/srv/irclogs.ubuntu.com/2015/12/02/#ubuntu-server.txt

00:00 <smackusrevival> possible attack!
00:01 <bekks> So maybe it want the webserver which was under attack.
00:01 <bekks> *it wasn't
00:02 <genii> Maybe check the auth log for bruteforce password attempts
00:03 <teward> ^ that
00:03 <teward> smackusrevival: your company isn't stupid enough to have your DB servers listening on public internet addresses for traffic from everything, is it?
00:07 <smackusrevival> hold, i think i found problem.
00:10 <smackusrevival> got it. hardware issue. router somewhere had changed ip address routes. reverted back and everything good now.
00:10 <quantic> smackusrevival: what have we learned?
00:10 <smackusrevival> check this first next time.
00:11 <quantic> smackusrevival: more generally - unless you have evidence pointing to an attack, malfunctions or misconfigurations are far more likely.
00:12 <teward> agree with quantic there, smackusrevival :)
00:13 <smackusrevival> thanks for the help. but it doesn't discredit the fact there was major traffic at one point which made server ram 100% during this time.
00:13 <keithzg> The old saying "cockup before conspiracy" ;)
00:13 <teward> smackusrevival: how are you determining RAM usage?
00:13 <teward> smackusrevival: if your system shows 100% but `free -m` shows a lot free with the '+/- buffers/cache' line, then it's not really using all the RAM like you think
00:14 <teward> (caching is at play, and that's not really 'in active use')
00:20 <smackusrevival> like this. http://imgur.com/uCqzGuP
00:20 <smackusrevival> my mistake, not 100% but close. red in graph is ram in use. almost maxed out.
00:21 <smackusrevival> green is cached.
00:21 <smackusrevival> graph pulled for monitorix.
00:21 <bekks> So basically cached memory increased.
00:21 <teward> smackusrevival: so your cached memory increased, but active usage didn't increase
00:21 <teward> smackusrevival: that's not uncommon
00:21 <teward> and you don't really need to be worried about cached memory being consumed up to the max on your RAM
00:21 <teward> though if that were entirely RED that'd be a different story
00:21 <teward> i had a rogue ruby utility that did that once
00:22 <ponyofdeath> hi, what calls dhclient on ubuntu server 12.04? what is the init script
00:22 <smackusrevival> why only at this one time during the day though?
00:23 <sarnold> ponyofdeath: /etc/network/interfaces configures the interfaces; called via the /etc/init/networking.conf upstart script or /etc/init.d/networking sysv-init script..
00:23 <bekks> smackusrevival: look at the logs.
00:23 <teward> smackusrevival: logs are your friend
00:23 <teward> read them
00:24 <smackusrevival> yeah ok. fair enough.
00:24 <sarnold> backups? updatedb?
00:25 <teward> smackusrevival: also, don't worry if mostly green/cached is taking up a lot of RAM
00:25 <teward> smackusrevival: http://paste.ubuntu.com/13609973/
00:25 <teward> granted this is my Ubuntu laptop
00:25 <bekks> smackusrevival: http://www.linuxatemyram.com/
00:25 <teward> but point notwithstanding, the site bekks gave is important, AND...
00:25 <teward> you can see most of the 'memory' is used on mine with buffers/cache, not active use
00:26 <teward> (only about 2.4 GB is in use, which is usual for this system since I do a lot of resource-eating stuff)
00:27 <smackusrevival> performing manual backup of server as i write this, as precaution.
00:27 <teward> smackusrevival: 99.999% sure the RAM usage is not a concern :)
00:27 <bekks> smackusrevival: that backup is mostly worthless, since you can't tell for sure whether it is compromised or not.
00:27 <teward> AND bekks is right
00:27 <teward> if you can't tell if your machine is compromised, chances are it may be
00:27 <teward> so a backup won't help you
00:28 <teward> and if you aren't already doing regular backups you should have been
00:29 <bekks> For further investigation purposes, that backup may be helpful, but you should strongly consider setting up that server from scratch.
