/srv/irclogs.ubuntu.com/2017/07/07/#ubuntu-server.txt

00:04 <hehehe> hmm
00:04 <hehehe> also Err http://mirror.pw trusty/main amd64 Packages
00:04 <hehehe>   400  Bad Request
00:04 <hehehe> that does not seem like any legitimate mirror site
00:05 <hehehe> and i see that's while 16.04 box is poodle safe 14.04 is not https://access.redhat.com/articles/1232123
00:06 <hehehe> https://access.redhat.com/security/cve/CVE-2014-3566
00:06 <hehehe> but I did not have any redhat stuff
00:06 <hehehe> Let's Encrypt certbot maybe?
00:09 <hehehe> https://www.youtube.com/watch?v=ghJ6yAtnyg8
00:55 <hehehe> ok done
=== lxtahr294461 is now known as loop64
=== Epx998- is now known as Epx998
04:51 <cpaelzer> good morning
06:22 <lordievader> Good morning
09:57 <hehehe> heya
09:57 <hehehe> lordievader:  will it work to tar dir and all that's in it?
09:57 <hehehe> tar cvpzf put_your_name_here.tar.gz .
09:57 <hehehe> including . files
09:59 <hehehe> hey pekkari
10:00 <pekkari> hello
10:24 <lordievader> hehehe: yes, tar can compress entire directories.
11:39 <ahasenack> rbasak: around?
11:39 <ahasenack> cpaelzer: you?
11:41 <rbasak> ahasenack: o/
11:41 <ahasenack> rbasak: hey, workflow question :)
11:41 <rbasak> Sure!
11:41 <ahasenack> rbasak: http://pastebin.ubuntu.com/25038821/ lines 7 (adds the patch) and 5 (removes it)
11:42 <ahasenack> rbasak: in this case, the upstream fix was different than the patch, so I don't get a conflict during the merge
11:42 <ahasenack> rbasak: how would I "cancel these out"? Where would I put the "empty commit"?
11:43 <ahasenack> I just drop bc595c3 during rebase, and e4cf75b becomes the empty commit about the drop?
11:43 <ahasenack> that's git log, btw, not git rebase (the pastebin)
11:43 <ahasenack> so read it from bottom to top
11:44 <ahasenack> I can push the branch if you prefer
11:44 <rbasak> ahasenack: I would drop both commits during a rebase and make a note elsewhere that you've dropped it, for noting in the changelog when you prepare it later.
11:45 <rbasak> ahasenack: oh, hang on
11:45 <rbasak> ahasenack: which step are you on exactly?
11:45 <ahasenack> rbasak: I rebased on new/debian
11:45 <ahasenack> that's the bit that drops the patch
11:45 <ahasenack> I'm just before merge-finish
11:45 <rbasak> ahasenack: so the commit in line 5 is the inverse of the commit in line 7?
11:45 <ahasenack> yes
11:45 <rbasak> I think you've gone too far ahead.
11:46 <rbasak> I'd expect those to not appear at all when viewing the logical tag.
11:46 <ahasenack> I only detected that this patch is unnecessary after getting the new package version
11:46 <rbasak> Drop them while preparing the logical.
11:46 <rbasak> Because logically they aren't there.
11:46 <ahasenack> well, I didn't know that at that time
11:46 <ahasenack> during logical I still didn't have the new samba version
11:46 <ahasenack> at the samba version where the logical tag is added, that patch is necessary
11:47 <rbasak> Oh
11:47 <ahasenack> it's a case of "fix applied upstream, but in a different way"
11:47 <rbasak> So logically it was there for that previous version, and the dropping of the patch didn't exist?
11:47 <ahasenack> right
11:47 <rbasak> OK, sorry.
11:47 <ahasenack> the dropping came as a consequence of updating the package to a new upstream version
11:47 <rbasak> So rebasing onto new/debian was successful, and still included that patch, but that causes the patch to no longer apply?
11:48 <ahasenack> but upstream took another approach to the fix
11:48 <ahasenack> no, the patch applies
11:48 <rbasak> But the patch is now wrong?
11:48 <ahasenack> but given that upstream fixes in a very different way, the patch is incorrect now
11:48 <ahasenack> yes
11:48 <rbasak> I see.
11:48 <ahasenack> I'm full of corner cases :)
11:49 <ahasenack> this is all about how it appears in d/changelog :/
11:49 <ahasenack> so much work for that
11:49 <ahasenack> the way it is now, merge finish adds the patch in "remaining changes" and under "* Drop:"
11:49 <rbasak> I think the commits you have are correct then, and no need to change them.
