[01:07] <petey> if you're doing something like sudo find you wont need to do it recursively right
[01:07] <petey> a sudo find chmod since it's finding all of those file types
[01:08] <sarnold> hallyn_: hey, how do I test this new libvirt package in quantal? :) I don't recall exactly the steps I had to take to trigger the bug in the first place...
[01:08] <sarnold> petey: indeed, find recurses down directories and mountpoints by default
[01:08] <petey> okay cool thanks
[01:09] <sarnold> hallyn_: I've got a suspicion that it's something like (a) start from precise (b) install a specific SRU release of libvirt and dnsmasq (c) upgrade to quantal...? (d) install new libvirt from proposed and see if the link is repaired?
[01:14] <sarnold> hallyn_: (in other words, I'm not very confident in my ability to provide good verification of your package... I'm hoping you or stgraber have an easy way to reproduce the problem and verify the fix. :)
[01:51] <hallyn_> sarnold: apt-get install libvirt-bin; apt-get remove libvirt-bin; apt-get install libvirt-bin should do it
[01:51] <sarnold> hallyn_: oh, keen, that's easy to try
[01:51] <hallyn_> you shouldn't have to start from precise.  it was the act of removing the package which removed the /etc/dnsmasq.d/libvirt-bin, and installing it then didn't recreate it
[01:52] <hallyn_> then apt-get purge libvirt-bin; apt-get install libvirt-bin; add quantal-proposed; apt-get update; apt-get remove libvirt-bin; apt-get install libvirt-bin
[01:52] <hallyn_> i *think* that's all it is, though there were a few bugs along the way there weren't there...
[01:54] <hallyn_> sarnold: thanks  (heading out)
[01:54] <sarnold> hallyn_: have a good night :)
[02:12] <Free99> hey everyone. Having an issue where someone on my network keeps trying to nab my server's IP address. Can't tell if its malicious or accidental, but... any suggestions on what to do?
[02:14] <sarnold> Free99: tcpdump or ethereal ought to show you the MAC address involved. if you have managed switches, you can drop packets from that MAC before they cause problems.
[02:15] <pythonirc1012> TheLordOfTime: Any pushes yet?
[02:15] <Free99> sarnold, my organization is big enough where I'd have to loop the network guy in, and he's very busy (but I know that's the actual solution). Until then, I seem to recall some app or something in the repos that would hold on to your ARP registration really tightly
[02:15] <Free99> like it'd block anyone else from stealing your ip pretty effectively
[02:16] <pythonirc1012> does anyone have a good backup script/software for backing up /home?
[02:16] <sarnold> pythonirc1012: investigate rsnapshot and duplicity
[02:16] <Free99> sarnold, how would I do that with tcpdump? I know arping can do that kind of thing
[02:17] <sarnold> Free99: add enough -e switches to see ethernet macs..
[02:17] <pythonirc1012> sarnold: thanks
[02:18] <Free99> sarnold, what if they are spoofing my MAC address? I'm sorry if these are obvious questions, never dealt with this before
[02:18] <pythonirc1012> sarnold: in my case, my users have copies of exactly the same file stored multiple times. I was hoping that the backup software was good enough to not backup multiple copies of the same file.
[02:19] <Free99> pythonirc1012, the ZFS filesystem supposedly does this pretty effectively, it's called data deduplication
[02:19] <Free99> try looking around to see if anyone has ported just the data dedup part into a utility or something
[02:20] <sarnold> Free99: sorry, I can't recall the name of the tool you're thinking of.. and no idea what to do if they clone your mac, you're in trouble at that point, you'll need to mac-firewall every port, I expect. :/
[02:20] <Free99> crud-butter
[02:20] <Free99> so wait a sec, I thought the networks were a lot more resilient to this kind of thing
[02:20] <sarnold> rsnapshot is decent at not duplicating files itself, but I doubt it recognizes duplicated files in homedirs :)
[02:21] <Free99> is that the type of issue that ipsec was supposed to handle?
[02:21] <sarnold> .. and I don't know how well it would manage, even if you hardlinked them all
[02:21] <pythonirc1012> sarnold: perhaps dar would help?
