=== zz_denbeiren is now known as denbeiren
[02:11] hey guys, I want to make sure my server is really secure
[02:11] how can I go about doing this?
[02:11] cluelessperson: disconnect it from the internet and put it in a Faraday cage
[02:11] inside a lead-lined bunker
[02:12] cluelessperson: 'really secure' is a vague, ambiguous phrase
[02:12] because 'really secure' is based off use case and acceptable risk levels
[02:13] teward, I run owncloud+deluge+apache on my personal server with TLS 1.2. I want to make sure it's impossible for an unknown to penetrate it.
[02:13] basics: SSH key auth only, 2FactorAuth where possible, only open ports you need opened, and only open them for 'sources' that you trust
[02:13] cluelessperson: you can't guarantee that
[02:13] there is no such thing as a "100% secure" system
[02:13] unless it's non-networked and put in a bunker with no wifi capabilities
[02:14] teward, only certain ports are open, connections are by default blocked. I'm using... I forget what it's called to shut down ports on repeated connection attempts.
[02:14] fail2ban?
[02:14] teward, yes. and I need to switch SSH back to key
[02:14] fail2ban helps a little. SSH Key Auth Only helps too.
[02:14] putting 2FA on is also helpful
[02:14] sentences for passwords, I might just go with a client certificate requirement to connect to certain applications.
[02:15] (all my offsite servers have 2FA with Duo Security)
[02:15] cluelessperson: that can help too
[02:15] teward, Also, my GPG+owncloud data is stored on another backend server
[02:15] cluelessperson: security is also a 24/7 thing
[02:15] putting an IDS/IPS (like Snort) in front of things can help a little more
[02:15] but...
[02:16] teward, the web facing server has credentials for an owncloud sftp account only, and mysql for various applications.
[02:16] teward, Do you know how I might hide credentials internally?
[02:17] teward, I'm also wondering if there's a way to set up traps, when access to shut off the secure server's access.
[02:21] Anyone know anything about creating client certificates?
=== WaddupYo is now known as Waddup
=== markthomas is now known as markthomas|away
[07:03] Hey guys I'm trying to run this command
[07:03] openssl ca -in cpwr.csr -cert cpwr-ca.crt -keyfile cpwr-ca.key -out cpwr.crt
[07:03] but it errors: Using configuration from /usr/lib/ssl/openssl.cnf
[07:03] I am unable to access the ./demoCA/newcerts directory
[07:03] wtf
[07:11] you're going to need to provide more info than that if you want help
[07:14] ikonia, like?
[07:52] Waddup: Does fsck detect errors?
[07:53] Good morning, by the by.
=== Guest54024 is now known as IdleOne
=== jelly-home is now known as jelly
=== medz is now known as samsn
[11:16] Hi,
[11:16] ho
[11:17] ha
[11:34] I have 2 NICs in my samba server and when I ping the domain from a client, it always uses the wrong one. How do I fix this?
[11:37] phre4k: How are the two nics set up?
[11:38] lordievader, forgot to say it's an LXC container
[11:40] one is bridged with the host system and the other is bridged with the internal LXC network
[11:41] they show up as eth0 and eth1 inside the container
[11:43] What is the default gateway for the container?
[11:45] the bridged connection
[11:47] or rather, the local DNS
[11:47] *router, sry
[11:51] Is that the nic you want it to use when you ping it?
[11:53] I set the local IP as DNS in a client and then I ping the AD Domain (ad.company.org), which gives me back the virtual IP of the server instead of the local IP
[11:54] The virtual ip? The lxc internal?
[11:57] yes, that one
[11:58] I am 192.168.20.149, my DNS is 192.168.20.11, I ping ad.company.org and should get 192.168.20.11, but get 10.3.1.2
[12:12] Do you get the correct address when you resolve ad.c.o on the lxc box?
=== utlemming is now known as utlemming_away
=== utlemming_away is now known as utlemming
[12:14] w8
[12:15] I get "unknown host", wtf
[12:16] Do you get the correct ip when you resolve ad.c.o on 20.149 (don't forget to expand the c.o part ;) )
[12:16] yeah, of course, I understood what you mean ;)
[12:17] 20.149 is the client I have problems on
[12:17] my own laptop is a different IP, but I try it now
[12:17] unknown host
=== utlemming is now known as utlemming_away
[12:20] How do you ping it when you cannot resolve it?
[12:20] I entered ad.c.o in the hosts file and can now ping from the samba server, I'll try the clients
[12:22] That is a bad way of resolving ips.
=== utlemming_away is now known as utlemming
[12:26] of course, but if the samba way doesn't work... ;)
[12:26] the client doesn't get it though, but it was worth the try
[12:27] Of course not, /etc/hosts is host only. That is why it is a bad method.
