/srv/irclogs.ubuntu.com/2018/11/20/#ubuntu-server.txt

[07:13] <lordievader> Good morning
[08:21] <munsking> Hello, why does my getty@tty1.service file keep getting overwritten? using ubuntu server 16.04.5 LTS
[08:41] <lordievader> What service file are you editing?
[08:42] <munsking> getty@tty1.service
[08:42] <munsking> /etc/systemd/system/getty.target.wants/getty@tty1.service
[08:44] <lordievader> munsking: On 18.04 the `getty@` service is defined in `/lib/systemd/system/getty@.service`.
[08:44] <munsking> lordievader: and on 16.04.5?
[08:45] <munsking> oh it's the same, it's just a symlink
[08:45] <munsking> still, why does it get overwritten every week or so?
[08:46] <lordievader> Most likely in the same path. However, if you want to override the service definition, I'd put the overrides in `/etc/systemd/system/getty@.service.d/<name>.conf`.
[08:47] <munsking> all i really need is for tty1 to auto login, get a kerberos ticket and start a remote desktop application on a windows terminal server (camera surveillance)
[08:48] <munsking> right now i edit the getty@tty1.service file, change the ExecStart to 'agetty -a remoteUser %I $TERM' and then it works
[08:48] <munsking> so how would i get that part to stick?
[08:53] * lordievader sent a long message: < https://matrix.org/_matrix/media/v1/download/matrix.org/UDMsNYWzpncPLnTPUKtWLJHS >
[09:04] <munsking> lordievader: thanks, i'll give that a shot
[11:04] <ahasenack> good morning
[11:05] <OerHeks> hi ahasenack
[11:05] <ahasenack> hello OerHeks
[11:30] <lordievader> Hi ahasenack, OerHeks
[11:32] <ahasenack> hi there
[11:32] <OerHeks> good afternoon, as it is in my timezone :-D
[11:42] <ahasenack> indeed
[12:23] <ahasenack> rbasak: hi, could you please import pgaudit and add it to the whitelist?
[12:23] <rbasak> ack
[12:23] <ahasenack> it's from universe, but touched every time postgresql is uploaded
[12:24] <ahasenack> in dep8 dependent tests
[12:24] <ahasenack> and it likes to fail
[12:24] <ahasenack> rbasak: thanks
[12:36] <rbasak> ahasenack: imported and pushed. As usual the whitelist change won't take effect until I next roll something through to the importer.
[12:36] <ahasenack> cool, thanks
[14:03] <ahasenack> cpaelzer: have you seen this pgaudit dep8 failure before, that only occurs on s390x? https://pastebin.ubuntu.com/p/ZkVpFhWgjT/
[14:12] <cpaelzer> ahasenack: doesn't ring a bell
[15:43] <die7> how to remove multiarch or disable it in preseed file?
[16:00] <tomreyn> die7: in case you're referring to amd64 (native) and i386 (foreign): dpkg --remove-architecture i386
[16:43] <die7> tomreyn: in preseed file?
[16:43] <die7> tomreyn: dpkg is not available during installation
[16:44] <tomreyn> die7: you could do it with the post installation script hook, i forgot the exact name. but i'm not sure this is the right approach, there may well be a better one.
[16:45] <die7> tomreyn: I already found a solution, thank you... it can be solved within the seed file itself
[16:45] <die7> tomreyn: d-i apt-setup/multiarch  string
[16:46] <tomreyn> much nicer
[16:46] <die7> tomreyn: if you leave the string behind it empty, i386 will not be added
[16:48] <tomreyn> ok, good to know
=== tobias-urdin is now known as tobias-urdin_afk
[17:53] <beowuff> So, I see 16.04 is FIPS 140-2 compliant. Any idea if 18.04 will be?
[18:10] <beowuff> Woah, I didn't realize you could install windows 2016 headless... I wonder if that'll mess up security...
[18:11] <beowuff> oops, wrong window. XD
=== tobias-urdin_afk is now known as tobias-urdin
[18:50] <TheHonorableKitt> how do I create a new nic on Ubuntu Server 18.04LTS with no ip (in accordance with this tutorial for Snort Inline IPS: http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/)?
