| jamespage | med_, well it might be in icehouse - but it should be ok in grizzly and havana | 06:29 |
|---|---|---|
| tucemiux | how do you guys suggest I configure the management of upgrades? Do it automatically or use landscape? | 07:35 |
| === e^0 is now known as Guest9913 | ||
| cocoa117 | what's the easiet way for linxu admin to get code onto all his controlled machine? | 09:14 |
| cocoa117 | other then write a virus, :) | 09:14 |
| ciastek | cocoa117: i use ansible [1], but am not sure, if it's the easiest way. [1] http://docs.ansible.com/ | 09:20 |
| mardraum | puppet or something? rsync and scripts? | 09:20 |
| cocoa117 | ciastek, ok, thanks, i have look | 09:20 |
| cocoa117 | shame, we have to pay for ansible for more then 10 machines. is anyone here using it for home usage? | 10:09 |
| smb | hallyn, No but I did not run XP. And it also depends on whether one uses xm or xl and xl only for Saucy because before that both were using the xen specific fork (aka qemu-xen-legacy) | 10:09 |
| === MadHatter is now known as Guest4700 | ||
| === Guest4700 is now known as NiTeMaRe | ||
| cocoa117 | No, wait there is github!!! | 10:32 |
| === 20WAA4UBR is now known as hazrpg | ||
| smb | hallyn, Ok, so potentially we want to pick that patch for Trusty. Saucy still had qemu-1.5 which should not be affected. | 11:20 |
| === JanC_ is now known as JanC | ||
| makara | hi. What certifications should someone follow interested in Ubuntu Server, Ceph - basically provisioning for a dev shop | 12:14 |
| daaaaaaaaa | Hello! I want to mount a hard drive from one ubuntu server to another, want to mount it under like /home/user/hdd1, wich would be the easiest way to do this? | 12:14 |
| makara | mkdir /home/user/hdd1; sudo mount /dev/sdx /home/user/hdd1 | 12:15 |
| daaaaaaaaa | Dont i need to use NFS to do this over internet? | 12:16 |
| makara | we need a server provisioned every day, and the sysadmin needs upsmarting because its taking too long :) | 12:17 |
| hxm | im using log watch, but I don't find if I can ban ips automatically | 12:54 |
| hxm | in example after N fail ssh logins | 12:54 |
| geser | take a look at fail2ban | 12:54 |
| rbasak | hxm: you want something like fail2ban for that | 12:54 |
| rbasak | hxm: I think there's another alternative too, but I don't remember what it is right now. | 12:54 |
| hxm | oh, thank you so much, there i go | 12:55 |
| hxm | fail2ban is pretty nice | 13:14 |
| rbasak | I don't like its principle of operation. Parsing textual log files feels error-prone. I wonder what arbitrary text I might be able to inject into your logfile | 13:17 |
| rbasak | ? | 13:17 |
| rbasak | And then fail2ban must parse that and it must run as root. | 13:17 |
| hxm | but log files are owned by root no? | 13:24 |
| hxm | supposed fail2ban prevents the brute force, not fix the already-joined-in | 13:24 |
| geser | didn't fail2ban have that error that it also triggered if you used the error as the ssh user? | 13:25 |
| PricelessTalk | rbanffy deny host is an alternative | 13:26 |
| hxm | at the moment I see nothing wrong | 13:26 |
| geser | CVE-2013-2178 which should be fixed now | 13:27 |
| uvirtbot | geser: The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and apache-overflows.conf files in Fail2ban before 0.8.10 do not properly validate log messages, which allows remote attackers to block arbitrary IP addresses via certain messages in a request. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2178) | 13:27 |
| rbanffy | PricelessTalk, ? | 13:27 |
| PricelessTalk | DenyHosts is an alternative to fail2ban | 13:28 |
| PricelessTalk | ssh only though | 13:29 |
| geser | http://seclists.org/oss-sec/2013/q4/535 | 13:30 |
| geser | that's the issue I recently read about | 13:31 |
