[00:39] <halvors1> Hi!
[00:39] <halvors1> I have a setup with BIND9 and DHCPD and i'm trying to update reverse dns records from dhcp.
[00:39] <halvors1> But i get the following error on the DNS server: client 192.168.0.118#48065/key rndc-key: updating zone '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
[00:40] <halvors1> And on the dhcp server: Unable to add reverse map from 135.40.0.10.in-addr.arpa to halvors02.crew.infected.no.: not found
[00:40] <halvors1> I have no idea why this doesn't work.
[00:40] <sarnold> why is a client on 192.168.x.x updating a record for 10.x.x.x?
[00:43] <halvors1> 192.168.0.118 is the DHCP server and 192.168.0.116 is the DNS server. They just have communication via another network.
[00:43] <halvors1> And 10.x.x.x because dhcp relay :)
[00:44] <sarnold> okay, so something expected :)
[00:44] <halvors1> But i don't fully understand the NOAUTH.
[00:44] <teward> your bind9 server isn't set as authoritative for that zone
[00:45] <halvors1> Does it mean my rndc-key is bad? I've checked and it is exactly the same configuration as the forward zone.
[00:45] <halvors1> teward: How do i set it authoritative?
[00:46] <sarnold> halvors1: this guide makes me think you can make it authoritative by adding "recursion no;"
[00:46] <sarnold> https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
[00:50] <halvors1> sarnold: I don't get the: client 192.168.0.118#48065/key rndc-key: updating zone '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
[00:51] <halvors1> Anymore, but i still get the: Unable to add reverse map from 135.40.0.10.in-addr.arpa to halvors02.crew.infected.no.: not found
[00:51] <halvors1> error
[00:52] <halvors1> What confuses me the most is the not found message reported by the dhcp server.
[00:52] <sarnold> halvors1: ooh, this looks useful: http://community.spiceworks.com/topic/174078-isc-dhcp-and-bind-doing-ddns
[00:53] <sarnold> halvors1: looks like you need to add another zone nnn.nnn.nnn.nn.in-addr.arpa { } block to your dhcpd config
[00:55] <halvors1> I have that zone in dhcpd already.
[00:56] <sarnold> do you need to reload the server to know about it? (sorry, but I've gotta ask :)
[00:56] <halvors1> huh? Of course i reloaded both bind and isc-dhcp-server
[00:56] <halvors1> :)
[00:56] <halvors1> Here is a dump of my dhcpd.conf file: http://pastebin.com/G6RKKNNr
[00:59] <sarnold> halvors1: hmm, looks like rndc-key is still in the paste
[01:01] <halvors1> yep :P
[01:02] <halvors1> But it's just a lan dns server ;)
[01:02] <halvors1> hmm.
[01:02] <sarnold> halvors1: sorry, I'm not spotting it :(
[01:03] <halvors1> Basically it seems like the issue is that somehow bind is complaining that the zone doesn't exist...
[01:03] <halvors1> But cannot figure out why...
[01:03] <sarnold> halvors1: but the error is coming from dhcpd, right?
[01:03] <halvors1> yes
[01:03] <sarnold> halvors1: you could ltrace the thing, you might get lucky..
[01:03] <halvors1> I've tried manually with nsupdate
[01:03] <halvors1> http://pastebin.com/7M70ybeh
[01:04] <halvors1> ltrace?
[01:04] <sarnold> ltrace is like strace, but shows (some, but not all) function calls
[01:05] <halvors1> Here is my zone from bind btw: http://pastebin.com/6YSyQwv0
[01:05] <halvors1> Seems ok, right?
[01:05] <sarnold> halvors1: is that leading "0." alright?
[01:06] <halvors1> Is it just zone "40.0.10.in-addr.arpa" { you mean?
[01:06] <halvors1> Keep in mind that this is bind configuration not dhcpd.
[01:07] <sarnold> halvors1: yea, I just don't know bind all so well :)
[01:07] <halvors1> hmm.
[01:08] <halvors1> The zero seems to be correct.
[01:08] <sarnold> okay
[01:17] <halvors1> sarnold: hmm. I'm gonna need to continue looking at this tomorrow :) Thanks for help so far ;)
[01:17] <sarnold> halvors1: good luck :) I'd be curious to hear what it is when you find it
[01:17] <Patrickdk> :)
[01:18] <Patrickdk> the last time I used bind and dynamic updates was like 10 years ago
[01:18] <Patrickdk> the zero is not correct :)
[01:19] <Patrickdk> the 0 would be a dns record (ptr) within the zone
[01:19] <Patrickdk> not the whole zone
[01:19] <halvors1> hmm.
