/srv/irclogs.ubuntu.com/2013/09/07/#ubuntu-server.txt

[00:50] <mgw> I'm trying to debug a weird dns issue… I have a .internal zone, which delegates .A.internal to another dns server
[00:51] <mgw> When I do a dig of foo.A.internal @ns.internal, it works — sometimes
[00:52] <mgw> But more often, ns.internal never sees the response from ns.A.internal — even though I can see the response in a tcpdump running on ns.internal
[00:53] <mgw> By "not see", I mean it does not show in bind's debug log
[00:53] <mgw> any ideas?
=== MACscr1 is now known as MACscr
=== ikonia_ is now known as ikonia
=== freeflying_away is now known as freeflying
=== s is now known as Guest38168
=== virusuy_ is now known as virusuy
=== Guest60143 is now known as mosh
=== freeflying is now known as freeflying_away
=== HisaoNakai_ is now known as HisaoNakai
[17:27] <Quest> i need to scan the system (from outside) to see if it has any vulnerabilities for an attack. then understand how to fix them.
[17:47] <Quest> nessus and metasploit, so they don't need to be installed ON the system that is TO BE Scanned? I wonder how the vulnerabilities could be checked from outside? only open ports can be checked. like nmap does. can you elaborate?
[17:59] <nobodies> i have an old ubuntu distro "natty" how can i do a dist upgrade
[18:04] <nobodies> e.g. do-release-upgrade is not installed and i can't apt get it because the repo doesn't exist anymore
[18:06] <Patrickdk_> sure it exists
[18:06] <Patrickdk_> change to the archive repos
[18:08] <nobodies> how?
[18:08] <tedski> nobodies: see here: http://old-releases.ubuntu.com/releases/11.04/
[18:09] <tedski> nobodies: edit your sources.list to include the relevant repos from here: http://old-releases.ubuntu.com/ubuntu/dists/
[18:12] <nobodies> great thanks i've done that now :)
[18:54] <Quest> http://masoodahmad.com/02.Session-Hijacking-Pt.2.mov how the hell can the email / password be visible in this middleman attack when the user was using HTTPS gmail website ?
[19:02] <qman__> Quest, it's a bit off topic, but that's a simple man in the middle
[19:02] <qman__> he clicked past the certificate warning
[19:06] <Quest> qman__, sorry? "past the certificate warning?"
[19:09] <qman__> Quest, when he browsed to gmail, he was presented with a certificate warning because his traffic was being intercepted
[19:09] <qman__> he clicked ok to continue anyway without a single word spoken on it
[19:10] <qman__> it's disingenuous, as is using windows 2000 and horribly outdated versions of internet explorer
[19:12] <Quest> what was the warning about?
[19:12] <qman__> the certificate name not matching, because it was invalid and presented by the attacker rather than gmail
[19:13] <qman__> but again, this is offtopic, it has nothing to do with ubuntu server or even linux in general
[19:13] <Quest> i think with https, the data should have gone out of the computer after it has been encrypted. so once it goes out. how can it be seen in a text file by middle man. in plain text.
[19:14] <Quest> qman__, oh. the cert was invalid? he never set up the certificate...... did he in the video?
[19:15] <qman__> the man in the middle intercepts and modifies the transmission, the client never reaches gmail to initiate a secure connection
[19:17] <Quest> qman__, the client does reach gmail, how come he would load the login web page else then?
[19:18] <qman__> you clearly do not understand the basics of how https and SSL work
[19:18] <bekks> And it has nothing to do with ubuntu - it is a generic issue.
[19:20] <Quest> qman__, can we private chat. (away from ubuntu and bekks )
[19:20] <qman__> no, you need to learn a lot more before you can understand how this attack works
[19:20] <qman__> take a course or read a good book on PKI
[19:21] <Quest> qman__, only thing i guess is that. the client did reach gmail. but the certificate was supplied by cain. as its default behaviour?
[19:21] <Quest> qman__, it was a course video. i am doing what you said. but i need discussions. with your skills. can we chat elsewhere?
[19:24] <Quest> am i correct about the cain and cert ? qman__
[19:25] <bekks> No.
[19:25] <Quest> bekks, don't respond. it's ubuntu channel
[19:25] <Quest> qman__, so?
[19:25] <bekks> Quest: If you don't like the answer, don't ask.
[19:25] <Quest> not asking you )
[19:25] <Quest> :)
[19:26] <bekks> Ignoring you. Good luck.
