[07:13] <lordievader> Good morning
[08:21] <munsking> Hello, why does my getty@tty1.service file keep getting overwritten? using ubuntu server 16.04.5 LTS
[08:41] <lordievader> What service file are you editing?
[08:42] <munsking> getty@tty1.service
[08:42] <munsking>  /etc/systemd/system/getty.target.wants/getty@tty1.service
[08:44] <lordievader> munsking: On 18.04 the `getty@` service is defined in `/lib/systemd/system/getty@.service`.
[08:44] <munsking> lordievader: and on 16.04.5?
[08:45] <munsking> oh it's the same, it's just a symlink
[08:45] <munsking> still, why does it get overwritten every week or so?
[08:46] <lordievader> Most likely in the same path. However, if you want to override the service definition, I'd put the overrides in `/etc/systemd/system/getty@.service.d/<name>.conf`.
[08:47] <munsking> all i really need is for tty1 to auto login, get a kerberos ticket and start a remote desktop application on a windows terminal server (camera surveillance)
[08:48] <munsking> right now i edit the getty@tty1.service file, change the execStart to 'agetty -a remoteUser %I $TERM' and then it works
[08:48] <munsking> so how would i get that part to stick?
[08:53]  * lordievader sent a long message:  < https://matrix.org/_matrix/media/v1/download/matrix.org/UDMsNYWzpncPLnTPUKtWLJHS >
[09:04] <munsking> lordievader: thanks, i'll give that a shot
[11:04] <ahasenack> good morning
[11:05] <OerHeks> hi ahasenack
[11:05] <ahasenack> hello OerHeks
[11:30] <lordievader> Hi ahasenack, OerHeks
[11:32] <ahasenack> hi there
[11:32] <OerHeks> good afternoon, as it is in my timezone :-D
[11:42] <ahasenack> indeed
[12:23] <ahasenack> rbasak: hi, could you please import pgaudit and add it to the whitelist?
[12:23] <rbasak> ack
[12:23] <ahasenack> it's from universe, but touched everytime postgresql is uploaded
[12:24] <ahasenack> in dep8 dependent tests
[12:24] <ahasenack> and it likes to fail
[12:24] <ahasenack> rbasak: thanks
[12:36] <rbasak> ahasenack: imported and pushed. As usual the whitelist change won't take effect until I next roll something through to the importer.
[12:36] <ahasenack> cool, thanks
[14:03] <ahasenack> cpaelzer: have you seen this pgaudit dep8 failure before, that only occurs on s390x? https://pastebin.ubuntu.com/p/ZkVpFhWgjT/
[14:12] <cpaelzer> ahasenack: doesn't ring a bell
[15:43] <die7> how to remove multiarch or disable it in preseed file?
[16:00] <tomreyn> die7: in case you're referring to amd64 (native) and i386 (foreign): dpkg --remove-architecture i386
[16:43] <die7> tomreyn: in preseed file?
[16:43] <die7> tomreyn: dpkg is not available during installation
[16:44] <tomreyn> die7: you could do it with the post installation script hook, i forgot the exact name. but i'm not sure this is the right approach, there may well be a better one.
[16:45] <die7> tomreyn: I found already solution, thank you...soultion can be solved with seed file at self
[16:45] <die7> tomreyn: d-i apt-setup/multiarch  string
[16:46] <tomreyn> much nicer
[16:46] <die7> tomreyn: if you leave befind string empty i386 will not be added
[16:48] <tomreyn> ok, good to know
[17:53] <beowuff> So, I see 16.04 is FIPS 140-2 compliant. Any idea if 18.04 will be?
[18:10] <beowuff> Woah, I didn't realize you could install windows 2016 headless... I wonder if that'll mess up security...
[18:11] <beowuff> oops, wrong window. XD
[18:50] <TheHonorableKitt> how do I create a new nic on Ubuntu Server 18.04LTS with no ip (as in accordance to this tutorial for Snort Inline IPS: http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/)?
