| terabyte | Hey, I'm confused about .deb package signatures. Having just built a .deb file, I was expecting to look inside and find a signature file, instead I have a .changes file in addition to my .deb file which contains a signature. Have I missed something or is there no way to have a single signed .deb file? Tools used to sign are (choice of either: dpkg-sig, debsig-verify) | 01:02 |
|---|---|---|
| terabyte | Looking around I see that debsigs is used to sign .deb files and contain the signature inside the file, is it the case then that I should use debsigs and that the other two tools are not designed to sign the packages themselves? | 01:04 |
| sarnold | terabyte: afaik there's no equivalent to rpm's signatures-on-packages | 01:04 |
| terabyte | hmm | 01:05 |
| sarnold | terabyte: I think the signed .changes files are strictly for admitting packages into the builders | 01:05 |
| sarnold | terabyte: .. and then the apt hashes in repositories are used for distributing packages back to machines | 01:05 |
| terabyte | ok | 01:06 |
| seph | i'm just learning nginx for the first time so i'm trying to document how i would want to configure the web server for security/optimization. can anyone briefly review the relevant sections on this doc? just the letsencrypt and nginx related sections. thank you! ^_^ https://www.razorbelle.com/public/text/initial_server_config_NGINX.txt | 02:24 |
| sarnold | seph: seems sane | 02:31 |
| sarnold | seph: you know you're just a few steps away from a full automation.. puppet or chef or ansible or salt or whatever you dislike the least :) | 02:31 |
| seph | im not familiar with those | 02:32 |
| seph | do you have a recommendation among those choices? | 02:36 |
| sarnold | seph: basically you'd write recipes or playbooks or whatever they call them, and then deploy them to servers, where they'd run and configure things asy ou wish | 02:36 |
| sarnold | seph: not really, they've all made staggeringly stupid mistakes, and all have their own proponents who like them for various reasons.. :) | 02:37 |
| seph | ok | 02:37 |
| seph | so i will trust doing it by hand | 02:37 |
| seph | especially since this is specifically for security | 02:37 |
| sarnold | fair enough, after all that's mostly how I manage my few machines :) | 02:37 |
| sarnold | but just keep in mind when you've copy-pasted these and filled in *username* a few too many times, that you can automate automate automate | 02:37 |
| seph | yeah | 02:38 |
| seph | i have 7x vps, but most are just basic apache web servers | 02:38 |
| seph | this one i want to be more secure and fast | 02:38 |
| sarnold | you can even automate 'give me new machines running foo, bar, baz, and hook them all together" https://jujucharms.com/ | 02:38 |
| seph | yeah | 02:38 |
| seph | i broke nginx a few times so i spun up a new vps just to play and test things | 02:39 |
| seph | going to reformat and follow my own guide | 02:39 |
| sarnold | :) | 02:39 |
| seph | see if it works and gets a+ ssl | 02:39 |
| === test is now known as Guest23978 | ||
| thmbssfruit | why remotely (from internet) my servernot accept ssh? connections but in my lan yes | 04:28 |
| iDanoo | Probably portforwarding thmbssfruit | 04:45 |
| iDanoo | From the internet what IP are you trying to connect to? | 04:45 |
| thmbssfruit | iDanoo | 04:47 |
| thmbssfruit | assk me user and password | 04:47 |
| thmbssfruit | i think isnt a portforwarding | 04:47 |
| iDanoo | Oh okay | 04:47 |
| thmbssfruit | ssay me access denied | 04:47 |
| thmbssfruit | why?/ | 04:47 |
| iDanoo | If you check your sshd_config under /etc/ssh/sshd_config, there may be a line labelled #ListenAddress | 04:48 |
| iDanoo | you need to make sure that is set to 0.0.0.0, or commented out should work | 04:48 |
| thmbssfruit | wait | 04:48 |
| thmbssfruit | with nano how to find a string? | 04:49 |
| iDanoo | ctrl+w I believe | 04:49 |
| iDanoo | Otherwise you can try run 'sudo netstat -nlp | grep 22' and paste the line it outputs :) | 04:49 |
| iDanoo | wait | 04:49 |
| iDanoo | No I'm wrong sorry. | 04:49 |
| iDanoo | You said it was hitting authentication | 04:49 |
| thmbssfruit | was commented | 04:50 |
| thmbssfruit | enabled and then: | 04:50 |
| thmbssfruit | : /etc/init.d/ssh restart | 04:50 |
| iDanoo | If you're hitting the user:pass it shouldn't make much difference though | 04:50 |
| thmbssfruit | try and | 04:50 |
| iDanoo | but you can always try that | 04:50 |
| thmbssfruit | again access denied | 04:50 |
| thmbssfruit | :( | 04:50 |
| iDanoo | How are you testing this? | 04:51 |
| iDanoo | Are you just trying to use your public IP from inside the LAN? | 04:51 |
| thmbssfruit | yes | 04:51 |
| thmbssfruit | inside the lan i can connect | 04:51 |
| iDanoo | can you try in the commandline | 04:51 |
| iDanoo | curl <publicip> | 04:51 |
| thmbssfruit | in client? | 04:51 |
| thmbssfruit | or server? | 04:52 |
| iDanoo | just do that on the client :) | 04:52 |
| iDanoo | I have a feeling it's hitting your routers SSH server instead of your one. | 04:52 |
| thmbssfruit | iDanoo i am on windows pc | 04:52 |
| thmbssfruit | http://pastebin.com/NKEgV3qT | 04:53 |
| thmbssfruit | see please | 04:53 |
| iDanoo | Yeah, it doesn't look like it's hitting your ssh server and failing. | 04:53 |
| iDanoo | It looks like it's hitting your router/modem instead. | 04:53 |
| iDanoo | Some have a setting with portforwarding like "LAN Loopback". | 04:54 |
| thmbssfruit | you know about fortigate? | 04:54 |
| iDanoo | I don't sorry | 04:54 |
