[00:31] Hey guys so I just installed Ubuntu Server and I hooked it up to my MacBook via ethernet then I ran ifconfig, but the only thing I saw was lo
[00:42] IronDev, is the linux box now connected to a router and to the MacBk?
[00:43] PryMar56 Directly to the mac
[00:45] IronDev, you might need to make a static config for the NIC on Linux to match the subnet for Mac.. like 10.0.2.0 or ?
[00:47] PryMar56 Can I use a DHCP server
[00:47] for the openstack installation on ubuntu-server, I was going to setup 3 node cluster
[00:47] what is the best way to setup openstack?
[00:48] harushimo there's an iso
[00:48] I have the ubuntu server iso
[00:48] I installed it on VM
[00:49] IronDev, I can't grok your setup
[00:49] prymar56 grok?
[00:49] picture it
[00:49] IronDev: is there an openstack iso just for ubuntu?
[00:51] IronDev, what was supposed to happen? Is the Mac on Wifi, then you used the spare ethernet port to bridge the Linux to internet?
[00:52] harushimo http://www.ubuntu.com/cloud/ubuntu-openstack
[00:53] prymar56 exactly there's a feature in mb settings
[00:54] IronDev, do you know all the config files for Ubuntu?
[00:54] */interfaces, fstab, resolv.conf
[00:55] PryMar56 interfaces only
[00:55] Internet sharing on Mac OSX has little to do with ubuntu
[01:00] vonsyd0w A small bit of info won't change the topic will it?
[01:01] IronDev: do I have to create seven VMs?
[01:01] IronDev: http://www.ubuntu.com/download/cloud/install-ubuntu-openstack
[01:02] i'm looking at these instructions
[01:04] harushimo I don't think so but 3 is good
[01:04] IronDev: Right now, I setup node 1, node2, node3
[01:04] thanks
[01:04] I'm reading the documentation on openstack site too
[01:05] IronDev: thanks for the help
[01:06] harushimo no prob
[01:06] IronDev: Can I ask you one other small question?
[01:06] ye
[01:07] IronDev: from step 2 onwards, do those repos need to be installed on every node?
[01:08] IronDev: then I'll do it on all the nodes
[01:10] harushimo Ya I think
[01:11] IronDev: I'll keep you updated
[01:11] thanks again
[01:11] harushimo I gtg soon
[01:11] harushimo But you can memoserv
[01:12] IronDev: I'm good right now
[01:12] what's memoserv?
=== zz_DenBeiren is now known as DenBeiren
=== cripperz is now known as CripperZ`
=== PryMar56 is now known as Fusaichi_Pegasus
[02:41] Hi all. I'm putting together a mail server but must have messed up somewhere. Using postfix + spamassassin + spamass-milter, communicating through a socket. But my mail.log contains the following every time the pipe is used:
[02:41] May 2 05:44:41 myhostname postfix/smtpd[15597]: warning: milter unix:/spamassassin/spamd.sock: unreasonable packet length: 1397768525 > 1073741823
[02:41] May 2 05:44:41 myhostname postfix/smtpd[15597]: warning: milter unix:/spamassassin/spamd.sock: read error in initial handshake
[02:42] Anyone seen this before and recognise the problem?
=== Lcawte|Away is now known as Lcawte
[07:33] hello all, i need to forward ssh tunneling when someone is connecting to my server from outside? i need to proxychain that connection to 127.0.0.1:777 how can i do this?
[08:51] Good morning.
[08:53] hi. the local dnsmasq thing does not really work out for me (it's flaky, sometimes hostnames don't get resolved for some tries and then they do. problems i don't have when the dns is in /etc/resolv.conf directly)
[08:54] any solutions for keeping networkmanager for the most part but not for dnsmasq?
[09:00] swizgard: Change the NetworkManager's config.
[09:01] swizgard: In Gentoo you add dnsmasq by doing [1], so I guess try to find that and remove it. [1] https://wiki.gentoo.org/wiki/NetworkManager#Dnsmasq
[09:06] lordievader: i changed "dns=dnsmasq" to "dns=none", but this just makes dns stop working completely
[09:06] swizgard: Try commenting the line ;)
[09:08] huh!
[09:09] that almost sounds as if it might work (-:
[09:38] how to forward user ssh connection to proxychains on server side?
[09:41] Alina-malina: proxy chains?
[09:41] yes
[09:41] proxychains
[09:41] Never heard the term before
[09:41] what is it?
[09:41] a chain of proxies
[09:41] for ssh?
