Nine_9 | seriously, it seems there's no opensource webmail that can manage multiple accounts at once. | 01:53 |
---|---|---|
Nine_9 | it's a pity I'd be forced to go closed-source :( | 01:54 |
baymont | Can anyone provide some help with the Squid proxy | 05:52 |
NginUS | How do I see what I have set as an environment variable? And how do I reset it to what I want it to be? | 07:36 |
NginUS | How do I set the SERVICE_TOKEN environment variable to match that of a value in a config file? | 07:53 |
savr | hi | 07:56 |
savr | why is all the java software in ubuntu really out of date | 07:56 |
savr | like solr/tomcat even eclipse | 07:56 |
savr | they're still out of date for 13.04 | 07:57 |
savr | I know java software doesn't really need to be installed from apt but it is nice to get all the system scripts | 07:57 |
savr | is there a ppa somewhere that I haven't found? | 07:57 |
histo | savr: How "out of date" are they? | 12:09 |
savr | eclipse is years old | 12:09 |
histo | savr: perhaps no one is maintaining the package anymore. | 12:11 |
savr | tomcat is like half a year old | 12:11 |
savr | solr is still on 3.6 | 12:12 |
histo | !info eclipse | 12:12 |
ubottu | eclipse (source: eclipse): Extensible Tool Platform and Java IDE. In component universe, is optional. Version 3.8.0~rc4-1ubuntu1 (quantal), package size 16 kB, installed size 121 kB | 12:12 |
savr | 4.2 has already been released | 12:12 |
histo | !info tomcat | 12:12 |
ubottu | Package tomcat does not exist in quantal | 12:12 |
savr | !info tomcat7 | 12:12 |
ubottu | tomcat7 (source: tomcat7): Servlet and JSP engine. In component main, is optional. Version 7.0.30-0ubuntu1.1 (quantal), package size 37 kB, installed size 353 kB | 12:12 |
savr | oh one sec | 12:14 |
histo | savr: which repo is eclipse in? | 12:14 |
histo | savr: that's why | 12:15 |
savr | tomcat 7.0.35 has recently been pulled in from debian experimental to 13.04 | 12:15 |
histo | It's maintained by the community | 12:15 |
histo | tomcat is in main so it will get updated | 12:15 |
savr | yeah they seem to be pulled in from debian | 12:15 |
histo | If no one updates eclipse it will not be ever updated. | 12:15 |
savr | the latest release of tomcat is .37 | 12:15 |
savr | so it is two releases behind | 12:16 |
histo | If it's something you use quite a bit you may want to package it. | 12:16 |
savr | hmm | 12:16 |
histo | savr: linux != windows if you are looking for bleeding edge system that breaks frequently you may want a different distro. | 12:16 |
savr | solr is the one really bothering me | 12:16 |
savr | I'm not... just hope the security fixes are ported back | 12:17 |
histo | savr: no one is stopping you from building the package from source. If you do I would recommend checkinstall. It will build a deb for you for easy removal. | 12:17 |
savr | if the security fixes aren't being handled I'm better off installing it myself | 12:17 |
histo | savr: that's why we have the security team | 12:17 |
savr | I like leaving my ubuntu boxes to auto update it's what makes ubuntu so great | 12:18 |
savr | so I prefer to use the apt packages as much as I can | 12:18 |
savr | histo: is it safe to rely that security fixes are being back ported to software like tomcat or should I be managing the latest version on my boxes myself? | 12:19 |
yeats | savr: security fixes are applied, yes. If you're paranoid and have the time, you can manage it manually | 12:20 |
savr | I don't have time :) | 12:20 |
savr | thanks security team :D | 12:20 |
yeats | savr: I would be careful with auto update - sometimes you want to review what's being installed before applying it | 12:20 |
yeats | especially if you're managing manual builds | 12:21 |
savr | yeah | 12:21 |
=== histo1 is now known as histo | ||
=== railsraider_ is now known as railsraider | ||
__dan__ | hi there guys | 14:58 |
__dan__ | having some kernel panic related fun with megaraid | 14:59 |
__dan__ | using an LSI megaraid sata 300-8x card pci-x card | 14:59 |
__dan__ | can anyone help or drum up some ideas etc? | 15:00 |
__dan__ | compiled latest kernel (3.8.3) overnight and tested just now, still getting lockups :/ | 15:01 |
__dan__ | same card has worked without fault for years on win2003 server | 15:02 |
=== loffa is now known as loffa|away | ||
