[00:21] <hehehe> genii do you use ossec?
[00:21] <hehehe> many tutorials suggest to run it as root
[00:22] <hehehe> there is some workaround but I wonder if it is worth changing it so it runs under a local user
[00:38] <hehehe> https://groups.google.com/forum/#!topic/ossec-list/UI6Yng70wh0
[00:56] <hehehe> sarnold: is there any issue with installing ossec from a root dir on an ossec server
[00:56] <hehehe> I don't see any
[00:57] <hehehe> since it runs as root it does not matter where it's located
[01:32] <hehehe> also while I am in ssh session I changed firewall to block custom ssh port yet my session did not ds
[01:32] <hehehe> so it applies to new sessions only?
[01:58] <hehehe> seems so
[01:58] <hehehe> nice
[01:58] <hehehe> :D
[04:52] <maco> I've got a VPS running 16.04, and today I installed updates (probably first time in 2 months) and rebooted. Now I'm repeatedly getting system hangs with "task blocked for more than 120 seconds" — is this an issue with recent updates? (Or a coincidence?)
[04:54] <eatingthenight> not an issue with recent updates
[05:02] <maco> Alright, thanks. More log digging says it started 2 hours ago and happens at 15 & 35 past the hour. Weird.
[05:02] <eatingthenight> that is strange
[05:02] <eatingthenight> is that the message in syslog?
[05:03] <maco> Which task is blocked semi-alternates between jdb2/vda1-8 and mysqld
[05:03] <maco> But I grepped that "120 seconds" in syslog
[05:04] <eatingthenight> did you have an increase in traffic refently?
[05:04] <eatingthenight> *recently
[05:06] <maco> I added another site to my WordPress multisite install about 30 hours ago. Only one person knows about it though, so I doubt that's it. Most popular site on the server has higher traffic than this regularly (podcast episode every other week--this is an "off" week)
[05:07] <maco> I mean unless the sheer existence of that new site is the issue? But it was fine for 28 hours...
[05:08] <eatingthenight> is this hosted on aws?
[05:08] <maco> Cron hourly is 17 minutes after the hour not 15
[05:08] <maco> No, it's Dreamhost's openstack setup
[05:10] <eatingthenight> have you tried tuning kernel params at all yet?
[05:13] <maco> Nope
[05:13] <maco> I forgot that phrase even existed
[05:14] <eatingthenight> overall it's going to be real hard to debug that without more info as it's just general system tuning that is specific to your workload and environment. Stack overflow should be able to point you in the right direction for how to start narrowing it down.
[05:15] <maco> Ok here's something
[05:15] <maco> I see app armor denies for mysqld right before the first time it happens
[05:17] <maco> Oh never mind. That's the last thing in the logs before it, but a half hour passes
[05:19] <maco> Ugh. Ok so I see stuff in openstack help about this being caused by storage problems after rebooting
[05:19] <maco> Rebooting a VM shouldn't cause storage issues
[05:23] <maco> Possible solution found. If it works, I'll post the link here to satisfy any curiosity you may have eatingthenight
[06:23] <lordievader> Good morning
[09:36] <nisargjhaveri> Hello!
[09:36] <nisargjhaveri> I'm trying to setup ldap authentication on Ubuntu server 16.04, using `nss-pam-ldapd`
[09:36] <nisargjhaveri> I think the ldap auth part works, but when I try to login, auth.log says "fatal: initgroups: username: Invalid argument"
[09:36] <nisargjhaveri> If I set map gidNumber to 100, auth.log says "fatal: seteuid userID: Invalid argument"
[09:37] <nisargjhaveri> I recently setup another server using `libpam-ldap`, I didn't encounter any similar errors there..
[09:37] <nisargjhaveri> Any ideas?
[12:14] <Pascal__> hi i have a problem with apache ... i want to create a subdomain but my subdomain redirects serverside to my domain. subd.server.my.domain.com => server.my.domain.com any idea?
[12:26] <lordievader> What does your configuration look like?
[12:30] <Pascal__> https://pastebin.com/Z9rwXJzc
[12:31] <lordievader> Do both addresses resolve to the same ip address?
[12:32] <lordievader> Else you need to add the (sub)domain as server name.
[12:32] <Pascal__> same ip
[12:38] <Pascal__> but when i type essen.vm-doku.my.domain.de it shows the index of /var/www and not of /var/www_2
[12:48] <lordievader> And that is with the servername setting?
[12:50] <lordievader> Pascal__: What does `sudo apache2ctl -S` return?
[12:51] <Pascal__> https://pastebin.com/wmwK2Pa9
[12:53] <lordievader> Both vhosts are named localhost. Hence apache cannot distinguish them.
[12:53] <lordievader> Have you set the servername correctly?
[12:58] <Pascal__> this is my /etc/hosts : 127.0.0.1	localhost 127.0.0.1	vm-doku.eva.evapolda.de	vm-doku 127.0.0.1	essen.vm-doku.eva.evapolda.de essen.vm-doku
[12:59] <lordievader> Pascal__: That is not what I asked for. What ServerName is set in the apache config of the websites?
