[14:53] <LeMike> hello. I am not good enough with servers so I have a question. Is it correct that HTTP (TCP) always allows SNI? So would it be possible to multiplex the HTTP port and divide SSH logins by their hostname (due to incoming SNI)?
[15:18] <tomreyn> LeMike: so... SNI (server name indication) is an extension to the TLS (transport layer security) transport encryption. TLS can be wrapped around any TCP based application protocol, such as HTTP. For it to be useful, all of the application protocol, server and client implementation need to be modified to be able to communicate with this TLS extension (SNI). to my knowledge this has only been done for HTTP so far.
[15:20] <tomreyn> i.e. you can probably not wrap SSH into TLS + SNI, using the SNI hostname as part of the SSH authentication, unless you also modify the SSH protocol and server and client implementations.
[15:20] <tomreyn> maybe you should discuss where you're coming from / what your actual goal is.
[15:23] <patdk-lap2> heh?
[15:23] <patdk-lap2> didn't think ssh actually used ssl/tls
[15:29] <tomreyn> it doesn't, except for openvpn functionality, i think
[15:30] <tomreyn> but i think lemike meant to wrap ssh in https/tls somehow
[15:33] <LeMike> yes tomreyn. I was hoping for some solution to redirect SSH logins to their endpoints. I have one "proxy" which should handle the redirects but the SSH protocol gives me nothing usable to distinguish the clients. Except for their ssh-key, but this is a thing I should not use.
[15:34] <patdk-lap2> openvpn!=openssh
[15:36] <tomreyn> LeMike: use ipv6 or NAT
[15:39] <LeMike> oh okay. can you please explain this a bit tomreyn? I am weak at networking and resolving this issue. Just about to learn managing servers ;) What have IPv6 and NAT that will help here?
[15:40] <LeMike> I think I only have one IPv6 to the server
[15:58] <tomreyn> LeMike: you have just one server? you were referring to multiple "endpoints", though?
[15:59] <LeMike> the endpoints are docker container within that server, tomreyn.
[15:59] <tomreyn> oh, and they all run on the same ip address?
[16:01] <tomreyn> isn't docker meant to run just one task within a container as a non-root user? setting up ssh access to those containers makes me think you want to use those as a cheap and insecure virtualization replacement.
[16:04] <tomreyn> if you plan to do actual virtualization then most providers will allocate / route several ipv6 to you for free.
[16:52] <compdoc> my server has a bunch of ram disks created somehow. how can I find what's using them, or remove them:  Disk /dev/ram1
[17:18] <XinZhao> compdoc; set your server on fire with petrol
[17:19] <XinZhao> oops sorry wrong window
[17:19] <compdoc> can I use regular petrol, or do I need premium?
[17:20] <XinZhao> crude oil would be best
[17:32] <OerHeks> compdoc, sounds like GPT to me, reading with fdisk
[17:32] <OerHeks> try parted -l
[18:03] <jrwren> LeMike: there is no solution for that. You can use different ports than 22 in the host and map them to 22 in the container.
[21:54] <antonispgs> hey guys
[21:54] <antonispgs> 2TB, 16GB RAM, how much swap and how big of a / directory would you suggest?
[21:57] <jrwren> zero swap partition (or accept default, because it's a hassle to do in installer) and install swapfile later to allow swapping as needed.  everything in /, no other partitions,  unless you tell us what you will be doing. ;]
[22:00] <antonispgs> intended as a seedbox, there is a control panel that does the original installation, I have the option to remove the /home directory and it has 512MB of swap by default. not to be shared
[22:01] <jrwren> if it is from a VPS reseller who specializes in seedboxes, I'd use their defaults.
[22:02] <antonispgs> yea makes sense
[22:02] <antonispgs> that's what I thought, I see the old "double the RAM" rule is no longer suggested
[22:09] <jrwren> no, I think that has not been true for a LONG time.
[22:54] <LaserAllan> anyone in here any familiar with postfix and smtp?
[22:59] <JanC> LaserAllan: there are several people who use it, but you better ask whatever question you have
[23:00] <LaserAllan> JanC: ok so I have set up my own mailserver and I seem to have some issues with my xymon monitoring and fail2ban sending stuff to my new email. not sure what logs to look through
[23:02] <LaserAllan> JanC: I am not sure where to look, what log files to check. I have checked mail.log and the email in question seems to have been processed but I am not sure what has happened to it after that
[23:02] <JanC> postfix normally logs to /var/log/mail.log & /var/log/mail.err
[23:02] <LaserAllan> JanC: Lemme check mail.err
[23:03] <LaserAllan> the err log has no activity since like 6-7 hours back
[23:03] <JanC> if mail.log says that it was processed correctly you should check where it sends it to?
