MACscrfor those that manage a lot of servers that do not normally have an email server on them. how are you typically handling sending emails from root? just installing postfix? seems a little heavy for the need, but i could easily be wrong00:08
=== Piper-Off is now known as Monthrect
=== Monthrect is now known as Piper-Off
=== Piper-Off is now known as Monthrect
=== Monthrect is now known as Piper-Off
=== Piper-Off is now known as Monthrect
=== Monthrect is now known as Piper-Off
wehde_does anyone know how to sync apt-cache across servers?05:34
=== Piper-Off is now known as Monthrect
=== Monthrect is now known as Piper-Off
lordievaderGood morning.08:45
=== Lcawte|Away is now known as Lcawte
jamespagecaribou: hey - around? we're both looking at haproxy problems so might be work chatting on solutions - also been discussing with the debian maintainer as to approach to nbproc > 111:44
Darkyyyhello ppl11:48
=== ronator is now known as Don
=== Don is now known as Don1337
=== notsetkeh is now known as setkeh
=== Lcawte is now known as Lcawte|Away
=== fwwf is now known as adv_
=== balloons is now known as Guest42098
=== Ursinha_ is now known as Ursinha
=== Guest42098 is now known as balloons_
=== balloons_ is now known as balloons
impermanenceIs it difficult to configure postfix or mail to send email to remote clients?  I thought all I would have to do is the minimal install of both and I'd be good but mail seems to only like to be sent from a local user to a local user.  What am I missing?16:09
shaunousually just 'dpkg-reconfigure postfix' and pick the right topology from those offered (bad advice for a proper mailsite, but works really well for a satellite site).  although there's things like ssmtp that cater more directly to such uses now16:13
impermanence@shauno Okay, so I do need to manually configure a bunch of stuff…16:21
impermanence@shauno I don't care about sec.  It's all internal cloud.16:21
=== Joel_ is now known as Guest77853
Waleximpermanence: that's a bit optimistic...16:37
impermanence@Walex how so?16:37
impermanence@Walex oh you mean my cloud comment?16:37
Waleximpermanence: "internal" sometimes is not that internal...16:38
impermanence@Walex you're right.16:38
Waleximpermanence: anyhow for that 'postfix' stuff a satellite config or 'ssmtp' is good as <shauno> said. the config file will be identical on all hosts: just pointing to the "smart host"16:39
Waleximpermanence: note that sends email to a remote server, not a client, but I guess that was a mistype.16:40
impermanence@Walex it was.  the client in this case is the server.  i never know anymore honestly.16:40
Waleximpermanence: something like this looks good: https://www.dnsexit.com/support/mailrelay/postfix.html16:41
Waleximpermanence: similar here: http://www.certdepot.net/smtp-configure-a-mta-with-a-smart-host/16:42
Walexlast time I did this I used 'esmtp' rather than 'ssmtp' can't remember why16:45
herrkinhello community, I have been having trouble with permissions so badly that I think it has to be something I am not understanding of ubuntu.17:01
herrkinfirst it was in apache, I decided to forget about it, I had a symlink to a folder in my home, if I was logged in in the shell it worked perfect, the second I logged out the os it broke saying nobody had permission to go to the page.17:02
herrkinsomething oddly similar is happening to me with pm217:02
TJ-herrkin: Encrypted home directory maybe?17:02
herrkinyes, but in the case of apache the apache user is the same as in my home directory17:03
herrkinthere should be no problem, still there is.17:03
herrkinthat was only to illustrat17:03
herrkinpm2 is giving me a similar error17:03
herrkinit only works if i am logged into the system17:04
herrkinif I log out it kills itself17:04
herrkinif I configure the startup script it never execute17:04
herrkinI have been arround this for a week, its driving me crazy.17:04
TJ-encrypted home will make a big difference, since when you log-out the encrypted user home directory is unmounted and the files disappear17:05
herrkinis there a way to make it keep it mounted?17:05
herrkinor make another user mount it so it can use it?17:05
TJ-No. Don't use encrypted user home if you intend a service to access it17:06
TJ-Or alternatively, move the served content to another directory outside the user's home17:06