| iDanoo | But I would assume it's not actually a server problem. | 04:54 |
| iDanoo | If you tried from a different network - it will probably let you log in | 04:54 |
| thmbssfruit | outside? | 04:55 |
| iDanoo | Yeah a different internet connection. | 04:55 |
| iDanoo | You could even try from your phone, and turn off wifi for example. | 04:55 |
| thmbssfruit | ok | 04:56 |
| lordievader | Good morning | 09:09 |
| === Mobutils_ is now known as Mobutils | ||
| === binia_ is now known as binia | ||
| ElinKattunge | Hi | 14:42 |
| ElinKattunge | Does anyone have trouble with mosh sessions stayings open for eternity on your servers? | 14:43 |
| ElinKattunge | The max login should've been 2 sessions, but I had to hire it for a customer because I couldn't kill their mosh sessions. I've used skill -KILL -u <username>, I've used skill -KILL -v /dev/pts/x (where x is a number) | 14:44 |
| andol | ElinKattunge: Isn't that the expected/unavoidable behavior when you have unclean client shutdowns? | 14:44 |
| ElinKattunge | I've also tried using pkill and kill to kill the mosh processes on their user with no sucess | 14:44 |
| ElinKattunge | andol: Yes | 14:44 |
| ElinKattunge | the user is on a very unstable HP chromebook | 14:45 |
| ElinKattunge | where the wifi drops out a lot | 14:45 |
| ElinKattunge | andol: who claims they are logged in tho | 14:46 |
| ElinKattunge | andol: Reboots usually clear problems up, but it's not a solution | 14:47 |
| ElinKattunge | This is a server, it must stay up! | 14:47 |
| andol | Perhaps do something where you sort mosh-server processes per UID, and only allow the N most recent, killing the older ones? | 14:48 |
| ElinKattunge | andol: Do you have a solution on how to implement that? | 14:51 |
| andol | You could write a shell script, and loop over the following ps command | 14:53 |
| andol | ps --no-headers --sort=start_time -C mosh-server -o user,pid | 14:53 |
| andol | Or some version of it | 14:54 |
| ElinKattunge | andol: I also found something weird | 14:54 |
| ElinKattunge | On one system SFTP reported to the customer "Message too long", which I know is to do with long echo statements in bashrc and profile | 14:55 |
| ElinKattunge | and it was vague to me, it wasn't explaining a problem at all, so I SFTPed into that user, on my own system and it said what I expected which was max logins exceeded for that user, so I highered the security limits and it fixed both errors... | 14:56 |
| ElinKattunge | I was banging out head hard on the desk, because that first error message just simply made no sense to me. | 14:57 |
| andol | Well, I think the original error message is more about *any* echo statement leaking into sftp, rather than a too long one. | 14:58 |
| ElinKattunge | I just came in here for a sysadmin to sysadmin chat on things, you know? Broaden my insight on things! | 14:58 |
| ElinKattunge | andol: I disagree | 14:58 |
| ElinKattunge | I login successfully via SFTP all the time as long as the echo statements aren't too long | 14:58 |
| andol | Ok, I might very well be wrong on that account then. | 15:00 |
| ElinKattunge | andol: The error has confused me too at times | 15:04 |
| andol | Except that I suspect that I'm right after all :-) Putting the following in my ~/.bashrc was enough to trigger the too long | 15:06 |
| andol | echo "hello" | 15:06 |
| andol | Perhaps you have something like this in your ~/.bashrc, and had your echo afterwards? | 15:06 |
| andol | [ -z "$PS1" ] && return | 15:06 |
| ElinKattunge | andol: Well, no | 15:11 |
| ElinKattunge | again, I don't understand why the error was thrown on my customers computer | 15:12 |
| ElinKattunge | yet a different error on mine | 15:12 |
| ElinKattunge | The error appearing on my friends computer was all to do with echo statements, there are non on that account, but on my system the error was about the maximum number of logins exceeded and the second error made perfect sense to me (I know my systems), so I highered the login limit and it cleared both errors. | 15:13 |
| ElinKattunge | So there are things about the first error which aren't documented, or it was triggered by a fluke | 15:13 |
| ElinKattunge | andol: Most accounts on this server just hold PHP scripts and webspace, nothing more. | 15:14 |
| ElinKattunge | Capprentice: Are you an Apprentice? | 15:28 |
| Capprentice | Yes. Curious Apprentice. | 15:28 |
| Capprentice | ;) | 15:28 |
| ElinKattunge | Capprentice: Good, doesn't what, I hope you are enjoying it! | 15:28 |
| ElinKattunge | *doing | 15:28 |
| Capprentice | Yep! | 15:28 |
| Capprentice | Have you ever set up a squid cachhe in bridge mode? Im trying to do that! Feeling frustrated... | 15:29 |
| ElinKattunge | Capprentice: Recently, I set a squid proxy with, 8 privoxy proxies sitting behind it as slaves | 15:32 |
| Capprentice | With Tproxy? | 15:32 |
| ElinKattunge | If T means transparent then no, however I have set transparent ones up in the past | 15:32 |
| ElinKattunge | Capprentice: Is this part of your learning on the job? | 15:33 |
| Capprentice | yes. | 15:33 |
| ElinKattunge | hmm | 15:33 |
| ElinKattunge | Well, I am self taught since 2007, been ill for 5 year and waiting to hit a job myself | 15:33 |
| ElinKattunge | I was about to tell them that there is a squid channels for that which might help them better! | 15:35 |
| === mpo is now known as mpo42vr | ||
| === evade_ is now known as evade | ||
| === JanC_ is now known as JanC | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!