/srv/irclogs.ubuntu.com/2015/08/03/#ubuntu-server.txt

=== zz_denbeiren is now known as denbeiren
02:11 <cluelessperson> hey guys, I want to make sure my server is really secure
02:11 <cluelessperson> how can I go about doing this?
02:11 <teward> cluelessperson: disconnect it from the internet and put it in a Faraday cage
02:11 <teward> inside a lead-lined bunker
02:12 <teward> cluelessperson: 'really secure' is a vague, ambiguous phrase
02:12 <teward> because 'really secure' is based off use case and acceptable risk levels
02:13 <cluelessperson> teward, I run owncloud+deluge+apache on my personal server with TLS 1.2. I want to make sure it's impossible for an unknown to penetrate it.
02:13 <teward> basics: SSH key auth only, 2FactorAuth where possible, only open ports you need opened, and only open them for 'sources' that you trust
02:13 <teward> cluelessperson: you can't guarantee that
02:13 <teward> there is no such thing as a "100% secure" system
02:13 <teward> unless it's non-networked and put in a bunker with no wifi capabilities
02:14 <cluelessperson> teward, only certain ports are open, connections are by default blocked. I'm using... I forget what it's called to shut down ports on repeated connection attempts.
02:14 <teward> fail2ban?
02:14 <cluelessperson> teward, yes. and I need to switch SSH back to key
02:14 <teward> fail2ban helps a little. SSH Key Auth Only helps too.
02:14 <teward> putting 2FA on is also helpful
02:14 <cluelessperson> sentences for passwords, I might just go with a client certificate requirement to connect to certain applications.
02:15 <teward> (all my offsite servers have 2FA with Duo Security)
02:15 <teward> cluelessperson: that can help too
02:15 <cluelessperson> teward, Also, my GPG+owncloud data is stored on another backend server
02:15 <teward> cluelessperson: security is also a 24/7 thing
02:15 <teward> putting an IDS/IPS (like Snort) in front of things can help a little more
02:15 <teward> but...
02:16 <cluelessperson> teward, the web facing server has credentials for an owncloud sftp account only, and mysql for various applications.
02:16 <cluelessperson> teward, Do you know how I might hide credentials internally?
02:17 <cluelessperson> teward, I'm also wondering if there's a way to set up traps that, when accessed, shut off the secure server's access.
02:21 <cluelessperson> Anyone know anything about creating client certificates?
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== WaddupYo is now known as Waddup
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== markthomas is now known as markthomas|away
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
07:03 <cluelessperson> Hey guys I'm trying to run this command
07:03 <cluelessperson> openssl ca -in cpwr.csr -cert cpwr-ca.crt -keyfile cpwr-ca.key -out cpwr.crt
07:03 <cluelessperson> but it errors: Using configuration from /usr/lib/ssl/openssl.cnf
07:03 <cluelessperson> I am unable to access the ./demoCA/newcerts directory
07:03 <cluelessperson> wtf
07:11 <ikonia> you're going to need to provide more info than that if you want help
07:14 <cluelessperson> ikonia, like?
07:52 <lordievader> Waddup: Does fsck detect errors?
07:53 <lordievader> Good morning, by the by.
=== Guest54024 is now known as IdleOne
=== jelly-home is now known as jelly
=== medz is now known as samsn
11:16 <nils13_> Hi,
11:16 <RoyK> ho
11:17 <lordievader> ha
11:34 <phre4k> I have 2 NICs in my samba server and when I ping the domain from a client, it always uses the wrong one. How do I fix this?
11:37 <lordievader> phre4k: How are the two nics set up?
11:38 <phre4k> lordievader, forgot to say it's an LXC container
11:40 <phre4k> one is bridged with the host system and the other is bridged with the internal LXC network
11:41 <phre4k> they show up as eth0 and eth1 inside the container
11:43 <lordievader> What is the default gateway for the container?
11:45 <phre4k> the bridged connection
11:47 <phre4k> or rather, the local DNS
11:47 <phre4k> *router, sry
11:51 <lordievader> Is that the nic you want it to use when you ping it?
11:53 <phre4k> I set the local IP as DNS in a client and then I ping the AD Domain (ad.company.org), which gives me back the virtual IP of the server instead of the local IP
11:54 <lordievader> The virtual ip? The lxc internal?
