ska | I'm trying to install 13.10 on an Asus Z87-Pro, but it fails in non-uefi mode as well as uefi.. Different problems.. | 02:25 |
---|---|---|
ska | I think UEFI fails right after partitioning | 02:26 |
ska | It's a new system with no other OS. | 02:26 |
=== yeahpla is now known as Guest43332 | ||
=== awalker is now known as linodil | ||
=== awalker is now known as linodils | ||
vlad_starkov | QUESTION: Hi there! I'm setting up NFS4 server. Can't find rquotad service. Should I install it manually? | 16:36 |
sync0pate | hey, strange question, don't know if this is the right place but.. if I have a VPS running on a client's server, how secure is it from people who have access to the server? | 17:02 |
sync0pate | say the VPS is encrypting its data internally, but someone may have access to the box the vps is physically running on? | 17:02 |
sync0pate | sorry by vps I mean a virtual machine | 17:03 |
bekks | As long as someone has physical access to that machine, someone has full control over everything. | 17:04 |
sync0pate | as in they could read all the encrypted data within? | 17:06 |
andol | sync0pate: The main benefit of encrypted data on your VPS is that it helps against someone accidentally accessing the data, such as afterwards when another customer reuses the same disk blocks. | 17:06 |
andol | sync0pate: It also forces the owner of the physical machine to be more explicitly "evil" to be able to access your data. | 17:07 |
sync0pate | well to be honest, I'm mostly worried about accidental access rather than malicious intent | 17:07 |
sync0pate | and sorry | 17:07 |
sync0pate | when I said VPS, I meant a VM | 17:07 |
sync0pate | what I'm actually talking about, is a VM running at a client site, on one of their servers | 17:07 |
sync0pate | if they provide access to that physical server to other contractors | 17:08 |
sync0pate | how much access could they get to the VM? | 17:08 |
bekks | Then the above still applies. | 17:08 |
sync0pate | so they'd theoretically be able to access everything? | 17:08 |
bekks | Physical access to the server means that they have full control. | 17:08 |
sync0pate | how would they be able to decrypt everything? | 17:08 |
bekks | They don't have to encrypt anything as long as your VM is running. | 17:09 |
bekks | *decrypt even | 17:09 |
sync0pate | what if there's encrypted data within the VM? | 17:09 |
andol | Not to mention that they can grab the encryption keys from RAM. | 17:09 |
sync0pate | right ok | 17:09 |
sync0pate | so, assume they could get full access | 17:09 |
sync0pate | but considering I'm worried more about accidental access than deliberate malicious intent | 17:10 |
sync0pate | from *that* perspective, it's fairly safe? | 17:10 |
andol | sync0pate: I would use the word safe, but there are certain scenarios you do mitigate. | 17:10 |
bekks | As long as your VM is running, they have full, decrypted access to it. | 17:10 |
andol | I wouldn't | 17:11 |
sync0pate | but they're unlikely to get full, decrypted access to it unless they deliberately wanted to? | 17:12 |
bekks | Read again: | 17:12 |
bekks | < bekks> As long as your VM is running, they have full, decrypted access to it. | 17:12 |
sync0pate | ok, how do they? | 17:12 |
bekks | We already told you. | 17:12 |
sync0pate | you told me how someone could get access through grabbing the encryption keys from ram or something | 17:13 |
bekks | Yes, that's one of the attacking vectors possible. | 17:13 |
bekks | It perfectly answers your question "Is it safe?" with a clear "No.". | 17:13 |
sync0pate | I think it shows "Is it secure?" would be a clear "no" | 17:14 |
sync0pate | would there be a better alternative though? | 17:14 |
bekks | Don't host valuable data at a site where others have physical control. :) | 17:15 |
sync0pate | that's not an option | 17:15 |
bekks | That's the only option. | 17:15 |
sync0pate | OK, I'll explain the situation a bit better | 17:15 |
sync0pate | it's a client site | 17:16 |
sync0pate | a database system I have provided them | 17:16 |