tewardi was about to say that lol17:06
jrwrenuse byobu to fake always being logged in?17:06
jrwrentmux or screen?17:07
jrwrenit leaves a shell running in your homedir. might be enough to prevent the unmount.17:07
jrwreni don't know how the system decides to unmount the encrypted home17:07
TJ-In which case why bother encrypting it?17:08
TJ-jrwren: when there's no user logged in17:08
herrkinremember I told you I didnt want them to access the files mounting the disk in another machine?17:08
TJ-the mount/umount is done by pam_ecryptfs17:08
herrkinthats why :D17:08
jrwrenTJ-: bothering only for FBI raid protection.17:08
TJ-herrkin: your design is broken then. You can't have it both ways.17:08
herrkinthen its just not possible to deny people accessing files?17:09
jrwrenherrkin: I understand your requirements and I think they are reasonably as long as you are OK with the drawbacks.17:09
herrkinyeah but I am ignorant about the shell you are sugesting17:09
herrkinhow do I do it?17:10
herrkinit might be it.17:10
jrwrenherrkin: apt-get install byobu, then when you ssh, run byobu17:10
herrkinif the home unmounts when I log out then I need a way to keep it alive forever17:10
herrkinI guess17:10
herrkinok just like that?17:10
herrkinnothing else needed?17:10
jrwrento logout, don't close byobu by exiting the window, instead, detach with ctrl-a, d, then exit the ssh.17:10
herrkinoh.. its like a second layer17:11
jrwrenherrkin: byobu is a wrapper around gnu screen or tmux. if you aren't familiar with them, i highly recommend you become so. they are valuable tools.17:11
herrkinI just keep it running in the background17:11
kirklandfyi, there's a video demo at byobu.co17:11
jrwrenyes, keeps shells running in bg17:11
herrkinI will go see it. thanks.17:12
jrwrenkirkland: does it keep an encrypted home fs mounted?17:12
kirklandjrwren: yes, until you logout all sessions17:12
jrwrenthere ya go herrkin. exactly what you want17:13
herrkinwow that term is amazing.17:13
herrkinI can have multiple windows, pretty good17:14
impermanence@Walex Oh hey thanks man.  I'm actually kind of surprised at how complicated this is.17:14
jrwrenherrkin: valuable tools? :)17:14
herrkinok I will try it, I will be reporting the results17:15
acmehandelI set up psad on my server and got flooded with messages within minutes.17:15
acmehandelhow do I set it up to where I get 1 summarized message per day?17:16
herrkinstill there is a problem17:16
herrkinhow do I make it start up?17:17
herrkinjrwren, I think I might have broke something up17:20
herrkinbecause I could go in and out before17:20
herrkinpm2 list and it keept on working17:20
herrkinno matter if I was logged in or not17:20
herrkinwhen I tried to make it start on boot up it screwed that functionality17:21
herrkinI tried to do ctrl-a,d as suggested, didnt work, it still kill pm2 at logout17:27
herrkin maybe it also kills byobu17:27
herrkinit may kill everyting that the user is executing17:28
herrkinI don't really know17:28
herrkinTJ-, so you think I should definitely have it without encryption.17:38
herrkinI would lose the protection of the files :(17:38
herrkinwow, everybody is gone.17:56
tewardherrkin: or busy or patience, it's lunch at some places17:56
tewardherrkin: TJ- has indicated that you have two goals:  protect files, but let services access them.17:57
tewardherrkin: Either move those specific files out of the encrypted home directory and into unencrypted space where it can be accessed by services17:57
tewardor leave a login session running, and your entire home is 'decrypted' per se17:57
herrkinI tried what you told me17:58
tewardIf you're exposing the files to a service anyways, securing the files from being accessed is already out the window17:58
herrkinno luck17:58
herrkinit seems the time l17:58
herrkinI log out it kills byobu too17:58
herrkinwhen I log back in its like I have never logged in before17:58
patdk-wkwell, if your using encrypted home folders, ANYTHING that runs as you, should die17:59
patdk-wkas your home folder will become encrypted when you logout17:59
herrkinyes, is there a way I can have a session running forever? like a service session?18:00
patdk-wkservers and encrypted home folders, genrally don't mix18:00
tewardyour only option in this case is: (1) don't use encryption, or (2) put the web doc root into unencrypted space18:00
