] yes, except if you use backports [01:49] NomadJim: there's an 'SRU' process to get updates outside of security fixes distributed to existing distributions [01:51] But that's for bug fixes. [01:54] How would I set up my mail account on my server with Mail on OS X? [01:54] What do I input for Incoming Server? [01:54] ok cool thanks [01:56] Xanthippus: 'incoming server' sounds like it might be asking for your imap4 server details [01:56] I'm sorry, what would that be :-/ [01:57] It'd prob be a default value since I most likely didn't config it yet [01:57] I have Dovecot, PostFix, and SquirrelMail on my server, if that helps [01:57] have you set up dovecot or cyrus or imap4d or something similar yet? [01:58] I have Dovecot [01:58] now ask if he has *configured* it :) [01:58] haha :) [01:59] Sorry! [01:59] a very basic mail server can take a few hours to configure [01:59] though, I normally spend a few days [02:00] mailserver have lots of moving parts and stuff to make sure you protect against to limit abuse, spam, backscatter [02:00] Abuse like... [02:01] compromised passwords, open-relay, ... [02:01] is there a tool to check your mailserver for problems [02:01] that you like to use [02:01] generally if you want others to accept your email, reverse-dns setup, dkim, spf, dmarc, ... [02:01] dmarc is sufficiently new I wouldn't put it on that list. [02:01] NomadJim, the wild? and check your logs? [02:02] i need to get more intimate with my logs [02:02] scottk, just setting up the dmarc dns entry so you get reports back is very useful [02:02] reverse dns is... reversing a name i.e. google.com and getting its IP? [02:02] NomadJim: last time I had to run a mail server myself, I found this _very_ useful: telnet relay-test.mail-abuse.org [02:03] sarnold: nice thanks [02:03] Xanthippus: other way around, taking 4.2.2.1 and turning it into a human-friendly FQDN [02:03] aka DDNS, which I have [02:03] NomadJim: if you don't have telnet installed you can probably use nc as well... [02:03] Xanthippus: no, that's altogether different :) [02:03] Um what [02:04] Xanthippus: ddns is a way to update a dns server with a new hostname / ip binding -- many ddns providers aren't authoritative for the zones in question, so they can't provide reverse dns [02:04] patdk-lap: I agree. I have set it up myself. I even wrote a tool to make it ~easy to figure out - http://www.kitterman.com/dmarc/assistant.html - but that's really not a newbie kind of thing. [02:05] reverse dns and dns always confuse the hell out of me [02:05] IKR [02:05] always appreciate a refresher [02:05] well, nothing about email is noobie friendly though [02:05] Xanthippus: for fun, run "host " -- pretend it gives you back the ip address 10.12.14.16. Then run "host 10.12.14.16" and see what the _reverse_ lookup shows... [02:06] I was looking at http://www.unlocktheinbox.com/ when I setup mine [02:07] receiving email is simple [02:07] sending email is not simple, cause your assumed to be a spam source, till you can pass as many technical issues as the receive wants to put on you [02:07] If it's simple as you describe, patdk-lap , then that's now my first order of business [02:08] receiving is as easy as setting an mx entry, and listening on port 25 :) [02:08] Because right now, all my logging services etc are configed to send email to me@myddns.com [02:08] patdk-lap: .. though receiving is often made difficult to try to raise the technological hurdle of people sending mail; you know, assume they're spammers first :D [02:08] sarnold, well I said receiving was easy, not keeping out spam :) [02:08] patdk-lap: yes :) [02:08] To recieve mail from outside, I need to open port 25 in router, correct? [02:09] firewall [02:09] Just firewall on server? [02:09] routers do ip addresses, not ports [02:09] No, like port forwarding on router [02:09] .. except in the case of NAT-routers.. [02:09] exactly [02:09] Xanthippus, then your probably have port 25 blocked by your isp [02:10] Why would you think that, patdk-lap ? [02:10] well, nat routers is a firewall, nat is a firewall service :) [02:10] many ISPs will unblock if you ask politely. some will remind you that your AUP says "run no servers". hehe. :) [02:10] ya, normally the isp will require you pay for static ip for that [02:10] and normally do't run nat-routers on them [02:10] My router's running DD-WRT, and it has NAT/QoS section, so I would assume my router is "NAT router"... [02:12] you can always give it a shot [02:13] Wait, if opening ports on the router isn't necessary, I can close 22 aka ssh? [02:13] Because I have confirmed that I can SSH to server via this port [02:13] keep it forwarding :) [02:13] k [02:14] though consider moving to another port to (slightly) cut back on automated probing [02:14] and consider disabling password access, if you haven't already [02:14] Automated probing by who [02:14] worms [02:14] the evil one [02:14] Password access = enter password to access shell? [02:14] lol patdk-lap [02:15] Xanthippus: yes. ssh keys are more secure by a factor of millions. :) [02:15] Okay, how do I know if it's not using both, if that's even possible [02:16] Because when I SSHed from my Mac for the first time, it asked if I wanted to remember an RSA key or something [02:17] Xanthippus: look for "PasswordAuthentication no" in your /etc/ssh/sshd_config file [02:17] Xanthippus: that would be the server's key, so you could tell if it is being impersonated in the future [02:17] If it's #PasswordAuthentification yes then remove # and put no? [02:18] yes. make sure you can log in with a key first :) [02:20] after you test your key, and change that option, restart the ssh service. [02:20] The key locations are in the config file itself right? [02:21] the EOL dates listed are when there are no more security patches right? https://wiki.ubuntu.com/Releases [02:21] Xanthippus: yes, in AuthorizedKeysFile, though most people don't need to touch it. it just looks into ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default. [02:21] so if I wanted the longest possible security support Precise is the release for me [02:21] NomadJim: correct on both. [02:22] NomadJim: do note that some aspects of the distribution are supported for less than five years: https://wiki.ubuntu.com/PrecisePangolin/ReleaseManifest [02:23] Is there a private/public key? [02:23] Which do I use? [02:24] And in terminal, how do I incorporate certs? [02:24] Xanthippus: on the client, the private lives in ~/.ssh/id_rsa, public lives in ~/.ssh/id_rsa.pub -- and on the server, the public lives in ~/.ssh/authorized_keys. [02:25] Xanthippus: ssh-copy-id is handy to automate logging in and copy-pasting the public portion onto the authorized_keys file [02:35] Xanthippus, every ssh server has an RSA key that identifies that computer (to protect against MITM attacks if you connect a second time and the key changes) that was the key you were being asked to remember or not [02:36] NomadJim, no more anything dates and 12.04 is the most recent LTS === shantorn_ is now known as shantorn === cpg|away is now known as cpg === n0ts_off is now known as n0ts [04:42] Hi guys, I'm back [04:44] How would I login to SSH with an authentication key on OS X? [04:48] Xanthippus, same way as anywhere else. ssh-keygen; ssh-copyid user@remote; ssh user@remote; [04:48] Xanthippus, you do have to configure the ssh server to be running on OSX and verify it accepts auth-key logins [04:49] My server is on Ubuntu, and I want to connect to it from OS X [04:49] !ssh [04:49] SSH is the Secure SHell protocol, see: https://help.ubuntu.com/community/SSH for client usage. PuTTY is an SSH client for Windows; see: http://www.chiark.greenend.org.uk/~sgtatham/putty/ for it's homepage. See also !scp (Secure CoPy) and !sshd (Secure SHell Daemon) [04:49] brb [04:53] hello [04:53] today i woke up to find my server with a flashing caps lock key [04:54] i.e., kernel panic [04:54] what can i look at to see what may have gone wrong? [04:54] stiv2k: auto upgrade? hardware broken? [04:55] holstein i beg your pardon? [04:56] stiv2k: im suggesting you look at an auto upgrade that might have broken something.. unless you dont do auto upgrades, then you can ignore that.. or maybe a bad component. motherboard failure.. etc [04:57] holstein, oh, i think its setup to only automatically do security updates [04:57] and... the hardware shold be fine afaik... i was asking more along the lines of what log file might be able to tell me what happeneds [04:57] it stayed online for like two weeks no problems until this morning [04:59] stiv2k: i would just poke around in the logs... depends on the issue. it might have locked before it could log.. the machine is back up? [04:59] yes it is after i did a hard restart [04:59] my irc client is actually running on it [04:59] so me being here talking to you means its working :P [04:59] i would probably just remove the install from the equation.. run a live CD on the hardware with the hard drive out [04:59] stiv2k: i dont know that you are using it for IRC [05:00] i know that's why i mentioned it :) [05:18] Back [05:33] How do I use the ssh-copy-id? [05:33] Do I run it from the server or from the computer I'm trying to connect it to? [05:34] https://help.ubuntu.com/community/SSH/OpenSSH/Keys is what i used [05:34] from the computer you want to send the key from [05:34] if you are just wanting to connect locally to another box on the lan, you can just use the password [05:36] No, I plan to SSH from outside [05:37] holstein, i think you are confusing telnet with ssh. there is no security risk to doing password across an unsecured network, its just inconvenient [05:37] Okay, I did the ssh-copy-id command from my Ubuntu server, and inputted "me@mymac" as the parameter [05:37] Xanthippus, its from the client to the server [05:38] AH [05:38] Xanthippus, on client you run ssh-copy-id user@server [05:38] So can I just delete authorized_keys on the server and do on the client? [05:38] the auth_keys file resides on the server. the server checks that to compare to the credentials presented by the client [05:39] you have enabled the ubuntu system to ssh into the mac [05:39] AH [05:39] i didnt mean to imply you could or should do the password.. just that it might be easier to configure rather than configuring a key [05:39] (without the password) [05:39] Using the key I generated on the Ubuntu machine? [05:40] the key is the way to go though... if you dont mind setting it up [05:40] Xanthippus, yes [05:40] Ah [05:40] Why can't anyone just "ssh-copy-id"? [05:41] Isn't that more insecure? [05:41] Than a passowrd? [05:41] Xanthippus, auth keys are more secure [05:41] copy-id requires a password to do the initial setup [05:41] thereafter you could disable password access [05:41] and you would be more secure [05:42] it might help to take a step back and talk about public vs private keys [05:42] Okay, it appears that Mac doesn't have ssh-copy-id [05:42] But I found this, which one do I use? http://www.commandlinefu.com/commands/view/188/copy-your-ssh-public-key-to-a-server-from-a-machine-that-doesnt-have-ssh-copy-id [05:42] when you ssh-keygen you create id_rsa and id_rsa.pub [05:42] you copy id_rsa.pub to the server and put it in the servers auth_keys file [05:43] So do ssh-keygen from client?! [05:43] you can do that with ssh-keygen on the client and then "scp ~/.ssh/id_rsa.pub user@server:~/.ssh/id_rsa.pub.client" [05:43] So do I delete the keys that I created on my server? :-/ [05:44] Xanthippus, no need to [05:44] unless you want to [05:44] I did that ssh keygen on my server, but that's obviously wrong right? [05:44] presumably you trust both systems equally so you might be just as happy going from ubuntu->mac as from mac->ubuntu [05:45] I don't do ubuntu --> mac [05:45] Only for ftp [05:45] you may not in practice do it, but in theory would you disallow it? [05:46] ...no [05:46] then don't worry about it... if you were to be concerned that the ubuntu server was untrustworthy you would delete the line in the macs auth_keys file [05:46] Or just delete the whole file altogether because there's only 1 key [05:47] sure [05:47] the auth_keys file is a list of identities to accept and allow access [05:47] Okay, so down to business: Where do I run the ssh-keygen? Mac or Ubuntu? Ubuntu is the server [05:47] I know [05:48] you run ssh-keygen on the client. that defines an identity for the client [05:48] you copy the id_rsa.pub from the client to the server (via scp or sneakerNet) [05:48] Okay [05:48] and add the id_rsa.pub (its a single line) to the authorized_keys file on the server [05:49] you can further modify that line in authorized_keys to further restrict the conditions under which that key is accepted (ie accept only from certain ip addresses, or restrict the programs that can be run, etc) [05:50] Oh okay, there we go. I generated key on Mac [05:50] Xanthippus, so now you need to copy it to the server. "scp ~/.ssh/id_rsa.pub user@ubuntu:~/id_rsa.pub.mac" [05:51] I can add the .mac extension? [05:51] then you can "ssh user@ubuntu" and you will see id_rsa.pub.mac in $HOME [05:51] Xanthippus, sure extensions are meaningless [05:51] Oh... [05:51] How about this: scp ~/.ssh/id_rsa.pub user@machine:.ssh/authorized_keys [05:51] and you dont want to confuse id_rsa.pub from the mac with the id_rsa that exists on the server [05:52] thats ok ONLY IF authorized_keys is empty [05:52] otherwise you blew away your configuration [05:52] There is no authorized_keys [05:52] then you can do that. [05:53] Awesome [05:53] finally you have to correct permissions of the file on the server [05:53] so "ssh user@ubuntu" followed by "chmod 600 ~/.ssh/authorized_keys" [05:53] and "cat ~/.ssh/authorized_keys" to double check it is what you want it to be [05:54] It's complained that authorized_keys doesn't exist [05:54] Does it need to be a folder? [05:54] what is the exact command you wrote? [05:55] scp ~/.ssh/id_rsa.pub user@machine:~/.ssh/authorized_keys [05:56] that should be ok. [05:58] Well here's what came of it: scp: /home/user_of_ubuntu_server/.ssh/authorized_keys: No such file or directory [05:58] OH my mistake [05:59] Deleted the entire ~/.ssh directory, sorry [05:59] Okay, I coped it. Now what? [06:00] Xanthippus, now ssh user@machine [06:00] you have to fix up two sets of permissions [06:00] ? [06:00] chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys; [06:00] Oh okay [06:01] then "ls -l ~/.ssh" and verify that . has rwx------ and that authorized_keys has rw------- [06:02] Both have rw [06:03] Do I need to run chmod as root [06:03] ? [06:03] Xanthippus, the directory "." needs rwx [06:03] no you own the files you can chmod them [06:03] Oh [06:03] and it would be "ls -al ~/.ssh" forgot the a [06:04] . is drwx [06:04] so is .. [06:04] yes but after the drwx it should be all -'s for "." and after the rw all -'s for auth_keys [06:05] for ".." its going to be something like rwx-r-xr-x depending upon configuration [06:05] but we don't care about ".." [06:05] ".." is ~ we are trying to secure ~/.ssh which is "." [06:06] Oh [06:06] Well there are no 's [06:06] Just dashes [06:07] thats what we want [06:07] drwx------ and -rw------- [06:09] Oh okay [06:09] Well then in that case it's all good [06:09] Xanthippus, so now you can test it [06:09] logout then login? [06:09] "exit" from the ssh session, and try ssh user@machine again [06:10] it should just let you in [06:10] If I have pwd authentification, I have to enter that? [06:10] Because it's still asking me for it [06:11] did you put a password on the key you generated with ssh-keygen [06:11] because if you did it would ask you for that password, because it needs that to unlock the id_rsa file [06:12] and then you are usually ok for the rest of your desktop session on the client [06:14]