[14:43] Hi - is it possible to use unattended updates - e.g. ->> https://help.ubuntu.com/lts/serverguide/automatic-updates.html, but only updating specified packages?
[14:43] I know you can prevent certain packages being installed... Just wondering if you can make it so only specified packages are automatically updated.
[14:48] i.e. I can see how to blacklist packages from updating from https://help.ubuntu.com/lts/serverguide/automatic-updates.html but I want to blacklist all but one package.
[15:32] Make a script that just installs those packages? If there are updates it will install those, if not nothing happens.
[15:34] lordievader: sure that was the alternative way I was thinking, just wondering if unattended upgrades could also do it...
[15:34] cheer
[15:34] *cheers*
=== markthomas|away is now known as markthomas
[16:54] hi
[16:55] i have a 14.04.02 server with raid 1 ssds, and after an update and reboot, the machine stopped at grub cli
[16:55] what should i do?
[16:55] i found some info starting the system manually, but what about my raid array?
[17:03] PatBateman: the array is hopefully ok
[17:03] yes I can list it
[17:03] PatBateman: boot on a usb live thing and check /proc/mdstat
[17:03] the folder structure
[17:04] RoyK: I can do it only tomorrow, can you tell me what to do in steps in short?
[17:05] then - if things work - try to mount the root fs on /mnt, mount proc on /mnt/proc and sys on /mnt/sys and boot on /mnt/boot - chroot /mnt and reinstall grub (update-grub)
[17:06] RoyK: thanks
[17:06] perhaps grub-install /dev/sda ; grub-install /dev/sdb
[17:06] what do you think about boot-repair, could it repair out of the box?
[17:06] but update-grub should do
[17:07] boot-repair should work - it just does the same without you knowing
[17:07] i see
[17:08] I'm just used to the old way :)
[17:08] linux mdraid is very robust, so having a whole RAID die on you isn't something that happens often
[17:08] BUT! Keep a backup anyway - bad things DO happen!
[17:08] RAID != backup
[17:09] yeah currently i am copying raw data to a hdd (which has my old ubuntu on it)
[17:09] I use a cloud service
[17:10] even from here i see the raid array and all folders which gives hope
[17:10] crashplan works ok, although it's very slow on big data (VERY slow, because of the dedup things in there designed by a one-armed monkey)
[17:11] I use a Norwegian reseller of crashplan - they've turned all those dedup things off, so it works well (albeit more expensive). You can turn those dedup things off yourself, but my experience with crashplan.com is still that it's very slow
[17:12] hm
[17:12] doesn't help much with 'unlimited' backup if it takes a year to restore from a crash
[17:12] haha yes
[17:12] so, have to go, thanks for the help!
[17:12] np
[17:13] don't they offer to ship you your data on a hard drive when you need it back?
[17:13] I have an issue with two IPs on one machine, with one nic. The second IP is seemingly coming out of nowhere. I know this isn't right, but I don't know where to look apparently. I have set a static IP via the interfaces file. I have removed the second IP using the ip del command, but it comes back eventually. I am running server version 14 and a dd-wrt firmware router. Any ideas? Wrong irc channel to ask?
[17:15] AndChat59136: IPv4?
[17:15] Yes
[17:16] what's this other IP that comes out of nowhere?
[17:18] 192.168.1.100 is the static, .134 is the one that keeps appearing
[17:18] AndChat59136: ps auxw | grep dhc -- I wonder if you've got a dhcp client of some sort goofing around
[17:19] there's lots of ways that it could be added, of course, bootp, dhcp, a script, some other program..
[17:22] AndChat59136: pastebin /etc/network/interfaces
[17:23] AndChat59136: or as sarnold said
[17:23] grep: I: No such file or directory
[17:23] AndChat59136: 'ps auxw | grep dhc'
[17:25] Haha, duh
[17:25] paste.ubuntu.com/11994498/
[17:26] and ps output?
[17:26] paste.ubuntu.com/11994514
[17:27] dhclient eth0
[17:27] kill that - have you restarted lately?
[17:27] also - which ubuntu version is this?
[17:29] 14.04, I should be able to remove dhclient correct?
[17:30] not sure what depends on it - but again - with that interfaces file it shouldn't be started
[17:30] 19:27 < RoyK > kill that - have you restarted lately?
[17:33] I will kill it, and yes, had a restart just today
[17:33] and dhclient started again after restart?
[17:34] Yes
[17:34] I don't have dhclient in my kill list
[17:35] So maybe not
[17:35] I know that I don't start it
[17:35] hm... http://ubuntuforums.org/showthread.php?t=1391829&page=2
[17:36] looks like dhclient may start if the /var/lib/dhcp3/dhclient.leases file exists
[17:36] seems like a dumb bug
[17:43] I googled a bunch and never found anything like that. Must be the 'override' keyword. I will rename the file and see if that helps. I will report back.