[18:56] <sarnold> TheHonorableKitt: this is probably the best starting point https://netplan.io/examples#bridging
[18:56] <sarnold> TheHonorableKitt: try throwing in dhcp4: no dhcp6: no and not specifying addresses
[18:56] <sarnold> lets see what happens ;)
[18:58] <sdeziel> I would personally opt to disable_ipv6 on it too
[18:58] <sdeziel> not sure if netplan can do this natively
[19:01] <sarnold> of course, if you don't specify *anything* probably the nics won't have addresses that way, too :)
[19:01] <sarnold> but finding some way to document and codify that they intentionally don't have addresses feels like a good idea
[19:01] <sarnold> and if you're going to be using a bridge anyway, well, this knows how to make them
[19:02] <TheHonorableKitt> like this? https://paste.ubuntu.com/p/tvT3wHYG59/
[19:04] <TheHonorableKitt> or maybe change 2 and 3 to 1 and 2?
[19:04] <sarnold> you've got an enp0s3 so having an eth0 eth2 and eth3 feels unlikely..
[19:05] <TheHonorableKitt> huh?
[19:05] <sarnold> what are you NICs named now?
[19:05] <TheHonorableKitt> errrrr I don't know? eth0? this is a linode VPS
[19:05] <sarnold> run 'ip a'
[19:05] <sarnold> that'll show you the NICs on the system
[19:08] <TheHonorableKitt> https://paste.ubuntu.com/p/Vd4wYKW8g9/
[19:08] <TheHonorableKitt> there are two 'docker' nicks that are down, and then l0 for loopback
[19:08] <TheHonorableKitt> this is the only useable eth nic
[19:12] <sarnold> you can fake up NICs using tun/tap stuff (often for VPNs or VMs) but I don't know an awful lot about how those things work
[19:12] <sarnold> does the management panel let you add more NICs?
[19:12] <TheHonorableKitt> it lets me add "private ip address" but other than that, no
[19:14] <sdeziel> TheHonorableKitt: Linode VMs only have a single NIC AFAIK so is that what you want to feed to snort?
[19:14] <TheHonorableKitt> yes, but snort needs to have more than one nic to work for inline mode
[19:16] <sarnold> are you intending to feed it via VPNs?
[19:16] <TheHonorableKitt> no? I'm running my websites on the same server as my snort setup
[19:16] <sdeziel> inline mode seems to be for creating transparent bridges
[19:17] <TheHonorableKitt> so long as I have two (or three?) nics, snort inline mode bridges them for me
[19:17] <TheHonorableKitt> but that's where I'm stuck, I don't know enough about linux to properly create two new nics
[19:17] <TheHonorableKitt> I know it can be done, but I'm not understanding how
[19:17] <TheHonorableKitt> as you can see here: http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/, that's the case, but it doesn't elaborate in this particular portion of the instructions
[19:18] <sdeziel> TheHonorableKitt: is your end goal to inspect the traffic hitting your web server?
[19:18] <TheHonorableKitt> yes
[19:18] <TheHonorableKitt> I have snort working for IDS already, but I want more than an IDS, and to get an IPS, I need more nics
[19:18] <sdeziel> TheHonorableKitt: then inline mode doesn't seem like a good fit, unless you run it on a machine that's not your web server itself
[19:19] <TheHonorableKitt> I don't think there's a way to get an IPS without inline mode
[19:19] <sdeziel> TheHonorableKitt: I don't think you require more NICs
[19:19] <TheHonorableKitt> errr hm?
[19:19] <sarnold> sure, it could just pcap packets on the one nic you've got..
[19:19] <sdeziel> you can probably have NFQUEUE setup in iptables so that snort decides of the faith of the packets
[19:20] <TheHonorableKitt> yeah I haven't even got a clue how to do that
[19:20] <sarnold> sdeziel: dude. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html#SECTION00254000000000000000
[19:20] <sdeziel> sarnold: yes?
[19:21] <TheHonorableKitt> nice 404 error?
