=== Ursinha-afk is now known as Ursinha
=== aarcane_ is now known as aarcane
[02:38] I am hosting an ssh server behind a router. I already port forwarded port 22 to my server, and it was accessible via public IP until yesterday when it suddenly decided to stop working, though accessing through the local IP is fine (OpenSSH). What might be the cause of this?
[02:42] heh?
[02:42] what does router and portforwarding have to do with each other?
[02:43] you mean behind a nat firewall?
[02:43] yes
[02:46] #s
[02:46] xop: did your public ip change?
[02:46] xop: ipchicken.com
[02:47] no
[02:47] i checked that
[02:47] xop: What happens when you try to connect?
[02:47] timeout
[02:47] nothing
[02:48] no prompt for password
[02:48] it is just weird.. it was fine (public access) until last night
[02:49] xop: tracepath some.ip.add.ress
[02:50] did you install something like fail2ban?
[02:50] sshguard yes
[02:50] xop: sshguard is a windows application isn't it?
[02:50] !info sshguard
[02:50] sshguard (source: sshguard): Protects from brute force attacks against ssh. In component universe, is optional. Version 1.5-5 (trusty), package size 123 kB, installed size 333 kB
[02:50] nvm me
[02:50] xop: that's probably blocking you then.
[02:50] eh
[02:51] let me check on that
[02:54] i[i
[02:55] holy hell you were right
[02:55] xop: so you entered your password wrong too many times
[02:55] that's the most random and awesome guess at a connectivity problem I've seen yet lol
[02:55] i did not access it last night
[02:56] somebody must have...
[02:56] i have a shared account and device so i guess that must be it
[02:56] xop: sshguard shouldn't be blocking everything if someone tries to access. If it is, uninstall it and install fail2ban
[02:57] ah wlp
[02:57] welp*
[02:57] xop: sshguard should just add a rule to block whatever IP was trying to login multiple times.
[02:58] well the default limit is 4 so a little mistyping can result in banning
[02:58] perhaps i should change that
[02:58] Thank you for the help
[02:59] I must get going. Awesome hunch btw
[02:59] xop++
[03:00] derek, not random at all :)
[03:00] hey guys, for a standard upstart script, how could I let upstart track the process status?
[03:01] dunno, I need to get moving on my upstart scripts
[03:01] have to rewrite them all to systemd now :(
[03:01] why
[03:01] version 14 ubuntu using systemd only?
[03:01] upstart sucks
[03:01] you don't read the news I guess
[03:01] http://www.markshuttleworth.com/archives/1316
[03:02] what the fsck
[03:02] so init -> upstart -> systemd
[03:03] when is it going to settle
[03:03] well, I think it was odd for ubuntu to go upstart
[03:03] systemd devs are kind of an ass
[03:03] so I'm conflicted both ways
[03:03] royk, systemd wants to bend the system to their will
[03:04] they have attempted to make kernel changes for things they broke in systemd
[03:04] lots of fun
[03:08] I got it
[03:08] nevermind
[03:09] Patrickdk: why are you rewriting them now? Just to be ahead of the curve?
[03:09] need them for 16.04
[03:09] :)
[03:09] Patrickdk: you have 2 years
[03:09] I have around 18 months
[03:09] then I will be definitely in testing
[03:09] technically 5 years but meh
[03:10] 5?
[03:10] you want me to upgrade when it's going eol?
[03:10] yeah if you are a procrastinator
[03:10] and you don't want me to build any new servers using the newer version
[03:10] normally, I have things fully tested a month before release
[03:10] so I can be filing lots of bug reports :)
[03:11] and hope they get fixed
[03:12] Patrickdk: in theory you shouldn't run your production infrastructure with the latest version
[03:12] heh?
[03:13] so upgrading 8 months after release is unacceptable?
[03:13] I am serious
[03:13] yeah
[03:13] even if I fully tested it?
[03:13] it took us 2 years to migrate from Lucid to Precise
[03:13] management decided to stay on Precise a while
[03:13] Patrickdk yes it's acceptable.
[03:13] and why?
[03:14] Patrickdk: 10 server deployments every month make us very busy
[03:14] well, that sounds like your issue :)
[03:14] we don't have time to test and retest production systems with the latest release
[03:14] my issue is making sure it tests good
[03:14] OH
[03:14] QA engineer ? LO
[03:14] LOL
[03:15] all my critical systems have been upgraded already to trusty
[03:15] Patrickdk 12.04 still works. use it or don't. it's supported for 5 years. unless your deployment NEEDS the very latest, greatest, shiniest stuff, why would you, lemming-like, upgrade the instant the new version hits? wait for the first point release at least.
