00:09 <Daemoen> lo all; anyone else here ever had to install openntpd as their daemon to use unprivileged ports? in a situation where i cannot use normal ntpd (privileged port issue), where our cloud provider blocks priv port ntp traffic; openntpd uses nonpriv traffic, so it works; but it does not seem to have ntpq or any of the other troubleshooting or status tools other than the daemon itself. to further complicate matters, openntpd and ntpd packages
00:09 <Daemoen> conflict, so trying to find a way of getting the ntp status tools installed to monitor (besides tailing syslog)
00:11 <RoyK> blocking NTP traffic is just outright stupid
=== markthomas|away is now known as markthomas
00:44 <patdk-lap> royk only somewhat
00:44 <patdk-lap> too many people running open ntp servers that are vulnerable
00:45 <patdk-lap> remember the record breaking ddos traffic takedowns a year or so ago? 'cause of ntp
00:47 <RoyK> patdk-lap: I (naïvely?) thought people were updating their servers somewhat regularly ;)
00:48 <patdk-lap> once every 5 years?
00:48 <RoyK> well, there was a DNS breakin in bind4 some 15 years back, so we should block DNS!
00:49 <patdk-lap> well, dns is also horrible
00:49 <RoyK> yeah, I stick to /etc/hosts
01:08 <RevertToType> so on 15.04 where would i put / what would i do to make a script run @ login (as in after all other stuff is done)? is that still a systemd thing or is it something else?
01:16 <RoyK> RevertToType: http://www.howtogeek.com/104708/how-to-customize-ubuntus-message-of-the-day/ <-- this might help
01:19 <RevertToType> nah that just fires off a single message...
01:40 <pmatulis> RevertToType: in one of your shell's init files or via PAM perhaps
01:41 <RevertToType> think ~/.bash_login will work... mebbe
01:41 <RoyK> RevertToType: it can run a script too, you know ;)
01:51 <RevertToType> it's been a long week :P
=== FastZ_ is now known as FastZ
=== FastZ_ is now known as Fast
05:44 <lordievader> Good morning.
05:56 <jak2000> when i try: apt-get update i get this error, how to fix? "E: Unable to synchronize mmap - msync (5: Input/output error)"
05:57 <lordievader> Sounds like a harddrive failing.
=== markthomas is now known as markthomas|away
05:58 <jak2000> mmm but how to fix?
=== ming is now known as Guest38993
06:01 <lordievader> jak2000: First run smartctl -a on all disks to confirm. Then replace the faulty disks (if any).
06:54 <RoyK> jeadre: may be fs problems too, but start with smartctl -a on the disk where the root resides - no other disks should be touched by apt
06:54 <RoyK> that is, not root, /var
07:01 <jelly> jak2000: I'd start with "free" and "dmesg" before smartctl
=== ming is now known as Guest90227
07:13 <RoyK> jeadre: little memory shouldn't produce an i/o error, but then, seems jak2000's not listening anyway
=== pesari_ is now known as pesari
=== Lcawte|Away is now known as Lcawte
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
=== Lcawte is now known as Lcawte|Away
=== Lcawte|Away is now known as Lcawte
=== trick is now known as Guest40518
12:23 <acmehandle> Is there a way to do an ln -s where it does not show the path? Only ../../../ for example?
=== markthomas|away is now known as markthomas
16:20 <PryMar56> I fixed my 20s delay in scripts/init-bottom by modifying lib/udev/rules.d/85-lvm2.rules before making ramfs. But I have to restore it afterward
16:20 <PryMar56> I remove the vgchange
16:21 <PryMar56> is there a way to have a copy of 85-lvm2.rules reserved for ramfs?
=== xachet is now known as xachet_lunch
17:53 <jak2000> how to know if port 4848 is used?
17:54 <sarnold> jak2000: netstat -anp | grep :4848
17:57 <jak2000> say: tcp6       0      0 :::4848                 :::*                    LISTEN
17:59 <sarnold> yup, looks like it is in use
18:03 <lordievader> jak2000: Have you checked your disks?
18:04 <jak2000> ok, is it possible to know the program name that uses it?
18:07 <sarnold> jak2000: the -p option to netstat prints out the program name and pid if you can see the process. run it as root if it might be owned by any users...
=== xachet_lunch is now known as xachet
=== IdleOne- is now known as io
19:28 <K4k> What tool is used to unlock network accounts on the local system?
19:29 <K4k> nevermind -- pam_tally2 --unlock, derp
=== JanC_ is now known as JanC
=== markthomas is now known as markthomas|away
20:53 <sarnold> jamespage, utlemming: 1490361 looks like it should have been filed against the cloud-archive version of nova instead of the regular archive version of nova; how should that re-assignment be done? thanks
=== markthomas|away is now known as markthomas
=== jak2016 is now known as jak2000
22:23 <|\n> hello, could someone please have a look at this https://pastebin.ovrnet.ru/paste/SRN6fhJu#THs7MiO8 looks the same as https://bugs.centos.org/view.php?id=8135 happens often with no real impact, however it doesn't reveal itself in practice yet, any hints appreciated, many thanks!