[18:56] <sarnold> TheHonorableKitt: this is probably the best starting point https://netplan.io/examples#bridging
[18:56] <sarnold> TheHonorableKitt: try throwing in dhcp4: no dhcp6: no and not specifying addresses
[18:56] <sarnold> let's see what happens ;)
[18:58] <sdeziel> I would personally opt to disable_ipv6 on it too
[18:58] <sdeziel> not sure if netplan can do this natively
[19:01] <sarnold> of course, if you don't specify *anything* probably the nics won't have addresses that way, too :)
[19:01] <sarnold> but finding some way to document and codify that they intentionally don't have addresses feels like a good idea
[19:01] <sarnold> and if you're going to be using a bridge anyway, well, this knows how to make them
[19:02] <TheHonorableKitt> like this? https://paste.ubuntu.com/p/tvT3wHYG59/
[19:04] <TheHonorableKitt> or maybe change 2 and 3 to 1 and 2?
[19:04] <sarnold> you've got an enp0s3 so having an eth0 eth2 and eth3 feels unlikely..
[19:05] <TheHonorableKitt> huh?
[19:05] <sarnold> what are your NICs named now?
[19:05] <TheHonorableKitt> errrrr I don't know? eth0? this is a linode VPS
[19:05] <sarnold> run 'ip a'
[19:05] <sarnold> that'll show you the NICs on the system
[19:08] <TheHonorableKitt> https://paste.ubuntu.com/p/Vd4wYKW8g9/
[19:08] <TheHonorableKitt> there are two 'docker' nics that are down, and then lo for loopback
[19:08] <TheHonorableKitt> this is the only usable eth nic
[19:12] <sarnold> you can fake up NICs using tun/tap stuff (often for VPNs or VMs) but I don't know an awful lot about how those things work
[19:12] <sarnold> does the management panel let you add more NICs?
[19:12] <TheHonorableKitt> it lets me add "private ip address" but other than that, no
[19:14] <sdeziel> TheHonorableKitt: Linode VMs only have a single NIC AFAIK so is that what you want to feed to snort?
[19:14] <TheHonorableKitt> yes, but snort needs to have more than one nic to work for inline mode
[19:16] <sarnold> are you intending to feed it via VPNs?
[19:16] <TheHonorableKitt> no? I'm running my websites on the same server as my snort setup
[19:16] <sdeziel> inline mode seems to be for creating transparent bridges
[19:17] <TheHonorableKitt> so long as I have two (or three?) nics, snort inline mode bridges them for me
[19:17] <TheHonorableKitt> but that's where I'm stuck, I don't know enough about linux to properly create two new nics
[19:17] <TheHonorableKitt> I know it can be done, but I'm not understanding how
[19:17] <TheHonorableKitt> as you can see here: http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/, that's the case, but it doesn't elaborate in this particular portion of the instructions
[19:18] <sdeziel> TheHonorableKitt: is your end goal to inspect the traffic hitting your web server?
[19:18] <TheHonorableKitt> yes
[19:18] <TheHonorableKitt> I have snort working for IDS already, but I want more than an IDS, and to get an IPS, I need more nics
[19:18] <sdeziel> TheHonorableKitt: then inline mode doesn't seem like a good fit, unless you run it on a machine that's not your web server itself
[19:19] <TheHonorableKitt> I don't think there's a way to get an IPS without inline mode
[19:19] <sdeziel> TheHonorableKitt: I don't think you require more NICs
[19:19] <TheHonorableKitt> errr hm?
[19:19] <sarnold> sure, it could just pcap packets on the one nic you've got..
[19:19] <sdeziel> you can probably have NFQUEUE setup in iptables so that snort decides the fate of the packets
[19:20] <TheHonorableKitt> yeah I haven't even got a clue how to do that
[19:20] <sarnold> sdeziel: dude. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html#SECTION00254000000000000000
[19:20] <sdeziel> sarnold: yes?
[19:21] <TheHonorableKitt> nice 404 error?