__dan__ | cmon 361 ppl someone must be alive :P | 15:07 |
=== three18t- is now known as three18ti | ||
RoyK | __dan__: got a dump of that panic? | 15:31 |
__dan__ | no mate sorry it never dumps :/ or at least i dont think it does | 15:32 |
__dan__ | it just hangs | 15:32 |
__dan__ | sometimes it flashes the caps and scroll lock lights | 15:32 |
__dan__ | http://bugs.centos.org/view.php?id=5383 | 15:32 |
__dan__ | this looks promising but im not sure whether that patch has made it into any kernel i've tried yet | 15:32 |
__dan__ | and im loathed to install centos although i am comfortable with it | 15:33 |
__dan__ | was just looking at the kernel source to see if that patch has made it into 3.8.3 but im way out of my depth tbh | 15:34 |
__dan__ | seems like at least some of that patch made it into upstream | 15:39 |
__dan__ | although it has been twiddled | 15:39 |
__dan__ | so it seems to me anyway | 15:39 |
__dan__ | been all up and down the internet and tbh other than install centos just to see if it works im out of ideas now | 15:43 |
__dan__ | i know its an old raid card but it's all i got and was working under win2003 server for years | 15:44 |
histo | !enter | __dan__ | 16:14 |
ubottu | __dan__: Please try to keep your questions/responses on one line. Don't use the "Enter" key as punctuation! | 16:14 |
Monotoko | hey guys, after today... is there anything I can do that would stop certain commands actually being executed on servers? One of our clients demanded sudo access to a server, and accidentally ran ... a bad command I'm not sure I'm allowed to put here | 16:14 |
histo | Why would you give a client sudo access | 16:15 |
histo | they have the keys to the kingdom then. | 16:15 |
histo | First you should ask what they need sudo access for in the first place. | 16:15 |
Monotoko | histo, he was a Linux tech himself, I wasn't there when my boss authorized it, I personally wouldn't have given them the access | 16:16 |
histo | Monotoko: You would need to ask why they need the access for what particular file or command? Then just provide them access to that and not the whole system. | 16:17 |
Monotoko | sadly he's my boss and I can't seem to convince him that he really shouldn't hand this access out to clients....and now he's asking about this... and I can't find anything on the web about it - I'm planning to tell him when I next see him "this is the way to do what you wanted, however these things are wrong, and this would be a better way to do it" | 16:18 |
Monotoko | then if he wants to implement the blacklist of sorts, it's on his head next time someone screws up | 16:19 |
histo | Monotoko: Your plan is correct. You can't give them sudo and then restrict certain things. They will find a way around it especially since they can just sudo -i or su - to get root. The proper way would be to just give them access to what they need. Or do it the boss's way and not have any access control at all. | 16:20 |
qman__ | sudoers has functionality to grant access for specific commands | 16:20 |
qman__ | however, it's whitelist-style, not blacklist | 16:20 |
__dan__ | lxc is the way ahead :) | 16:21 |
histo | Monotoko: qman__ has it right as i've been saying you have to give them access to the commands they need whitelisting | 16:21 |
qman__ | for example, I use it for the backuppc user to back up my system | 16:21 |
qman__ | backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender * | 16:22 |
Monotoko | qman__, could you whitelist everything, then blacklist certain things in the sudoers file? (I know this isn't the way to do it, and I have suggested he should only give them what they need already - I'm just going to give him the solution he's asked for if possible, then tell him for one last time that the better ways would be to only give them commands they need, not give them access | 16:22 |
Monotoko | etc etc) | 16:22 |
qman__ | that line allows only that user to run only that command as root | 16:22 |
sw_ | hi is it possible to keep apache VirtualHosts in one single file, instead of separate sites in /etc/apache2/sites-available? | 16:22 |
qman__ | Monotoko, no, that is not possible | 16:23 |
qman__ | it does not have a blacklist function | 16:23 |