11:49 <rbasak> And you'll need to fix up the changelog by hand. I'm not sure tooling can ever be capable of understanding this kind of thing. Too many edge cases.
11:50 <ahasenack> nish watches the commits vs changelog lines like a hawk :)
11:50 <rbasak> As for how to do the changelog, I think it's subjective and I'd accept anything that explains it unambiguously, accurately and without misleading.
11:51 <rbasak> I would probably not mention it in any standard section, but add a separate bullet explaining exactly what happened.
11:51 <ahasenack> I would just remove it from "remaining changes" in d/changelog and leave the "Drop" entry with the explanation
11:51 <rbasak> That's fine too
11:51 <ahasenack> this is how it shows up under * Drop:
11:51 <ahasenack>         - d/p/winbind_trusted_domains.patch: the correct fix was committed
11:51 <ahasenack>           to upstream in https://github.com/samba-team/samba/commit/e084c423
11:51 <ahasenack>           [ the correct fix was committed to upstream in
11:51 <ahasenack>             https://github.com/samba-team/samba/commit/e084c423 ]
11:51 <ahasenack> which I just see is duplicated
11:51 <rbasak> I suppose it is straightforwardly a drop!
11:51 <rbasak> (in the end)
11:51 <ahasenack> I'd restore the original message that adds the patch,
11:51 <ahasenack> and leave the [ explanation ]
11:52 <rbasak> I think that's fine
11:53 <ahasenack> ok, thx
12:06 <jdstrand> hehehe: hey, went offline. re egree> typo. meant 'egress' (ingress filtering is incoming, egress is outgoing)
12:06 <jdstrand> hehehe: oh, I see s arnold already responded :)
16:36 <Epx998> Day 2 of trying to get my netboot initrd.gz created with everything i need
16:55 <pmatulis> does an SSH login decrypt home directories (encryption option available during ISO install)? providing, of course, you've implemented a workaround for SSH login for encrypted home!
16:57 <dpb1> what? :)
16:57 <nacc> pmatulis: i think not by default, it needs some tweaking
16:58 <nacc> pmatulis: see "Troubleshooting" at https://help.ubuntu.com/community/SSH/OpenSSH/Keys
16:59 <nacc> pmatulis: basically, setup your keys to be outside the home dir
16:59 <nacc> pmatulis: if so, then (i believe) pam will unlock your home dir
16:59 <pmatulis> nacc, ok thanks
17:00 <nacc> the i believe being for pam being the mediator of that decrypt, i'm not 100% on if it is
17:00 <pmatulis> right, me either, hence my question
=== Epx998- is now known as Epx998
18:09 <Epx998> Is there a way to change the default kernel installed from netboot?
18:10 <nacc> Epx998: installed or used to netboot?
18:11 <Epx998> nacc: I changed the kernel used in netboot, but I am seeing what's installed is different, older.
18:11 <nacc> Epx998: you'd need to presumably do it manually -- unless you mean you're using a newer ubuntu kernel?
18:11 <Epx998> nacc: maybe the mirror it's installing from is old
18:12 <nacc> Epx998: could be
18:12 <Epx998> nacc: I was hoping that whatever kernel I used in my netboot would be installed to the server, but I was wrong there.
18:12 <nacc> Epx998: no, they are unrelated
18:12 <nacc> Epx998: you would need to preseed that, if you want it
18:13 <Epx998> nacc: that is what we were doing, was hoping to eliminate that step.  Do you know if the latest ubuntu mirrors used the latest kernel that's available for the distro?  or is a set kernel used regardless?
18:14 <nacc> Epx998: well, they should be current, but you would also need to make sure you're telling your install to update from the mirror (there's a distinction between grabbing the iso files over the network when netbooting and performing upgrades after install)
18:17 <Epx998> hmm
18:19 <Epx998> nacc: you mean just an apt-get upgrade in late commands or something?  I do not see anything updates looking in the d-i options.
18:21 <nacc> Epx998: i'm not 100% right now (and working on some other stuff), but iirc, there is a prompt in the interactive install like 'download updates during install?'