| rbasak | hxm: logfiles that fail2ban parse typically contain untrusted data. This exposes fail2ban to more risk than necessary, since in theory the banning could be done at failure time with no parsing of untrusted input. It means that there is a bigger attack surface than there needs to be. | 13:38 |
| hxm | but my log file is full of http scanning botnets and many brute-force attacks to default directories /phpmyadmin /admin /login.php and same thing with ssh port | 13:39 |
| hxm | apart of an iptables rule what software can manage that properly? better than fail2ban | 13:40 |
| rbasak | So what? You want to hide the evidence and pretend that people aren't trying to break in? Sure, use fail2ban then. | 13:40 |
| mardraum | "welcome to the internet" | 13:41 |
| hxm | no, I don't want to hide the evidence, I know this is the world where I am but I just don't want make it so easy | 13:41 |
| rbasak | Does it really make it harder? Attackers control many IPs. Banning them is like playing whack-a-mole. | 13:42 |
| hxm | okay I just miss the times of irc war | 13:42 |
| rbasak | OTOH, using fail2ban introduces more attack surface. What if someone targets fail2ban? | 13:42 |
| rbasak | It's a tradeoff. There's no clear answer. I just like it the other way. | 13:43 |
| mardraum | the times of irc war? | 13:43 |
| jpds | hxm: What kind of website are you running? | 13:43 |
| rbasak | (and I use AppArmor to contain any vulnerable daemons, use write-only backups to another system, etc) | 13:43 |
| hxm | i just have a dedicated server with a few websites, an commerce and other stuff | 13:44 |
| patdk-wk | why must fail2ban run as root? | 13:49 |
| patdk-wk | and how is the user injecting their own crap into logfiles | 13:49 |
| patdk-wk | if invalid user data is going into a log file, that is the same security issue as basically sql injection | 13:50 |
| jpds | patdk-wk: Sounds like they were faking the IPs of the connect to Apache, and fail2ban banned the IPs. | 13:54 |
| patdk-wk | that doesn't work | 13:54 |
| patdk-wk | if you spoof a tcp connection, the connection doesn't get created | 13:54 |
| patdk-wk | and apache doesn't log anything | 13:55 |
| patdk-wk | ip spoofing is limited to connectionless protocols | 13:55 |
| rbasak | patdk-wk: it must run as root to inject iptables rules, surely? And the user selects usernames, URLs, user agents, etc. All of that ends up in the log files. | 14:01 |
| rbasak | patdk-wk: you assume that fail2ban correctly understands the escaping mechanism of everything that writes to the log files, so that it can extract what it needs correctly. | 14:02 |
| rbasak | patdk-wk: and also that everything that writes to log files does in fact escape everything correctly. | 14:03 |
| geser | https://vndh.net/note:fail2ban-089-denial-service describes the problem nicely | 14:03 |
| patdk-wk | fail2ban runs in 2 parts | 14:03 |
| rbasak | I'm not saying that there's a specific vulnerability (I'd have reported it if I knew about any). I'm saying that it's at risk. | 14:03 |
| patdk-wk | a client, reading logs, and a server injecting iptables | 14:03 |
| sarnold | patdk-wk: iirc, there were problems with fail2ban being run on log files that just logged, without mangling, data supplied by clients. they didn't spoof their IP, they simplied supplied user-agent strings or user names or whatever that looked like new log entries. hey-prestro, fail2ban will happily lock out real admins | 14:03 |
| patdk-wk | personally, I never have it touch iptables directly | 14:03 |
| sarnold | the numbre of people surprised: 0 | 14:04 |
| sarnold | hehe | 14:04 |
| patdk-wk | oh, that is just a logging issue then, or a fail2ban reading log issue | 14:04 |
| sarnold | logging issue | 14:04 |
| sarnold | not much fail2ban could do about it | 14:04 |
| rbasak | geser: thanks. That explains my point exactly. | 14:04 |