22:43 <prudentmav> in the file /etc/ssh/sshd_config is it possible for the Port value to be a variable that is pulled from another file?
=== Lcawte is now known as Lcawte|Away
23:16 <pmatulis> prudentmav: you mean having 2 files?
23:18 <pmatulis> prudentmav: for context, please provide your use case for not having sshd get its entire configuration from sshd_config
23:19 <prudentmav> I know this sounds crazy but this is what I am trying to do, just for the sake of doing it. I'll create a script on my local machine. The script will ping 5 different port numbers in a certain order. This will act as a "combination" that will then unlock my actual ssh port. The actual port number will be changed on the server using a rotating number similar to what you see on second level verification where the code changes
23:19 <prudentmav> every 30 seconds
23:21 <Pici> It does sound crazy.
23:21 <teward> s/does sound/is/
23:22 <teward> ssh key auth with 2FA is easier to implement lol
23:22 <prudentmav> this is the kinda crap I think up when I'm bored and have too much time on my hands
23:22 <teward> prudentmav: to make it work you have to first know the ports. you then have to set up individual TCP listeners on each port
23:23 <teward> you then need to accept specially crafted TCP packets (because general is bad)
23:23 <teward> you then need to be able to send back on the last one the 'good' port
23:23 <teward> and then accept the connection.
23:23 <teward> the simpler method:
23:23 <sarnold> prudentmav: I'd be surprised if there's any real benefit to that over standard port knocking
23:23 <teward> there isn't, i don't think, sarnold
23:24 <prudentmav> I see what you are saying
23:24 <teward> the simpler way is to use ssh key authentication, and maybe a secondary 2FA system or some other access controls
23:25 <teward> (say, key-auth only, and accept SSH access only from certain sources)
23:25 <prudentmav> that makes sense
23:25 <teward> you also reduce complexity, AND you are using a practice that already exists
23:25 <prudentmav> I'll look into secondary 2FA systems
23:25 <teward> if it's just you, Duo Security is a third party company, i use them for 2FA on my servers' SSH, but i also have insane lockdowns
23:25 <teward> only ONE of my servers actually is reachable from the net.
23:25 <sarnold> with ssh specifically you'll get most security enhancements by just forbidding password based auth
23:26 <teward> It is the pivot point to other systems.
23:26 <teward> and yes, sarnold is right
23:26 <teward> forbid password auth
23:26 <teward> key auth only :P
23:26 <sarnold> other nice things like locking down allowed source ranges are easy enough that they make sense to do if you can do it
23:26 <prudentmav> ah that is what I forgot to do.... I only use key but forgot it still has a pass
23:26 <sarnold> 2fa is one more step beyond that -- still worth it, but much more work
23:27 <teward> sarnold: indeed.
23:27 <pmatulis> prudentmav: always go for simplicity. but for us to help further you might want to explain what the ssh connections will be for. you might, for instance, implement SSH chroots if user demands are low
23:27 <teward> sarnold: even with Duo Security, gotta compile the pam modules xD
23:27 <sarnold> teward: I thought we packaged those?
23:28 <teward> sarnold: do we package duo security's PAM modules?
23:28 <teward> i didn't know it was included in the LTS yet
23:28 <prudentmav> as of now, I am the only person that accesses the server... I've always done everything as root. But now that my freelance work is starting to grow I am going to bring on another developer that will need ssh access. and I also need to look into keeping them confined to only one directory
23:28 <teward> last i checked there is no Ubuntu package for the pam module from duo security
23:28 <sarnold> teward: libpam-duo
23:28 <teward> sarnold: i lied, they're there.
23:29 <teward> i wanted latest though :P
23:29 <sarnold> teward: universe only, but iirc kees also uses it, so probably he'd be on top of issues that need to be fixed
23:29 <teward> sarnold: indeed. but nobody at duo security updated their documentation for it xD
23:30 <teward> sarnold: cool, did not know before.
23:30 <teward> now I do.
23:30 <teward> now put it on the images :P
23:31 <teward> we haven't even added nginx to tasksel, so we should not touch the images xD
23:31 <sarnold> "LNMP stack" just rolls off the tongue doesn't it? :)
23:31 <teward> although i'm happy to see that infinity was nice enough to nuke a package that deserved death. (bitcoin related stuff is evil)
23:31 <teward> isn't it LEMP?
23:32 <teward> oop lamp
23:32 <teward> LEMP is a version where Apache has been replaced with the more lightweight web server Nginx
23:32 <teward> there we go. same article
23:32 <sarnold> "Engine X"? for the E?
23:32 <prudentmav> LEMP is being added to tasksel?
23:33 <teward> prudentmav: no
23:33 <teward> it's not
23:33 <teward> sarnold: i think so, and because LEMP looks better than LNMP
23:34 <teward> LNMP makes people think of SNMP
23:34 <sarnold> and no one likes that
23:34 <teward> i need coffee... brb