00:29 <bekks> And - literally - document every change you are doing to that new server.
00:30 <teward> ^
00:31 <smackusrevival> teward: yeah we have many backups. this was only precautionary, but regular backups are made all the time
00:32 <teward> 'this was only precautionary' is wrong
00:32 <teward> smackusrevival: if your server *was* compromised then it's not precautionary
00:32 <teward> it's reckless
00:32 <quantic> The only good taking a backup will do is to have an image to analyze later, and taking a normal backup to do so is useless. You need a bit-level image of the system for proper forensics.
00:32 <smackusrevival> looking through /var/log/auth.log there have been MANY unauthorized login attempts.
00:33 <quantic> smackusrevival: Is the system connected to the internet?
00:33 <bekks> The only purpose of that backup *may* be restoring files which have changed since the last know not-compromised backup AND known to be not altered by an attacker.
00:33 <bekks> *known
00:33 <teward> smackusrevival: is the system internet-connected, and do you do any hardening on your servers?
00:33 <smackusrevival> quantic: yes
00:34 <teward> (such as disable pure password auth, etc)
00:34 <quantic> smackusrevival: Then yeah, you're going to have login attempts. Get used to it.
00:34 <quantic> smackusrevival: You should be looking for login SUCCESSES, not attempts.
00:34 <teward> ^ that
00:34 <teward> but you should also be considering hardening your servers a little if you haven't already, such as disable password-based authentication and enforce SSH Key authentication, etc.
00:35 <smackusrevival> quantic: ok, usually ignore logs unless something like this happens. but need to start paying more attention i think.
00:35 <smackusrevival> teward: ok thanks.
00:35 <teward> smackusrevival: NEVER IGNORE LOGS
00:35 <teward> they're IMPORTANT
00:35 <teward> REALLY important
00:35 <bekks> and - for the sake of reducing the amount of failed attempts - changing the default ssh port.
00:35 <teward> ^ that
00:35 <teward> bekks: though I just IP-restrict SSH xD
00:35 <teward> bekks: in some cases changing the defaults won't help, but yes
00:35 <bekks> teward: that helps too :D
00:36 <teward> I also have Duo Security 2FA enabled so...
00:36 <teward> that PAM layer adds additional authentication reqs to get in
00:36 <sarnold> ... and don't forget, logs are often scrubbed after systems are compromised
00:36 <teward> indeed
00:36 <teward> sarnold: even better reason to have a syslog server that receives all logs from the server
00:36 <bekks> log time inconsistencies. great thing to script :)
00:36 <teward> so even if they're scrubbed locally
00:36 <teward> they're not necessarily scrubbed at the syslog location xD
00:36 <sarnold> teward: yeah
00:36 <teward> at the *real* syslog location
00:37 <bekks> rsyslog ftw :)
00:37 <teward> sarnold: speaking of which, know any good Ubuntu syslog solutions that make it nice and readable and searchable, etc. including color-coded by severity levels and stuff?
00:37 <bekks> which reminds me to set up that for a bunch of servers regularly used by other employees.
00:38 <sarnold> teward: I keep hearing things about kibana and elasticsearch and on and on but i've never been too impressed with what I see, compared to just tail -F :(
00:38 <sarnold> teward: there's some tool named something like czze that apparently does terminal-based log coloring
00:39 <teward> i mean with a syslog server and such included in the list
00:39 <teward> because i want one location NOT on the servers themselves
00:39 <teward> but meh
00:39 <teward> sarnold: i've heard kibana/elasticsearch too but dislike it
00:39 <teward> splunk's always an option, but meh
00:39 <teward> i'll go do more research xD
00:40 <bekks> teward: keep me informed on your proceedings please :)
00:40 <teward> bekks: probably will do so once I poke my other workplace again xD
00:40 <bekks> ;)
00:53 <smackusrevival> gotta go guys. thank you all so much for your help. a sys admin is never alone when he has irc. ;-)
00:53 <teward> smackusrevival: that's why we're here :p
00:53 <sarnold> :)
01:05 <ponyofdeath> sarnold: thanks!