18:24 <Epx998> nacc: not shown in the preseed d-i options, I am not setting it and it's not asking.  I'll test against an updated mirror and see what that gets me
18:27 <nacc> Epx998: i mean, it should be pretty easy to preseed (as a late-command) something like `sudo apt update; sudo apt full-upgrade; sudo apt autoremove`
18:27 <nacc> Epx998: i thought the updates was preseedable, but maybe it's not (or maybe it's only a prompt on the desktop iso)
18:31 <Epx998> ha while downloading installer components, I get the message "no kernel modules found because installer is using a kernel version different from what's available in the archive" sheesh
18:32 <nacc> Epx998: yeah, that can happen with using a custom kernel
18:32 <Epx998> nacc: I just used 3.13.0-66 on the installer, guess i can try older.
18:34 <Epx998> guess I have to do this with 3.2.0-23-generic
18:34 <nacc> Epx998: 12.04?
18:35 <nacc> -66 seems like it's neither 12.04.5 nor 14.04.1
18:35 <Epx998> sadly.. by end of summer we'll finally be on 14
18:35 <Epx998> I am using 3.13.0-66 on the installer
18:35 <tarpman> Epx998: there are installers with HWE kernels included, aren't there? you shouldn't need to roll your own
18:36 <Epx998> tarpman: not sure, I am just trying to match the installer with what I end up with
18:37 <tarpman> Epx998: ubuntu-12.04.5-server-amd64.iso is running 3.13.0-32-generic
18:37 <Epx998> tarpman: we have some new servers with intels x550 10gb cards, that need a more up-to-date ixgbe driver, was hoping to build it into the netboot first and see if the installer would transfer it over (if the start/finished) kernels matched.
18:38 <coreycb> cpaelzer: fyi https://launchpadlibrarian.net/327345908/libvirt_2.5.0-3ubuntu10_2.5.0-3ubuntu11.diff.gz
18:43 <tarpman> Epx998: oh, yeah. nacc's right, there's a preseed to tell it whether to install the original kernel or a HWE one. let me see if I can find that
18:43 <tarpman> Epx998: or do you mean something even newer than -32?
18:45 <Epx998> tarpman: I am using something newer, but I can use any version really
18:46 <Epx998> I was trying 0-66 since that was seemingly the latest, aside from the jump to 117
18:48 <Epx998> tarpman: end goal is to get my compiled 5.1.3 ixgbe driver into the installer and os kernel modules, so far the driver seems to compile fine regardless - so any kernel can be used, though we run 0-44 or later on our build servers
18:49 <Epx998> I see the installer deploying 3.2.0-92, so this mirror must be old that it's using.  I don't know who maintains it, to get it updated either.
18:49 <tarpman> Epx998: did you try a HWE netboot image i.e. http://archive.ubuntu.com/ubuntu/dists/precise-updates/main/installer-amd64/current/images/trusty-netboot/ ? I *think* that ought to both boot and install the trusty HWE kernel
18:50 <Epx998> let me check
18:50 <tarpman> note that's /trusty-netboot/ not /netboot/
18:51 <Epx998> I see it's in the precise-updates, so it's a trusty netboot that deploys precise?
18:51 <tarpman> it's a precise netboot running the trusty kernel
18:51 <tarpman> or rather the lts-trusty kernel.
18:51 <Epx998> oh nice
18:51 <Epx998> I'll test it out, afk for lunch
18:52 <sarnold> mm lunch
18:53 <tarpman> I think that ought to work. the preseed in there is
18:53 <tarpman> # If we're booting using the backported Trusty kernel, install it too.
18:53 <tarpman> d-i base-installer/kernel/altmeta string lts-trusty
18:53 <tarpman> which is the incantation I was trying to remember
18:53 <tarpman> been a few years since I had to think about netboot stuff :)
19:58 <Epx998> ok let me check this out
20:00 <Epx998> ah ok the 3.13.0-32-generic kernel
20:09 <Epx998> oh hey - this has an updated version of the ixgbe driver
20:10 <Epx998> 5.0.5 this might fix all my issues
20:12 <Epx998> it's also installing the 3.13.0-66 kernel
20:21 <Epx998> hmm the final deploy has an older ixgbe driver, while it appeared netboot has a newer
20:22 <Epx998> datacenter visit to test further
20:22 <tarpman> that doesn't make any sense
20:42 <Epx998> guess i was wrong, ixgbe is still the old 3.15
20:44 <Epx998> this driver that ubuntu is shipping is from 2013
20:47 <sarnold> quite the surprise that a distribution from 2014 is shipping a driver from 2013 :)
20:47 * sarnold runs
20:47 <sarnold> seriously though, no luck with the trusty HWE installers? :(
21:01 <hehehe> hello sarnold
21:01 <sarnold> afternoon hehehe
21:01 <hehehe> is there any sense in auditing changes in files?
