[00:09] <Daemoen> lo all;  anyone else here ever had to install openntpd as their daemon to use unprivileged ports?  in a situation where i cannot use normal ntpd (privilege port issue), where our cloud provider blocks priv port ntp traffic;  openntpd uses nonpriv traffic, so it works;  but it does not seem to have ntpq or any of the other trouble or status tools than the daemon itself,  to further complicate matters, openntpd and ntpd packages
[00:09] <Daemoen> conflict, so trying to find a way of getting the ntp status tools installed to monitor (besides tailing syslog)
[00:11] <RoyK> blocking NTP traffic is just outright stupid
[00:44] <patdk-lap> royk only somewhat
[00:44] <patdk-lap> too many people running open ntp server that are vaunerable
[00:45] <patdk-lap> remember the record breaking ddos traffic takedowns a year or so ago? cause of ntp
[00:47] <RoyK> patdk-lap: I (naïvely?) thought people were updating their servers somewhat regularly ;)
[00:48] <patdk-lap> once every 5 years?
[00:48] <RoyK> well, there was a DNS breakin in bind4 some 15 years back, so we should block DNS!
[00:49] <patdk-lap> well, dns is also horrible
[00:49] <RoyK> yeah, I stick to /etc/hosts
[01:08] <RevertToType> so on 15.04 where would i put/what would i do to make a script run @ login (as in after all other stuff is done) is that still a systemd thing or is it something else?
[01:16] <RoyK> RevertToType: http://www.howtogeek.com/104708/how-to-customize-ubuntus-message-of-the-day/ <-- this might help
[01:19] <RevertToType> nah that just fires off a single message...
[01:40] <pmatulis> RevertToType: in one of your shell's init files or via PAM perhaps
[01:41] <RevertToType> think ~/.bash_login will work... mebbe
[01:41] <RoyK> RevertToType: it can run a script too, you know ;)
[01:51] <RevertToType> it's been a long week :P
[05:44] <lordievader> Good morning.
[05:56] <jak2000> when i try: apt-get update i get this error, how to fix? "E: Unable to synchronize mmap - msync (5: Input/output error)"
[05:57] <lordievader> Sounds like a harddrive failing.
[05:58] <jak2000> mmm but how to fix?
[06:01] <lordievader> jak2000: First run smartctl -a on all disks to confirm. Then replace the faulty disks (if any).
[06:54] <RoyK> jeadre: may be fs problems too, but start with smartctl -a on the disk where the root resides - no other disks should be touched by apt
[06:54] <RoyK> that is, not root, /var
[07:01] <jelly> jak2000: I'd start with "free" and "dmesg" before smartctl
[07:13] <RoyK> jeadre: little memory shouldn't produce an i/o error, bt then, seems jak2000's not listening anywy
[12:23] <acmehandle> Is there a way to do an ln -s where it does not show the path?  Only ../../../ for example?
[16:20] <PryMar56> I fixed my 20s delay in scripts/init-bottom by modifying lib/udev/rules.d/85-lvm2.rules before making ramfs. But I have to restore it afterward
[16:20] <PryMar56> I remove the vgchange
[16:21] <PryMar56> is there a way to have a copy of 85-lvm2.rules reserved for ramfs?
[17:53] <jak2000> how to know if port 4848 is used?
[17:54] <sarnold> jak2000: netstat -anp | grep :4848
[17:57] <jak2000> say: tcp6       0      0 :::4848                 :::*                    LISTEN
[17:59] <sarnold> yup, looks like it is in use
[18:03] <lordievader> jak2000: Have you checked your disks?
[18:04] <jak2000> ok, is possible know the program name that use it?
[18:07] <sarnold> jak2000: the -p option to netstat prints out the program name and pid if you can see the process. run it as root if it might be owned by any users...
[19:28] <K4k> What tool is used to unlock network accounts on the local system?
[19:29] <K4k> nevermind -- pam_tally2 --unlock, derp
[20:53] <sarnold> jamespage,utlemming, 1490361 looks like it should ahve been filed against the cloud-archive version of nova instead of the regular archive version of nova; how should that re-assignment be done? thanks
[22:23] <|\n> hello, could someone please have a look at this https://pastebin.ovrnet.ru/paste/SRN6fhJu#THs7MiO8 looks same as https://bugs.centos.org/view.php?id=8135 happens often with no real impact, however it doesn't reveal itself on practice yet, any hints appreciated, many thanks!
[22:43] <prudentmav> in the file /etc/ssh/sshd_config is it possible that for the Port value to be a variable that is pulled from another file?
[23:16] <pmatulis> prudentmav: you mean having 2 files?
[23:18] <pmatulis> prudentmav: for context, please provide your use case for not having sshd get its entire configuration from sshd_config
[23:19] <prudentmav> I know this sounds crazy but this is what I am trying to do, just for the sake of doing it.  I'll create a script on my local machine.  The script will ping 5 different port numbers in a certain order.   This will act as a "combination" that will then unlock my actual ssh port.  The actual port number will be changed on the server using a rotating number similar with what you see on second level verification where the code changes
[23:19] <prudentmav>  every 30 seconds
[23:20] <Pici> uhh
[23:21] <Pici> It does sound crazy.