[19:21] <sarnold> sdeziel: I had a vague idea that there was probably something better than pcap but couldn't have named it ;) but there it is, nfqueue :)
[19:21] <sdeziel> TheHonorableKitt: I'm a little more familiar with suricata so here's an example with multi-nics: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
[19:21] <sdeziel> TheHonorableKitt: should be easily adaptable for a single NIC for your use case where the web server is local to the IPS
[19:22] <sdeziel> sarnold: hehe
[19:22] <TheHonorableKitt> let me take a look real quick :)
[19:23] <TheHonorableKitt> I guess what's confusing to me is how snort handles the data. It picks up on eth0, but is it supposed to loop back around and drop it back off on eth0 again? wouldn't that cause an endless loop? I think it's supposed to pick up on eth0, bridge eth1, and drop it off on eth1
[19:23] <sdeziel> TheHonorableKitt: in fact, it touches on the "host" scenario too
[19:24] <TheHonorableKitt> at the bottom of that writeup, it requires two nics
[19:24] <TheHonorableKitt> eth0 and eth1
[19:24] <sdeziel> TheHonorableKitt: the transparent bridge is for a different use case
[19:25] <sdeziel> TheHonorableKitt: the link covers 2 scenarios, search for "host" aka scenario #2
[19:26] <sdeziel> TheHonorableKitt: in the host scenario, you work with INPUT/OUTPUT instead of FORWARD
[19:26] <TheHonorableKitt> oh hmm
[19:26] <sdeziel> they even mention TCP/80 handling ;)
[19:28] <TheHonorableKitt> ah ok, I see. they just didn't separate the two scenarios into two portions, they're kind of mentioned together a bit
[19:28] <TheHonorableKitt> that's where I was confused :P
[19:28] <TheHonorableKitt> I think the issue now is...how do I get this to work with snort?
[19:30] <TheHonorableKitt> let me look at this: http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/
[19:30] <sdeziel> suricata is compatible with snort rules IIRC ;)
[19:31] <TheHonorableKitt> I'm not using suricata :)
[19:39] <TheHonorableKitt> I am so incredibly confused
[19:40] <TheHonorableKitt> If I run these iptables configs for nfqueue, will it kill my network connection? I'm not sure if there's a config I need to have setup in snort to make sure it's filtering them, because I *think* if it's not actively filtering, then the connections are all just dropped
[19:41] <sdeziel> TheHonorableKitt: I would suggest to only send TCP/80 to snort, not the whole thing
[19:41] <TheHonorableKitt> I'm hosting a lot more than TCP 80 on my server
[19:42] <sdeziel> I'd start with TCP/80 then and ramp this up as you gain confidence in the setup
[19:42] <TheHonorableKitt> I'll do that, but better to use 443 than 80, since my server only works with 443
[19:42] <TheHonorableKitt> it's auto-re-routed to 443 from 80
[19:42] <sarnold> what exactly will snort read out of TLS streams?
[19:42] <sdeziel> well, what is it that you want to inspect on TLS?
[19:43] <sdeziel> old proto/ciphers?
[19:44] <sdeziel> very little is worth looking at on TLS, and this will only shrink as TLS 1.3 is deployed
[19:44] <sdeziel> (I'm looking at your OpenSSL 1.1.1 backport to 18.04)
[19:44] <sdeziel> s/your/you/
[19:44] <sarnold> :)
[19:45] <TheHonorableKitt> It might be important to know what snort is actually for, it's an intrusion detection system, and in inline mode, an intrusion prevention system. The rules in snort far exceed that of http and https. So, it needs to be a global system. No point in doing port 80 since it's auto-forwarded to 443 anyway, so I don't know, maybe I can do port 22 then or
[19:45] <TheHonorableKitt> better yet icmp
[19:46] <sdeziel> encrypted protocols are less interesting to look at
[19:47] <TheHonorableKitt> I'd honestly rather someone who knows what they're doing to look at this for me, as I'm completely clueless on how to even use snort, or for that matter, how to configure linux network information.
[19:48] <sarnold> if you want to go whole-hog, feel free. the worst that can happen is you wind up having to hit the 'delete vm' button and start over :)
[19:49] <TheHonorableKitt> not a chance, I always make backups ;)  :D
[19:49] <sdeziel> on Linode you have a remote serial console available (LISH is the name IIRC) so hopefully the snort deployment won't go that bad
[19:49] <sarnold> oh sweet
[19:49] <sarnold> that makes it way less likely you'll need the 'delete vm' button :)
[19:49] <TheHonorableKitt> :P  it's sweet when I'm not at work hehe
[19:50] <TheHonorableKitt> I'm at work right now, only way I can even terminal in is with a webssh tool
[22:00] <coreycb> jamespage: we should have everything core + dashboards uploaded for stein now except horizon itself. I pushed all the updates I made but it needs django-debreach which will be a new package. component-mismatches should be fixed up now too.