Monotoko | qman__, okay cheers, I will have a google around to see if I can find anything with a blacklist function, but if not I will just tell him what he wants isn't feasible | 16:23 |
qman__ | as mentioned, such a thing is pointless, because the user could write their own script or program and work around it, if not abuse the shell | 16:23 |
qman__ | a whitelist is the only way to actually secure things | 16:24 |
qman__ | you won't find one, but even if you do, it won't work | 16:24 |
qman__ | it's not possible to secure a system that way | 16:24 |
Monotoko | qman__, I know... but work is work, and when your boss isn't being logical it's difficult to convince him... hopefully if I find something, and it breaks, he will understand | 16:24 |
Monotoko | personally I'm hoping a user does break it so he sees sense | 16:25 |
qman__ | it's your job to demonstrate this without doing that | 16:25 |
qman__ | show him a list of fork bombs, or a list of ways to delete files, make it visible that there's an infinite number of possible ways to actually achieve it | 16:26 |
Monotoko | qman__, I have tried... I've shown him the hex bomb, and told him there could be many many others created that this blacklist thing he wants wouldn't pick up | 16:26 |
qman__ | then, in my opinion, it's time to dust off the resume | 16:27 |
Monotoko | trust me, this has turned into a bit of a heated argument at work today... with him pointing fingers at me and me pointing fingers at him | 16:27 |
Monotoko | I explicitly told him not to give users root access to servers because that's what we are paid to manage | 16:27 |
Monotoko | and he went and did it anyway | 16:28 |
qman__ | I won't be held responsible for systems that incompetents have root access on | 16:30 |
qman__ | and that's exactly the position you're in | 16:30 |
Monotoko | I'd rather him call me at 2am to sort a problem | 16:30 |
Monotoko | than give the bloody user root access | 16:31 |
Monotoko | >.> | 16:31 |
sw_ | hi is it possible to keep apache VirtualHosts in one single file, instead of separate sites in /etc/apache2/sites-available? | 16:31 |
qman__ | sw_, yes, but that's not the debian way | 16:31 |
__dan__ | just write a script that runs for him instead of sudo | 16:31 |
__dan__ | and says "Bad command or file name" | 16:31 |
__dan__ | or sommet | 16:31 |
__dan__ | eheh | 16:31 |
histo | lol | 16:31 |
sw_ | qman__: it still works though? | 16:31 |
qman__ | yes | 16:31 |
histo | You could make a fake sudo lmao | 16:32 |
qman__ | as a matter of fact, the stock apache configuration is a single file | 16:32 |
qman__ | debian splits it up to make it more manageable | 16:32 |
sw_ | qman__: how would we do that if we wanted them all in a single file? like where should it be stored etc.? | 16:32 |
Monotoko | histo, that's so insane... it sounds like exactly what he'd go for | 16:32 |
__dan__ | sometimes u gotta fight moron with moron :) | 16:32 |
qman__ | sw_, it can go in any of the files | 16:33 |
__dan__ | or do what i said before and play with lxc | 16:33 |
qman__ | sw_, there isn't a right one to do that in, because that's not the right way to do it | 16:33 |
__dan__ | make him a little sandbox you can blow away and reinstate in 30 seconds :) | 16:33 |
sw_ | qman__: how isn't it the right way? the Debian way is the right way? | 16:34 |
Monotoko | "here is the new username and password for this server, whatever you do, do not ever give it to the user *hint* *cough*" | 16:34 |
qman__ | sw_, ubuntu is debian based and uses the debian way, therefore the right way to do things on ubuntu is the debian way | 16:34 |
Monotoko | knowing him, il set that up, and he'll bloody not do it again | 16:34 |
qman__ | that's the supported way, the way the system is designed to be used | 16:34 |
qman__ | you can do whatever you like, of course | 16:34 |
Monotoko | hmmm, on an unrelated topic | 16:38 |
Monotoko | where is service located? I thought it was /sbin/service | 16:38 |
sw_ | qman__: is there a reason why Debian does it this way? | 16:38 |
__dan__ | still got this megaraid problem if anyone fancies taking that on | 16:38 |
qman__ | sw_, as mentioned, it's for manageability, if each site has its own file, it's easy to turn them on and off with the a2ensite/a2dissite commands, for both troubleshooting and general management purposes | 16:39 |