[03:15] the other ones, I haven't, cause of other issues, like php changes
[03:15] those will likely get side-by-side deployments
[03:15] Patrickdk: actually our developers have their code written on precise
[03:15] you mean, it's supported for 2.6 years :)
[03:15] so the effort to move to a new version is huge
[03:16] or 3.6, something like that
[03:16] Patrickdk: it's enough until we change to a new job :P
[03:16] I'm not going anywhere
[03:16] I think eventually we will hire someone to do it or I will already have changed jobs
[03:17] this is my 4th time
[03:17] centos runs like what, 10 years
[03:17] this time has been perfectly smooth so far
[03:17] centos is likely to run 2 months
[03:17] Patrickdk: no ?
[03:17] Patrickdk: they hardly do big version changes
[03:17] I have no love for centos
[03:17] likely better now with rhel backing them
[03:18] but getting security updates 2-3 months late
[03:18] is not something that is acceptable
[03:18] but you get what you get for free
[03:18] lots of rhel installs
[03:18] lots of ubuntu installs
[03:18] for me I find it easier to manage Centos
[03:18] no centos
[03:18] than ubuntu
[03:19] I always found rpm a huge pain, and deb worked better
[03:19] how so ?
[03:19] rpm always broke my systems every time it updated software
[03:19] * lkthomas never had that problem
[03:19] rpm doesn't track installed files
[03:19] if you delete a file, it will magically return
[03:20] if that file caused a config issue, well, your software just broke
[03:20] we are using puppet to manage that crap
[03:20] it will never get into problems
[03:20] puppet doesn't fix it
[03:20] Patrickdk: puppet is a workaround
[03:20] though it can make sure it's corrected
[03:20] yeah
[03:21] anyway
[03:21] brb
[03:21] need to work on puppet again
[03:21] LOL
=== Sachiru is now known as Guest45106
=== Sachiru_ is now known as Sachiru
=== Sachiru is now known as Guest20043
=== Sachiru_ is now known as Sachiru
=== a1berto_ is now known as a1berto
[08:16] I might want to add a wifi-AP/router function to my home server. I am looking into buying http://www.compex.com.sg/productdetailinfo.asp?model=WLE900VX as a network card; how well is it supported in ubuntu?
[09:02] I have an application that requires several open tcp sockets, and i'd like to increase the default tcp limit on open connections. where can i do this?
=== Adri2000_ is now known as Adri2000
[14:45] hallyn: hi! would you mind joining #apparmor on oftc?
[14:45] hallyn: I have the developer of the libvirt-lxc apparmor patches there and he is looking at fixing that bug for us
[14:46] hallyn: he has an unrelated question about libvirt-lxc being started in the net namespace and I thought you might be able to answer his question better than I
[14:47] hallyn: (that bug being bug #1331081)
[14:47] Launchpad bug 1331081 in libvirt "please split libvirt-driver apparmor abstraction for qemu and containers" [Wishlist,Triaged] https://launchpad.net/bugs/1331081
[15:54] Hi. Working a Canonical support ticket 00069682. I have a large file (900mb) to upload and getting connection refused on ftp to archive.admin.canonical.com. Don't know if that is 'normal' for that machine.
[15:55] What is the attachment limit for Launchpad?
[16:05] Trying to find this specific version of qemu-kvm and dbgsyms for coredump analysis: 1.2.0+noroms-0ubuntu2.12.10.7~precise1+lp1309676debug. I have precise repos enabled and can't find it.
[16:08] rickbeldin: upload it somewhere and link to it - guess you have a webserver somewhere?
[16:09] RoyK: I can do that, but Greg Vallande gave me the ftp site yesterday for the 64gb (!) core dump. I assumed he wanted it in the same place.
=== gaughen_ is now known as gaughen
[16:29] Hey all. I am trying to boot the Alternate i386 Server (14.04) on a bit of old hardware. USB stick is a no-go: blank screen on boot. USB CD boots, but hangs immediately at language selection (complete block: NUM lock does not toggle). Please advise.
[16:30] Lachezar: try 10.04 or 12.04 to try and pin it down?
[16:30] I wonder if this is related to lack of non-pae support now.
[16:30] Though I think it gives you a message in that case.
[16:31] rbasak: the machine has 1G RAM, and is a Celeron, so no PAE and no x64.
[16:31] Lachezar: PAE has been required recently.
[16:31] I have a 10.04.03 server iso. Trying it out. I'll be back...
[16:32] I think the pae requirement came into play for 12.04
[16:34] That's my memory too - though in 12.04 it was possible to get a non-pae machine to work using the netinst iso or something. I have a non-pae 12.04 machine that works.