[13:00] <Pascal__> for essen.vm-doku.my.domain.de is essen.vm-doku and for vm-doku.my.domain.de is vm-doku
[13:01] <lordievader> Could you show me your config again?
[13:02] <Pascal__> https://pastebin.com/7Vw9kKVC
[13:03] <lordievader> The ServerName needs to be a fqdn.
[13:05] <Pascal__> i've set that with fqdn ... now it says at essen.vm-doku.my.domain.de ... DNS-Name not found
[13:06] <lordievader> Is it a valid fqdn?
[13:07] <Pascal__> i think so, our (windows)-Dns has both forward-addresses
[13:07] <lordievader> Can you resolve it?
[13:11] <Pascal__> now, after reboot of the DNS-Server, yes but now i also get the index of /var/www at essen.vm-doku
[13:12] <lordievader> Could you paste the output of `sudo apache2ctl -S` again?
[13:13] <Pascal__> https://pastebin.com/FRKsFFJS
[13:16] <lordievader> Both do use a different config, 000-default.conf for vm-doku and essen.conf for essen.vm-doku ;)
[13:17] <Pascal__> yup i've pasted it together to reduce spam
[13:19] <lordievader> If you look in the access logs, do they reflect the right thing? I.e. when going to essen it is logged to access_essen.log?
[13:20] <Pascal__> but i've found the problem it was the <VirtualHost fqdn:80> after i changed that to <VirtualHost *:80> it works fine
[13:20] <Pascal__> but also thanks for your help :)
[13:21] <lordievader> Nice, good to hear :)
[13:46] <vimart> is ubuntu server 16.04 ready to run php,python  CGI?
[13:49] <lordievader> vimart: What do you mean exactly?
[13:50] <vimart> lordievader: to run simply scripts in php or python?
[13:52] <vimart> For example I'd like to have contact form on www
[14:01] <lordievader> vimart: If you install the necessary stuff, sure.
[15:40] <vimart> lordievader: I've noticed that PHP probably is coming with ubuntu server but I don't see python, what should I install to run python? cgi?
[15:41] <lordievader> Python (2.7) is installed by default.
[15:43] <nacc> lordievader: PHP is not installed by default either
[15:43] <nacc> lordievader: sorry, vimart --^
[15:43] <nacc> vimart: but python is
[15:44] <lordievader> Hence the 'if you install the necessary stuff' ;)
[15:45] <nacc> lordievader: yep, i meant in relation to vimart's last comment
[15:46] <lordievader> Yes, indeed.
[15:55] <jonah> hi, any friendly folks around that could please help. my server is taking a beating from a spammer/ddos. Not sure how to get things straight if anyone would be kind enough to lend a hand please?
[17:08] <tomreyn> jonah: still looking for help?
[17:18] <tomreyn> looks like both your hosting company website and its blog are online so i guess that's no longer an issue.
[17:37] <jonah> tomreyn: hey thanks, sorry i got a bit tied up there
[17:37] <tomreyn> i can imagine
[17:38] <jonah> tomreyn: it seems to have all come from backscatter, but on a large scale with clamscan going nuts scanning tens of thousands of email bounce backs coming in
[18:08] <sarnold> nacc: any suggestions for 1703752 ?
[18:08] <tomreyn> i see, so it was / is your mail server that was being overwhelmed. that's luckily a lot easier to fix than a web based ddos
[18:09] <sarnold> yeah if nothing else, "just turn it off" isn't a bad start
[18:09] <nacc> sarnold: looking
[18:12] <nacc> sarnold: i'll pick it up -- there seem to be a few bugs here
[18:13] <sarnold> nacc: thanks; normally I'm content to say "yeah bad php can use trusty" but if it's something we shipped anyway, it'd be nice to at least warn folks if it won't work. or something. :/
[18:14] <nacc> sarnold: yeah, we have done some fixes and iirc, i think my cursory usage did work
[18:14] <nacc> sarnold: so this is probably something > cursory
[18:14] <sarnold> somehow I'm not surprised roman would hit a 'logout' button that you might not :) hehe
[18:18] <nacc> sarnold: yeah
[18:18] <nacc> sarnold: i was more concerned with "does the UI display"
[18:18] <sarnold> "doesn't seem badly misfunctional"
[18:19] <nacc> sarnold: yeah -- which it admittedly was, at first
[18:20] <sarnold> heh
[20:07] <hehehe> https://www.vultr.com/docs/how-to-install-modsecurity-for-nginx-on-centos-7-debian-8-and-ubuntu-16-04
[20:07] <hehehe> does it work?
[20:07] <hehehe> or what's your setup for ubuntu 16.04 nginx and mod security
[20:38] <ahasenack> nacc: an opinion here, please
[20:38] <ahasenack> nacc: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1531622/ is it worth fixing for 16.04, since it's just a config change?