[02:21] <sarnold> Free99: ipsec would prevent the new machine from impersonating yours, but yours would be every bit as offline..
[02:21] <sarnold> pythonirc1012: maybe? never heard of it before :)
[02:22] <Free99> (facepalm)
[02:24] <agu10^> Hello. I had a software running on https (443 port) but after installing Nginx, it stops answering on that port. Any idea why?
[02:26] <sarnold> agu10^: perhaps your nginx is configured to listen there? check the output of sudo netstat -nlpt
[02:27] <agu10^> sarnold, http://paste.ubuntu.com/5649815/
[02:28] <TheLordOfTime> wheee i missed things
[02:28] <TheLordOfTime> pythonirc1012:  yeah i did
[02:28] <TheLordOfTime> pythonirc1012:  not sure if i broke it or not, but it builds... :/
[02:28]  * TheLordOfTime yawns
[02:28] <sarnold> agu10^: hrm, I don't even see :443 ...
[02:28] <agu10^> yeah, i don't know what happened
[02:28] <pythonirc1012> TheLordOfTime: Trying it out now
[02:28] <TheLordOfTime> agu10^:  what did you have installed on that port?
[02:28] <TheLordOfTime> or rather what were you running before nginx
[02:29] <agu10^> iredmail
[02:29] <pythonirc1012> TheLordOfTime: This time it started and the pid error is gone.
[02:30] <agu10^> ooooh. iredmail is set up to apache and has a virtualhost.conf for apache. I'm running nginx :/
[02:30] <TheLordOfTime> pythonirc1012:  yeah that was the idea :P
[02:30] <pythonirc1012> TheLordOfTime: this time it starts with the default config, but not with my config - complains invalid option /var/run/nginx.pid
[02:30] <TheLordOfTime> pythonirc1012:  pastebin your ENTIRE config file
[02:31] <TheLordOfTime> agu10^:  and that's your issue
[02:31] <TheLordOfTime> agu10^:  does iredmail run as its own native application?
[02:32] <agu10^> no, it doesn't
[02:32] <agu10^> i don't know
[02:38] <TheLordOfTime> sarnold:  whenever there's a weird question about nginx, you're free to ping me
[02:38] <TheLordOfTime> agu10^:  here's an example conf file for iredmail on nginx: http://wiki.nginx.org/IRedMail
[02:38] <TheLordOfTime> can't guarantee it works though, I don't use IRedMail
[02:39] <sarnold> TheLordOfTime: thanks :)
[02:39] <TheLordOfTime> sarnold:  especially when there's a huge version difference between what's in Ubuntu and what they're running :P
[02:40] <TheLordOfTime> case in point pythonirc1012's situation (sorry for the ping!)
[02:40] <sarnold> TheLordOfTime: indeed, that'd have been supremely confusing without you :)
[02:40] <TheLordOfTime> sarnold:  xD
[02:40] <TheLordOfTime> sarnold:  lucky random appearance i guess xD
[02:41] <pythonirc1012> TheLordOfTime: do you recommend running ubuntu's nginx instead of the PPA nginx? I think the problem was that I was using some of the new features of nginx at the time I configured it
[02:42] <TheLordOfTime> pythonirc1012:  i stick to what's in the PPA, but meh
[02:43] <TheLordOfTime> pythonirc1012:  new features in 1.2.x are probably standard features in 1.4.x
[02:43] <TheLordOfTime> pythonirc1012:  but your error was unrelated to features
[02:43] <TheLordOfTime> so IDK what's with that
[02:44] <TheLordOfTime> pythonirc1012:  the stable PPA's updated based on whatever's in Debian, so...
[02:44] <TheLordOfTime> ... yeah, i stick with debian stuff.
[03:05] <Free99> TheLordOfTime, I have several nginx servers to manage. Having a lot of trouble supporting webdav though, do you have any tips?
[03:08] <pythonirc1012> Free99: ubuntu? what OS?
