/srv/irclogs.ubuntu.com/2016/12/23/#ubuntu-server.txt

=== JanC is now known as Guest61812
=== JanC_ is now known as JanC
02:55 <EvilAngel> can someone tell me how to remove the auditing going on in my dmesg log about apparmor? I've disabled it. I've removed it. I autoremoved it and I purged it, yet like a damn virus it's still there
02:56 <EvilAngel> does ubuntu make an iso without that nasty software?
03:00 <sarnold> I think either security.apparmor=0 or just apparmor=0 on the kernel command line will disable it
03:00 <sarnold> or security.selinux=1, security.tomoyo=1, security.smack=1, that ought to do the trick too, if you'd rather use one of the other lsms
03:02 <EvilAngel> oh
03:02 <EvilAngel> ok, i hadn't found that in any of the docs i read online
03:02 <EvilAngel> thanks sarnold
03:09 <EvilAngel> sarnold: thanks again. that worked and survived the reboot
03:09 <EvilAngel> with apparmor=0 security=""
03:10 <sarnold> EvilAngel: sorry to hear it wasn't working out for you :(
03:10 <sarnold> EvilAngel: glad to hear the solution worked though ;) heh
03:10 <EvilAngel> well I don't know what happened
03:10 <EvilAngel> I deleted my log but I saw a lower mem corruption immediately after apparmor
03:10 <EvilAngel> in the logs
03:10 <sarnold> o_O
03:10 <sarnold> odd indeed
03:10 <EvilAngel> and I have seen way too many audits going on with it
03:11 <EvilAngel> then I read one blogger I respect a lot say he disables it on all his servers first thing since a properly configured server really doesn't need it
03:11 <EvilAngel> I do use selinux though
03:11 <EvilAngel> but I know how to manage that one
03:11 <EvilAngel> but I just don't need it on every system is all
03:13 <sarnold> hehe by the same logic one might say a firewall isn't needed either, since properly configured software wouldn't do anything you didn't want.
03:13 <sarnold> I for one like all the belts and suspenders I can get
03:13 <EvilAngel> that's true too
03:13 <EvilAngel> and I do know ppl that don't use a fw
03:13 <EvilAngel> not saying I'd go that route but if you know your system it can be done
03:14 <EvilAngel> a firewall isn't a solution for a server exploit
03:14 <EvilAngel> service*
03:15 <sarnold> depends, if the exploited server has any control over the firewall, hehe
03:15 <EvilAngel> that's true too
03:15 <sarnold> the firewall's also nice for accidental misconfigurations
03:16 <sarnold> and I like to think of apparmor as serving similar roles; it limits the damage of potential exploits, and limits the damage of accidentally run-amok software..
03:19 <EvilAngel> it can also make trivial tasks take way too long if you're new to apparmor, selinux too
03:20 <sarnold> aye
03:20 <sarnold> that's very true :)
03:21 <EvilAngel> i'm just lucky I got michael jang's rhcsa/rhce book and watched SELINUX for mere mortals on youtube
03:21 <EvilAngel> lol
03:21 <sarnold> also, a bit of misapplication of policy and *bam* you get to drive to the computer to let yourself back in :)
03:21 <EvilAngel> dude, no doubt
03:21 <EvilAngel> it's even worse when your server is across the atlantic
03:21 <sarnold> unfun drive :)
03:22 <EvilAngel> lol
05:59 <EvilAngel> drop of cable lube on the tip of a qtip works wonders on those tiny little balls in the logitech marble mouse
05:59 <EvilAngel> random fact of the day...
=== BioKee is now known as Guest83793
=== smb` is now known as smb
=== smb is now known as Guest58912
=== amoralej|off is now known as amoralej
=== Guest58912 is now known as smb
=== BioKee is now known as Guest47551
10:27 <mrtAkdeniz> Howdy!
10:27 <mrtAkdeniz> Guys there are lots of "denied" relay logs on my server, mails are not being sent from them, it is ok but they are making the smtp server busy, so my mails are delayed
10:28 <mrtAkdeniz> I don't know where to ask or what to do, any ideas?
10:28 <mrtAkdeniz> it is like "1 seconds, 10 delayed"
10:28 <blackflow> mrtAkdeniz: is that Postfix? those are always accompanied with the IP address that attempted to relay
10:29 <mrtAkdeniz> blackflow, exim.. thanks to stupid cpanel
10:29 <blackflow> so you can check if it's: a) some process in your network that failed to authenticate or b) external probes for open relays
10:29 <blackflow> exim? cpanel? Is that ubuntu?
10:29 <mrtAkdeniz> blackflow, idk, centos mb
10:29 <blackflow> so ask in #centos, lol
10:29 <mrtAkdeniz> That's why i asked for "what to do :("
10:29 <mrtAkdeniz> lemme try it, thanks blackflow :)
10:30 <blackflow> mrtAkdeniz: though my points a) and b) still stand
10:31 <mrtAkdeniz> blackflow, from and to addresses are like "asdhfh123@hotmail.com" to "asdfjajsdf@gmail.com", so i'm sure it is an attack
10:31 <mrtAkdeniz> and i don't know what their ip is or how to block them
10:31 <mrtAkdeniz> there is just a domain, which is my domain
10:31 <blackflow> open relay probe most likely. unless severely misconfigured, a cpanel server will not allow relaying without authentication
10:32 <blackflow> it's a default config, I mean.
10:32 <mrtAkdeniz> blackflow, that is the problem, they are being denied
10:32 <mrtAkdeniz> but it always makes it busy, so delay on e-mail traffic :\
10:32 <blackflow> can you see if the same IPs are re-trying?