21:01 <hehehe> won't attacker disable it and delete logs?
21:01 <hehehe> @tracing attack to see how it was done
21:01 <hehehe> to fix holes
21:02 <sarnold> hehehe: most sites ship audit logs and syslog and so forth off to a log server
21:02 <hehehe> yes
21:02 <hehehe> however if say someone gets in
21:03 <hehehe> all you see is ip connection hmm
21:03 <hehehe> on a certain port
21:03 <hehehe> ok I am wrong
21:04 <hehehe> if there is some exploit - before attacker gets root he would need to modify some files right?
21:04 <sarnold> sometimes
21:04 <hehehe> but then logs have to be shipped every 3 seconds
21:04 <sarnold> continuously, not batched
21:04 <hehehe> else if logs are shipped say once per hour attacker can delete them
21:04 <hehehe> you mean every update is send as it happen?
21:05 <hehehe> *sent
21:05 <sarnold> yes
21:05 <hehehe> ok that makes sense
21:05 <hehehe> sarnold: what you mean by sometines
21:05 <hehehe> sometimes
21:05 <sarnold> not all exploits require modifying files
21:06 <hehehe> ok 1 would be guessing root passd
21:06 <hehehe> passwd
21:06 <hehehe> what else?
21:06 <hehehe> root passwd guessing can be traced via syslog
21:06 <hehehe> I can send you some blackberries by post :D
21:07 <hehehe> I have some here
21:07 <hehehe> they are way nicer than blueberries
21:08 <hehehe> and what if I use https://subgraph.com/sgos/ and install nginx on it - making it a server
21:08 <Epx998> sarnold: its using a old version of the ixgbe driver.
21:09 <hehehe> folks, question is - can all exploits be analysed and understood via audit logs?
21:09 <hehehe> and yes how to set them up in such a way :D
21:09 <sarnold> Epx998: which one, the original trusty kernels or even the HWE kernels?
21:09 <hehehe> i might make fake crypto coins exchange
21:09 <sarnold> Epx998-: which one, the original trusty kernels or even the HWE kernels?
21:09 <hehehe> as honeypot :D
21:10 <Epx998-> sarnold: I used the netboot installer that I was pointed to
21:10 <Epx998-> sarnold: maybe I missed something that was said?
21:10 <sarnold> Epx998-: I had just hoped that e.g. 14.04.5 installer would have an updated-enough driver for you; you'd stand a chance anyway..
21:11 <hehehe> sarnold: u dont now?
21:11 <hehehe> know :D
21:11 <Epx998-> sarnold: yeah it was running 3.15 which is the same as the older precise kernels
21:12 <Epx998-> I thought I had seen a 5.0.5 version, but during the install I loaded the ixgbe driver and it was the old one
21:12 <sarnold> hehehe: no, I don't know, I only have one 10gb nic in the house, so finding the best drivers for it isn't exactly a priority. :)
=== Epx998- is now known as Epx998
21:14 <Epx998> a bit frustrating - I'd think adding in a self-compiled driver to netboot wouldn't be as undocumented as it is
21:14 <Epx998> I'm kind of curious as to if 16 has an updated driver
21:14 <hehehe> sarnold: what drivers!
21:14 <hehehe> :D
21:14 <hehehe> sarnold: I asked about setting audit logs in a way that detects all exploits
21:15 <hehehe> 100% :D
21:15 <sarnold> hehehe: oh I thought you asked about Epx998's problem
21:15 <hehehe> nooo :D
21:15 <Epx998> :D
21:15 <sarnold> Epx998: does this help? it's from a random xenial kernel, not necessarily an installer kernel.. http://paste.ubuntu.com/25041712/
21:15 <hehehe> what's the hardware details?
21:16 <hehehe> sarnold: so do u know or you dont? :D
21:16 <hehehe> and where are da rest of the people? in the bar? :)
21:16 <sarnold> hehehe: it's impossible to write tight-enough audit rules to find all exploits
21:16 <hehehe> sarnold: can you explain logic behind this statement?
21:17 <Epx998> xenial ships with 4.x, latest from intel is 5.x
21:17 <hehehe> to me it seems possible - we need to break all exploits in classes
21:17 <hehehe> then it's easier to analyse
21:17 <sarnold> hehehe: it's a hunch based on the turing halting problem
21:18 <hehehe> hunch...