11:57 <phre4k> yes, that one
11:58 <phre4k> I am 192.168.20.149, my DNS is 192.168.20.11, I ping ad.company.org and should get 192.168.20.11, but get 10.3.1.2
12:12 <lordievader> Do you get the correct address when you resolve ad.c.o on the lxc box?
=== utlemming is now known as utlemming_away
=== utlemming_away is now known as utlemming
12:14 <phre4k> w8
12:15 <phre4k> I get "unknown host", wtf
12:16 <lordievader> Do you get the correct ip when you resolve ad.c.o on 20.149 (don't forget to expand the c.o part ;) )
12:16 <phre4k> yeah, of course, I understood what you mean ;)
12:17 <phre4k> 20.149 is the client I have problems on
12:17 <phre4k> my own laptop is a different IP, but I try it now
12:17 <phre4k> unknown host
=== utlemming is now known as utlemming_away
12:20 <lordievader> How do you ping it when you cannot resolve it?
12:20 <phre4k> I entered ad.c.o in the hosts file and can now ping from the samba server, I'll try the clients
12:22 <lordievader> That is a bad way of resolving ips.
=== utlemming_away is now known as utlemming
12:26 <phre4k> of course, but if the samba way doesn't work... ;)
12:26 <phre4k> the client doesn't get it though, but it was worth the try
12:27 <lordievader> Of course not, /etc/hosts is host only. That is why it is a bad method.
14:43 <yossarianuk> Hi - is it possible to use unattended updates - e.g. ->> https://help.ubuntu.com/lts/serverguide/automatic-updates.html, but only updating specified packages ?
14:43 <yossarianuk> I know you can prevent certain packages being installed... Just wondering if you can make it so only specified packages are automatically updated.
14:48 <yossarianuk> i.e. I can see how to blacklist packages from updating from https://help.ubuntu.com/lts/serverguide/automatic-updates.html but I want to blacklist all but one package.
15:32 <lordievader> Make a script that just installs those packages? If there are updates it will install those, if not nothing happens.
15:34 <yossarianuk> lordievader: sure that was the alternative way I was thinking, just wondering if unattended upgrades could also do it...
15:34 <yossarianuk> cheer
15:34 <yossarianuk> *cheers*
=== markthomas|away is now known as markthomas
=== markthomas is now known as markthomas|away
=== markthomas|away is now known as markthomas
16:54 <PatBateman> hi
16:55 <PatBateman> i have a 14.04.02 server with raid 1 ssds, and after an update and reboot, the machine stopped at grub cli
16:55 <PatBateman> what should i do?
16:55 <PatBateman> i found some info starting the system manually, but what about my raid array ?
17:03 <RoyK> PatBateman: the array is hopefully ok
17:03 <PatBateman> yes I can list it
17:03 <RoyK> PatBateman: boot on a usb live thing and check /proc/mdstat
17:03 <PatBateman> the folder structure
17:04 <PatBateman> RoyK: I can do it only tomorrow, can you tell me what to do in steps in short?
17:05 <RoyK> then - if things work - try to mount the root fs on /mnt, mount proc on /mnt/proc and sys on /mnt/sys and boot on /mnt/boot - chroot /mnt and reinstall grub (update-grub)
17:06 <PatBateman> RoyK: thanks
17:06 <RoyK> perhaps grub-install /dev/sda ; grub-install /dev/sdb
17:06 <PatBateman> what do you think about boot-repair, could it repair out of the box?
17:06 <RoyK> but update-grub should do
17:07 <RoyK> boot-repair should work - it just does the same without you knowing
17:07 <PatBateman> i see
17:08 <RoyK> I'm just used to the old way :)
17:08 <RoyK> linux mdraid is very robust, so having a whole RAID die on you isn't something that happens often
17:08 <RoyK> BUT! Keep a backup anyway - bad things DO happen!
17:08 <RoyK> RAID != backup
17:09 <PatBateman> yeah currently i am copying raw data to a hdd (which has my old ubuntu on it)
17:09 <RoyK> I use a cloud service
17:10 <PatBateman> even from here i see the raid array and all folders which gives hope
17:10 <RoyK> crashplan works ok, although it's very slow on big data (VERY slow, because of the dedup things in there designed by a one-armed monkey)
17:11 <RoyK> I use a Norwegian reseller of crashplan - they've turned all those dedup things off, so it works well (albeit more expensive). You can turn those dedup things off yourself, but my experience with crashplan.com is still that it's very slow
17:12 <PatBateman> hm
17:12 <RoyK> doesn't help much with 'unlimited' backup if it takes a year to restore from a crash
17:12 <PatBateman> haha yes
17:12 <PatBateman> so, have to go, thanks for the help!