10:32 <blackflow> if so, something like fail2ban would help, tho cpanel has its own mechanism which I'm not familiar with.
10:32 <mrtAkdeniz> blackflow, there is no IP, just a domain.. and it is my domain
10:33 <blackflow> there's always an IP, check the message ID back in the log, there should be a connect
10:33 <blackflow> (string)
10:33 <mrtAkdeniz> let me check again
10:34 <blackflow> I don't remember Exim specific log lines any more, but I do remember it logs IPs that connected and attempted something. a transaction ID must be logged. so anyway it has "cphulk" which you should investigate and see if it can help.
10:34 <blackflow> if this was Ubuntu + Postfix, it'd be very easy to apply fail2ban.
10:34 <blackflow> (consider switching to :)   )
10:34 <mrtAkdeniz> blackflow, not my own servers, the company's which i'm working for :\
10:35 <blackflow> cpanel has helpful forums, and I don't know if they're present with a chan on Freenode.
10:36 <blackflow> centos guys won't help you, come to think of it, cpanel compiles its own software and heavily modifies it.
10:36 <blackflow> (unless there's someone in #centos familiar with cpanel and its internals)
11:00 <mrtAkdeniz> blackflow, they told me exactly the same, "we are not cpanel help", but i don't think it is related to cpanel.. it is a common server and security problem and I don't know what to do :3
11:00 <blackflow> it is very much related to cpanel because cpanel compiles its own software and modifies it.
11:01 <mrtAkdeniz> blackflow, btw, there is an IP, which is the server's IP, and the domain is the server's domain.. I think something like wordpress extensions are doing that, but have no time to check all of them.. so not my problem anymore :P
11:01 <blackflow> at the very least, it's the question of how to configure exim to log these denials in a way that would allow you to ban the IPs. or maybe even exim has some tarpitting features where it would throttle down IPs
11:01 <mrtAkdeniz> blackflow, so even exim is cpanel's product in that case.. i see :\
11:02 <blackflow> if it was a WP extension, you'd see that in the logs, it'd be local transport of sorts. "pickup" if this was Postfix.
11:02 <mrtAkdeniz> It is almost 2017, why the hell people still need cpanel or whm IDK.. even 12-year-olds are sysadmins nowadays :P
11:03 <mrtAkdeniz> by the way, thanks for your time and ideas blackflow
11:03 <blackflow> cpanel compiles its own software because they made the decision to run on CentOS only, but then CentOS "stability through age of software" turned out to be a very bad business idea because customers wanted latest. So they compile their own. which then kinda removes the "stability" from CentOS, but that's another story. :)
11:04 <mrtAkdeniz> blackflow, true. there is an inverse proportion between stability and up-to-date
11:05 <blackflow> mrtAkdeniz: nah, the 12yr olds you mention are not sysadmins. They're owners of pwned boxes because unless something or someone does it for you, you have to secure it yourself, which nobody is doing :) just look at the whole docker movement.   Ranting. Will stop now :)
11:06 <blackflow> mrtAkdeniz: that's why I like Ubuntu, it's the sweet spot between long term and edge
11:06 <mrtAkdeniz> blackflow, that was sarcasm :P They think that "apt-get install" is enough for being a SysAdmin..
11:07 <mrtAkdeniz> blackflow, exactly! I've arch on my computer but using ubuntu for my development environment
11:13 <blackflow> mrtAkdeniz: btw, just a heads up, there's a vulnerability in Exim that will be announced in the next 2-3 days, so keep an eye on that. cPanel will produce an update asap but that will probably require manual intervention, I never trusted cpanel's "auto-update"
11:14 <mrtAkdeniz> blackflow, I never trusted cpanel :) thanks for the information, probably I'll force them to make a fresh server install without cpanel or whm or any shit.
13:19 <Genk1> hello all
13:19 <Genk1> I have a special rsyslog question. I want to create a template that sends a specific log format via HTTP
13:20 <Genk1> The normal command I use for such things is: curl -XPOST http://ip:5155/gelf -p0 -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "_foo":"bar"}'
13:20 <Genk1> I want to translate this into syslog nomenclature
=== amoralej is now known as amoralej|lunch
=== amoralej|lunch is now known as amoralej
14:10 <blackflow> Genk1: I'm not aware of rsyslog being capable of sending out json via http in any shape or form
14:11 <Genk1> blackflow, so I need an agent like logstash then?
14:11 <blackflow> Genk1: syslog-ng might be capable: https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-destination-http-nonjava.html
14:11 <blackflow> or yea use any log parsing program
14:12 <blackflow> Genk1: if you know how to, you can pipe out from rsyslog to a program of choice that then forwards via http. something could be whipped up in perl with a few lines of code or maybe even bash, but do note it's not going to perform well
14:13 <Genk1> blackflow, hmm yes I was thinking about the same thing, I was looking for an rsyslog module for talking to an external process
14:17 <Genk1> blackflow, thanks a lot I will try all of those
=== iberezovskiy is now known as iberezovskiy|off
=== devil is now known as Guest50447
=== amoralej is now known as amoralej|pto
18:02 <macskay> hi guys, I'm trying to set my PS1 env-variable but when setting it nothing happens: https://www.refheap.com/124376
18:02 <macskay> why does that happen?
19:10 <blackflow> macskay:    export PS1="..."
=== petevg is now known as petevg_happyholi
=== petevg_happyholi is now known as petevg_holidays
=== JanC is now known as Guest57833
=== JanC_ is now known as JanC
22:00 <Seveas> macskay: you probably have a $PROMPT_COMMAND which overrides $PS1

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!