[23:22] <TheHonorableKitt> so what I did earlier really screwed up my setup, I need to get someone to help me and look at my iptables rule file (I have it saved persistently, so just rebooting won't help). I need to manually remove whatever is screwing up my system. Can someone please volunteer to help me?
[23:30] <teward> TheHonorableKitt, might be useful to restate the core problem as well
[23:30] <teward> since not all of us know the actual problem you are facing right now
[23:32] <TheHonorableKitt> sure thing, so I was trying to set SNORT into inline IPS mode, but I only have one IP (well, now I can have three, I might need it). anyway, someone said I can just add a few iptables rules for NFQUEUE and snort will run those
[23:32] <TheHonorableKitt> I added those rules, and it killed my entire box's connection. now I can't figure out how to remove them
[23:36] <teward> how did you add them?
[23:37] <TheHonorableKitt> iptables -I INPUT -j NFQUEUE
[23:37] <TheHonorableKitt> and
[23:37] <TheHonorableKitt> iptables -I OUTPUT -j NFQUEUE
[23:37] <teward> and your iptables ruleset currently is what?  (and where on the system)
[23:37] <teward> if you can share your iptables rulesets in a pastebin I can take a look
[23:37] <teward> and ID what rules you have to remove to get traffic working again
[23:38] <teward> not sure if you can do that easily though if you have no networking
[23:38] <TheHonorableKitt> i'll share the file with you directly, I don't want to paste it here
[23:41] <teward> i can't DCC here on IRC currently
[23:41] <teward> and I didn't say paste it here
[23:41] <teward> i said use a pastebin
[23:41] <teward> and then PM me the link :P
[23:49] <TJ-> TheHonorableKitt: if you use "iptables --line-numbers -nvL" you can use the line-number of the rule to delete it with "iptables -D <chain> <line-number>"
[23:49] <teward> TJ-, he's not got it in his stored rulesets, all he has to do is iptables-restore < ... the ruleset
[23:50] <teward> and it would then get rid of the NFQUEUE rules heh
[23:50] <TJ-> Ahhh
[23:51] <TJ-> line-numbers is useful info anyhow; many folks don't realise it's there
[23:51] <teward> mhm
[23:51] <teward> not sure why he won't share his rulesets since there's nothing secret in those rulesets that'd ID his box as a target anyways but meh
[23:51] <teward> TJ-, woah that's a THING?
[23:52] <teward> *learned a new thing*
[23:52] <TheHonorableKitt> I generally try to be as secure as I can, I fail a lot, but good practice means good I suppose
[23:53] <TheHonorableKitt> so the iptables-restore command, what should I run with that? never ran this before
[23:53] <teward> i assume this ruleset is stored in a file on disk, yes?
[23:53] <TheHonorableKitt> yeah
[23:54] <teward> sudo iptables-restore < /path/to/ruleset/file/on/disk
[23:54] <TheHonorableKitt> /etc/iptables/rules.v4 and rules.v6
[23:54] <teward> and that's it
[23:54] <teward> so then: sudo iptables-restore < /etc/iptables/rules.v4
[23:54] <teward> and: sudo ip6tables-restore < /etc/iptables/rules.v6
[23:54] <teward> and you're done
[23:54] <TheHonorableKitt> alrighty, I might lose connection in a sec ;) lol we'll see
[23:56] <TheHonorableKitt> ok, ufw is enabled, looks like I'm all good
[23:56] <TheHonorableKitt> phew
[23:57] <TheHonorableKitt> so linode gave me two additional ip slots, should I use them to get snort inline IPS to work?
[23:57] <teward> if you added NFQUEUE rules into the ufw configs find them and yank them out
[23:57] <TheHonorableKitt> or do I not need them?
[23:57] <TheHonorableKitt> it was only in iptables
[23:57] <teward> otherwise your box should talk to the internet fine
[23:57] <teward> good
[23:59] <Greyztar> I've also used iptables and restore, however somehow the ruleset always gets reset on reboot. Now I'm using a systemd script with the iptables-restore command. Any tip on what might cause this?