herrkinI thoght that was what happened with apache and others18:00
tewardagreed with patdk-wk18:00
patdk-wkFDE and servers mix, but is normally a pain to manage18:00
patdk-wkwhat do you mean apache and others?18:01
herrkinthen how could i protect some folders that can only be accessed by services?18:01
tewardherrkin: define 'protect'18:01
herrkinnobody can grab the code18:01
patdk-wkencrypted? impossible18:01
tewardherrkin: too late - it's already exposed to the *net if you're using Apache to access it18:01
herrkinyes but apache delivers its version of the code, not everything18:02
tewardpoint missed18:02
herrkinI mean it serves results, not code18:02
tewardherrkin: in theory? set up ACLs for the folders and files18:02
tewardbut that can be painful to maintain over time18:03
herrkinok lets just resume.18:03
patdk-wklets say, your running a php site on your server18:03
patdk-wkand you want to protect the php files from exposure18:03
patdk-wkit's not possible18:03
patdk-wkall it takes is ANY vaunerability in anything that runs under that user, and your exposed18:04
tewardgbah lag18:04
patdk-wkso any flaw in your php code18:04
patdk-wkand your exposed18:04
teward(the last part I was going to say is "That doesn't actually 'hide' the code to the world, really)18:04
tewardpatdk-wk: thanks for adding that on, lag / network weirdness disconnected me for a second18:04
tewardherrkin: if you want the code to NOT be visible to the world, you don't have it served by a web server or service18:04
patdk-wkacl's, apparmor, ..., nothing is going protect against that18:04
teward^ that18:04
herrkinso thats a crap lol.18:05
tewardherrkin: you can protect it from other local users, possibly, accessing it, but NOT if it's being served to the web18:05
teward(I was imprecise earlier)18:05
patdk-wkgenerally this is why people go with multible levels18:05
herrkinthe thing is that I deliver a black box to the client, in theory they should not be allowed to grab anything from the machine18:05
patdk-wkbackend api, frontend webserice18:05
patdk-wkand nothing you care about on the frontend18:05
patdk-wkit will limit that attack pretty well, not perfect, but make it damned hard18:05
herrkinbut nothing is stopping them from taking the hdd and mounting it in another maching18:05
tewardherrkin: FDE18:05
herrkingetting the files and selling my software18:05
tewardfull disk encryption would 'prevent' that, per se18:05
tewardbut, it's painful to manage18:06
tewardto quote patdk-wk...18:06
teward[2015-11-09 13:00:47] <patdk-wk> FDE and servers mix, but is normally a pain to manage18:06
herrkinyes but I would still need to give them the key if they need to reboot the machine18:06
herrkinthats silly18:06
patdk-wkwhy is it silly?18:06
patdk-wkI do it18:06
patdk-wkand I do it automated, most reboots are automatic18:06
herrkingive the encryption key to them?18:06
herrkinwhy would you do that?18:07
herrkinif thats what you are avoiding in the first place?18:07
patdk-wkhow do you unencrypt a system that is encrypted without a key?18:07
herrkinI mean if they have the encryption key they can get everything from the system, cant they?18:07
tewardherrkin: it sounds like you are giving a client a black box, but then not wanting them to be able to use it / install it / reboot it without calling you to come in and reboot everything18:07
herrkinits like its not encrypted18:07
patdk-wkherrkin, heh? I have to give it the key on each boot18:07
patdk-wkno exceptions or work arounds18:08
tewardpatdk-wk: i think herrkin wants to give the client the box and NOT give the client the key, so they can't access the files on the devices18:08
tewardwhich makes zero sense18:08
patdk-wkyes, I do the same18:08
patdk-wkbut then you have to give it the key on each reboot18:08
herrkinall I want is they can reboot the system but not access the files18:08
tewardherrkin: mutually exclusive options18:09
patdk-wkwon't happen18:09
herrkinit seems impossible as you say18:09
tewardherrkin: you get one, or the other18:09
patdk-wkherrkin, even if you used FDE that won't happen18:09
tewardeither they can reboot the box and put in the key, or, you give the machine the key each boot.18:09
herrkinif I enctypt the disk and give them the key its like I wasnt enctypting anything18:09
herrkinso why bother?18:09
patdk-wkforget all that, your protecting against the wrong thing18:09