[19:26] <qman__> no, you do not understand how it works
[19:26] <Quest> bekks, at last. thanks
[19:26] <qman__> stop pestering me, and learn how PKI functions
[19:26] <qman__> I have already explained how it works
[19:26] <Quest> hm.. i thought i knew https and read docs
[19:26] <Quest> last question. qman__ is cain or abel sending its own certificate to client?
[19:27] <Quest> y/n?
[19:28] <LargePrime> hey all. my /tmp is full?
[19:28] <LargePrime> http://paste.ubuntu.com/6076170/
[19:28] <bekks> LargePrime: That's not a standard ubuntu filesystem. What did you do?
[19:29] <bekks> LargePrime: Please provide the output of "lsb_release -a"
[19:29] <bekks> LargePrime: In a pastebin please.
[19:30] <qman__> LargePrime, http://stackoverflow.com/questions/17536139/releasing-unneccesary-space-used-in-tmp
[19:30] <qman__> the second answer, in particular
[19:31] <LargePrime> bekks: "No LSB modules are available."
[19:31] <Quest> last question. qman__ is cain or abel sending its own certificate to client?
[19:31] <bekks> LargePrime: The entire output. Not just one line.
[19:35] <bekks> LargePrime: So where is the entire output? :)
[19:36] <LargePrime> http://paste.ubuntu.com/6076180/
[19:37] <bekks> LargePrime: And pastebin your /etc/fstab too, please, along with "uname -a"
[19:37] <LargePrime> qman__: /tmp: device is busy. when i try and unmount
[19:40] <LargePrime> bekks: http://paste.ubuntu.com/6076217/ is uname -a. I don't understand "pastebin your /etc/fstab"
[19:40] <bekks> LargePrime: Copy the content of /etc/fstab into a pastebin.
[19:40] <bekks> You are running a pretty old kernel, on your 12.04.3
[19:41] <LargePrime> i should update it?
[19:41] <bekks> The current kernel for 12.04.3 is 3.5.0
[19:41] <bekks> Yes, you should.
[19:41] <LargePrime> right now i can't update anything, cause /tmp issue
[19:43] <LargePrime> bekks: fstab http://paste.ubuntu.com/6076226/
[19:44] <bekks> So you did mount your /tmp on your own, didn't you?
[19:45] <LargePrime> nope
[19:45] <LargePrime> it happened cause / was full
[19:48] <bekks> It didn't. /tmp did not mount because / is full. And your / has 6.1GB free space.
[19:48] <LargePrime> my / WAS full
[19:49] <LargePrime> as qman__ link points out
[19:49] <LargePrime> ubuntu mounts /tmp in ram
[19:49] <LargePrime> when that happens
[19:49] <LargePrime> but i am not sure how to unmount it
[19:49] <LargePrime> and unmount says it is in use
[19:52] <LargePrime> http://paste.ubuntu.com/6076245/ is what i get when i try an unmount
[19:52] <bekks> Then you have to reboot.
[19:53] <LargePrime> poop
[19:53] <LargePrime> so reboot then unmount it
[19:53] <LargePrime> ?
[19:53] <bekks> No.
[19:54] <bekks> Reboot unmounts everything, and reboots your computer.
[20:10] <LargePrime> is there any other option to rebooting?
[20:14] <Pastafarian> Any Ubuntu staffers online?
[20:16] <Pastafarian> The lack of an apache 2.4 port is getting more and more worrying.
[20:16] <Pastafarian> When is a 2.4 port to 12.04 lts and others planned?
[20:27] <Pastafarian> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884
[20:27] <uvirtbot> Launchpad bug 1197884 in apache2 "apache2.2 SSL has no forward-secrecy: need ECDHE keys" [Wishlist,Fix committed]
[20:27] <Pastafarian> This needs to be sorted right now.
[20:28] <LargePrime> Pastafarian:
[20:28] <LargePrime> My imaginary friend still loves you.
[20:30] <Pastafarian> FSM ?
[20:47] <Pastafarian> This bug is not "wishlist"
[20:47] <Pastafarian> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884
[20:47] <uvirtbot> Launchpad bug 1197884 in apache2 "apache2.2 SSL has no forward-secrecy: need ECDHE keys" [Wishlist,Fix committed]
[20:47] <Pastafarian> It's security critical. RC4 is being implied as being cracked by the NSA etc... meaning we could do with the newer ciphers.
[21:01] <mdeslaur> Pastafarian: Bruce Schneier said "Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can"
[21:02] <mdeslaur> Pastafarian: if someone backports the ECDHE stuff to apache 2.2, we may consider adding it
[21:03] <ScottK> OTOH, some of the black hat (or defcon, I can't recall) presentations this year gave me the impression that RSA/DSA's days are numbered.