[20:39] <ahasenack> it's quite probable that dpkg will prompt about a config file change during the upgrade, so just installing the update won't fix it in all cases
[20:40] <ahasenack> but looks like people want it
[20:40] <ahasenack> got a duplicate bug even, for 16.04
[20:46] <nacc> ahasenack: i think it is probably worth pursuing -- not sure i follow the 'won't file in all cases' comment?
[20:47] <ahasenack> nacc: sorry, I dropped just after mentioning the duplicate bug, where is that comment?
[20:48] <ahasenack> nacc: that being said, the new option doesn't work :P (upstream bug)
[20:48] <ahasenack> the error was silenced, but the kernel messages also :P
[20:50] <nacc> ahasenack: your comment itself earlier: "... so just installing the update..."
[20:51] <ahasenack> nacc: I mean if the user made an unrelated change to rsyslog.conf, installing the update won't fix the broken config option
[20:51] <ahasenack> dpkg will prompt the user, saying the config file changed, and ask for help, right?
[20:51] <ahasenack> keep, overwrite, diff, etc
[20:52] <ahasenack> or are we expected to detect this in postinst somehow and fix it for the user?
[20:52] <nacc> ahasenack: it feels like something we should detect if it was a valid config before and now is not
[20:52] <nacc> ahasenack: is that the case here?
[20:53] <ahasenack> nacc: no, we introduced a bug when we changed how the klog module is loaded
[20:53] <ahasenack> we should also have changed how its options are set
[20:53] <ahasenack> what we have currently in xenial is a mix: new style loading, old style option setting
[20:53] <ahasenack> that's the bug
[20:54] <ahasenack> this was fixed in yakkety: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1531622/
[20:55] <ahasenack> yakkety+ is fine (except for the upstream part: https://github.com/rsyslog/rsyslog/issues/477)
[21:00] <nacc> ahasenack: ok
[21:00] <nacc> ahasenack: sorry, i'm kind of deep in some git-ubuntu stuff. Your judgment seems reasonable to me
[21:00] <ahasenack> I'm just wondering if a config file change is worth for an SRU, given that the user might very likely be prompted to edit the file anyway during the upgrade
[21:00] <ahasenack> or maybe that's not so likely
[21:01] <nacc> ahasenack: it might be worth an e-mail to ubuntu-devel-discuss if you can't decide (or ubuntu-devel)
[21:02] <ahasenack> ok
[21:02] <ahasenack> it would fix new installs at least
[22:01] <trippeh> hum. acpid dropped /etc/acpi/events/powerbtn in artful because "since the script is a no-op when systemd-logind is running and systemd-logind is now *always* running". this is not true as dbus is required by logind but dbus is not yet mandatory.
[22:02] <trippeh> Condition: start condition failed at Wed 2017-07-12 17:47:47 CEST; 6h ago
[22:02] <trippeh>            └─ ConditionPathExists=/lib/systemd/system/dbus.service was not met
[22:02] <braziercustoms> First time I've been back to this snap install conjure-up --edge and every time I run conjure-up.lxc list I get different results showing different status for all. Sometimes have up sometimes not...
[22:03] <nacc> stokachu: --^
[22:03] <sarnold> trippeh: how'd you get a system without dbus? I thought that was basically mandatory in order to use systemd for init
[22:04] <trippeh> sarnold: these images are built using debootstrap, very similar to ubuntu base or whatever it is called nowadays
[22:04] <trippeh> most of systemd works fine without dbus
[22:04] <stokachu> braziercustoms: I bet if you run journalctl -f you'll see snap services restarting..
[22:04] <stokachu> I'm not sure why that happens though
[22:05] <trippeh> I may just give in and start adding dbus, even if I'm not stoked about the attack surface ;)
[22:06] <sarnold> trippeh: aha
[22:06] <braziercustoms> :/  looks like it is
[22:08] <trippeh> then again if someone gets access to these vms in a manner that gives access to dbus it is usually game over anyway
[22:08]  * trippeh scratches beard
[22:09] <braziercustoms> stokachu it is :/   how is this setup started?
[22:10] <stokachu> There are snap services in /etc/systemd
[22:11] <braziercustoms> Stokachu how many?
[22:13] <trippeh> (I also realize using debootstrap means I'm mostly on my own :p)
[22:14] <trippeh> oh well *adds the powerbtn stuff back using ansible*
[22:15] <trippeh> it is just some config files after all
[22:17] <braziercustoms> stokachu I'm sure you are familiar with the errors. But I got "Not restarting into /snap/core/current/usr/snap/bin/snap" older than error.. flooding
[22:26] <braziercustoms> And kernel audit about apparmor profile does not exist for neutron agents. Why didn't it do this after first reboot?
[22:27] <trippeh> sarnold: even networkd works without dbus ;)
[22:27] <sarnold> trippeh: ha :D
[22:53] <braziercustoms> stokachu I can't proof of concept on the "proof of concept version" :D
[23:08] <braziercustoms> stokachu it stabilizes? It seems to have stopped... how can I follow this issue?