[03:09] <Free99> yeah, ubuntu
[03:09] <Free99> I had to make a really weird config file so that WPMU and Owncloud would work together
[03:09] <Free99> but the webdav doesn't work
[03:09] <Free99> *webdav part of owncloud
[03:10] <pythonirc1012> Free99: what are you using owncloud for?
[03:11] <Free99> file hosting/sharing
[03:11] <pythonirc1012> Free99: with? at work or personal?
[03:12] <Free99> work. It's a server for engineering students to share/backup large CAD files
[03:12] <pythonirc1012> ah cool
[03:12] <Free99> as well as make websites for their respective organizations easily
[03:12] <pythonirc1012> how do you deal with the authentication part then?
[03:14] <agu10^> Why is my email taking so long into my inbox? I'm using postfix with iRedMail.
[03:14] <Free99> what do you mean? little hackery of the backend keeps the same credentials in the database for both of them
[03:14] <Free99> agu10^, stop posting in several rooms at once, that's pretty annoying
[03:15] <agu10^> Free99, what do you suggest instead?
[03:16] <Free99> not everyone is at their keyboard waiting for someone to talk to bro. Just wait a little, try somewhere else when you think you've waited enough and nobody helped you
[03:17] <agu10^> okay, i guess i should code a delay for cross-posts ?
[03:17] <pythonirc1012> Free99: how many people are using this thing that you are setting up?
[03:18] <Free99> a bunch? at least 8 clubs, each has their own account and the club president delegates the user/pass to each member
[03:18] <Free99> each club has at least 5 users
[03:18] <Free99> (they have to, to become a club)
[03:19] <Free99> everything works so far but the webdav
[03:20] <pythonirc1012> so 40 users
[03:20] <TheLordOfTime> Free99:  which nginx package are you using
[03:20]  * TheLordOfTime doesn'
[03:20] <TheLordOfTime> bleh
[03:21]  * TheLordOfTime doesn't use WebDAV on his deployments, but might be able to tell you if you're using the wrong nginx binary package
[03:21] <Free99> TheLordOfTime, nginx 1.1.19 I believe
[03:22] <TheLordOfTime> Free99:  i meant nginx-light, nginx-full, etc.
[03:22] <TheLordOfTime> Free99:  wait 1.1.19...
[03:22] <TheLordOfTime> that's... either precise or quantal...
[03:22] <TheLordOfTime> !ping
[03:22] <TheLordOfTime> !info nginx precise
[03:22] <TheLordOfTime> yep precise
[03:22] <Free99> precise it is
[03:23] <Free99> I did nginx-naxsi
[03:23] <Free99> haven't setup the naxsi part yet, its disabled
[03:24] <axisys_> how should one install multiple perl modules ? one way is cat list-of-perl-modules | cpanm --interactive ..  is there a better way to do it?
[03:24] <TheLordOfTime> Free99:  I don't think the naxsi version of nginx ships with webdav support
[03:25] <Free99> hmm. how would I get naxsi along with the full module support then?
[03:25] <TheLordOfTime> but i'm on the nginx PPAs, so i have to dig in the 1.1.19 version instead...
[03:26] <TheLordOfTime> Free99:  a customized version of the naxsi package maybe, i don't see WebDAV and naxsi together in any of the binaries
[03:26] <Free99> (shrug) I guess I can live without naxsi, I have zbblock on the server too
[03:26] <TheLordOfTime> but remember i'm working with 1.4.x i don't have the 1.1.19 stuff around
[03:27] <Free99> let me check
[03:30] <Free99> ah cripes. my ssh server is acting up again
[03:30] <Free99> TheLordOfTime, I'll have to ask you tomorrow if you don't mind
[03:30] <Free99> maybe even monday
[03:30] <TheLordOfTime> Free99:  i am pulling a copy of 1.1.19 right now
[03:30] <TheLordOfTime> if you can hold on a sec i can double check
[03:32] <TheLordOfTime> Free99:  yeah, none of the packages ship with both naxsi and webdav
[03:32] <TheLordOfTime> and that won't ever be changed for precise, because it's kinda frozen that way
[03:32] <TheLordOfTime> the only way to get webdav + naxsi is to either build from source or have someone build you a customized version of nginx
[03:33]  * TheLordOfTime would do that but meh
[03:33] <Free99> lol
[03:33] <Free99> it's not a big deal, I'm fine with compiling myself and using checkinstall
[03:44] <Free99> heading to bed, thanks guys
[10:10] <shwaiil> hi
[10:10] <shwaiil> Q: My server is set up in a VM (virtualbox). I'd like to start apache2 automatically whenever the VM is started or the user logs in. What's the best way to do it? The best practice? Any suggestions are appreciated! Thank you ;)
[10:10] <shwaiil> I heard about "upstart" script
[10:13] <bekks> Just install Apache, and it is started by default.