01:07 <sarnold> ponyofdeath: got everything sorted? :)
01:07 <ponyofdeath> sarnold: yup :)
01:07 <sarnold> woohoo :)
03:10 <jvwjgames> I am needing my network interface persistence file fixed or regenerated
03:11 <jvwjgames> Cause I have no network connectivity on that server
03:11 <jvwjgames> Can anyone please help
03:22 <tsimonq2> jvwjgames: the people in #ubuntu could probably provide help with that
03:23 <jvwjgames> Ya but it is a Ubuntu server which is why I am here
03:23 <sarnold> have you figured out what config options need to change to get the connectivity back?
03:23 <rbasak> jvwjgames: it's in /etc/udev/rules.d/70-persistent-net.rules on 14.04 I think.
03:24 <rbasak> I believe that if you delete it it'll get regenerated on next boot, but don't rely on my knowledge if it'll break your server - test first.
03:24 <jvwjgames> I know it is, but it is messed up. Is there a way to regenerate it?
03:24 <sarnold> rbasak: ahhh that thing, I forgot all about it :)
03:24 <rbasak> It has changed since 14.04 and I am no longer up to date with the current stuff.
05:07 <JakeTheAfroPedob> hi guys
05:08 <JakeTheAfroPedob> need some help regarding manual installation
05:08 <JakeTheAfroPedob> on 14.04
05:08 <JakeTheAfroPedob> LTS that is
=== cpaelzer_ is now known as cpaelzer
08:34 <orogor> hi
08:34 <orogor> anyone here use/know dell open manage essentials?
08:37 <OerHeks> orogor, i read about it, but have no PowerEdge Server, the repo instructions are here http://linux.dell.com/repo/community/ubuntu/
09:19 <lordievader> Good morning.
=== Lcawte|Away is now known as Lcawte
11:30 <hackeron> Anyone has any ideas about this boot issue and how to diagnose further? < https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1521749
11:30 <ubottu> Launchpad bug 1521749 in linux (Ubuntu) "NUC NUC5CPYH Does not boot on 4.2.0-19 (Ubuntu 15.10)" [Undecided,Confirmed]
11:56 <TJ-> hackeron: did the systemd analysis not help narrow it down?
12:01 <hackeron> TJ-: I added comments about that in the bug. I tried starting various services just 1 by 1 after getting into the emergency.target - I can start networking, I can start several random things - but as soon as I start something like ssh or even apport, I see this and it freezes: https://www.dropbox.com/s/gmpse7bx0c70e4v/IMG_1479.jpg?dl=0
12:05 <TJ-> ahhh, I still had the bug open from yesterday so couldn't see the updates!
12:10 <TJ-> hackeron: can you add to the bug report a dmesg captured from a 4.2 emergency.target boot? probably need to copy it off to a USB device manually mounted
12:11 <TJ-> hackeron: also, have you tried booting it with 4.2 when *all* USB devices are disconnected?
12:11 <hackeron> TJ-: sure, let me do that
12:11 <hackeron> TJ-: yes, I have
12:13 <TJ-> hackeron: so we can rule out udev stuck due to external devices?
12:14 <TJ-> I notice the iwlwifi firmware isn't found for 3.19... I wonder if 4.2 gets stuck due to that not being available - unlikely, but in the absence of any other evidence...!
12:30 <hackeron> TJ-: yeh, I noticed that as well, but seems unlikely as I can bring networking up without problems
12:31 <TJ-> hackeron: OK, that's the only thing that stands out from the 3.19 logs
12:44 <hackeron> TJ-: I downgraded to ubuntu 15.04 (well, installed from scratch) - I have another unit here, just trying to install 15.10 on it now
=== Guest50543 is now known as hxm
13:09 <rbasak> cpaelzer: I've pushed some suggested changes to the nis merge in https://git.launchpad.net/~racb/ubuntu/+source/nis. Please could you check that you're happy with them?
