/srv/irclogs.ubuntu.com/2017/08/18/#ubuntu-server.txt

02:39 <hehehe> solved
05:30 <cpaelzer> good morning
05:36 <jnollette> howdy
07:40 <lordievader> Good morning
07:41 <TafThorne> morning
07:42 <lordievader> Hey TafThorne, how are you doing?
07:54 <TafThorne> TafThorne: OK thank you.  Busy, busy, busy at work but that is better than having nothing to do.  How are you?
08:02 <lordievader> Doing good here :) Busy too.
08:15 <cpaelzer> Hi TafThorne, nice to see you again
08:15 <cpaelzer> the day we are not busy will be boring
08:16 <cpaelzer> so embrace it the way it is :-)
08:20 <TafThorne> TafThorne: Hi.  I am often around, I just do not have much to say.
08:50 <lordievader> TafThorne: You know, you don't need to mention your own name ;)
08:50 <lordievader> s/name/nick
08:57 <TafThorne> oops, that was meant to be a cpaelzer: :-D
08:59 <TafThorne> TafThorne: Feels as if he should address statements about TafThorne in the third person to help him stand out.
09:03 <cpaelzer> hehe
09:05 <necrophcodr> I'm not sure if this is the right place or not, but I am looking for a way of reading a LOT of files and applying programmatic rules to them. Is there an application that is suitable for this task?
09:07 <necrophcodr> We're talking millions of files ranging from a few bytes to gigabytes. The rules I'm looking to apply are for determining whether the files contain specific sequences or strings matching regular expressions, but also on file metadata such as size, filetype even, and so on.
09:14 <TafThorne> necrophcodr: grep will do that.
09:14 <rbasak> powersj: that's great. Thanks!
09:15 <TafThorne> necrophcodr: I am not saying it is fast and when you start talking about filesystems with multiple GB of data you begin to find other interesting issues.  You might benefit from using GNU parallel to run your grep inside.
09:15 <necrophcodr> TafThorne, grep won't do that unfortunately. Grep will go some of the way, but it will also take too long.
09:17 <TafThorne> necrophcodr: it and sed will do that but it will take a long time.  If your list of files is static you can save some time by getting "cached" lists of the filesystems and dividing up the jobs and so forth.
09:17 <necrophcodr> I think it's about 200GB of mixed data, and it's currently taking around 6-8 hours, depending on the data.
09:17 <necrophcodr> That's using yara for the file matching, but it's not doing a great job.
09:18 <necrophcodr> The filelist is not static unfortunately. I could probably run some jobs in parallel, but grep is out the window.
09:19 <necrophcodr> I guess technically I could use grep but the amount of work to have it match all of our hundreds of rules would take a long time to implement properly.
09:19 <TafThorne> necrophcodr: At my old job, that would be a small filesystem.  Buy a BlueArc or a HDS HNAS :-D  More seriously though, is this all stored on a single linear access disk?  Does the system doing the search (and edit?) have lots of RAM to store things in cache?  Is the disk networked or directly connected via SATA, eSATA, USB?
09:20 <necrophcodr> It's on a VM that's on a SAN system, and there's more than 100 of these servers with that kind of storage that I need to scan preferably in less than 5 hours per server.
09:20 <necrophcodr> And as I mentioned, the file list is not static, nor is the content.
09:21 <TafThorne> necrophcodr: Sounds like a horrible problem to solve.  Can you scan the files on creation and keep a list of hits?  Can you determine modified files since your last scan to make it so you just re-run your results?
09:22 <necrophcodr> Those are all optimizations for later, I don't have a proper scanning system yet, which is what I'm looking for.
09:22 <TafThorne> necrophcodr: The short answer is that I know nothing that will do that for you.  A server with 100GB of RAM and direct storage access should not take that long to crunch the data.  You cannot always throw hardware at it though.  Sorry I cannot be of more help.
09:22 <necrophcodr> I'm okay with having to develop one myself as well, but I'd need some idea of what to use, and I'm a bit stumped atm.
