[02:55] <EvilAngel> can someone tell me how to remove the auditing going on in my dmesg log about apparmor? I've disabled it. I've removed it. I autoremoved it and I purged it yet like a damn virus it's still there
[02:56] <EvilAngel> does ubuntu make an iso without that nasty software?
[03:00] <sarnold> I think either security.apparmor=0 or just apparmor=0 on the kernel command line will disable it
[03:00] <sarnold> or security.selinux=1, security.tomoyo=1, security.smack=1, that ought to do the trick too, if you'd rather use one of the other lsms
[03:02] <EvilAngel> oh
[03:02] <EvilAngel> ok, i hadn't found that in any of the docs i read online
[03:02] <EvilAngel> thanks sarnold
[03:09] <EvilAngel> sarnold: thanks again. that worked and survived the reboot
[03:09] <EvilAngel> with apparmor=0 security=""
[03:10] <sarnold> EvilAngel: sorry to hear it wasn't working out for you :(
[03:10] <sarnold> EvilAngel: glad to hear the solution worked though ;) heh
[03:10] <EvilAngel> well I don't know what happened
[03:10] <EvilAngel> I deleted my log but I saw a lower mem corruption immediately after apparmor
[03:10] <EvilAngel> in the logs
[03:10] <sarnold> o_O
[03:10] <sarnold> odd indeed
[03:10] <EvilAngel> and I have seen way too many audits going on with it
[03:11] <EvilAngel> then I read one blogger I respect a lot say he disables it on all his servers first thing since a properly configured server really doesn't need it
[03:11] <EvilAngel> I do use selinux though
[03:11] <EvilAngel> but I know how to manage that one
[03:11] <EvilAngel> but I just don't need it on every system is all
[03:13] <sarnold> hehe by the same logic one might say a firewall isn't needed either, since properly configured software wouldn't do anything you didn't want.
[03:13] <sarnold> I for one like all the belts and suspenders I can get
[03:13] <EvilAngel> that's true too
[03:13] <EvilAngel> and I do know ppl that don't use a fw
[03:13] <EvilAngel> not saying I'd go that route but if you know your system it can be done
[03:14] <EvilAngel> a firewall isn't a solution for a server exploit
[03:14] <EvilAngel> service*
[03:15] <sarnold> depends, if the exploited server has any control over the firewall, hehe
[03:15] <EvilAngel> that's true too
[03:15] <sarnold> the firewall's also nice for accidental misconfigurations
[03:16] <sarnold> and I like to think of apparmor as serving similar roles; it limits the damage of potential exploits, and limits the damage of accidentally run-amok software..
[03:19] <EvilAngel> it can also make trivial tasks take way too long if you're new to apparmor, selinux too
[03:20] <sarnold> aye
[03:20] <sarnold> that's very true :)
[03:21] <EvilAngel> i'm just lucky I got michael jang's rhcsa/rhce book and watched SELINUX for mere mortals on youtube
[03:21] <EvilAngel> lol
[03:21] <sarnold> also, a bit of misapplication of policy and *bam* you get to drive to the computer to let yourself back in :)
[03:21] <EvilAngel> dude, no doubt
[03:21] <EvilAngel> it's even worse when your server is across the atlantic
[03:21] <sarnold> unfun drive :)
[03:22] <EvilAngel> lol
[05:59] <EvilAngel> drop of cable lube on the tip of a qtip works wonders on those tiny little balls in the logitech marble mouse
[05:59] <EvilAngel> random fact of the day...
[10:27] <mrtAkdeniz> Howdy!
[10:27] <mrtAkdeniz> Guys there are lots of "denied" relay logs on my server, mails are not sending from them, it is ok but they are making smtp server busy, so my mails are on delay
[10:28] <mrtAkdeniz> I don't know where to ask or what to do, any ideas?
[10:28] <mrtAkdeniz> it is like "1 seconds, 10 delayed"
[10:28] <blackflow> mrtAkdeniz: is that Postfix? those are always accompanied with the IP address that attempted to relay
[10:29] <mrtAkdeniz> blackflow, exim.. thanks to stupid cpanel
[10:29] <blackflow> so you can check if it's: a) some process in your network that failed to authenticate  or  b) external probes for open relays
[10:29] <blackflow> exim? cpanel? Is that ubuntu?
[10:29] <mrtAkdeniz> blackflow, idk, centos mb
[10:29] <blackflow> so ask in #centos, lol
[10:29] <mrtAkdeniz> That's why i asked for "what to do :("
[10:29] <mrtAkdeniz> lemme try it, thanks blackflow :)
[10:30] <blackflow> mrtAkdeniz: though my points a) and b) still stand
[10:31] <mrtAkdeniz> blackflow, from and to addresses are like "asdhfh123@hotmail.com" to "asdfjajsdf@gmail.com", so i'm sure it is an attack
[10:31] <mrtAkdeniz> and i don't know what is their ip and how to block them
[10:31] <mrtAkdeniz> there is just a domain, which is my domain
[10:31] <blackflow> open relay probe most likely. unless severely misconfigured, a cpanel server will not allow relaying without authentication
[10:32] <blackflow> it's a default config, I mean.
[10:32] <mrtAkdeniz> blackflow, that is the problem, they are being denied
[10:32] <mrtAkdeniz> but always makes busy, so delay on e-mail traffic :\
[10:32] <blackflow> can you see if same IPs are re-trying?