patdk-wkwhen using FDE, if the server is on, it's as good as vaunerable18:10
patdk-wkonly when it's powered off is it safe18:10
patdk-wkso yes, they can't remove the drive and reboot18:10
patdk-wkbut they can attack it while it's turned on plunty18:10
herrkinwow thats frustrating18:10
patdk-wkif it was simple18:11
patdk-wkeveryone owuld have perfect security18:11
patdk-wkand there would be no market18:11
herrkinit seems any system is vulnerable then?18:11
patdk-wkanything that can be turned on, is18:11
patdk-wkit's how you want to protect it, and what you want to protect against, that drives up how hard/costly it is to do18:12
patdk-wkusing a tpm module will let you autoreboot18:12
patdk-wkand will protect against drive removal18:12
patdk-wkbut it won't protect against attacks against that same machine18:12
patdk-wkor bios issues18:12
herrkinwhat is tpm?18:12
tewardhttps://en.wikipedia.org/wiki/Trusted_Platform_Module I think18:13
herrkinsorry there are some things I have never used so I get confused18:13
patdk-wkI use tpm's on many things18:13
herrkinhow would it protect against drive removal?18:13
patdk-wksome with passwords, others without18:13
patdk-wkthe drive is encrypted18:13
patdk-wkcannot be decrypted without the tpm18:13
patdk-wkthe tpm cannot be removed from that computer18:14
herrkinpatdk-wk, please tell me the way you protect your work18:14
patdk-wkI don't attempt to protect against the impossible :)18:14
patdk-wkI am only required to protect against powered-off states18:14
patdk-wknot powered-on18:14
patdk-wkfde works great for that18:14
herrkinall I want is that they cant remove the drive and access it from another machine thus grabbing the files18:15
patdk-wkuse a tpm then18:15
tewardFDE (Full Disk Encryption), + TPM module18:15
patdk-wkthe FDE passcode will be generated and stored in the tpm only18:15
herrkinand also prevent the grub from changing pass18:15
herrkinthats another thing I havent been able to do18:16
patdk-wkwhat does grub have to do with FDE?18:16
herrkinthere was a time when I lost my pass18:16
herrkinI remember I read on a page that I just go on grub and type some commands18:16
herrkinI override the root pass18:16
herrkinI could log to the system18:17
herrkinthat is something I want to prevent too.18:17
patdk-wkyes, all that requires having the disk18:17
patdk-wkand we just told you to use fde18:17
patdk-wkif yo uwant to protect against that18:17
herrkinI will look for that.18:17
patdk-wkif you want to protect against something when it's *powered-on* and working, that is totally different18:17
tewardi feel like we're going in circles, so I'm going to go get lunch.18:17
patdk-wkbut to protect against powered off, fde+tpm will do the job for you18:18
herrkinsorry teward18:18
herrkinanother thing the key sharing.18:18
patdk-wkkey sharing? no idea what that is18:18
herrkinhow you prevent them to grab the files if they have the key?18:18
herrkinthe encryption key18:18
patdk-wkhow would they get the encryption key?18:18
herrkinyou said you would give it to them so they can reboot18:19
patdk-wkon my systems yes18:19
patdk-wkbut we aren't discussing my system18:19
patdk-wkbut what you need18:19
patdk-wkfor you, a tpm would be perfect18:20
patdk-wkfor me, sometimes tpm18:20
patdk-wkbut I also want to protect against someone stealing my server18:20
herrkinok, that way you are telling me it allows to reboot without asking for an encryption key?18:20
patdk-wkand so my tpm would need a password18:20
patdk-wkthe encryption key is stored in the tpm18:20
herrkinoh.. great18:20
patdk-wkif you password the tpm is optional18:20
patdk-wkif you don't put a password on the tpm18:21
patdk-wkthat drive is now locked to that computer18:21
herrkinok, so much to learn18:21
patdk-wkwithout that *computer* the drive must be wiped18:21
patdk-wktpm's are bound to the system they are put into18:21
patdk-wkeven doing a bios update on it, will cause the tpm to break18:21
herrkinand changing its hardware does it too?18:22
patdk-wkmotherboard, yes18:22
patdk-wkother stuff, likely not18:22
herrkinfor example more ram, another nic, whatever18:22
TJ-Guys, I think the background to this says everything, since it's a continuation of a long-running saga. If I recall correct, the server is owned by, and on the premises of, a customer of herrkin, who installs his proprietary code on said server. herrkin is trying to prevent the customer having any access to the source-code of his application.18:23