[16:47] 10.04 booted, now what can I do to have 14.04 installed? Custom CD? Or LTS-Upgrade-x2?
[16:48] Lachezar you can do an LTS to LTS upgrade to 12.04 > 14.04 or download 14.04 and do a clean install
[16:49] cfhowlett: 14.04 won't boot. That's why I'm trying the 10.04 CD, which actually boots and does not hang.
[16:50] I'd very much like to install 14.04 straight away, without the LTS upgrade path.
[16:50] Lachezar 14.04 won't boot? why not?
[16:51] cfhowlett: hangs on language selection.
[16:53] Lachezar odd behavior - not sure that direct upgrade would avoid the issue, but ... sorry but 10.04 > 12.04 > 14.04 is your upgrade path
[16:55] cfhowlett: people here suggested it has something to do with PAE missing.
[16:57] Lachezar I can't comment - not enough knowledge
[16:58] Hello. I'm trying to disallow access to a specific port on my server with iptables. This is what I tried: http://pastie.org/9368600 - but it's not working. What am I doing wrong?
[16:58] you can't upgrade to 14.04, if you don't have pae or x64 support
[16:59] oh, 12.04 will work
[16:59] but >12.04 won't
[17:00] no, I'm wrong :(
[17:00] 12.04 needs it too
[17:00] http://www.webupd8.org/2012/05/how-to-install-ubuntu-1204-on-non-pae.html
[17:00] doubt that is recommended though
[17:16] patdk-wk: So basically I'm stuck with 10.04 on that machine?
[17:17] Good evening.
[17:18] sounds like you could upgrade to 12.04, but it won't be much fun
[17:18] and then, dead end, yes
[17:19] you could always compile your own kernels
[17:19] hard to believe I used to do that for _fun_
[17:19] :)
[17:20] I used to have lots of fun with the 2.0 and 2.2 kernels
[17:20] lots of patches and stuff I worked on in them
[17:20] yeah, back in those days you -could- read through the whole menuconfig in an afternoon and see what the world had to offer :) hehe
[17:20] now if I could quit my jobs and stay at home all day like back then :)
[17:20] haha
[17:23] sarnold, it's not just going to be a kernel issue is it?
[17:23] aren't all packages compiled with those options?
[17:23] and that old cpu support is going to have issues with instructions not existing
[17:23] besides just pae
[17:25] patdk-wk, Lachezar, oh this is the 'hangs at language selection' thing.. can you try again with a ps2 keyboard? iirc that was a usb keyboard problem :P
[17:27] I dunno, I'm just suggesting, he is likely to have more issues, if he does solve the pae issue :)
[17:27] sure could be
[17:28] heck depending upon the 12.04 installer people use they might run into issues. the original 12.04 discs might be best for long-term support for some older hardware, those get the full five years of support, I think the intermediate "hwe" kernels in the newer discs will drop out of support when 14.04.1 is released.
[17:31] hell, last night I surprised myself, I still have a machine running 32bit
[17:31] nice :)
[17:32] Can someone tell me how I can have an SSH user jailed to their var/www/sitename.com ?
[17:32] For example, I have multiple sites, for multiple clients. I want to give them SFTP access to their site only
[17:32] again?
[17:33] michaelaguiar: check ChrootDirectory in the sshd_config(5) manpage
[17:33] but it's not likely to work the way you want :)
[17:34] if you want something easier, try proftpd
[17:34] ok I'll try proftpd
[17:34] but then, you can't have ssh and proftp/sftp on the same port
[17:35] patdk-wk: oh? why wouldn't chrootdirectory work out for sftp?
[17:35] it does work :)
[17:35] oh okay
[17:36] Hmm, would it work if I jail the users to their home directory, and link any file they need into that home directory, so that they can upload and it can just sync over?
[17:36] it just has very insane settings to make it work
[17:36] now, those insane settings are nice, it makes it very secure
[17:36] maybe a symlink or something?
[17:36] you can't symlink outside a chroot
[17:36] that is the whole point of the chroot
[17:36] michaelaguiar: symlinks are resolved relative to the 'root' they live in. it can lead to madness.
[17:36] to not allow it
[17:36] ah
[17:37] * Lachezar has had enough for today. The 'server' has a 10.04.3 installation.
[17:37] Thanks for the pointers everyone.
[17:37] What would you guys recommend then? just using proftpd or trying to use ChrootDirectory
[17:38] And in the chroot path, would it be best to have that user's site served from their home directory, instead of /var/www?
[17:43] sarnold: do you know how I can use the ChrootDirectory method, but have the user access his site in /var/www?