[10:32] <blackflow> if so, something like fail2ban would help tho cpanel has its own mechanism which I'm not familiar with.
[10:32] <mrtAkdeniz> blackflow, there is no IP, just domain.. and it is my domain
[10:33] <blackflow> there's always an IP, check the message ID back in the log, there should be a connect
[10:33] <blackflow> (string)
[10:33] <mrtAkdeniz> let me check again
[10:34] <blackflow> I don't remember Exim specific log lines any more, but I do remember it logs IPs that connected and attempted something. a transaction ID must be logged. so anyway it has "cphulk" which you should investigate and see if it can help.
[10:34] <blackflow> if this was Ubuntu + Postfix, it'd be very easy to apply fail2ban.
[10:34] <blackflow> (consider switching to :)   )
[10:34] <mrtAkdeniz> blackflow, not my own servers, the companies which i'm working on :\
[10:35] <blackflow> cpanel has helpful forums, and I don't know if they're present with a chan on Freenode.
[10:36] <blackflow> centos guys won't help you, come to think of it, cpanel compiles its own software and heavily modifies it.
[10:36] <blackflow> (unless there's someone in #centos familiar with cpanel and its internals)
[11:00] <mrtAkdeniz> blackflow, they told exactly same "we are not cpanel help" but i don't think it is related to cpanel.. it is a common server and security problem and I don't know what to do :3
[11:00] <blackflow> it is very much related to cpanel because cpanel compiles its own software and modifies it.
[11:01] <mrtAkdeniz> blackflow, btw, there is an IP, which is server's IP, and domain is server's domain.. I think something like wordpress extensions are doing that, but have no time to check all of them.. so not my problem anymore :P
[11:01] <blackflow> at the very least, it's the question of how to configure exim to log these denials in a way that would allow you to ban the IPs. or maybe even exim has some tarpitting features where it would throttle down IPs
[11:01] <mrtAkdeniz> blackflow, so even exim is cpanel's product in that case.. i see :\
[11:02] <blackflow> if it was a WP extension, you'd see that in the logs, it'd be local transport of sorts. "pickup" if this was Postfix.
[11:02] <mrtAkdeniz> It is almost 2017, why the hell people still need cpanel or whm IDK.. even 12-year-olds are sysadmins nowadays :P
[11:03] <mrtAkdeniz> by the way, thanks for your time and ideas blackflow
[11:03] <blackflow> cpanel compiles its own software because they made the decision to run on CentOS only, but then CentOS "stability through age of software" turned out to be a very bad business idea because customers wanted latest. So they compile their own. which then kinda removes the "stability" from CentOS, but that's another story. :)
[11:04] <mrtAkdeniz> blackflow, true. there is a inverse proportion between stability and up-to-date
[11:05] <blackflow> mrtAkdeniz: nah, the 12yr olds you mention are not sysadmins. They're owners of pwned boxes because unless something or someone does it for you, you have to secure it yourself which nobody is doing :) just look at the whole docker movement.   Ranting. Will stop now :)
[11:06] <blackflow> mrtAkdeniz: that's why I like Ubuntu, it's the sweet spot between long term and edge
[11:06] <mrtAkdeniz> blackflow, that was sarcasm :P They think that "apt-get install" is enough for being SysAdmin..
[11:07] <mrtAkdeniz> blackflow, exactly! I've arch on my computer but using ubuntu for my development environment
[11:13] <blackflow> mrtAkdeniz: btw, just a heads up, there's a vulnerability in Exim that will be announced in the next 2-3 days, so keep an eye on that. cPanel will produce an update asap but that will probably require manual intervention, I never trusted cpanel's "auto-update"
[11:14] <mrtAkdeniz> blackflow, I never trusted cpanel :) thanks for information, probably I'll force them to make a fresh server install without cpanel or whm or any shit.
[13:19] <Genk1> hello all
[13:19] <Genk1> I have a special rsyslog question. I want to create a template that send a specific log format via HTTP
[13:20] <Genk1> The normal command I use for such things is :  curl -XPOST http://ip:5155/gelf -p0 -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "_foo":"bar"}'
[13:20] <Genk1> I want to translate this in syslog nomenclature
[14:10] <blackflow> Genk1: I'm not aware of rsyslog being capable of sending out json via http in any shape or form
[14:11] <Genk1> blackflow, so I need an agent like logstash then ?
[14:11] <blackflow> Genk1: syslog-ng might be capable:  https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-destination-http-nonjava.html
[14:11] <blackflow> or yea use any log parsing program
[14:12] <blackflow> Genk1: if you know how to, you can pipe out from rsyslog to a program of choice that then forwards via http. something could be whipped up in perl with a few lines of code or maybe even bash but do note it's not going to perform well
[14:13] <Genk1> blackflow, hmm yes I was thinking about the same thing I was looking for an rsyslog module for talking to external process
[14:17] <Genk1> blackflow, thanks a lot I will try all of those
[18:02] <macskay> hi guys, im trying to set my PS1 env-variable but when setting it nothing happens: https://www.refheap.com/124376
[18:02] <macskay> why does that happen?
[19:10] <blackflow> macskay:    export PS1="..."
[22:00] <Seveas> macskay: you probably have a $PROMPT_COMMAND which overrides $PS1