13:09 <rbasak> cpaelzer: I presume you've re-tested the upgrade paths? If so I'm happy to upload this.
13:12 <rbasak> cpaelzer: my changes are only really minor or couldn't be anticipated by pitti's upload though. I'm completely happy with your solution for the upgrade path - good job on that.
13:16 <hackeron> TJ-: ah! - it seems the older bios does in fact boot on the NUC - but the latest does not, so will check the changelog what Intel changed in the latest bios
13:18 <cpaelzer> rbasak - I tested the upgrade paths, with the new version it continued working
13:18 <cpaelzer> rbasak: no more config file fallout
13:18 <rbasak> Great!
13:19 <cpaelzer> rbasak: let me look into your upload, but I'm generally happy :-)
13:20 <cpaelzer> rbasak: damn I knew I missed the ~ in that version check, but I couldn't find where exactly in the version string to add it - thanks for fixing
13:21 <cpaelzer> rbasak: thanks for fixing my typos and whitespace :-/
13:22 <cpaelzer> rbasak: about the Tabs I had spaces, but took tabs as the rest of the file had tabs
13:22 <cpaelzer> rbasak: but I'm totally fine with that
13:22 <cpaelzer> rbasak: so as predicted - yes I'm happy
13:22 <rbasak> Tabs are fine, but if you want hanging indent to align with something on the previous line, then leading tabs need to match the upper line's tabs and the rest has to be spaces.
13:23 <rbasak> Otherwise it doesn't match up visually unless you match the tab size setting. And since less and "git diff" use eight-space tabs, it all looks wrong immediately to me :-/
13:23 <rbasak> OK, thanks. I'll upload!
13:25 <rbasak> Oh, I didn't fix all the version comparisons. I'll do that now.
13:26 <TJ-> hackeron: interesting... did you do a complete factory reset of the BIOS config?
14:07 <rbasak> [ubuntu/xenial-proposed] nis 3.17-34ubuntu3 (Accepted)
14:07 <rbasak> cpaelzer: ^^ do you get that email, out of interest?
14:08 <cpaelzer> rbasak: no I don't
14:08 <cpaelzer> rbasak: I'm not yet subscribed to all lists that I could be to keep the inbox manageable
14:09 <cpaelzer> rbasak: should that have come through https://lists.ubuntu.com/mailman/listinfo/ubuntu-release?
14:09 <cpaelzer> rbasak: or just because my commits are in there?
14:10 <rbasak> cpaelzer: I just get that email after a dput. I guess it gets sent to the package signer only.
14:10 <rbasak> I thought it might also be copied to you as you're the "uploader" but I guess not.
14:45 <hackeron> TJ-: I didn't reset bios, but this is a brand new unit out of the box - trying now
14:51 <hackeron> TJ-: Not sure if it helped - I rebooted 5 times, 3 of those times it froze, 2 it booted
14:52 <TJ-> hackeron: sounds like a race condition
14:52 <hackeron> TJ-: with 3.19 it reboots every time - I tried via ssh on a loop to reboot 50 times
14:52 <TJ-> hackeron: if you can capture a dmesg when it boots with 4.2
=== CiPi is now known as cipi
15:15 <rbasak> cpaelzer: I've pushed the nis git branch to ~ubuntu-server-dev/ubuntu/+source/nis for the next merge. I've deliberately not pushed the previous reconstruct and logical tags though as they were mismatched. We shouldn't need them for a future merge anyway, as the current master branch has the logical changes (not fully squashed though).
15:15 <rbasak> It should be enough to transfer forward to the next merge without losing anything or duplicating work I think.
15:15 <cpaelzer> rbasak: I agree, thank you
=== Piper-Off is now known as Monthrect
15:50 <Raboo> Does anyone know if QLogic 57840S is included in the kernel for ubuntu 14.04?