[21:03] <mdeslaur> ScottK: that turned out to be overly exaggerated
[21:03] <ScottK> Interesting.
[21:04] <mdeslaur> see https://www.schneier.com/blog/archives/2013/08/the_cryptopocal.html
[21:06] <mdeslaur> the fact that ECC is patented doesn't help the situation at all
[21:06] <mdeslaur> unless everyone starts giving royalties to Blackberry
[21:06] <ScottK> Agreed.
[21:06] <mdeslaur> It's been a pretty depressing few months :P
[21:07] <ScottK> Thanks.
[21:31] <Pastafarian> That being said
[21:31] <Pastafarian> we need it updating in one of the two ways
[21:31] <Pastafarian> asap
[21:32] <Pastafarian> The major hint is that RSA is over
[21:32] <Pastafarian> and that RC4 can be broken.
[21:33] <Pastafarian> mdeslaur, if ubuntu is meant to have a server version which they're selling support to shouldn't the devs give more of a crap about this
[21:34] <mdeslaur> Pastafarian: yes, ubuntu devs should definitely be looking at that
[21:34] <Pastafarian> ultimately someone needs to get elgamal going
[21:34] <mdeslaur> Pastafarian: someone needs to backport the support to apache 2.2
[21:35] <Pastafarian> that should have been done certainly
[21:35] <Pastafarian> however it's not like they shouldn't drop 2.4 into raring and earlier
[21:35] <Pastafarian> especially lts
[21:36] <mdeslaur> releases rarely get newer versions, especially for something like this
[21:36] <mdeslaur> this is far from a critical issue
[21:36] <Pastafarian> Whereas I would disagree ;)
[21:37] <Pastafarian> RC4 is flogging a dead horse.
[21:37] <mdeslaur> I don't see any other distros rushing out to do the backporting work, or to release apache 2.4 into older releases
[21:37] <Pastafarian> The alternatives are locked into 2.2.22
[21:37] <Pastafarian> however debian has it in testing
[21:37] <Pastafarian> and has for a long while
[21:37] <mdeslaur> Pastafarian: saucy will have 2.4
[21:37] <Pastafarian> I know, and I still don't want to wait until October
[21:38] <Pastafarian> and I cannot jerk around on production machines compiling it instead
[21:38] <mdeslaur> Pastafarian: you're not in the US, are you?
[21:38] <Pastafarian> Nope.
=== freeflying_away is now known as freeflying
[21:40] <Pastafarian> So I have slightly less to be concerned about, regardless. It's committed. Just needs speeding the hell up.
[21:40] <mdeslaur> committed?
[21:41] <Pastafarian> Fix committed, i.e. in saucy
[21:41] <Pastafarian> I'd expect it to be shoved in 12.04 quickly too.
[21:42] <mdeslaur> that's likely not going to happen
[21:42] <Pastafarian> Then someone needs to pull a cranium out of somewhere.
[21:42] <Pastafarian> >LTS when we feel like it.
[21:43] <mdeslaur> Pastafarian: your definition of what an LTS is is flawed
[21:48] <Pastafarian> In which case by 5 years of support they mean, at our discretion regardless of security?
[21:49] <mdeslaur> Pastafarian: that's not a security issue
[21:50] <Pastafarian> Not for the Operating System
[21:50] <Pastafarian> For anyone using it
[21:50] <Pastafarian> If the ubuntu devs are making their definitions strictly to the security of a SERVER operating system only to the OS
[21:50] <Pastafarian> they're being at best, stupid.
=== freeflying is now known as freeflying_away
[22:29] <ScottK> So you want the stability of an LTS on a system that's updated all the time?
[22:29] <ScottK> Pick one.
=== freeflying_away is now known as freeflying
[23:21] <Pastafarian> ScottK, don't be dense.
[23:22] <Pastafarian> You want stability and security.
[23:22] <Pastafarian> These are not mutually exclusive
[23:22] <ScottK> No, but dumping a new version of apache into an already released LTS is insanity.
[23:23] <Pastafarian> and when tested has it presented issues?
[23:23] <Pastafarian> has someone even tried?
[23:23] <Pastafarian> plenty of PPAs out there
[23:25] <Pastafarian> why is it insanity? I can choose 2.2 or 2.4 in windows
[23:25] <Pastafarian> or debian
[23:25] <Pastafarian> and expect on many other distros