09:23 <necrophcodr> TafThorne, it's no problem, I'm glad I got a quick response! That's not usually the case on some of the irc channels I frequent.
09:24 <necrophcodr> And I can surely determine modified files and so on, that's part of the plan as well, but it's not yet feasible to do. It might turn out to not be a feasible optimization anyway, I'm not sure.
09:24 <necrophcodr> Oh, and determining the modification might not be possible with a date alone either, as the data can change but the metadata might be re-written to its original state, so even the modified date could be reset.
09:27 <TafThorne> necrophcodr: doodle?
09:27 <necrophcodr> TafThorne, what do you mean?
09:27 <TafThorne> necrophcodr: You are welcome to the quick response. Just happened to be a topic I had some scant knowledge of.
09:28 <TafThorne> https://linux.die.net/man/1/doodle
09:28 <TafThorne> necrophcodr: I did some Googling and it suggested you might want to do some doodle(ing).
09:32 <necrophcodr> TafThorne, thanks, but it doesn't allow me to set up complex rules
09:32 <necrophcodr> I'll look into what can be done to do complicated rule matching on individual files at high performance
09:46 <lordievader> You might want to write some perl script for that.
09:46 <lordievader> Perl is great at doing regex stuff.
09:47 <TafThorne> necrophcodr: There are some possibilities in https://askubuntu.com/questions/29483/software-for-text-search-in-files too I think.
10:52 <TafThorne> necrophcodr: doodled, the doodle daemon might do a lot of what you want https://linux.die.net/man/1/doodled  Initial indexing would probably be a pain but things might be OK after that.  Although I can see the caveat that doodled "uses libfam and is thus limited to monitoring less than 1024 directories for changes" which might make it not suitable for you.  Manually re-running the standard `doodle -b <path_to_index>` does not include such a lim
10:53 <TafThorne> Looks like a helpful command.  I'll probably make a lot of use of it.  Nice when trying to help others leads to learning something useful for yourself.
12:27 <Raboo> If anyone here is a junior sysadmin in Stockholm that is looking to change job, PM me..
12:28 <hateball> :o
=== JanC is now known as Guest43740
=== JanC_ is now known as JanC
=== dpawlik is now known as danpawlik_
=== danpawlik_ is now known as dpawlik_
=== drab_ is now known as drab
15:31 <docmur> Hey guys, I'm trying to setup logstash and filebeat, when I run filebeat I'm getting ERR Failed to publish events caused by: read tcp 192.168.154.155:49128->192.168.154.168:5443: i/o timeout
15:32 <docmur> I have the iptables entry to forward 5443 to the server from the client
15:32 <docmur> I've disabled my firewall to test
15:32 <docmur> and this is set net.ipv4.ip_forward=1
15:46 <drab> docmur: have you tried to tcpdump at dst? do you see any traffic at all?
15:46 <docmur> Doing that right now :)
15:46 <drab> :)
15:48 <docmur> Yep the dest is getting what it needs
15:48 <drab> ok, what about tcpdump on client? does it see any traffic back?
15:48 <drab> it may be a problem of SNAT
15:48 <drab> in fact, what does dst see the traffic as coming from?
15:50 <docmur> IP 192.168.154.155.49148 > elk-master.5443
15:50 <docmur> and the port from the src is changing
15:52 <drab> eeer, that makes no sense... I was gonna say, ip looks ok, but yeah if the return pkts go to the wrong port that is indeed not going to work
15:52 <drab> can you pastebin your nat/fw rules?
15:52 <docmur> Ha, I was just going to do that :P https://pastebin.com/1dK7ik76
15:53 <drab> but yeah, also tcpdump on the client would be good, just to see if it sees the return traffic
15:53 <drab> (even if it ends up discarding it because of unmatching port)
15:54 <docmur> Ya no traffic on the client :( at port 5443 at least
15:55 <drab> you mean the filter is source port 5443?
15:55 <docmur> ya tcpdump port 5443 on the client I'm sending the logs from
15:56 <drab> what if you tcpdump for the dst host's ip?