| patdk-wk | I'm logging to a database | 14:05 |
| rbasak | patdk-wk: doesn't matter where the issue comes from. That's why I said I didn't like its principle of operation. | 14:05 |
| patdk-wk | and use sql to locate abuse | 14:05 |
| geser | and you use regex in the SQL queries? | 14:05 |
| patdk-wk | no | 14:05 |
| patdk-wk | and if I did | 14:05 |
| patdk-wk | say I used regex sql, issue? | 14:06 |
| sarnold | patdk-wk: hah, yes, a well-formatted database would nicely side-step the issue. | 14:06 |
| patdk-wk | but the real issue is, sloppy log formatting, and/or sloppy regex matching | 14:09 |
| rbasak | No, the real issue is a principle of operation that is vulnerable to sloppy log formatting or sloppy regex matching. | 14:10 |
| patdk-wk | rbasak, if that was followed, there would be nothing | 14:11 |
| patdk-wk | cause nothing would be made unless it was perfect | 14:11 |
| rbasak | As I say, it's a tradeoff. Here, I don't think fail2ban is worth the tradeoff. It doesn't buy you much. | 14:11 |
| rbasak | Sure, there will be cases where fail2ban might save you. There also might be cases where fail2ban might make you vulnerable. | 14:12 |
| rbasak | IMHO, fail2ban isn't worth the benefit. YMMV. | 14:12 |
| hallyn | smb: mjt has cherrypicked it into debian-qemu yesterday: http://anonscm.debian.org/gitweb/?p=pkg-qemu/qemu.git;a=commit;h=bd910ee4b6e8e68bd1758d008c3cfcbccb6edb49 | 14:14 |
| patdk-wk | ya, that whole fail2ban issue is sloppy regex | 14:14 |
| patdk-wk | they didn't follow basic rules of fixing the strings to the beginning of hte line | 14:15 |
| * patdk-wk wonders if there is a way to slip in a newline | 14:15 | |
| smb | hallyn, Ok, so if we pull from Debian we will get it. If we do rebase again for T of course | 14:15 |
| hallyn | smb: yup i'm going to do a merge on march 1. | 14:21 |
| sarnold | vlad_sta_: https://lists.ubuntu.com/archives/ubuntu-announce/2014-February/000180.html | 14:21 |
| smb | hallyn, wfm, at least we don't have an issue to worry about for older releases. :) | 14:21 |
| vlad_sta_ | sarnold: Hi. Nice, 3.11 kernel. Will try it. | 14:23 |
| sarnold | vlad_sta_: cool! I hope that one works for you. :) if not, please file bugs... | 14:27 |
| vlad_sta_ | sarnold: yep. thanks for good wishes :) | 14:27 |
| * beisner is here. good morning! | 14:42 | |
| === freeflying is now known as freeflying_away | ||
| MavKen | can someone point me in the right direction... I want to create a script to automate creating a new user, creating a mysql username and db for that user and a few other things. From the command line I want to enter "mavapp username" and then it plug in the username as a variable in my script file. Is this possible and if so, what is that process called so I can do some googlin? | 15:52 |
| MavKen | Thanks | 15:52 |
| sarnold | MavKen: look at the adduser(8) manpage; there's a hook file, /usr/local/sbin/adduser.local, that you could use for creating your database users and so forth | 15:54 |
| MavKen | thanks! will check it out | 15:55 |
| sarnold | MavKen: (of course if you don't want every newuser t oget database credentials and so forth, it might be easier to just write your own script for it all.) | 15:55 |
| MavKen | ok. I have the script written, just not sure how to make it work from the command line. For example I want to have 2 commands that I can use, "mavapp addclient username" and "mavapp remclient username" and use the username variable in the script. Some of the script involves mailing out initial password and instructions to change pass. | 15:57 |
| sarnold | MavKen: the details of that would depend upon the language you've used; bash would use $1 and $2 and so forth, C would use argv[1], argv[2], and so on | 15:58 |