[17:45] michaelaguiar: why not just chroot them right into their directory and not force them to know a /var/www/ prefix?
[17:45] sarnold: that's what I want to do
[17:45] can I chroot them to a directory that is not their home?
[17:46] with ssh? don't think so
[17:47] I didn't think so
[17:47] but the bigger issue will be the permissions on the /var/www folder to make that work
[17:48] Might as well just use proftpd for this case
[17:49] thanks for the info guys
=== ashleyd is now known as ashd
[19:04] is ACL a good solution for locking people to specific directories?
[19:08] Are any of you aware of a GUI that makes it significantly easier to use Ubuntu as a router? We've got a box already running as a router, but I have to believe there is a better way to manage IP forwards and whatnot than straight IPTables
[19:14] FunnyLookinHat: I forget the name but there are for sure GUI tools for iptables.
[19:15] If all you require is basic iptables support: gufw.
[19:17] lordievader, is there a web-GUI version of gufw? We run our servers headless... :)
[19:19] FunnyLookinHat: There's a cli version, but then you can just write iptables ;)
[19:19] lordievader, hehe - well the problem is managing a lot of iptables rules... they're quite... unruly :)
[19:19] I've made the mistake of writing a badly written iptables rule one too many times
[19:20] ufw is pretty straightforward from the CLI. I prefer to edit /etc/iptables/rules.v? manually
[19:20] ufw might not be the best choice for routers though :)
[19:20] whooops missed that
[19:21] Yeah the big thing we want to be able to do is easily set up one-to-one forwards
[19:22] vuurmuur looks pretty nifty
[19:22] rberg, Ah that one is cool - I'll dig into it a bit
[19:23] FunnyLookinHat: some pals really liked this, dunno if I could ever get the hang of it though: http://ferm.foo-projects.org/download/2.0/ferm.html
[19:23] sarnold, ooh, nested rules! Very cool
[19:24] FunnyLookinHat: probably you know iptables well enough, better than I do, that it'd be easy, but whether it is enough of an improvement over iptables, no idea :)
[19:24] * patdk-wk loves shorewall
[19:24] Yeah I mean - I know how to use IPTables well enough... this is more of a "what if my tech wants to set up a server that grabs one of our external static IPs so that a customer could test something"
[19:25] I seriously miss ipf/pf -- I found that one pretty easy to use. (which is part of why I like ufw, it's close to pf, but it is just a front end with assumptions, rather than a native full language. oh well.)
[19:25] I was good at making iptables manually
[19:25] but it becomes too much work to maintain and audit
[19:25] shorewall makes it much simpler
[19:25] http://shorewall.net/NAT.htm very cool :)
[19:26] not sure if it will solve *that* issue though
[19:27] I tried fwbuilder, didn't really like it :(
[19:28] patdk-wk, yeah but it'd make writing a web-gui much easier
[19:29] ya, my iptables was getting to be around 300 lines
[19:29] just became unmanageable
[19:29] shorewall makes it even more secure, but does increase it to around 1200 iptables lines
[19:29] but it's also quicker :)
[19:46] quick apache2 question, how does it know to use /etc/apache2/sites-enabled as a config directory?
[19:48] ttoll_renci: IncludeOptional sites-enabled/*.conf
[19:49] oh, thanks, didn't look at the apache2.conf file, used to RHEL packaging
[20:37] how to start a VM with VBoxHeadless at startup on Ubuntu Server 12.04?
=== xnox is now known as xnox_
=== xnox_ is now known as Eisbrecher
=== Eisbrecher is now known as Eisbrecher_xnox
[21:48] hi, anyone know what version of tomcat gets installed in ubuntu server 14.04 LTS when you select it during install?
[22:03] Hi, does anyone have any experience with LXC? I'm having some issues reaching a server from a container, but not from the host.
[22:37] Hello, I wonder if this is a good solution. I'm thinking of installing a MAAS solution with four servers and then installing iredmail on top of them. Is this a smart solution and a doable solution? If not, what is a good solution for a stable email solution?
[22:39] how is the auto screen off/blank configured in 13.10 server?
[22:41] oh and also the kernel message behaviour?
[22:42] I'm recovering a disk with safecopy and getting a lot of "buffer I/O error on device dev/sdb" in all my ttys
[22:42] and my tty fors go blank so I have to type in the safecopy output to see it again lol
[22:43] *ttys -for
[22:43] **my ttys go
[22:47] interestingly screen contains kernel messages in an empty area of a split
[22:49] oh, no it doesn't, the regions scroll away with the outside bbbbuffer
[22:49] *buffer ... odd =/