15:56 <docmur> I might see the issue actually
15:57 <docmur> I think it's a host name configuration issue :S
15:57 <docmur> I just saw this
15:57 <docmur> IP elk.domain.net.5443 > 192.168.154.155.49164: Flags [S.], seq 4047232613, ack 332584761, win 28960, options [mss 1460,sackOK,TS val 16123230 ecr 3165914291,nop,wscale 7], length 0
15:57 <docmur> it should come back from elk-master
15:57 <docmur> I think the domain is mismatched
15:58 <drab> mmmh, maybe, maybe not, if the ips are correct and there's no PTR verification or other TLS thing where the cn must match, then it shouldn't matter
15:58 <drab> what if you run tcpdump without dns resolution?
15:59 <docmur> ya that wasn't the issue
15:59 <drab> so the client, the fw and the elk-master are 3 diff boxes? on 2 diff networks?
15:59 <drab> can you share a little more about that pls
16:00 <docmur> So the client is the server itself (192.168.154.155), the elk setup is on a VM (192.168.154.168), I'm doing the routing on the server to the VM
16:01 <docmur> The firewall is off right now on the server, I'm just using the iptables
16:01 <drab> the VM is on the same server?
16:01 <docmur> yes
16:01 <drab> so basically everything on the same hw box, correct?
16:01 <docmur> Its network interface is routed via br0
16:01 <docmur> yes
16:03 <drab> I'm confused, why do you need iptables? aren't the VM and the server on the same subnet? ie, can't they talk to each other?
16:04 <drab> oh, I think I see a possible problem
16:04 <docmur> There are other VMs that don't come into play that I'm routing to, so I added the rules to route the elk server ports.
16:05 <drab> docmur: look at your iptables, the SNAT part, shouldn't the POSTROUTING have a -s 192... you have -d
16:05 <drab> so the postrouting is not matching
16:06 <drab> at least if I remember my iptables right, which I may not
16:06 <drab> don't mess with that stuff as often anymore
16:07 <drab> docmur: you can verify with counters, just do a -L -v with iptables and see if the numbers are incrementing as traffic is fired off, they shouldn't if there's no match
16:07 <drab> or just try to change to -s and see if it works :P
16:08 <drab> also it's not --dport at that point, it's a source port
16:08 <docmur> oh okay
16:08 <docmur> changing it to -s didn't seem to work
16:09 <drab> docmur: yeah change the --dport to --sport too
16:10 <docmur> Just did that, trying it now
16:12 <docmur> Didn't work :S
16:13 <docmur> I might try the logstash forum
16:14 <docmur> thanks for your help :)
16:14 <drab> to be sure since it's all on the same server, the server isn't considering the elk router's ip as local, is it?
16:14 <docmur> ip r gives
16:14 <docmur> 192.168.154.0/24 dev br0  proto kernel  scope link  src 192.168.154.155
16:14 <docmur> so now
16:15 <drab> that's it? no default route?
16:15 <docmur> default via 149.56.240.254 dev eth0 onlink
16:16 <docmur> My default is the external ip
16:16 <drab> k
16:16 <drab> do you have any other rules in the fw?
16:16 <docmur> it's off right now actually just to be sure it's not causing an issue
16:18 <drab> so what I'd do to rule out any other problems is to just test with netcat
16:18 <docmur> kk
16:18 <drab> stop elk for a second, start netcat in listening mode on the server
16:18 <drab> and fire off the client
16:18 <drab> using the same port on the server of course so that the firewall rules get tested
16:18 <drab> and you can run iptables -L -v -t nat before and after running netcat
16:19 <drab> and see if the counters have changed, ie if pkts went through those rules
16:19 <docmur> doing that now
16:20 <drab> btw I'm assuming that for other things connectivity with that box works just fine, correct? ie you can ssh to the VM from the server or something
16:20 <docmur> I can ssh to it, telnet to port 5443, I can access its webportal, etc...