herrkinok then I will research about tpm fde18:23
TJ-Last time I recall they wanted log-on/root access to 'change the IP' and we ended up recommending simply putting a cheal router 'in front' of the server so the customer changed the router config, not the server.18:24
herrkinyes :D18:24
herrkinthat was just an idea, I like that.18:24
TJ-And before that, when this situation of protecting the code came up, I said it was a pointless endeavour18:25
TJ-If you don't have trust in a customer don't do business with them18:25
herrkinyeah its just inevitable. I want to protect from anything. sorry if I am bothering you, I am learning a lot from you.18:28
TJ-herrkin: the only solution is to host the service off-site where you have full physical control18:28
TJ-herrkin: you could always do that, and then set up a VPN from your server to the customer's premises, or to the customer server, which simply acts as a proxy - therefore it would not store your code on it18:29
herrkinthat wouldn't be efficient because the internet in my country is a crap. instead some of my clients have several servers to handle local data and then replicate18:31
herrkinthe thing is a matter of availability, internet is either not so good or not available18:32
patdk-wkya, I dunno the whole story, just what I ran into the middle of :)18:32
herrkinso they need to have the server in premises18:33
patdk-wkbut yes, it all come down to what you are protecting against18:33
patdk-wkbut pulling a harddrive out of the box, fde is required, and tpm to do the fde is likely needed in this case18:33
patdk-wksince you don't want to manage keys18:33
patdk-wkbut to do other kids, it's different18:33
herrkinyes its seems like the solution.18:34
herrkinoh its a hardware ? lol.18:35
herrkinno way, I think I just leave that unprotected, I can't do much about it18:36
herrkinthanks for clearing it out. sorry for the time wasted. I appreciate it.18:36
patdk-wkmost motherboards support tpm modules18:36
patdk-wkit's just a chip you plug into the motherboard18:36
TJ-herrkin: clearly display your copyright messages in every file, and in the log-on MOTD; that's about the best you can do18:40
herrkinyes. thanks.18:41
herrkinhonestly I wanted to marry them to our support, if they can gain access the code they can edit it and do what they need.18:41
herrkinoff course we could detect if the code has been changed, and one thing to do is not leave the ssh key of our repository, it could be brutal.18:43
herrkinits not that I dont trust them, I am just being paranoic lol. anything can hapen.18:43
TJ-herrkin: you could embed methods that check known cryptographic hashes of the file(s) with live-generated hashes, and cause your service to stop/warn/error if changes are detected18:59
herrkinhm.. like md5 hash of the files? check sums?19:01
bindiubuntu server 14.04, will it run irssi in a screen with 3GB disk space? :P19:10
bindii mean sure the wiki page says minimum is 119:10
bearface_bindi: it should be able to19:11
herrkinTJ-, the thing that worries me the most now that its like that is that they could easily see the db password and screw or edit the data at will living us in a horrible possition. I mean some black hat technisian with a will to distroy it, literally could do it.19:34
=== Lcawte|Away is now known as Lcawte
TJ-herrkin: if it is their data why worry? if they change it that's their issue, totally outside your responsibility.19:59
herrkinthey could think its a malfunction of the system. (lack of security) they could blame us for that. TJ-20:57
TJ-herrkin: negoitate sensible terms, in writing, so both parties understand what is an isn't your responsibilty, and what is theres (like not interfering with the code or database, keeping a written log of all access they make to the server, etc.)21:12
herrkinok thanks21:12
TJ-herrkin: ensure the server keeps good logs of everything, and have it forward them to you on a schedule using cron, maybe21:14
herrkingood what type of logs, access logs?21:16
=== dames is now known as thedac
TJ-Yes, and database access, any kind of program-controlled access to your running code21:22
herrkingot it, thanks21:31

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!