bekks | Doesn't matter actually. If you don't want someone to be able to access your data, take care no one besides you has physical access. | 17:16 |
sync0pate | their internal IT has physical access to the machines | 17:16 |
sync0pate | so, I'm not really concerned about malicious attack | 17:16 |
sync0pate | just curious IT folk changing settings accidentally or something | 17:16 |
sync0pate | deleting the wrong thing etc | 17:17 |
bekks | You better create backups then. | 17:17 |
sync0pate | yeah | 17:17 |
bekks | Encryption is not providing any security against logical errors. | 17:17 |
sync0pate | well no, the encryption is more in case someone does take the data out of the office | 17:18 |
sync0pate | or for when I backup | 17:18 |
sync0pate | as I do | 17:18 |
bekks | As long as the VM is running, everyone with physical access has FULL ACCESS to ALL data. | 17:18 |
bekks | Is that clear now? | 17:18 |
sync0pate | that was clear from the start | 17:19 |
bekks | Then why did you ask it on and on? | 17:19 |
sync0pate | because it's not exactly what I'm asking | 17:19 |
sync0pate | thanks anyway though | 17:19 |
bekks | It is exactly what you are asking. You just don't want to accept the answer. Your proposed solution is not providing any security for the use case you are providing. | 17:20 |
sync0pate | well there isn't a solution that does provide the security I would like | 17:20 |
sync0pate | because I'm not allowed to host the data off site | 17:21 |
bekks | There are. But not for the price you would pay. | 17:21 |
sync0pate | there are? | 17:21 |
sync0pate | hey, I wouldn't be paying | 17:21 |
bekks | Or are you willing to license a full blown Oracle Enterprise Edition with Encryption Option? | 17:21 |
bekks | It will cost several hundreds of thousands of dollars for the license only. | 17:22 |
sync0pate | seems unlikely then :) | 17:22 |
bekks | Then the answer is "No." | 17:22 |
sync0pate | so then there isn't really an affordable solution that would provide the desired level of security | 17:23 |
sync0pate | is there anything more you would suggest to gently discourage curious IT people from poking at stuff? | 17:25 |
sync0pate | other than a stern talking to? | 17:25 |
bekks | Let them sign "Whatever I break, I have to fix it. No one else will help me." | 17:26 |
sync0pate | Aha | 17:26 |
sync0pate | yeah, that's probably what I need | 17:26 |
cfhowlett | bekks oh, I LIKE that one! | 17:27 |
andol | sync0pate: http://www.tacticalknives.biz/ImagesProductsLarge/926795.jpg | 17:27 |
sync0pate | also a good idea andol :) | 17:27 |
bekks | cfhowlett: :D | 17:27 |
sync0pate | sorry if I was unclear before! | 17:27 |
andol | Our Server QA team lead has something like that on his desk. | 17:28 |
sync0pate | tbh it's probably not even a concern | 17:31 |
sync0pate | in this case | 17:31 |
sync0pate | I just had a bad experience once when a marketing manager with a little knowledge started changing my SQL views to try and add extra data to his reports | 17:32 |
cfhowlett | sync0pate so you must also enforce the CLIENT policy; you break, you fix (or you pay the consultant 2X) | 17:32 |
andol | sync0pate: That kind of stuff appears to be more related to who has what kind of access credentials? | 17:33 |
sync0pate | yeah absolutely | 17:33 |
sync0pate | I mean, I still did charge for the fix | 17:33 |
sync0pate | but I would like to not have the headache | 17:33 |
sync0pate | how so andol ? | 17:34 |
sync0pate | like you said, they have physical access to the machine.. so.. | 17:34 |
andol | sync0pate: Yeah, but I doubt a marketing manager would leverage physical root access to root access on the vm, to access to the *sql database. More like the marketing manager had been provided access to the database directly? | 17:35 |
sync0pate | that's kind of what I was getting at earlier andol | 17:36 |
sync0pate | like, I doubt the IT guys are gonna be pulling encryption keys from RAM to piss about with connection settings | 17:36 |
sync0pate | but yeah, in the earlier situation, the guy was given direct access to the DB | 17:36 |