[10:23] <shwaiil> bekks: thanks for looking. not really, whenever I restart the VM, apache is off
[10:23] <shwaiil> adding: service apache2 start, to /etc/rc.local and restarting my VM, I mean my ubuntu server it still doesn't auto init apache2
[10:37] <Shogoot> Hi guys i got this little php file im running on my webserver. its supposed to load some xml file and loop through and echo/write to file some data... but my opendir is failing.... must be the relative path i think, but my combination of solutions are not working. HOW CAN i see from which relative path the file is calling from? I know its from a /var/ww/html/etcx etc etc, but what is the visibility of the file?
[11:09] <oDiafanos> hello:) what monitoring system do you propose for monitoring web server with databases irc server and icecast ?
[11:11] <bekks> Nagios.
[11:13] <oDiafanos> is there any how to article to help me set it up on 12.04 server? I know the basics but I need it on a "live" srv and I can't experiment a lot
[11:14] <bekks> oDiafanos: http://www.nagios.org/documentation
[11:23] <jacobw> Icinga
[13:58] <yobro> hello
[13:59] <yobro> I can't seem to mount my dvd-rw, I'm getting an error message :"wrong fs type, bad option, bad superblock on /dev/sr0
[14:01] <bekks> yobro: Then how do you try to mount it?
[14:32] <gyre007> is there a way how I can tell which repo takes priority over which for certain package?
[14:32] <gyre007> there was some apt command but I can't seem to find it even in man pages...
[14:32] <Pici> The one with the latest version.
[14:32] <gyre007> not really
[14:32] <gyre007> if you have multiple sources...
[14:32] <gyre007> which provide same packages...
[14:33] <gyre007> how does apt figure out which one to get the package from ?
[14:33] <Pici> Are the packages the same version?
[14:33] <gyre007> not necessarily
[14:33] <gyre007> they can be different
[14:34] <Pici> I'm not sure how apt treats packages that are the same version, but the highest version number will always be pulled in the other case.
[14:35] <Pici> maybe I'm misunderstanding your question.
[14:35] <gyre007> lets say you have 5  nginx repos...and you decide to install nginx
[14:35] <gyre007> which repo will the nginx be installed from ?
[14:36] <gyre007> Pici: apt-cache policy nginx-full
[14:37] <gyre007> apt-cache policy <pkg_name>
[14:39] <gyre007> now the question is, how do you change the priorities...
[14:40] <Pici> gyre007: aha! found it.  according to the apt_preferences manpage, the entry earliest in the sources.list file will be used for packages with the same version in different repos.
[14:41] <Pici> I think the manpage also has information on how to set the priority for those
[14:42] <gyre007> im checking this now https://help.ubuntu.com/community/PinningHowto
[14:48] <gyre007> actually this wont prioritise the source over another..mm
[16:45] <kearneykid> does anyone know about smoothwall firewall (linux)
[16:49] <kearneykid> A ping is getting through the network and into the web but for some reason websites are being blocked
[16:49] <sarnold> kearneykid: sounds like you allow icmp but block tcp
[16:51] <kearneykid> u see it has been working all along and suddenly it just refuses my connections
[16:54] <kearneykid> sarnold: i cant find anything in the control panel that would let me block TCP
[16:54] <sarnold> kearneykid: I think you've already blocked tcp..
[16:55] <slide23> Does anyone know of a way to limit ssh accepting connections to a specific hostname? I have many virtualhosts setup that people attempt to connect to all the time and I dont want to limit ssh to just my IPs (because they may change or I may need to access it from somewhere else)
[16:56] <kearneykid> sarnold how will i un-block TCP?