16:26 <docmur> The pkt counter is going up, about once per 30 seconds
16:35 <drab> tbh I'm still not really understanding why iptables is involved... with that routing table/net scenario a pkt for 192.168.154.168 will be routed through the bridge where the VM's interface is also listening on and it'll just pick it up
=== Guest75213 is now known as med_
16:42 <docmur> I could remove it but that problem doesn't go away.  I have other VMs that are listening for an external port, which is why I have them in the first place
16:42 <drab> oh, I see, I didn't get that, this is just a testing setup
16:43 <docmur> Anyway, thanks for the help, I posted on the logstash forum
16:45 <drab> k, let me know if you figure it out, I'm curious now :)
16:45 <docmur> ya I'll totally post the solution :)
16:45 <drab> if you can test with requests from an ip outside of that network, I think it may shed some light on it
16:45 <drab> somehow I still have a feeling part of the issue is the contrived example
16:46 <drab> the other thing you could do is to setup another VM on say 192.168.153 or whatever, and use that as a client
20:28 <ahasenack> ah, lovely whitespace delta
20:28 <ahasenack>  Suggests: libnss-ldapd | libnss-ldap $
20:29 <ahasenack> (output of cat -vet)
20:29 <ahasenack> and here I was scratching my head why a patch wasn't applying
20:29 <ahasenack> - Suggests: libnss-ldapd | libnss-ldap
20:29 <ahasenack> + Suggests: libnss-ldapd | libnss-ldap
20:31 <sarnold> set list   and   set listchars=tab:\ \ ,trail:$   in ~/.vimrc can make those stand out
20:33 <ahasenack> nice
21:55 <hehehe> hi
21:55 <hehehe> desktop wifi does not work
21:55 <hehehe> lol
21:55 <hehehe> connects and nothing
21:56 <hehehe> works on a phone
21:57 <tomreyn> and that is an #ubuntu-server topic because?
22:50 <michr> Hey guys, quick question -- our VPS has been going down intermittently throughout the day for 5 minutes at a time
22:50 <michr> Is there anything I should be looking for to track what's causing the outage
22:51 <sarnold> logs on both endpoints?
22:51 <sarnold> oh VPS not VPN.. uh..
22:51 <sarnold> logs on the VPS? :)
22:52 <hehehe> fixthatshit.com
22:52 <hehehe> :)
22:52 <michr> I've looked at the logs and we're getting spikes of traffic, which is causing some of the requests to go into a queue, and that's what's pulling our server down
22:52 <michr> I just haven't been able to track where the requests are coming from
22:53 <hehehe> well beef up server
22:53 <hehehe> or host with ddos protection
22:53 <michr> I updated it to 4 cores from 2
22:53 <michr> it's still having outages, just not as frequently
22:54 <hehehe> just see who is flooding you
22:54 <hehehe> or is it legit traffic?
22:54 <michr> could it be possibly that we have malware or spyware that's doing this?
22:54 <hehehe> nah
22:54 <hehehe> check access.log
22:54 <hehehe> and see
22:54 <hehehe> stop inventing
22:56 <sarnold> it's certainly possible that you've been compromised; maybe the provider would have network usage graphs that could indicate if you've joined a botnet or something similar
22:56 <hehehe> seems like many dns servers under attack
22:56 <hehehe> hehe
22:56 <hehehe> had to switch to fucking google
22:57 <hehehe> atm
22:57 <michr> I'm checking the access.log now
22:57 <sarnold> google's servers have the advantage of doing lookups for 250M users. that means whatever you want is probably already cached.