[23:21] <teward> s/does sound/is/
[23:22] <teward> ssh key auth with 2FA is easier to implement lol
[23:22] <prudentmav> haha
[23:22] <prudentmav> ok
[23:22] <prudentmav> this is the kinda crap I think up when I'm bored and too much time on my hands
[23:22] <teward> prudentmav: to make it work you have to first know the ports.  you then have to set up individual TCP listeners on each port
[23:23] <teward> you then need to accept specially crafted TCP packets (because general is bad)
[23:23] <teward> you then need to be able to send back on the last one the 'good' port
[23:23] <teward> and then accept the connection.
[23:23] <teward> the simpler method:
[23:23] <sarnold> prudentmav: I'd be surprised if there's any real benefit to that over standard port knocking
[23:23] <teward> there isn't, i don't think, sarnold
[23:24] <prudentmav> I see what you are saying
[23:24] <teward> the simpler way is to use ssh key authentication, and maybe a secondary 2FA system or some other access controls
[23:25] <teward> (say, key-auth only, and accept SSH access only from certain sources)
[23:25] <teward> etc.
[23:25] <prudentmav> that makes sense
[23:25] <teward> you also reduce complexity, AND you are using a practice that already exists
[23:25] <prudentmav> I'll look into secondary 2FA systems
[23:25] <teward> if it's just you, Duo Security is a third party company, i use them for 2FA on my servers' SSH, but i also have insane lockdowns
[23:25] <teward> i.e.
[23:25] <teward> only ONE of my servers actually is reachable from the net.
[23:25] <sarnold> with ssh specifically you'll get most security enhancements by just forbidding password based auth
[23:26] <teward> It is the pivot point to other systems.
[23:26] <teward> and yes, sarnold is right
[23:26] <teward> forbid password auth
[23:26] <teward> key auth only :P
[23:26] <sarnold> other nice things like locking down allowed source ranges are easy enough that they make sense to do if you can do it
[23:26] <prudentmav> ah that is what I forgot to do.... I only use key but forgot it still has a pass
[23:26] <sarnold> 2fa is one more step beyond that -- still worth it, but much more work
[23:27] <teward> sarnold: indeed.
[23:27] <pmatulis> prudentmav: always go for simplicity. but for us to help further you might want to explain what the ssh connections will be for. you might, for instance, implement SSH chroots if user demands are low
[23:27] <teward> sarnold: even with Duo Security, gotta compile the pam modules xD
[23:27] <sarnold> teward: I thuoght we packaged those?
[23:28] <teward> sarnold: do we package duo security's PAM modules?
[23:28] <teward> i didn't know it was included in the LTS yet
[23:28] <teward> :P
[23:28] <prudentmav> as of now, I am the only person that accesses the server... I've always done everything as root.  But now that my free lance work is starting to grow I am going to bring on another developer that will need ssh access.  and I also need to look into keeping them confined to only one directory
[23:28] <teward> last i checked there is no Ubuntu package for the pam module from duo security
[23:28] <sarnold> teward: libpam-duo
[23:28] <teward> sarnold: i lied, they're there.
[23:29] <teward> i wanted latest though :P
[23:29] <sarnold> teward: universe only, but iirc kees also uses it, so probably he'd be on top of issues that need to be fixed
[23:29] <teward> mmm
[23:29] <teward> sarnold: indeed.  but nobody at duo security updated their documentation for it xD
[23:29] <sarnold> hehe
[23:30] <teward> sarnold: cool, did not know before.
[23:30] <teward> now I do.
[23:30] <teward> now put it on the images :P
[23:30] <teward> loljk
[23:31] <teward> we haven't even added nginx to tasksel, so we sohuld not touch the images xD
[23:31] <sarnold> "LNMP stack" just rolls off the tongue doesn't it? :)
[23:31] <teward> although i'm happy to see that infinity was nice enough to nuke a package that deserved death.  (bitcoin related stuff is evil)
[23:31] <teward> isn't it LEMP?
[23:32] <teward> https://en.wikipedia.org/wiki/LAMP_(software_bundle)
[23:32] <teward> oop lamp
[23:32] <teward>  LEMP is a version where Apache has been replaced with the more lightweight web server Nginx
[23:32] <teward> there we go.  same article
[23:32] <sarnold> "Engine X"? for the E?
[23:32] <prudentmav> LEMP is being added to tasksel?
[23:33] <teward> prudentmav: no
[23:33] <teward> it's not
[23:33] <teward> sarnold: i think so, and because LEMP looks better than LNMP
[23:34] <teward> LNMP makes people think of SNMP
[23:34] <sarnold> and no one likes that
[23:34] <teward> i need coffee... brb