__dan__ | although i compiled latest from kernel.org and disabled pcie aspm and so far badblocks hasnt made it puke :) | 16:39 |
__dan__ | also does anyone know how to force text mode on bootup? | 16:44 |
__dan__ | i did it once but i forget - this machine tries setting 1280x1024 and my screen doesnt display that properly | 16:45 |
qman__ | nomodeset | 16:46 |
qman__ | if you mean disabling KMS | 16:46 |
qman__ | and you can configure in grub to use a different resolution at boot time | 16:47 |
__dan__ | kind of - i just want standard text mode | 16:49 |
qman__ | as opposed to? | 16:49 |
qman__ | are you using X or a high resolution console? | 16:50 |
__dan__ | no it's text only, doesnt boot a gui | 16:50 |
__dan__ | but it sets the mode to 1280x1024 | 16:50 |
__dan__ | i just want it to leave things alone and use whatever it gets when it boots | 16:50 |
qman__ | ok, then if you append nomodeset to the kernel line, it will boot to an old 80x25 console instead of a high resolution framebuffer | 16:50 |
=== loffa|away is now known as loffa | ||
__dan__ | cool yeah thats exactly what i want, will try next time it dies :) thx | 16:50 |
qman__ | KMS is really good in general, that's why it's default | 16:52 |
qman__ | works on widescreen and everything | 16:52 |
qman__ | but some monitors report resolutions that they don't work well or at all with | 16:52 |
__dan__ | ah this is an old ati rage onboard, its a server | 16:53 |
__dan__ | doubt it would know what to do with kms | 16:53 |
__dan__ | and since i installed 3.8 kernel it doesnt display at all - on 3.5 ubuntu standard kernel it cut off the left hand side | 16:54 |
=== loffa is now known as loffa|away | ||
=== tmclaugh[work] is now known as tmclaugh- | ||
=== tmclaugh- is now known as tmclaugh[cafe] | ||
=== loffa|away is now known as loffa | ||
sliddjur | How do I block an IP to connect to my server? I see somebody has tried to login via ssh over 9000 (!) times | 20:07 |
pmatulis | sliddjur: just make sure you're using keys for authentication | 20:20 |
sliddjur | pmatulis: i want to block an ip | 20:20 |
pmatulis | sliddjur: not much sense in doing that as IPs tend to change a lot. but use iptables | 20:21 |
pmatulis | sliddjur: if not familiar with iptables (linux firewall) use ufw, it's a frontend that is more user-friendly | 20:21 |
pmatulis | !info ufw | 20:21 |
ubottu | ufw (source: ufw): program for managing a Netfilter firewall. In component main, is standard. Version 0.33-0ubuntu2.1 (quantal), package size 156 kB, installed size 714 kB | 20:21 |
sliddjur | i have ufw | 20:21 |
sliddjur | but it doesnt seem to work | 20:22 |
sliddjur | "ufw deny proto tcp from 59.6.39.170" | 20:22 |
sliddjur | still get tries from that ip | 20:22 |
sliddjur | I also did iptables -A INPUT -s 59.6.39.170 -j DROP | 20:23 |
pmatulis | sliddjur: i don't have the syntax memorized. you're prolly missing something | 20:26 |
pmatulis | sliddjur: a quick search shows 'sudo ufw deny from 192.168.0.1 to any port 22' | 20:27 |
pmatulis | sliddjur: also, you need to look at all the rules. an earlier allow rule may be triggering (first-match-wins) | 20:30 |
shauno | I'd look into something like fail2ban so they never reach 9000 | 20:30 |
sw_ | sliddjur: pastebin your $ iptables --list, might be best to $ iptables --flush and start over though, as pmatulis said you might have an earlier ALLOW rule that's overriding it | 20:43 |
metap0d | Hi everyone, I've just set up Ubuntu Server 12.10 on my home computer but I'm having issues setting a static IP. I followed some documentation I found online but I end up having no internet access. My googling tells me this is an issue related to DNS so I tried to add "nameserver 192.168.0.1" to use my router but that didn't fix it. Any ideas? | 21:34 |
metap0d | For the time being I've installed SSH server on the machine and set the network back to dhcp | 21:35 |
Monotoko | hey guys, I have a bit of a weird problem... my server is set up with BIND9, and the domain itself works | 22:24 |
Monotoko | but I can't query it: http://pastebin.com/r9v5LDbR | 22:24 |
Monotoko | here is the contents of the /var/lib/bind entry: http://pastebin.com/c0CZqHX0 | 22:26 |
Monotoko | (very basic I know - maybe that's the problem here?) | 22:27 |