[17:47] AndChat59136: the secret about googling is always "use as few and as exact words as possible" - it was on my first search ;)
[17:48] I kept using some variation of two IPs on one nic, that just kept bringing up how to set it up.
[17:50] Sometimes that's the hardest part of using google
[17:58] No luck so far. Thanks for your help anyway.
[18:02] AndChat59136: chmod -x /sbin/dhclient # should do it, albeit a bit rednecky
[18:07] AndChat59136: you aren't using networkmanager on this system by chance, are you?
[18:11] Not to networkmanager
[18:11] AndChat59136: is networkmanager installed?
[18:12] Let me check
[18:13] dpkg -l | grep -i networkma
[18:14] or perhaps dpkg -l | grep network-man
[18:20] Apparently it is paste.ubuntu.com/11994845/
[18:21] remove it
[18:22] 10-4
[18:22] 14-4 :D
[18:22] hehe
[18:23] I see what you did there
[18:25] Shows what I know. I thought I removed that a while ago. When reading about static IPs they say to remove it.
[18:26] AndChat59136: did it help?
[18:38] Does not appear to have.
I renamed the dhcp leases file and my .134 IP has changed to .140
[18:38] That was before removing network manager. After removing network manager I can't tell any difference.
[18:39] Still have the .140 IP
[18:41] did you kill the processes, too?
[18:43] I removed network manager and restarted
[18:43] networking service restart never seems to work, so I reboot the machine
[18:45] ah yes, ifup and ifdown are the intended interfaces there
[18:51] Ok, bear with me. If I wanted two IPs it would look like eth0 and eth0:1. As far as what to bring up and down, I only have eth0, with the two IPs. If I am ssh'd in, make changes and ifdown eth0 I will lose my connection and have to reboot anyway, correct?
[18:51] run `ifdown eth0; ifup eth0`
[18:51] it first downs eth0, then brings it back up
[18:51] the semicolon will make it run those in sequence
[18:52] (it's how I take down and instantly bring back up an interface on my servers when I mess with its settings xD)
[18:57] Ok, thanks for that bit of info. I really do appreciate everyone's input
[18:59] is it just me, or did 14.04.02 installer fail to provision partitions
[18:59] 300GB RAID1; use entire disk + lvm turned into a cluster mess
[18:59] so root got 23GB
[18:59] and /dev got.. wait for it
[19:00] udev 126G 4.0K 126G 1% /dev
[19:00] ^ i lolled ; twice
[19:00] did i miss a README that said don't use lvm with hardware raid?
[19:00] a1fa: isn't /dev a devtmpfs, which defaults to half your ram or something similar?
[19:01] i guess..
but still does not explain where my 300GB drive went to
[19:03] indeed, no :)
[19:03] 23G 875M 21G 4% /
[19:04] i am going to try resizing it
[19:04] any chance there's a /home or /opt or something similar that's just not currently mounted?
[19:05] no just checked with cfdisk
[19:05] sda5 NC Logical LVM2_member 299709.77 *
[19:05] 299.9GB LVM2
[19:06] there is this thing
[19:06] none 126G 0 126G 0% /run/shm
[19:07] i wonder if swap took all of it ;)
[19:07] Size: 274840158208 bytes, 274.8 GB
[19:07] punk
[19:07] there it is
[19:10] ugh
[19:10] Sky2 driver is making my network a living hell
[19:10] DNS requests failing etc...
[19:11] a1fa: 274 gigs of swap? makes sense, you want to suspend your 256 gigabyte RAM machine, right? right? :)
[19:20] heh
[19:20] it won't let me remove it
[19:20] it thinks it's busy
[19:21] swapoff -a; lvremove ..
[19:29] a1fa: 128 gigs of memory?
[19:30] 275G 895M 263G 1% /
[19:30] back in business, sarnold
[19:30] RoyK: 256
[19:31] all is well now
[19:31] for some reason it would not disable swap with swapoff -a
[19:31] so reboot fixed it, and i was able to extend my partition to 100%
[19:31] thanks
[19:49] https://letsencrypt.org/
[19:49] thoughts?
[20:08] here's my dmesg output: http://pastie.org/private/l2tia3nuotd8zvxier1zw
[20:17] sky2 is crashing for my ethernet adapter: http://pastie.org/private/l2tia3nuotd8zvxier1zw
[20:24] !poll
[20:36] a1fa: great!
:) if you've got the time/inclination to try to repeat it, I think it'd be worth a bug report
=== crazybluek is now known as Blueking
[23:57] RoyK: thanks for all your help earlier. The chmod command seems to have worked.