22:57 <sarnold> hot dns servers are happy dns servers
22:57 <hehehe> 58.6.115.42 was down
22:57 <hehehe> and 43
22:58 <hehehe> most issues aren't a hack
22:58 <hehehe> it's a bug
22:58 <hehehe> 99% is bug 1% hack
22:58 <ubottu> bug 1 in Ubuntu Malaysia LoCo Team "Microsoft has a majority market share" [Critical,In progress] https://launchpad.net/bugs/1
22:58 <hehehe> instant fixes of all
22:59 <sarnold> michr: if there's nothing obvious in logs or hosting provider's usage graphs, you could fire up smokeping to make sure it's still online, collect netstat and similar stats periodically, and try to find patterns when it has trouble
22:59 <hehehe> dude sarnold sometimes people simply ddos
22:59 <hehehe> or more visitors
23:01 <hehehe> seems free dns servers are under attack
23:01 <hehehe> :D
23:02 <hehehe> comodo is up
23:02 <trippeh> a site I operate periodically has 1-2 minute spikes every hour even ~64 cores + cloudflare doesn't fix ;)
23:02 <hehehe> cloudflare is shit
23:02 <hehehe> it's just waf + cdn
23:02 <hehehe> and as someone said server ranges can be determined easily
23:02 <hehehe> for ddos etc
23:03 <trippeh> for most setups, yes
23:03 <trippeh> people leak addresses everywhere
23:03 <hehehe> you can use aws they got waf too now  :D
23:03 <hehehe> cheaper
23:03 <trippeh> most ddosers never get to that stage however
23:03 <hehehe> wtf
23:04 <hehehe> why are they so dumb lol
23:04 <hehehe> well in fact I met police today also not much smarter
23:04 <hehehe> :)
23:04 <hehehe> so ye its cool
23:05 <hehehe> I think soon I will simply use ram only cd r os and keepassx on air gapped phone
23:05 <hehehe> don't have to worry about browser exploits etc :)
23:05 <trippeh> we had to blacklist a ton of datacenter/VPS operators, so many abusive bots
23:05 <michr> @sarnold, @hehehe thanks guys. Gonna try to see if I can figure out what the heck is going on here
23:05 <trippeh> too bad about people rolling their own vpns
23:05 <hehehe> michr:  post access.log here
23:05 <sarnold> michr: good luck
23:06 <hehehe> also do u have fail2bank
23:06 <hehehe> fail2ban
23:06 <hehehe> and which firewall do you use?
23:06 <hehehe> did you check syslog and firewall log?
23:07 <hehehe> I have to say I am pretty new to linux, just applying common sense
23:09 <hehehe> trippeh: many people are angry
23:10 <hehehe> and being passive aggressive they do bots etc
23:10 <hehehe> run scripts
23:10 <hehehe> it will only get more and more
23:11 <hehehe> who doesn't want to deal with some 0 days :D
23:11 <hehehe> as I said before ram only no write access OS like tails or subgraph seems to be sufficient for most desktop users
23:12 <hehehe> trippeh:  I wonder what's going on with my box lol
23:12 <hehehe> DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=1843 DF PROTO=2 blocked
23:12 <hehehe> and without it dns resolving does not work lol
23:12 <hehehe> emm
23:13 <trippeh> that's just multicast, and you prob have mdns enabled
23:13 <RoyK> just allow multicast in ufw
23:13 <RoyK> it won't hurt you
23:14 <hehehe> cool
23:14 <hehehe> I usually allow 53 80 443
23:14 <hehehe> that's it :D
23:15 <RoyK> well, multicast is a set of addresses on ipv4 and ipv6, not port numbers
23:17 <RoyK> something like ufw allow to ff00::/8
23:17 <RoyK> and similar to 224.0.0.0/4
23:17 <RoyK> those won't cross a router boundary without igmp snooping
23:18 <hehehe> ty
23:18 <hehehe> sudo ufw allow out proto tcp to 224.0.0.1 + udp works now
23:18 <hehehe> also folks any ideas how to figure out a site's hidden api?
23:18 <hehehe> my next project :)
23:19 <RoyK> no idea - pretty vague question
23:19 <hehehe> 1 moment and I will solidify it
23:21 <hehehe> it seems to be a client side js site
23:25 <hehehe> http://www.gregreda.com/2015/02/15/web-scraping-finding-the-api/
23:25 <hehehe> :)
23:26 <hehehe> well I guess I just need to read output more carefully
23:27 <hehehe> :D