[23:08] <LaserAllan> it sends it to the correct domain but i cannot see it in thunderbird
[23:09] <JanC> can you check the logs on the mail server for that other domain?
[23:10] <LaserAllan> Hmm, do I have to set up a mysql user for the fail2ban mailing?
[23:10] <LaserAllan> the way I've done it this far is having it mail my MS mail and then just forward it to my other email, but it's not a good solution
[23:11] <JanC> MS mail?
[23:11] <LaserAllan> Microsoft
[23:11] <JanC> as in live.com/hotmail stuff?
[23:11] <LaserAllan> Yes
[23:11] <LaserAllan> but I now want it to, you know, be like "fail2ban" at my domain
[23:11] <JanC> make sure the domain you use in the From: allows sending mail from your server...
[23:12] <LaserAllan> Well it should since they're both on the same server, I have tried sending to other emails and it's worked so far
[23:13] <JanC> Microsoft probably requires you to set up SPF and/or DKIM
[23:13] <LaserAllan> Well the reason I wanna change is so I don't have to deal with Microsoft anymore
[23:14] <LaserAllan> I have my domain email and I want fail2ban to use that instead
[23:14] <LaserAllan> I'll give you an example of the log I found
[23:14] <JanC> if you have your own mail server, send it directly to that?
[23:15] <LaserAllan> that's what I've done but it doesn't show up in the inbox :)
[23:16] <LaserAllan> ah
[23:16] <LaserAllan> just found the error
[23:16] <LaserAllan> I am stupid sometimes
[23:16] <LaserAllan> I had written "se" instead of com
[23:16] <LaserAllan> not weird that it doesn't work
[23:16] <JanC> LOL
[23:16] <LaserAllan> :D
[23:16] <JanC> PEBKAC
[23:16] <LaserAllan> I have just started to use Thunderbird
[23:16] <LaserAllan> it's really neat to be honest
[23:17] <JanC> I use Evolution, because Thunderbird lacks/lacked some features
[23:17] <LaserAllan> Interesting
[23:17] <JanC> at least back when I last used it  :)
[23:17] <LaserAllan> Evolution you say?
[23:17] <LaserAllan> What features?
[23:19] <JanC> filtering on mailing lists & such (IIRC Thunderbird now supports it somewhat with an addon, but still), bugs in the plain text editor, etc.
[23:19] <LaserAllan> damn
[23:19] <LaserAllan> Maybe I should look at Evolution
[23:19] <JanC> but that was really years ago  :)
[23:19] <LaserAllan> hmm
[23:20] <LaserAllan> since my fail2ban is also run on the same server as the mailserver it should take milliseconds for the mail to arrive
[23:20] <JanC> at least 8-10 years ago
[23:20] <LaserAllan> weird
[23:20] <LaserAllan> damn:P
[23:20] <JanC> mail clients often only check for mail every 5min or so
[23:21] <LaserAllan> lemme see if I can do a manual refresh
[23:21] <JanC> (or every 15min or whatever you set it to)
[23:23] <JanC> (some IMAP servers & IMAP clients also support a push protocol, but that only works if both support it)
[23:23] <LaserAllan> hmm
[23:23] <LaserAllan> It seems like it works now
[23:24] <LaserAllan> not sure though, since when restarting fail2ban I usually get an email with it
[23:24] <JanC> cool, so problem solved  \o/
[23:24] <JanC> oh  :)
[23:24] <LaserAllan> I actually don't know since I've not gotten the "start" mail, it's only sent the IPs it's banned :S
[23:24] <LaserAllan> hmm
[23:24] <JanC> ban yourself?  ;)
[23:24] <JanC> (don't!)
[23:26] <LaserAllan> I guess I could, or just use a VPN IP and fix it that way
[23:28] <LaserAllan> ok
[23:28] <LaserAllan> just banned myself with an IP from Romania
[23:30] <LaserAllan> ok
[23:30] <LaserAllan> fail2ban hasn't sent me anything just yet
[23:30] <LaserAllan> hmm
[23:30] <LaserAllan> will see if it happens soon then
[23:34] <LaserAllan> JanC: Well this is interesting but also a bit frustrating, it seems to not have sent an email about the ban like it should have done
[23:34] <LaserAllan> the ban is done but the actual email doesn't show up in mail.log
[23:42] <LaserAllan> JanC: Hmm
[23:42] <LaserAllan> The log seems to have sent another fail2ban email but it's shown up in the inbox for some weird reason