17:12 <RoyK> np
17:13 <sarnold> don't they offer to ship you your data on a hard drive when you need it back?
17:13 <AndChat59136> I have an issue with two ip's on one machine, with one nic. The second ip is seemingly coming out of nowhere. I know this isn't right, but I don't know where to look apparently. I have set a static ip via the interfaces file. I have removed the second ip using the ip del command, but it comes back eventually. I am running server version 14 and a dd-wrt firmware router. Any ideas? Wrong irc channel to ask?
17:15 <RoyK> AndChat59136: IPv4?
17:15 <AndChat59136> Yes
17:16 <RoyK> what's this other IP that comes out of nowhere?
17:18 <AndChat59136> 192.168.1.100 is the static, .134 is the one that keeps appearing
17:18 <sarnold> AndChat59136: ps auxw | grep dhc -- I wonder if you've got a dhcp client of some sort goofing around
17:19 <sarnold> there's lots of ways that it could be added, of course, bootp, dhcp, a script, some other program..
17:22 <RoyK> AndChat59136: pastebin /etc/network/interfaces
17:23 <RoyK> AndChat59136: or as sarnold said
17:23 <AndChat59136> grep: I: No such file or directory
17:23 <RoyK> AndChat59136: 'ps auxw | grep dhc'
17:25 <AndChat59136> Haha, duh
17:25 <AndChat59136> paste.ubuntu.com/11994498/
17:26 <RoyK> and ps output?
17:26 <AndChat59136> paste.ubuntu.com/11994514
17:27 <RoyK> dhclient eth0
17:27 <RoyK> kill that - have you restarted lately?
17:27 <RoyK> also - which ubuntu version is this?
17:29 <AndChat59136> 14.04, I should be able to remove dhclient correct?
17:30 <RoyK> not sure what depends on it - but again - with that interfaces file it shouldn't be started
17:30 <RoyK> 19:27 < RoyK > kill that - have you restarted lately?
17:33 <AndChat59136> I will kill it, and yes, had a restart just today
17:33 <RoyK> and dhclient started again after restart?
17:34 <AndChat59136> Yes
17:34 <AndChat59136> I don't have dhclient in my kill list
17:35 <AndChat59136> So maybe not
17:35 <AndChat59136> I know that I don't start it
17:35 <RoyK> hm... http://ubuntuforums.org/showthread.php?t=1391829&page=2
17:36 <RoyK> looks like dhclient may start if the /var/lib/dhcp3/dhclient.leases file exists
17:36 <RoyK> seems like a dumb bug
17:43 <AndChat59136> I googled a bunch and never found anything like that. Must be the 'override' keyword. I will rename the file and see if that helps. I will report back.
17:47 <RoyK> AndChat59136: the secret about googling is always "use as few and as exact words as possible" - it was on my first search ;)
17:48 <AndChat59136> I kept using some variation of two ip's on one nic, that just kept bringing up how to set it up.
17:50 <AndChat59136> Sometimes that's the hardest part of using google
17:58 <AndChat59136> No luck so far. Thanks for your help anyway.
18:02 <RoyK> AndChat59136: chmod -x /sbin/dhclient # should do it, albeit a bit rednecky
18:07 <sarnold> AndChat59136: you aren't using networkmanager on this system by chance, are you?
18:11 <AndChat59136> Not to networkmanager
18:11 <RoyK> AndChat59136: is networkmanager installed?
18:12 <AndChat59136> Let me check
18:13 <RoyK> dpkg -l | grep -i networkma
18:14 <RoyK> or perhaps dpkg -l | grep network-man
18:20 <AndChat59136> Apparently it is paste.ubuntu.com/11994845/
18:21 <RoyK> remove it
18:22 <AndChat59136> 10-4
18:22 <RoyK> 14-4 :D
18:22 <sarnold> hehe
18:23 <AndChat59136> I see what you did there
18:25 <AndChat59136> Shows what I know. I thought I removed that a while ago. When reading about static ips they say to remove it.
18:26 <RoyK> AndChat59136: did it help?
18:38 <AndChat59136> Does not appear to have. I renamed the dhcp leases file and my .134 ip has changed to .140
18:38 <AndChat59136> That was before removing network manager. After removing network manager I can't tell any difference.