15:51 <Raboo> I'm guessing it's bnx2x
15:53 <TJ-> Raboo: you can search for its PCI ID in /usr/share/misc/pci.ids and then check for a modalias that matches under /lib/modules/<VERSION>/*
15:56 <Raboo> TJ- thanks
17:00 <urthmover> I have been tasked with creating a redundant openstack environment that utilizes docker containers.  I do not have physical machines, but I do have a vmware 5.5 environment that I intend to use for the controller and compute nodes.  I DO NOT have shell access to the vmware hosts though.  What should I install first? What software should I skip because I'm not using physical openstack servers?  I did create a ubuntu autopilot env
=== Pici is now known as Guest87554
=== jelly-home is now known as Guest98020
=== Guest87554 is now known as Pici
=== Guest98020 is now known as jelly-effnfn
=== sarnold_ is now known as sarnold
=== Jare_ is now known as Jare
=== jelly-effnfn is now known as jelly
19:01 <thomaslnx> hi everyone...
19:02 <thomaslnx> what should I worry about when setting up ubuntu server securely?
19:02 <thomaslnx> any suggestions?
19:03 <sarnold> #1 don't use ssh passwords, require ssh keys   #2 a firewall is nice to make sure you only expose what you intend to expose
19:03 <genii> Make sure to set up fail2ban, move remote login things to other ports
19:03 <sarnold> get those two right and the rest gets a lot easier
19:06 <thomaslnx> thanks sarnold and genii
19:42 <jcastro> roaksoax: this one's for you guys! http://askubuntu.com/questions/687325/maas-integration-with-ipam-solution
20:01 <foo> I want to change my system time. By default, server is in New York, so all system time is in EST. However, I'm in PST timezone. If I change system timezone to PST, I imagine I shouldn't have any problems since *everything* should change (as opposed to only changing mysql timezone and leaving system in EST). Is this correct?
20:04 <genii> Going forwards in time is fine. When you go backwards the system sometimes becomes confused that some files are from the future
20:05 <sarnold> and don't sleep with or kill your grandparents
20:06 <sarnold> foo: the kernel keeps track of time by counting the number of seconds since jan 01, 00:00:00 1970, in UTC
20:06 <sarnold> foo: the "timezones" are just some libraries that convert those seconds to friendly human display
20:07 <sarnold> foo: different applications have run in different timezones without issue
20:07 <foo> sarnold: thought so, so if I change local timezone, and I have time sensitive software, 3pm will just change to 2pm in both mysql timezone fields and in the software checking against these fields.
20:07 <foo> sarnold: eg. nothing should break, am I understanding this correctly?
20:08 <sarnold> foo: you might run into some poorly written software that doesn't follow the rules, but I can't name any off-hand
20:09 <foo> sarnold: I wrote it all, it's just a matter of using local time from PHP to compare against timestamp in mysql field, so if this all changes, I think I'm good. Oh, and Drupal, but I doubt that'll have any issues (nothing time sensitive there)
20:10 <sarnold> foo: last I looked at sql times I think they either store times via utc or combined with a tz offset..
=== rharper` is now known as rharper
20:12 <foo> sarnold: yup, tz offset. I set local time, restarted mysql, and I'm golden. Thank you
20:12 <sarnold> foo: woot ;) nice work :)
20:13 <foo> sarnold++
20:44 <pvl> hey all. I'm stuck. trying to install 15.10 from usb (which i DD'd), and i keep getting an error that isolinux.bin isn't found
20:44 <pvl> or corrupt
=== cipi is now known as CiPi
=== apb1963_ is now known as apb1963
22:09 <keithzg> pvl: I'd suggest using usb-creator or mkusb instead of directly DD'ing it, see if that works for you.
=== Monthrect is now known as Piper-Off
23:44 <sadmin> Hey, is there a security/software update schedule? I want to create a patch policy and a schedule
23:51 <bekks> there is no schedule, no.
23:51 <bekks> Patches are released whenever they are released.
23:51 <bekks> Basic schedule might be: patch your systems once a week, on saturday.
23:54 <bekks> At least that's how I am patching things.