| MavKen | my only experience is as a front end developer using php/mysql... what would be the easiest? Basically, I have a text file right now of each command I normally enter 1 by 1 for when I add a new client or remove. If I can get this to work, would help avoid the need for cpanel | 16:00 |
| sarnold | MavKen: that is awfully close to a bash script; this might be helpful: https://help.ubuntu.com/community/Beginners/BashScripting http://tldp.org/LDP/abs/html/index.html | 16:04 |
| MavKen | thanks | 16:05 |
| MavKen | is it possible to use php cli and run system commands as root? | 16:13 |
| sarnold | MavKen: yes, but that terrifies me. PHP is .. not a precise language. | 16:19 |
| MavKen | ok | 16:19 |
| shredding | Hey all. | 16:43 |
| shredding | Is this crontab meaning it's running at 15 past 12: 12 */4 * * *? | 16:49 |
| Pici | No. Its running every 4 hours at 12 minutes past. | 16:50 |
| sarnold | crontab lists minutes, hours, DOM, mon, DOW -- that ought to run at 0:12 4:12 8:12 12:12 16:12 20:12 | 16:50 |
| shredding | Pici: So basically 6 Times a day? | 16:51 |
| shredding | Thanks! | 16:51 |
| shredding | sarnold: Thanks! | 16:52 |
| w0rmie | cp: cannot stat '/./home/server/.gvfs': Permission denied. | 17:24 |
| w0rmie | even i set /home/server to chmod 777 and recopy again i get the same permission failure. | 17:25 |
| w0rmie | i am under ubuntu server 12.4 LTS with xubunto GUI installed | 17:26 |
| w0rmie | any ideas? | 17:26 |
| smb | roaksoax, Looks like people start "complaining" about the progress of bug 1185756 ;) | 17:41 |
| uvirtbot | Launchpad bug 1185756 in drbd8 "drbd8-utils not compatible with linux-lts-raring kernel in 12.04" [High,Confirmed] https://launchpad.net/bugs/1185756 | 17:41 |
| roaksoax | smb: argh! sorry.. been pretty busy lately! I'll get to that! | 17:41 |
| smb | roaksoax, Cheers. :) Or find someone willing and with the right powers. ;) | 17:43 |
| roaksoax | smb: i'll talke care of it now. So the https://launchpadlibrarian.net/151933272/debdiff-raring.patch is debdiff between what we have in raring/saucy against the latest? | 17:44 |
| smb | Let me make sure | 17:45 |
| roaksoax | smb: it is just raring it seems | 17:45 |
| smb | roaksoax, Yeah, I think it is (for the sake of simpler patch) | 17:46 |
| smb | So changes I mean what is on top of saucy/raring version | 17:47 |
| smb | The source package should be on chinstrap | 17:48 |
| smb | roaksoax, ~smb/4review | 17:48 |
| roaksoax | smb: cool thanks | 17:48 |
| smb | hm... not yet but soon | 17:48 |
| smb | ok now | 17:50 |
| smb | roaksoax, So I also put a debdiff between current P and the new R/S version. Of course that looks scary as one would expect | 17:53 |
| roaksoax | smb: are we sure we only want 8.4.3 (which is in saucy) or we want 8.4.4 what's in trusty? | 17:55 |
| smb | roaksoax, right now I'd say 8.4.3 and then check again before T gets out | 17:56 |
| roaksoax | smb: ok cool | 17:56 |
| === RoyK is now known as RoyK^ | ||
| === unreal_ is now known as unreal | ||
| rostam | HI how to set unlimited file handles on a particular user? | 19:13 |
| sarnold | rostam: does this user log in or is it a service user? | 19:14 |
| bekks | Whats the actual problem behind all that? | 19:14 |
| rostam | sarnold, log in | 19:14 |
| RoyK | rostam: you can use ulimit or setrlimit(), but the global limit will be the max | 19:14 |
| sarnold | rostam: /etc/security/limits.conf | 19:15 |
| rostam | RoyK , sarnold thank you. | 19:15 |
| === keithzg_ is now known as keithzg | ||
| MavKen | anyone happen to know if centos has something similar to tasksel? | 20:55 |
| MavKen | any recommended open source control panels? | 21:01 |
| w0rmie | how can i adjust the TFTP server timeout response? | 21:14 |
| === mjohnson15_2 is now known as mjohnson15 | ||
| === gary_poster is now known as gary_poster|away | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!