[01:19] <halvors1> Are you sure?
[01:19] <Patrickdk> well, I haven't used bind since like 2005
[01:20] <Patrickdk> but I have been serving up zone entries since 1998
[01:20] <sarnold> this looks like no zero .. http://www.zytrax.com/books/dns/ch3/
[01:20] <Patrickdk> http://www.philchen.com/2007/04/04/configuring-reverse-dns
[01:21] <sarnold> Patrickdk: hrm, that includes the 0 :)
[01:21] <Patrickdk> no it doesn't
[01:21] <sarnold> zone "0.168.192.in-addr.arpa" IN {
[01:21] <sarnold> oh
[01:21] <Patrickdk> 3 places
[01:21] <sarnold> sigh
[01:21] <Patrickdk> not 4 :)
[01:21] <sarnold> me fail reading
[01:21] <sarnold> that's unpossible!
[01:21] <Patrickdk> :)
[01:21] <Patrickdk> wait till you start learning about sub/24 ptr forwarding :)
[01:22] <Patrickdk> like when an isp needs to give you reverse for a smaller than /24 block :)
[01:22] <Patrickdk> or for that matter, anything not on a Class A/B/C boundary
[01:22] <halvors1> :)
[01:23] <halvors1> It is /24 subnets i'm gonna provide reverse dns for :)
[01:23] <Patrickdk> no, the end person, doesn't matter :)
[01:23] <Patrickdk> it can be *too* large, without side effects
[01:23] <Patrickdk> it's when you have to correctly forward that info, it gets interesting
[01:24] <Patrickdk> enough they wrote rfc's for it :)
[01:25] <halvors1> Ah, excellent.
[01:25] <halvors1> Now got it actually working over here :D
[01:26] <halvors1> Thank you very much all of you :)
[01:26] <halvors1> The problem was the 0.
[01:26] <sarnold> Patrickdk: nice :)
[01:26] <halvors1> My zone in bind now looks like: http://pastebin.com/yrvB0sRW
[01:27] <halvors1> agh, have to remember that for future installations :)
[01:28] <Patrickdk> hmm, I wonder if I can ban more ips now :)
[01:29] <Patrickdk> http://www.inmotionhosting.com/support/news/general/wp-login-brute-force-attack
[01:29] <Patrickdk> been having that *issue*
[01:29] <Patrickdk> not enough to really even be noticeable
[01:29] <Patrickdk> but well, bruteforcing shouldn't be allowed
[01:30] <halvors1> YEah :)
[01:33] <sarnold> Patrickdk: heh, crazy, they don't include firewalling :/
[01:33] <Patrickdk> wouldn't that block the ability for people to use wordpress then? :)
[01:33] <Patrickdk> heh, makes me really happy though that I'm on debian/ubuntu
[01:34] <Patrickdk> apparmor is so much more usable than selinux to lock down this crap
[01:35] <sarnold> Patrickdk: dropping packets from login-bruteforcers is unlikely to upset too many legitimate users :)
[01:35] <Patrickdk> sarnold, tell that to my users :)
[01:35] <Patrickdk> I had it dropping packets after 10 logins per minute
[01:35] <sarnold> Patrickdk: oh they try to log in as admin a few hundred times without the right passwords? :) hehe
[01:35] <Patrickdk> I dunno why users were hitting up the login page so often :)
[01:35] <sarnold> haha
[01:36] <Patrickdk> the other part that annoys me :)
[01:36] <Patrickdk> is the wordpress ajax script
[01:36] <Patrickdk> *NORMAL* users hit that up like 3 times a second
[01:36] <Patrickdk> that totally triggers all my anti-dos protection
[01:36] <sarnold> wow..
[01:37] <Patrickdk> where anti-dos is set for, same url, same ip, loads same thing, >100 times in 5min
[01:37] <Patrickdk> sounds reasonable? :)
[01:39] <sarnold> yup :)
[13:11] <punkgeek> how to install ssl on ubuntu?
[16:40] <punkgeek> ListenAddress 192.168.1.2, 192.168.1.3 is it true in sshd_config ?
[18:07] <funman___> hi folks
[18:07] <funman___> who used those?
[18:07] <funman___> http://www.soyoustart.com/us/essential-servers/
[18:21] <funman___> ??
[18:22] <Patrickdk> only you
[18:22] <funman___> ??////??/
[18:22] <funman___> oki
[18:22] <funman___> Patrickdk: which one do u use?