21:18 <hehehe> I prefer 100% logic
21:19 <hehehe> to gain root access - people need to login to the server - so there will be login record with some ip - then something will happen
21:19 <hehehe> time stamps can match stuff
21:19 <sarnold> your view of 'root access' is too limited :)
21:19 <hehehe> well go ahead and contribute
21:20 <hehehe> instead of saying its impossible
21:20 <hehehe> 100% hack proof server is reality I think
21:20 <hehehe> but having said that btc-e.com got hacked many times but mostly minor hacks
21:21 <hehehe> at very least I do have ideas - replicate database often
21:21 <Epx998> I can hack proof any server
21:21 <Epx998> <unplugs power>
21:22 <hehehe> u are such sceptical people
21:22 <hehehe> both of u :D
21:22 <Poster> I would say you are irrationally optimistic
21:23 <hehehe> well it can only be determined in a course of detailed howto discussion
21:23 <hehehe> else it's guessing
21:23 <hehehe> for example ubuntu 16.04 + html page
21:23 <hehehe> hack then is tricky
21:23 <hehehe> nginx did not have any zero days yet
21:23 <hehehe> so nginx can be added
21:24 <hehehe> maria db I am not sure if they did have zero-day exploits
21:24 <Poster> you're going under the assumption that all vulnerabilities are widely known, which is not always true
21:24 <hehehe> I know they are not known widely
21:24 <hehehe> and some folks won't disclose them
21:24 <hehehe> I did ask some hackers around too :)
21:25 <Poster> how is it you expect to protect yourself from a vulnerability that neither you nor the software vendor is aware of?
21:25 <hehehe> one insisted he can hack into almost any site
21:25 <hehehe> Poster: pay company IT guys to check code
21:25 <hehehe> security audit in house
21:26 <Poster> yeah that gets done by many, but that team cannot find nor imagine everything
21:26 <sarnold> defenders need to be perfect every time
21:26 <sarnold> attackers just need to get lucky once
21:26 <hehehe> like me
21:26 <hehehe> well perfect logic :D
21:27 <hehehe> and then they can't get lucky ever
21:27 <dpb1> solution: 1) become an attacker 2) ??  3) profit!
21:28 <Poster> I think your logic is flawed with perceptions of infallible programmers and/or code auditors
21:28 <hehehe> well crypto currency exchanges need to have hot wallets
21:28 <hehehe> coinbase and bitrexx and btc e hot wallets weren't breached
21:29 <hehehe> they would be amongst top wanted targets
21:29 <Poster> you can certainly run with it, but assuming you are capable of perfection is not a good mindset if you are protecting anything important
21:29 <hehehe> no need to assume, have to have a logical tested solution
21:30 <Poster> you're assuming you can think of everything
21:30 <hehehe> that may be fact
21:30 <hehehe> i don't know yet
21:30 <hehehe> but as I said no one hacked coinbase
21:30 <hehehe> how are they doing it?
21:31 <Poster> probably many layers of security, monitoring and diligence about keeping services updated
21:31 <Poster> intrusion detection/prevention
21:31 <hehehe> i would say monitoring probably
21:32 <hehehe> and intrusion monitoring live
21:32 <Poster> there's no magic switch you flip
21:32 <sarnold> monitoring may be enough to let you write a really nice post-mortem when you apologize to your users
21:32 <hehehe> sarnold: coinbase is not hacked
21:32 <hehehe> :P
21:32 <Poster> I don't see how that means they only monitor
21:32 <hehehe> unlike swiss cheese sony
21:33 <sarnold> nor would I be bold enough to ever make that claim about any service anywhere ever
21:33 <nacc> yeah, what are you basing that off of, hehehe ?
21:33 <nacc> a good hack is undetected still, possibly
21:33 <hehehe> hot wallets - blockchain can't be altered
21:33 <Poster> and for all we know they have breakins constantly but their layers of protection and monitoring stops them before they get too far
21:34 <hehehe> if hot wallet is accessed - blockchain will show it
21:34 <hehehe> and they can't alter blockchain easily :D
21:35 <hehehe> or - if any site can be hacked - maybe do min security and that's it?
21:36 <hehehe> also for example in ecommerce setup - payment gateway can allow auth only transactions
21:36 <Poster> it's just a matter of finding a weakness somewhere, it could be server code, it could be dynamic code on a website, it could be a service unknowingly left open, it could be a default password somewhere
21:36 <Poster> If you aspire to be in information security professionally, your current attitude will probably not let you be hired
21:36 <hehehe> then u have to login to payment gateway site with factor 2 and manually approve charge :D
21:36 <hehehe> lol hired?