[09:42] no
[09:42] tcp connection
[09:42] You have [ client - proxy - proxy - proxy - proxy - destination ]
[09:43] And the proxy is a simple forwarder, ie. a router?
[09:45] If that is the case, client only knows about the first proxy/router
[09:46] no it's not the case
[09:46] i have a client
[09:46] he connects over ssh to my server via tunneling browsing webpages
[09:46] so what i want is to forward his browsing over proxychains and not my server ip directly
[09:46] got it?
[09:47] Alina-malina: I have no idea what you are saying, you are mixing up technologies in your explanation until it makes no sense.
[09:47] i want to control his access
[09:47] wow ur stupid
[09:47] its basic stuff
[09:48] Alina-malina: Maybe ask the question to someone who speaks your native language, since clearly english is not yours.
[09:48] Alina-malina: Insulting people won't help you. Please be respectful. Are you trying to string along ssh tunnels?
[09:48] string?
[09:49] client -> ssh tunnel -> ssh tunnel -> ssh tunnel -> destination.
[09:49] nah
[09:49] client->ssh tunnel->proxychains -> destination
[09:50] and allow ONLY TCP connections for that user and nothing else
[09:50] So forward localhost:some-tcp-port to the beginning of the proxychain?
[09:51] from where?
[09:51] That depends on your configuration, I suppose.
[09:52] so why i can't just portforward that specific user to proxychain directly?
[09:53] You can? Portforward the endpoint of the ssh tunnel to the beginning of the proxychain, that was what I was trying to say with the line above.
[09:54] so the client has to do this from his side, i don't get it? or i can do that as root, to force him to use it so he can't do anything else rather than browsing webpages over proxychain i provide to him?
[09:55] If you have access to his box, you can control anything. (Given you have the rights)
[09:56] yes root
[09:57] So you have full control ;)
[10:00] so i need to do this forwarding on iptables level or what? you just speak theoretically, no sense
[10:01] or user access control?
[10:51] Alina-malina: Iptables is probably easiest, yes.
[10:51] yes i already figured it out
[11:37] HI
[11:37] I have apache on my vps and I was thinking to make a user named "developer" and put the website directory in his home dir. By this way, he would have access to the files via ssh, sftp and I don't have to give root password to him. Is that a good idea?
[11:38] Voyage: Yes, also look into apache's mod_userdir, or however it is called.
[11:40] hm
[11:41] lordievader, should I just set apache root to /home and allow each site to a different developer. for instance apache root as /home and site-1 at /home/developer1-name/site-1-files and site-2 at /home/developer2-name/site-2-files
[11:42] That doesn't sound like a good idea. Since www-data then needs access to all those home-dirs.
[11:43] hm.. you mean www-data needs to be owner of those files or just a chmod 777 would do ?
[11:44] No, it needs read (and perhaps execute) rights. Chmodding things to 777 is always a bad idea.
[11:50] lordievader, yes, agreed.
[11:50] lordievader, it would need to write in many cases as well.
[11:51] so what is the best solution here?
[11:52] Voyage: Make dir in /var/www/ that is owned by your user with group www-data which has rx rights?
[11:54] how about i do it in home dirs?
[11:54] lordievader, should I just set apache root to /home and allow each site to a different developer. for instance apache root as /home and site-1 at /home/developer1-name/site-1-files and site-2 at /home/developer2-name/site-2-files
[11:54] If I have to live with conventions, what should be done. I was thinking to add the user in the other group. dev to www-data group or www-data to dev group.. what should it be. (I have many devs and many sites...)
[11:54] Then www-data needs x rights to the home-dir, I personally do not like that.
[11:54] no, I will not give x to full home
=== DW-10297 is now known as Teduardo
[11:55] only to the site dir
[11:55] eg.:
[11:55] Voyage: www-data cannot get to a subdir if it cannot access a parent dir ;)
[11:55] . /home/username/site-dir
[11:55] oh..
[11:56] then I can't make chroot jails either
[11:56] right?
[11:57] Err, I have no experience with chroot jails.
[11:57] chroot jails is something that won't allow a user to get out of his home dir. this is a security . the user will not see what's outside. the system is invisible
[11:59] I know what it is, but never used it ;). So I cannot judge if that will accomplish your goal.
[11:59] hm
[12:03] lordievader, when you said the following, what did you mean by group? I mean which user to add in which group? Make dir in /var/www/ that is owned by your user with group www-data which has rx rights
[12:05] Voyage: Every dir is owned by a user and a group, noted usually like $user:$group, in many cases they are both your username or root (root:root). For all groups see /etc/group.
[12:06] ok.
[12:07] so you want me to give the directory as the developer:apache-group ?