[19:21] <sarnold> sdeziel: I had a a vague idea that there was probably something better than pcap but couldn't have named it ;) but there it is, nfqueue :)
[19:21] <sdeziel> TheHonorableKitt: I'm a little more familiar with suricata so here's an example with multi-nics: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
[19:21] <sdeziel> TheHonorableKitt: should be easily adaptable for a single NIC for your use case where the web server is local to the IPS
[19:22] <sdeziel> sarnold: hehe
[19:22] <TheHonorableKitt> let me take a look real quick :)
[19:23] <TheHonorableKitt> I guess what's confusing to me is how snort handles the data. It pics up on eth0, but is it supposed to loop back around and drop it back off on eth0 again? wouldn't that cause an endless loop? I think it's supposed to pick up on eth0, bridge eth1, and drop it off on eth1
[19:23] <sdeziel> TheHonorableKitt: in fact, it touches on the "host" scenario too
[19:24] <TheHonorableKitt> at the bottom of that writeup, it requires two nics
[19:24] <TheHonorableKitt> eth0 and eth1
[19:24] <sdeziel> TheHonorableKitt: the transparent bridge is for a different use case
[19:25] <sdeziel> TheHonorableKitt: the link covers 2 scenarios, search for "host" aka scenario #2
[19:26] <sdeziel> TheHonorableKitt: in the host scenario, you work with INPUT/OUTPUT instead of FORWARD
[19:26] <TheHonorableKitt> oh hmm
[19:26] <sdeziel> they even mention TCP/80 handling ;)
[19:28] <TheHonorableKitt> ah ok, I see. they just didn't separate the two scenerios into two portions, they're kind of mentioned together a bit
[19:28] <TheHonorableKitt> that's where I was confused :P
[19:28] <TheHonorableKitt> I think the issue now is...how do I get this to work with snort?
[19:30] <TheHonorableKitt> let me look at this: http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/
[19:30] <sdeziel> suricata is compatible with snort rules IIRC ;)
[19:31] <TheHonorableKitt> I'm not using suricata :)
[19:39] <TheHonorableKitt> I am so incredibly confused
[19:40] <TheHonorableKitt> If I run these iptables configs for nfqueue, will it kill my network connection? I'm not sure if there's a config I need to have setup in snort to make sure it's filtering them, because I *think* if it's not actively filtering, then the connections are all just dropped
[19:41] <sdeziel> TheHonorableKitt: I would suggest to only send TCP/80 to snort, not the whole thing
[19:41] <TheHonorableKitt> I'm hosting a lot more than TCP 80 on my server
[19:42] <sdeziel> I'd start with TCP/80 then and ramp this up as you gain confidence in the setup
[19:42] <TheHonorableKitt> I'll do that, but better to use 443 than 80, since my server only works with 443
[19:42] <TheHonorableKitt> it's auto-re-reouterd to 443 from 80
[19:42] <sarnold> what exactly will snort read out of TLS streams?
[19:42] <sdeziel> well, what is it that you want to inspect on TLS?
[19:43] <sdeziel> old proto/ciphers?
[19:44] <sdeziel> very little is worth looking at on TLS, and this will only shrink as TLS 1.3 is deployed
[19:44] <sdeziel> (I'm looking at your OpenSSL 1.1.1 backport to 18.04)
[19:44] <sdeziel> s/your/you/
[19:44] <sarnold> :)
[19:45] <TheHonorableKitt> It might be important to know what snort is actually for, it's an intrusion detection system, and in inline mode, an intrusion prevention system. The rules in snort far exceed that of http and https. So, it needs to be a global system. No point in doing port 80 since it's auto-forwarded to 443 anyway, so I don't know, maybe I can do port 22 then or
[19:45] <TheHonorableKitt>  better yet icmp
[19:46] <sdeziel> encrypted protocols are less interesting to look at
[19:47] <TheHonorableKitt> I'd honestly rather someone who knows what they're doing to look at this for me, as I'm completely clueless on how to even use snort, or for that matter, how to configure linux network information.
[19:48] <sarnold> if you want to go whole-hog, feel free. the worst that can happen is you wind up having to hit the 'delete vm' button and start over :)
[19:49] <TheHonorableKitt> not a change, I always make backups ;)  :D
[19:49] <sdeziel> on Linode you have a remote serial console available (LISH is the name IIRC) so hopefully the snort deployment won't go that bad
[19:49] <sarnold> oh sweet
[19:49] <sarnold> that makes it way less likely you'll need the 'delete vm' button :)
[19:49] <TheHonorableKitt> :P  it's sweet when I'm not at work hehe
[19:50] <TheHonorableKitt> I'm at work right now, only way I can even terminal in is with a webssh tool
[22:00] <coreycb> jamespage: we should have everything core + dashboards uploaded for stein now except horizon itself. i pushed all the updates i made but it needs django-debreach which will be a new package. component-mismatches should be fixed up now too.