21:37 <hehehe> i simply want to secure boxes - 0 to do with being hired
21:37 <Poster> assuming 2 factor authentication will keep someone out is also not a good assumption
21:37 <hehehe> it can't be breached
21:38 <hehehe> if you use old - not smart phone
21:38 <hehehe> :)
21:38 <hehehe> unless they use fake mobile mast
21:38 <Poster> you're assuming that there is no vulnerability in the authentication system AND no other vulnerable service on the authentication system
21:38 <Poster> or some other way in
21:38 <Poster> I hope you bring your head out of the clouds
21:38 <nacc> "can't be breached" is such bravado and has been proven false in the field so many times
21:38 <Poster> best of luck
21:39 <hehehe> Poster: ok fair enough
21:39 <hehehe> but in coding and i don't know much about coding yet - they should be absolute logic?
21:39 <hehehe> like print hello world
21:39 <hehehe> that can't be hacked
21:40 <hehehe> idea is to have code that follows absolute logic
21:40 <nacc> if you mean the resulting binary
21:40 <nacc> and it's written in C
21:40 <nacc> and someone has already rooted your system, they can do all sorts of fun stuff
21:40 <hehehe> maybe write code in assembler then
21:40 <hehehe> all of it
21:40 <nacc> hehehe: ok, i think you're (again?) trolling a bit
21:40 <hehehe> dude I am sure there is code that is 100% logical
21:41 <hehehe> and 100% safe
21:41 <hehehe> not all and not in all scenarioes
21:41 <hehehe> scenarios
21:41 <nacc> hehehe: you seem to think security is either already solved or easy; and I don't know why you think that
21:41 <hehehe> well why do u think otherwise?
21:41 <nacc> hehehe: because neither is true in the real world
21:41 <hehehe> for example pgp 100% secure
21:42 <hehehe> so already 1 valid example
21:44 <nacc> good thing there weren't any security updates to gnupg (hint there were)
21:44 <hehehe> or https://null-byte.wonderhowto.com/forum/website-is-never-100-secure-0158383/
21:45 <hehehe> :)
21:45 <hehehe> well
21:46 <hehehe> they should be smarter
21:46 <hehehe> so write ideal code
21:46 <hehehe> *to
21:46 <nacc> hehehe: alright, you are 100% a troll, i'm done.
21:46 <hehehe> nah
21:46 <hehehe> u just don't get it
21:46 <hehehe> like people did not get tesla inventions
21:46 <hehehe> in math its absolute
21:47 <hehehe> absolute logic is possible mathematically
21:47 <hehehe> plus don't u feel interested in such stuff?
21:47 <hehehe> many people simply code to get paid - hence bugs
21:47 <hehehe> or to get some fame, recognition
21:59 <dpb1> you need to start here http://www.infosectoday.com/Articles/Intro_to_Cryptography/Introduction_Encryption_Algorithms.htm, or here https://gpgtools.tenderapp.com/kb/how-to/introduction-to-cryptography
22:00 <Epx998> getting very frustrated with this damn driver
22:09 <hehehe> for example - if there is 1 version of ubuntuserver
22:09 <hehehe> and all volunteers 100% work on discovering bugs
22:09 <hehehe> and it's not like even top hackers can come up with 0 days exploits often
22:09 <hehehe> they may use it and lose it
22:10 <hehehe> if they use more than 5 or 6 they may have nothing left :D
22:10 <hehehe> collective IQ is power
22:11 <hehehe> but many coders want to write new code instead of securing existing one
22:11 <hehehe> also AI beat some top chess players - it can also be tasked to analyse all potential holes
22:18 <dpb1> you are off in fantasy land now.  hope it's nice there! :)
22:36 <patdk-lap> that isn't even the issue
22:36 <patdk-lap> the issue is the coders write new code cause they don't know how to secure the code
22:36 <patdk-lap> so you get even more insecure code
22:36 <patdk-lap> like most things on the web, verify your input data, how many times do we keep having injection vulnerabilities?
22:37 <patdk-lap> kind of the same things with buffer overflows and stuff
23:13 <Epx998> I think I got it working
23:14 <sarnold> yeah?
23:17 <Epx998> yeah maybe need to test with netboot on the 10gb card, but i saw the module with the 5.1.3 version of the driver at the kernel netboot post
23:18 <Epx998> hmm i can change the interface at d-i
23:28 <hehehe> folks
23:28 <hehehe> https://diablohorn.com/2017/05/21/quantum-insert-bypassing-ip-restrictions/
23:28 <hehehe> :)