18:39 <AndChat59136> Still have the .140 ip
18:41 <sarnold> did you kill the processes, too?
18:43 <AndChat59136> I removed network manager and restarted
18:43 <AndChat59136> networking service restart never seems to work, so I reboot the machine
18:45 <sarnold> ah yes, ifup and ifdown are the intended interfaces there
18:51 <AndChat59136> Ok, bear with me. If i wanted two ips it would look like eth0 and eth0:1. As far as what to bring up and down, I only have eth0, with the two ips. If I am ssh'd in, make changes and ifdown eth0, i will lose my connection and have to reboot anyway, correct?
18:51 <teward> run `ifdown eth0; ifup eth0`
18:51 <teward> it first downs eth0, then brings it back up
18:51 <teward> the semicolon will make it run those in sequence
18:52 <teward> (it's how I take down and instantly bring back up an interface on my servers when I mess with its settings xD)
18:57 <AndChat59136> Ok, thanks for that bit of info. I really do appreciate everyone's input
18:59 <a1fa> is it just me, or did the 14.04.02 installer fail to provision partitions
18:59 <a1fa> 300GB RAID1; use entire disk + lvm turned into a cluster mess
18:59 <a1fa> so root got 23GB
18:59 <a1fa> and /dev got.. wait for it
19:00 <a1fa> udev                        126G  4.0K  126G   1% /dev
19:00 <a1fa> ^ i lolled ; twice
19:00 <a1fa> did i miss a README that said don't use lvm with hardware raid?
19:00 <sarnold> a1fa: isn't /dev a devtmpfs, which defaults to half your ram or something similar?
19:01 <a1fa> i guess.. but still does not explain where my 300GB drive went to
19:03 <sarnold> indeed, no :)
19:03 <a1fa> 23G  875M   21G   4% /
19:04 <a1fa> i am going to try resizing it
19:04 <sarnold> any chance there's a /home or /opt or something similar that's just not currently mounted?
19:05 <a1fa> no just checked with cfdisk
19:05 <a1fa> sda5    NC    Logical    LVM2_member    299709.77    *
19:05 <a1fa> 299.9GB LVM2
19:06 <a1fa> there is this thing
19:06 <a1fa> none                        126G     0  126G   0% /run/shm
19:07 <a1fa> i wonder if swap took all of it ;)
19:07 <a1fa> Size: 274840158208 bytes, 274.8 GB
19:07 <a1fa> punk
19:07 <a1fa> there it is
19:10 <ReScO> ugh
19:10 <ReScO> Sky2 driver is making my network a living hell
19:10 <ReScO> DNS requests failing etc...
19:11 <sarnold> a1fa: 274 gigs of swap? makes sense, you want to suspend your 256 gigabyte RAM machine, right? right? :)
19:20 <a1fa> heh
19:20 <a1fa> it won't let me remove it
19:20 <a1fa> it thinks it's busy
19:21 <a1fa> swapoff -a; lvremove ..
=== denbeiren is now known as zz_denbeiren
19:29 <RoyK> a1fa: 128 gigs of memory?
19:30 <a1fa> 275G  895M  263G   1% /
19:30 <a1fa> back in business, sarnold
19:30 <a1fa> RoyK: 256
19:31 <a1fa> all is well now
19:31 <a1fa> for some reason it would not disable swap with swapoff -a
=== zz_denbeiren is now known as denbeiren
19:31 <a1fa> so reboot fixed it, and i was able to extend my partition to 100%
19:31 <a1fa> thanks
=== zz_denbeiren is now known as denbeiren
19:49 <cluelessperson> https://letsencrypt.org/
19:49 <cluelessperson> thoughts?
20:08 <ReScO> here's my dmesg output: http://pastie.org/private/l2tia3nuotd8zvxier1zw
=== denbeiren is now known as zz_denbeiren
20:17 <ReScO> sky2 is crashing for my ethernet adapter: http://pastie.org/private/l2tia3nuotd8zvxier1zw
20:24 <patdk-wk> !poll
=== zz_denbeiren is now known as denbeiren
20:36 <sarnold> a1fa: great! :) if you've got the time/inclination to try to repeat it, I think it'd be worth a bug report
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== crazybluek is now known as Blueking
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
=== zz_denbeiren is now known as denbeiren
=== denbeiren is now known as zz_denbeiren
23:57 <AndChat59136> RoyK: thanks for all your help earlier. The chmod command seems to have worked.

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!