[16:57] <andol> slide23: The ssh protocol doesn't really deal with hostname that way. There is (obviously) a DNS lookup on the client side, but that is about it. The server has no idea what hostname the client went for.
[16:58] <slide23> hrm dang
[16:58] <slide23> any other ideas for reducing login spam heh, I am using fail2ban which is helping
[16:59] <sarnold> kearneykid: sorry, I've never used smoothwall, can't suggest how to unblock a protocol..
[16:59] <sarnold> slide23: something hokey like port knocking?
[17:00] <andol> slide23: One option, especially if you are the only one connecting to the server, is to have sshd listen on an alternate port. While it might not matter much security wise, it will keep your log files a bit more clean.
[17:00] <kearneykid> sarnold: just looking at the firewall logs and there are connections blocked about 2 every second. most of them are odd ports like 53099
[17:00] <sarnold> kearneykid: src ports or dst ports?
[17:01] <slide23> hrm port knocking seems interesting
[17:02] <kearneykid> sarnold: its a different src ip going to my ip.
[17:02] <kearneykid> sarnold: there are both UDP and TCP ports
[17:03] <sarnold> kearneykid: note that outgoing requests from web browsers will use a randomly-selected port, often in the range 40,000-65535, for the source port..
[17:05] <kearneykid> sarnold: could this be the problem so; its blocking the websites for no reason
[17:05] <sarnold> kearneykid: hrm, can you pastebin your rules? perhaps someone here will be able to spot the issue
[17:06] <kearneykid> I'm sorry i can only post it here as the web isn't working
[17:07] <kearneykid> 11:12:12 IN=ppp0 OUT= MAC= SRC=189.222.24.70 DST=*****(MY IP) LEN=131 TOS=0x00 PREC=0x00 TTL=114 ID=22709 PROTO=UDP SPT=43731 DPT=25732 LEN=111
[17:08] <kearneykid> that is just a random one i picked out of the list
[17:09] <sarnold> that's just a blocked packet, not rule. but you can _irc_ fine but not http?
[17:09] <sarnold> how about https?
[17:10] <kearneykid> yes both http and https
[17:11] <kearneykid> the error is saying "connection refused"
[17:11] <kearneykid> also a nslookup works
[17:12] <winterpk> Hi I'm having a problem with my ubuntu webserver.  I have multiple sites set up with virtual hosts and one has an SSL cert.  However, my client is getting an ssl cert error on a different site (even though I have no links to https on that site) where its trying to use a different domain ssl. Does anyone know the best practice when setting up multiple sites on the same server where some
[17:12] <winterpk> use SSL and others dont?
[17:14] <kearneykid> sarnold: actually for http; i get the error connection refused
[17:14] <kearneykid> sarnold: and for https; it just times out
[17:14] <sarnold> kearneykid: ah, perhaps a REJECT for http and DROP for https?
[17:15] <sarnold> winterpk: investigate SNI: http://en.wikipedia.org/wiki/TLS/SSL#Support_for_name-based_virtual_servers
[17:16] <kearneykid> maybe, how could i fix that?
[17:17] <sarnold> kearneykid: perhaps I could pastebin your firewall rules for you, if you /query me, then paste them in, it won't flood the channel..
[17:17] <winterpk> sarnold thank you.  I will look into it directly
[17:18] <winterpk> So I can only use one cert per server?!
[17:18] <kearneykid> thanks very much for your help sarnold query opened
[17:19] <winterpk> or a different IP
[17:19] <winterpk> ugh, this is not good
[17:19] <sarnold> winterpk: different IP is the usual approach, but I think SNI lets you get there, with newer clients anyway
[17:20] <winterpk> well what If I only really care about one cert.  I just dont want to get a cert error on the other sites.
[17:20] <sarnold> ah. I don't think there's anything you can do about that :/
[17:21] <winterpk> oh  man this is not good
[17:21] <RoyK> SNI should work with most clients these days
[17:21] <winterpk> client = browser?
