[00:17] <tomreyn> Tea: maybe the webserver is just not listening on those ports on the ipv6 address(es)?
[00:18] <Tea> It is configured to
[00:19] <tomreyn> does lsof -i :80 confirm it? are you able to connect to your ipv6 address locally?
[00:20] <Tea> Yes to both
[00:45] <Smokie> hey guys, i have a processer running when i run 'top', im trying to find its location on the system but i cannot do that
[00:46] <Smokie> using 'find', 'locate' and 'where' doesnt give me any results, is this normal?
[02:11] <kcuf> Smokie; the path /proc/<your process pid> has some info on your process if you know your process id - which top tells you
[02:17] <kcuf> readlink -f /proc/<pid>/exe
[02:17] <kcuf> or use htop
[09:08] <Smokie> hey guys, i have a processer running when i run 'top', im trying to find its location on the system but i cannot do that
[09:08] <Smokie> using 'find', 'locate' and 'where' doesnt give me any results, is this normal?
[09:15] <blackflow> Smokie: file /proc/PID/exe         where PID is the PID of the process
[09:16] <blackflow> it should be a symlink to the binary that spawned the process
[09:20] <Smokie> found it, thanks
[09:21] <Smokie> by killing the process and removing it it shouldnt run again, right?
[09:21] <blackflow> Smokie: incorrect. you have to find what started it.
[09:21] <Smokie> is there a way to trace how the server got rooted for someone to install it?
[09:21] <blackflow> Smokie: if you got pwned, nuke&pave is the only correct solution, unless you want to do forensics on the system.
[09:22] <blackflow> Smokie: well, you start with the most obvious. Public facing daemons and their logs. Logs in general. The filesystem inconsistencies (eg. binaries installed from packages that changed checksum or access rights), ...
[09:22] <Smokie> blackflow, i have backups and i will wipe the server out, but i'd like to find out how it happened so i make sure its not something im running that gets transferred with the backup
[09:23] <blackflow> Smokie: sure. btw, you can't run forensics on the computer itself. Mount the disk elsewhere.
[09:24] <Smokie> hard to do that, its a dedicated server running a webserver
[09:24] <Smokie> about 3-4 websites
[09:24] <blackflow> if you got wordpress there, chances are that's your intrusion vector.
[09:25] <blackflow> meanwhile, doing anything on the compromised computer is futile. you don't know what else is, and if you can trust the tools. can't trust the checksums, stat, well, pretty much anything.
[09:30] <Smokie> 3 of the 4 are wordpress actually
[09:37] <Smokie> blackflow, thanks for the info.. one last thing,
[09:37] <Smokie> 29834 ?        Sl   2119327:49 minerd --algo=yescrypt -o stratum+tcp://yescrypt.mine.zpool.ca:6233 -u 1RqhXsVq3vSHXVRyzjswHGhJbXatxvPEf -p x
[09:38] <Smokie> blocking the ip/hostname should stop it at least for sending the data, right?
[09:38] <blackflow> yes, also port.
[09:47] <Smokie> alright
[09:47] <Smokie> any other suggestion?
[09:48] <blackflow> for anylists or future?
[09:48] <Smokie> lets start with the future hehehe
[09:48] <Smokie> for prevention
[09:50] <blackflow> Smokie: well you've got plenty of tools. Start with systemd and its security-related options to harden the services.  https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
[09:51] <blackflow> The build and use AppArmor profiles to confine further, which files can be touched by the service, and in what way (read, write, exec). You most certainly do NOT want write + exec ability, ANYWHERE.
[09:51] <blackflow> firewall outbound packets too. preferably section individual outbound services into separate network namespaces and only allow what's minimally required.
[09:53] <Smokie> i assume its safer too to block all ports except whats needed by web, mailserver ?
[09:53] <Smokie> yeah
[09:53] <blackflow> consider running services without root privilege. eg. daemons like nginx can be made to. you give them ability to bind to <1000 port with CAP_NET_BIND_SERVICE, and have to be set up and configured not to require uuid change
[09:54] <blackflow> Smokie: your webserver has 0 business starting outbound connections. section off the mail server prefereably to a completely separate mchine or VM
[09:57] <Smokie> i might consider that if i drop cPanel
[09:57] <Smokie> its what i use to manage the server
[09:57] <blackflow> sigh... so this ain't Ubuntu, is it?
[09:59] <Smokie> oh shit.. this is the cpanel server, it is Not Ubuntu!! my other server is Ubuntu!
[09:59] <blackflow> and btw definitely yes. cPanel is a huge mess that you can NOT secure. if oyu try to fire up SELinux (which is the alternative to AppArmor on CentOS), oyu'll break cPanel.
[10:00] <blackflow> I'd stay away from cPanel like it's plague. I won't manage one even for monies. refused plenty of gigs like that. Just say no.
[10:01] <Smokie> thats good to know, ill take your advice on that, it'll save me money too i guess
[10:01] <Smokie> i just thought it would be easier to manage websites and tbh, easier to secure
[10:02] <Smokie> and i really totally forgot about it running on centos, i always use ubuntu thats why my head automatically clicked its ubuntu
[10:04] <blackflow> you cannot secure cPanel. it's architected that way from the era where information security was not even a term. its manual starts with "Disable SELinux".
[16:06] <pepperhead> o/
[16:09] <pepperhead> Network question: Server 18.04. I want to give each of the nic's in my server a staticIP. I see that it is configured in netplan, but the yaml says it wont affect across instances because of cloudinit. Should I disable cloudinit?
[16:09] <pepperhead> Unsure what cloudinit is or what it is doing for me
[16:09] <pepperhead> <<<< UbuntuServer NOOB
[16:10] <pepperhead> My goal is to play with LXC/LXD to learn the container system
[17:12] <_KaszpiR_> pepperhead read about cloudinit, then
[17:12] <_KaszpiR_> cloudinit is used to provision (mostly cloud based) systems
[18:01] <pepperhead> _KaszpiR_ TBH I am trying to learn Docker/LXC, if I dont need cloudinit, turning it off would save me one more tech to figure out.
[19:24] <_KaszpiR_> AFAIR lxc uses cloudinit
[19:24] <_KaszpiR_> cloudinit is pretty easy, you should be able to grasp it in 1h
[19:25] <_KaszpiR_> also it's optional, if you don't do anything then by default it does nothing
[20:55] <pepperhead> KaszpiR Thanks. I think what I need to do is configure the four ports, and "bind" to one of them for my host. I think LXC will take ownership of each as they are bound within the container. Researching "binding" now. Thanks again.