[12:07] or what?
[12:09] will developer-name:www-data do for any dir?
[12:15] lordievader, there are groups and users. each user has a group. so If I give permission, for a file, to a user: some-other-group-that-user-is-not-a-member-of but the required www-data user is. will do ?
[12:18] Yes. The user does not need to be a member of www-data.
[12:18] but if I just do chown -R a:b /dir and then 'a' comes and creates some new files. those files will have permission to what? == to 'a' and 'a's group, not 'b' group and its users. correct?
[12:19] Make the group sticky, read the chown man page ;)
[12:21] sticky?
[12:21] hm ok
[12:21] if you run "id" it will say your primary group. If you create new files and don't change the owner, it'll be owned by your user and your primary group
[12:21] ok. I will read
[12:21] thanks!
[12:25] Voyage: see the "Sharing Write Permissions" at the bottom of https://help.ubuntu.com/14.04/serverguide/httpd.html
[12:25] hm
[12:25] It does not really explain the sticky bit though. We should update that.
[12:27] would I have to chmod every time I make an update/create a new file?
[12:27] chmod/chown
[12:28] jrwren, ^
[12:28] no, that is the point of the sticky bit or ACL
[12:28] I can't come to a final conclusion... I want 3 people to have access to a dir and subdirs, create files, read/write but also want www-data:www-data to read/write those dirs. I don't want to chmod/chown every time there's a change in dir. so what should I do? will this help? https://help.ubuntu.com/14.04/serverguide/httpd.html#http-directory-permissions
[12:28] jrwren, hm ACL. how to do that?
[12:28] I think sticky group will do everything you want.
[12:28] try it.
[12:29] ok
[12:30] wait. how about i just make a new user and add him to www-data group as his pri group?
[12:30] try it.
[12:31] Voyage: You don't really want to give the www-data too much write access ;)
[12:35] lordievader, ya, but those users will be only for website management.
[12:35] how about I make pri group of www-data for all the 3 users?
[12:39] I was more talking about the security aspect of giving www-data, read apache, read the world, write access ;)
[12:40] ya but ultimately the site content should be r/w by apache. so whatever dir it is.
[12:40] Why write?
[12:40] no, write by apache is generally not a good idea.
[12:40] wordpress and other stuff needs write access
[12:41] so www-data should have write access
[12:41] and wordpress has a vulnerability every week :)
[12:41] true
[12:41] but have to live with it
[12:41] indeed.
[12:41] I thought it had 3 last week
[12:41] patdk-wk: lol
[12:41] it does a lot of things. .htaccess writes, configs, plugins install etc
[12:41] so need write access
[12:41] so...
[12:42] you should not give write access to apache
[12:42] run wordpress as a different user
[12:42] Voyage: Give very specific write access.
[12:42] at least limit the damage it can do
[12:42] patdk-wk, run? the apache runs the site/wp not the user and apache is run by www-data
[12:42] For as far as I know it needs write access to a couple of tmp folders.
[12:42] apache doesn't run crap
[12:42] php runs wordpress
[12:43] lordievader, autoupdates
[12:43] patdk-wk, isn't php run by apache?
[12:43] On most of my wordpress stuff www-data can only read.
[12:43] patdk-wk, isn't php run by apache/www-data?
[12:43] patdk-wk: That is broken here ;)
[12:43] Voyage, only if you're insanely lazy, and use mod_php
[12:44] patdk-wk, actually I did... well, I installed apt-get apache2 php5 and it all went by itself
[12:44] use php5-fpm
[12:44] and then there is this: https://insights.ubuntu.com/2015/04/22/rewriting-wordpress-juju-charms-for-security-and-ha-on-openstack/
[12:45] fpm?
[12:45] uh oh, sounds like the wordpress chapter of the server guide needs some rewriting too.
[12:45] hm.. this sounds sane but I have read a lot
[12:45] so there are no simple things.
[12:46] I wonder how cpanel and web hosts do stuff. they deliver my theory in practical terms
[12:46] if things were simple, everyone would be doing it, and no one would have problems :)
[12:47] I would say, making a nice apparmor wrapper for wordpress would work great
[12:47] but would also be annoying to make and maintain
[12:47] And so no one does it ;)
[12:48] I did, it worked, till 4.1.2 last week
[12:48] I have to work on it again
[12:48] Hihi ;)
[12:48] and now we are on 4.2.1
[12:58] hm
=== erlon_awaY is now known as erlon
=== Voyage_ is now known as Voyage
[13:55] I'm trying to add rules to UFW to deny some IPs that are showing in our logs, but when I add them I still get traffic from them
[13:56] I'm using 'sudo ufw deny from '
[13:56] and in ufw status it is loaded
[13:56] no rewrite logs appearing. did LogLevel alert rewrite:trace5. I don't think rewrite is even working. How can I redirect every page to google.com?