[17:21] <RoyK> yes
[17:22] <winterpk> hmm ok I'll try it.
[17:25] <winterpk> its still trying to use the default ssl darnit
[17:26] <gyre007> anyone here understands how package pinning works ? arrrgh...major headache
[17:26] <winterpk> is there some way to just turn off SSL for the sites that dont use it?
[17:30] <gyre007> I have the following preferences set https://gist.github.com/milosgajdos83/5555584
[17:30] <gyre007> YET they are totally ignored
[17:31] <gyre007> nginx-full is being installed from the second source..
[17:31] <gyre007> arrrgh..
[17:33] <sarnold> winterpk: you only get to open a port on an ip address. you can't selectively 'close' that port for requests coming in with one name vs another name -- it can't know which hostname the request is intended for until it has accepted the connection and read some bytes from it.
[17:34] <winterpk> I see ok
[17:35] <winterpk> its a chicken before egg paradox
[17:35] <sarnold> hehe, yeah
[17:35] <winterpk> SNI is supposed to hint at the right domain
[17:35] <sarnold> or, one more motivating factor behind ipv6 :)
[17:35] <winterpk> before the connection actually happens
[17:35] <winterpk> I'm just having trouble with my config now I suppose
[17:35] <sarnold> .. but sni assumes all domains you're hosting on that IP are supposed to have SSL :)
[17:36] <sarnold> you _could_ segregate your hosts onto two IPs: the first IP for ones with ssl, the second one for hosts without ssl
[17:36] <winterpk> ugh this is getting worse
[17:36] <sarnold> most providers will sell you a second IP for something like $5/mo. not too bad.
[17:36] <winterpk> hmm I don't think I can assign two IPs to my server.  I'm on AWS
[17:38] <sarnold> winterpk: that might be "elastic IPs" in the console..
[17:38] <winterpk> right, but I think I can only assign 1 per
[17:38] <winterpk> stupid
[17:38] <sarnold> oh? hrm. that is stupid.
[17:41] <sarnold> winterpk: oh, check out the section titled "Assigning an Elastic IP Address to the Secondary Private IP Address" here http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
[17:41] <kearneykid> sarnold should i leave smoothwall and use a different firewall/router ?
[17:41] <winterpk> hmm ok
[17:42] <sarnold> kearneykid: maybe? :)
[17:43] <kearneykid> what would ye recommend because this is really annoying me.
[17:47] <kearneykid> any ideas on what to try?
[17:50] <winterpk> hmm so aws has this virtual nic i need to implement. weird
[18:34] <ppetraki> hallyn_, can you do me a favor and mark this triaged until we learn different? Thanks. https://bugs.launchpad.net/ubuntu/+source/multipath-tools/+bug/1178721
[18:34] <jkyle> e
[20:44] <slide23> Can anyone see anything wrong with this rule for allowing ssh in from a specific ip?
[20:44] <slide23> /sbin/iptables -A INPUT -s 192.168.0.99 -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT; /sbin/iptables -A OUTPUT -d 192.168.0.99 -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
[20:55] <bekks> It doesnt allow new connections to be established (outbound in return to inbound new)
[21:12] <kathy1> Holaaa
[21:22] <RoyK> kathy2: hi
[21:22] <RoyK> slide23: not really
[21:23] <kathy2> How are you?
[21:23] <RoyK> fine, thanks
[21:23] <kathy2> emmm
[21:23] <kathy2> ok
[21:23] <kathy2> ;)
[21:24] <RoyK> so what up?
[21:37] <hxm> i configured smtp and all mails are marked as spam
[21:38] <hxm> i have defined the spf in the txt dns record
[21:38] <hxm> and configured openkim
[21:38] <hxm> what do i miss
[21:38] <sarnold> hxm: which tool said your mails are spam? did it give you any reasoning?
[21:39] <hxm> gmail and hotmail, they just redirect to a generic page for many reasons
[21:44] <sarnold> hxm: you could try this.. https://ers.trendmicro.com/reputations/index
[23:35] <coalwater> I want to build a clustered/distributed web server using virtual boxes for learning purposes, is there a good link/book i could read ? thanks.