[18:23] <Patrickdk> my own?
[18:23] <funman___> how?
[18:23] <funman___> its cost alot to colo
[18:23] <Patrickdk> place order, receive server, install software, buy datacenter, install into datacenter
[18:24] <funman___> eeee
[18:24] <funman___> buy datacentre?
[18:24] <funman___> u mean colo space?
[18:24] <Patrickdk> sure :)
[18:24] <Patrickdk> well, if you're small
[18:24] <funman___> but I just want 1 server :P
[18:24] <funman___> hehe
[18:24] <Patrickdk> it's cheaper to own the datacenter
[18:24] <funman___> how come?
[18:24] <funman___> it cost millions
[18:24] <Patrickdk> and how much would it cost to *rent* a datacenter?
[18:24] <Patrickdk> at least 4x that price
[18:25] <Patrickdk> why does everyone want to get *bigger*?
[18:25] <Patrickdk> cause you can save more money, when you're larger
[18:25] <Patrickdk> till you become management heavy
[18:25] <funman___> I want to rent 1 to 2 boxes
[18:25] <Patrickdk> :)
[18:25] <funman___> surely cheaper to rent?
[18:26] <funman___> datashag got some cheap enough
[18:26] <Patrickdk> those are a strange collection of *desktop* machines
[18:26] <Patrickdk> that is why those are cheap
[18:27] <Patrickdk> it's just a normal desktop
[18:27] <Patrickdk> most of them don't even have ecc
[18:27] <Patrickdk> but it all depends on your requirements
[18:28] <funman___> i want it cheap
[18:28] <funman___> and big
[18:28] <funman___> ::)
[18:29] <Patrickdk> what is *big*?
[18:29] <funman___> 32 MB ram
[18:33] <funman___> so you start also offers anti ddos
[18:33] <funman___> :D
[18:33] <funman___> for free
[18:33] <Patrickdk> there is no such thing as anti-ddos
[18:34] <funman___> they claim they offer it
[18:34] <Patrickdk> what they claim, and what it's called, are going to be two totally different things
[18:34] <funman___> means site will stay online
[18:34] <funman___> how come?
[18:34] <Patrickdk> how can it stay online?
[18:34] <funman___> they absorb extra BD
[18:35] <Patrickdk> extra bandwidth?
[18:35] <Patrickdk> what about your cpu? what about your server?
[18:35] <Patrickdk> and what about all those legit clients attempting to access you?
[18:35] <Patrickdk> absorbing bandwidth costs != site is still usable
[18:35] <Patrickdk> just means you won't get a huge bill
[18:35] <Patrickdk> not that things will work
[18:36] <funman___> what about All OVH servers will benefit from automatic anti-DDoS mitigation by default in the event of an attack (reactive mitigation).
[18:36] <funman___> Anti-DDoS PRO: Subscribing to professional use for your server enables access to permanent mitigation (the permanent settings) and configuration of the Firewall Network.
[18:36] <funman___> but how do they perma mitigate it?
[18:37] <Patrickdk> dunno :)
[18:37] <Patrickdk> how do they know a ddos from just normal usage?
[18:37] <Patrickdk> the first time your site goes viral, it will be considered a ddos
[18:37] <Patrickdk> at the moment you DONT want it to go down
[18:38] <funman___> I think thei offer tilera
[18:38] <funman___> instant scale of cpus cores
[18:38] <funman___> http://www.tilera.com/
[18:40] <funman___> i dont know how they do it but it works
[18:40] <funman___> my mate hosts a site that is often ddosed with them
[18:40] <funman___> fine
[18:40] <funman___> Hetzner simply nulls the IP
[18:43] <Patrickdk> see, I do it the other way
[18:43] <Patrickdk> I just have enough servers to not be ddos
[18:43] <Patrickdk> and will block on an as-needed basis to stop abuse
[18:44] <Patrickdk> but I don't want stuff to be blocked in case of a spike
[18:44] <funman___> well say u got 1 box
[18:44] <funman___> then its tricky
[18:44] <funman___> :D
[18:44] <funman___> do u also offer hosting?
[18:44] <funman___> :D
[18:45] <Patrickdk> not for a private server
[18:46] <funman___> for what then?
[20:50] <blackdev1l> hello after i uninstalled nginx from my server i can't use the port 80, i stopped the service and rebooted, what am i missing?