[23:22] <TheHonorableKitt> so what I did earlier really screwed up my setup, I need to get someone to help me and look at my iptables rule file (I have it save persistently, so just rebooting won't help). I need to manually remove whatever is screwing up my system. Can someone please volunteer to help me?
[23:30] <teward> TheHonorableKitt, might be useful to restate the core problem as well
[23:30] <teward> since not all of us know the actual problem you are facing right now
[23:32] <TheHonorableKitt> sure thing, so I was trying to set SNORT into inline IPS mode, but I only have one IP (well, now I can have three, I might need it). anyway, someone said I can just add a few iptables rules for NFQEUE and snort will run those
[23:32] <TheHonorableKitt> I added those rules, and it killed my entire box's connection. now I can't figure out how to remove them
[23:36] <teward> how did you add them?
[23:37] <TheHonorableKitt> iptables -I INPUT -j NFQEUE
[23:37] <TheHonorableKitt> and
[23:37] <TheHonorableKitt> iptables -I OUTPUT -j NFQEUE
[23:37] <teward> andyour iptables ruleset currently is what?  (and where on the system)
[23:37] <teward> if you can share your iptables rulesets in a pastebin I can take a look
[23:37] <teward> and ID what rules you have to remove to get traffic working again
[23:38] <teward> not sure if you can do that easily though if you have no networking
[23:38] <TheHonorableKitt> i'll share the file with you directly, I don't want to paste it here
[23:41] <teward> i can't DCC here on IRC currently
[23:41] <teward> and I didn't say paste it here
[23:41] <teward> i said use a pastebin
[23:41] <teward> and then PM me the link :P
[23:49] <TJ-> TheHonorableKitt: if you use "iptables --line-numbers -nvL" you can use the line-number of the rule to delete it with "iptables -D <chain> <line-number>"
[23:49] <teward> TJ-, he's not got it in his stored rulesets all he has to do is iptables-restore < ... the ruleset
[23:50] <teward> and it would then get rid of the nfqeue rules heh
[23:50] <TJ-> Ahhh
[23:51] <TJ-> line-numbers is useful info anyhow; many folks don't realise it's there
[23:51] <teward> mhm
[23:51] <teward> not sure why he won't share his rulesets since there's nothing secret in those rulesets that'd ID his box as a target anyways but meh
[23:51] <teward> TJ-, woah that's a THING?
[23:52] <teward> *learned a new thing*
[23:52] <TheHonorableKitt> I generally try to be as secure as I can, I fail a lot, but good practice means good I suppose
[23:53] <TheHonorableKitt> so the iptables-restore command, what should I run with that? never ran this before
[23:53] <teward> i assume this ruleset is stored in a file on disk, yes?
[23:53] <TheHonorableKitt> yeah
[23:54] <teward> sudo iptables-restore < /path/to/ruleset/file/on/disk
[23:54] <TheHonorableKitt> /etc/iptables/rules.v4 and rules.v6
[23:54] <teward> and that's it
[23:54] <teward> so then: sudo iptables-restore < /etc/iptables/rules.v4
[23:54] <teward> and: sudo ip6tables-restore < /etc/iptables/rules.v6
[23:54] <teward> and you're done
[23:54] <TheHonorableKitt> alrighty, I might lose connection in a sec ;) lol we'll see
[23:56] <TheHonorableKitt> ok, ufw is enabled, looks like I'm all good
[23:56] <TheHonorableKitt> phew
[23:57] <TheHonorableKitt> so linode gave me two additional ip slots, should I use them to get snort inline IPS to work?
[23:57] <teward> if you added NFQEUE rules into the ufw configs find them and yank them out
[23:57] <TheHonorableKitt> or do I not need them?
[23:57] <TheHonorableKitt> it was only in iptables
[23:57] <teward> otherwise your box should talk to the internet fine
[23:57] <teward> good
[23:59] <Greyztar> the iptables and restore ive also used,however someway ruleset alway get reset on reboot,now im using systemd script with iptables-restore command,any tip on what might cause this?