[14:00] Onionnion: Could you paste the output of 'iptables-save' and state the ip you are trying to block?
[14:02] Onionnion: Pastebin: sudo ufw status verbose
[14:02] I am only redirecting by .htaccess file. do I need to enable mod_rewrite?
[14:05] you can't redirect in .htaccess without mod_rewrite
[14:05] Voyage: Which modules you need depends on which functions and configuration you want to use - *not* which file you put the configuration in
[14:06] jpds, http://pastebin.com/6Zv0EZQp
[14:06] trying to block 24.123.82.46 and a couple others
[14:06] patdk-wk: Why do you say that? Redirect is valid in .htaccess scope
[14:06] does that not depend on rewrite mod?
[14:06] no
[14:06] oh he was using wordpress though
[14:07] Onionnion: Which port are you trying to block?
[14:07] that does depend on mod_rewrite
[14:07] Onionnion: Could you pastebin the iptables-save too :)
[14:07] jpds, trying to drop anything from it
[14:07] lordievader, on that now
[14:07] \o/
[14:07] Onionnion: Your problem is that the DENY comes AFTER the allows.
[14:08] ahh
[14:08] Ah, yes. Indeed.
[14:08] ufw instert ?
[14:09] insert*
[14:09] Onionnion: Yep.
[14:09] Onionnion: Also, blocking by individual IP like this is never going to scale.
[14:09] Onionnion: Take a look at ipset.
[14:10] jpds, we've been getting hard traffic from these 4 specific IPs over the weekend
[14:10] Onionnion: On specific ports?
[14:13] jpds, haven't checked ports, but they're requesting a wpad.dat and it's been so hard that it's brought apache down a few times
[14:13] over 5000 times within the most recent access.log
[14:13] Onionnion: You could try something like: sudo ufw delete allow 80/tcp && sudo ufw limit 80/tcp
[14:14] not familiar with limit
[14:14] Onionnion: 6 new requests/IP/30 seconds.
[14:15] well it's only been from 4 specific ips
[14:15] A limit that strict sounds like it could impact normal website serving
[14:16] it would
[14:16] wpad == web proxy auto discovery - therefore this sounds like it could just be incompetent config rather than malicious activity
[14:18] maxb: The point there is that it only limits sources which show a lot of connections in a short period. Normal serving should not show that behaviour.
[14:18] But as always, it's a trade off.
[14:18] why not just add a rewrite 403 rule to the wpad?
[14:18] apache can easily handle thousands of those per second
[14:19] All you need is a couple of users behind a NAT browsing a site with a moderate amount of images / css / js files, and you'd trivially hit 6 new requests/IP/30 seconds
[14:19] I routinely hit 50 connections per ip
[14:20] and giving a single browser will only do 6
[14:20] Philippines have a huge /24 of just proxy servers that just blast out requests
[14:20] smaller, block, but more traffic, than aol
[14:21] 6? I thought the common browser connection limits were 4 or 2?
[14:21] 4-6
[14:26] Onionnion: If it is a problem, rate-limit port 80
[14:26] with iptables
[14:35] anyone into systemd here yet? I'm having trouble with my rc.local being run before network is up on vivid. And yes, I know it is kind of legacy to use that :-"
[14:36] frickler: Convert the actions taken there to a systemd script?
[14:49] yes, might be possible, but this comes from an auto-install system that at the same time still should work with 12.04
[14:53] I'm seeing the hostname service is masked in ubuntu 15.04
[14:53] why's this?
[15:17] Hey guys
[15:17] I must have moronically typed a command wrong, my user doesn't appear to be sudo anymore.
=== smoser` is now known as smoser
[15:18] How can I add myself to sudo again without root access? Can I boot into a recovery mode or something? I do have console
[15:19] cluelessperson, without root you'll need to boot via recovery and access root that way, re-edit the file, then continue
[15:34] lordievader,
[15:34] good morning
[15:38] lordievader: commenting the dns= line in NetworkManager.conf was exactly the right thing!
[15:38] thank you 1000x
=== mfisch is now known as Guest65197
[15:43] I have a question about running an Ubuntu release mirror. I've got it all set up and it works great but there is a small stylesheet issue with the page. When I look at any release mirror page it has background colors and font colors to match the Ubuntu color theme but my Ubuntu release mirror does not have the background colors.
[15:43] The CSS is coming from an @import in the