[20:50] <funman___> hmm
[20:50] <funman___> apt-get purge
[20:50] <funman___> also u missing apache
[20:50] <funman___> or some webserver
[20:50] <funman___> to serve http on port 80
[20:50] <funman___> :D
[20:51] <funman___> or run ls
[20:51] <funman___> ls
[20:51] <funman___> or lsof -l
[20:51] <funman___> something like that
[20:51] <funman___> to see ports
[20:51] <blackdev1l> funman___, i'm using a node.js app, if i change port it works .
[20:51] <blackdev1l> something is blocking the port 80
[20:52] <blackdev1l> and other than nginx i can't think of other things
[20:52] <funman___> run some command to list all ips and ports
[20:52] <funman___> then u know for sure
[20:52] <blackdev1l> i did, nothing is running on 80
[20:53] <Patrickdk> heh? that seems hard to figure out
[20:53] <Patrickdk> why not just use, netstat -antp
[20:53] <funman___> netstat -lnptu
[20:53] <funman___> :D
[20:56] <blackdev1l> https://gist.github.com/blackdev1l/1ce488497280fca4d0da funman___  Patrickdk
[20:56] <blackdev1l> :(
[20:56] <Patrickdk> you are running it as *root* right?
[20:56] <blackdev1l> y
[20:57]  * Patrickdk has no idea what a single letter means, you can talk right?
[20:57] <funman___> w
[20:57] <blackdev1l> ....it's not like you can't think what y mean while you type it on terminal uh?
[20:57] <funman___> w u s?
[20:58] <funman___> :D
[20:58] <blackdev1l> yes btw
[20:59] <Patrickdk> y? sounds like why? but could be short for yes? but then I don't even know what you're thinking so who knows
[20:59] <Patrickdk> and I shouldn't have to FORCE myself to decipher your encryption
[21:00] <Patrickdk> that is taking free support, too far
[21:00] <blackdev1l> or maybe you can be just a little less pedantic and expect more a yes to a "yes/no" question
[21:00] <blackdev1l> but, whatever, thank you for the support
[21:00] <Patrickdk> I expect answers, not letters
[21:00] <Patrickdk> this is not a scantron test
[21:01] <blackdev1l> someone has an idea about my prior question ?
[21:03] <funman___> netstat -lnptu pastebin
[21:05] <blackdev1l> i did funman___
[21:05] <blackdev1l> https://gist.github.com/blackdev1l/1ce488497280fca4d0da funman___
[21:05] <blackdev1l> i know that something is blocking the 80 port because if i change to default one it just works
[21:06] <funman___> ok try reboot
[21:06] <funman___> :D
[21:06] <funman___> that can fix it
[21:07] <blackdev1l> i already did :( i'm so lost with this problem
[21:07] <Patrickdk> heh, there are only 3 possible things it could be :)
[21:07] <Patrickdk> and reboot is never an answer
[21:08] <funman___> it is
[21:08] <funman___> hehe
[21:09] <Patrickdk> if reboot is the answer, then it was a program running, and that program *failed* to restart
[21:09] <Patrickdk> so really, you have two more issues, on top of your issue :)
[21:10] <funman___> blackdev1l: reboot and see
[21:10] <funman___> :D
[21:11] <blackdev1l> doesn't work
[21:15] <funman___> oki
[21:15] <funman___> top
[21:15] <funman___> and kill all processes u dont know
[21:15] <funman___> what they're for
[21:15] <funman___> :D
[21:15] <blackdev1l> ahah
[21:16] <blackdev1l> i think i'll give up and use apache
[21:16] <blackdev1l> and do some proxypassReverse
[21:19] <Patrickdk> funman, won't help
[21:19] <Patrickdk> that isn't the problem, already confirmed using netstat
[21:19] <Patrickdk> using apache, likely will work around the issue
[21:19] <blackdev1l> yeah
[21:19] <blackdev1l> :\ kinda bad though
[21:20] <Patrickdk> bad?
[21:20] <Patrickdk> that you don't know what to fix?
[21:20] <Patrickdk> guess so
[23:03] <SP33D> little question
[23:31] <zeroNones> hey guys Im trying to copy files from my local computer to a remote server but I need to copy them to a root owned directory via my user. Is there a way to request sudo on transfer?
[23:32] <zeroNones> I have scp www_example_com.csr ubuntu@165.000.000.200:"/etc/nginx/ssl"
[23:52] <pmatulis> zeroNones: is this a one-off thing?
[23:54] <pmatulis> zeroNones: if so, you can scp to a directory the ubuntu user can write to, ssh to the server, and use sudo to copy that file under /etc/nginx/ssl.  if not, make the /etc/nginx/ssl directory writable by user 'ubuntu', or his group