sync0pate | again, nothing I had control over | 17:36 |
ska | Given a choice between UEFI and Legacy installation, what would you recommend? | 17:41 |
martisj | morning | 19:12 |
martisj | What does a + mean next to a file in a file ls? | 19:12 |
tcstar | not the right channel i'm sure, i'm attempting to use tsung to test my server setup -- it's not generating any traffic... #tsung has been dead all weekend.. anyone with experience with this that can help? | 19:20 |
hxm | can I follow symlinks in webdav server? | 19:23 |
hxm | I added Options Indexes FollowSymLinks to the configuration but it doesn't work | 19:30 |
martisj | How can I remove custom acl settings for a specific folder? | 19:34 |
martisj | is this in the directory listing: dr- -r- -rwx+ on my folders, what does the + mean? | 19:36 |
Aison | are there any big changes in apache server between raring and saucy? | 20:07 |
Aison | I updated one server and everything still works, except the apache2 | 20:08 |
Aison | well, apache2 still works, but the virtual hosts are not found anymore | 20:08 |
Aison | sites-enabled is somehow ignored or whatever | 20:08 |
=== mc_bluebeard_ is now known as mc_bluebeard | ||
=== esde_ is now known as esde | ||
=== Rasmus`- is now known as Rasmus` | ||
=== justizin_ is now known as justizin | ||
=== arlen_ is now known as arlen | ||
dzeko | Does anyone know how to setup ntp server authentication. I only found one with the centos, but none with the ubuntu. | 20:51 |
bekks | the service is the same ;) | 20:52 |
dzeko | bekks: you've tried it before? | 20:54 |
bekks | I don't see a reason to authenticate for ntp access. If you don't want my clients being able to change the time of the ntp server, I just use nomodify. | 20:56 |
bekks | So "no." :) | 20:56 |
dzeko | bekks: because I've heard that if you don't have this, then it is possible to ddos it. | 20:58 |
bekks | Every service may be ddos'ed, regardless of unneeded authentication. | 20:59 |
bekks | nomodify is totally enough for disallowing modifications. | 20:59 |
dzeko | ok | 21:01 |
dzeko | tnx | 21:01 |
Aison | my apache server is no longer working under saucy | 21:44 |
Aison | the VirtualHosts are not matched | 21:44 |
Aison | always the default is taken | 21:44 |
Aison | what could be wrong? | 21:44 |
Aison | are there any big changes that I have to consider? | 21:45 |
Aison | when I try to access index.php of a virtual domain, always the default one is taken: | 21:47 |
Aison | [:error] [pid 29379] [client 10.0.1.1:52937] script '/var/www/default/index.php' not found or unable to stat | 21:47 |
TJ- | Aison: https://wiki.ubuntu.com/SaucySalamander/ReleaseNotes | 21:47 |
Aison | thx | 21:48 |
=== baggar11_ is now known as baggar11 | ||
Aison | TJ-, no luck. somehow VirtualHost matching is not working | 22:14 |
Aison | damn | 22:14 |
TJ- | Aison: That'll be because of the Apache 2.2 > 2.4 update. Lots of things changed. Run the configuration test option of the apache2 | 22:15 |
Aison | apachectl configtest says Syntax OK | 22:28 |
TJ- | Aison: That's good then! | 22:33 |
TJ- | Aison: Did you check the apache 2.4 upgrade guide, particularly the "NameVirtualHost" changes? | 22:34 |
Aison | yes, I didn't use it before anyway | 22:35 |
TJ- | Is it HTTP or HTTPS? | 22:35 |
Aison | HTTP | 22:37 |
TJ- | Aison: have you confirmed that the site files are being parsed? | 22:38 |
Aison | you mean the files in sites-enabled? | 22:39 |
TJ- | Yes | 22:39 |
TJ- | Look at /etc/apache2/apache2.conf, and the "IncludeOptional" statement. Does it match the naming of the files in your "/etc/apache2/sites-enabled/" ? | 22:40 |
Aison | yeah, there is an IncludeOptional sites-enabled/*.conf | 22:42 |
Aison | well, I can try to add some syntax error to one of the files and config check again | 22:42 |
TJ- | Aison: And your sites files are all named $SOMETHING.conf ? | 22:42 |
Aison | aaaaaaahhh, damn *hit head on table* | 22:47 |
Aison | some have got no conf... | 22:47 |
Aison | lol | 22:47 |
=== thumper is now known as thumper-gym |