[01:44] <Isla_de_Muerte> Hi, a quick n00b question. I've currently got 3 HDDs which are pointing at the same /datafolder through LVM but I've noticed that one of them is dying (according to HDSentinel) and it's the one with the Ubuntu installed on it. Is there a way to check which files are on that HDD and move them out somehow? Plus from my understanding (now..) LVM is not such a good idea after all?
[02:05] <compdoc> I never learned LVM because years ago utilities like clonezilla didn't work with it
[06:47] <lordievader> Isla_de_Muerte: How is the volume configured?
[10:40] <Isla_de_Muerte> lordievader, How can I show you? Really can't recall..
[10:41] <lordievader> Isla_de_Muerte: `lvdisplay -ma <path-to-logical-volume>` shows a lot of details.
[10:46] <Isla_de_Muerte> lordievader, here was a df -h a while back https://pastebin.com/TWz474TK (almost nothing changed) and here is lvdisplay https://pastebin.com/RGYtWnqj
[10:53] <lordievader> You have a very strange LVM setup. This volume is spread (linearly) over /dev/sda1, /dev/sdb1, and a logical volume /dev/ubuntu-vg/sdc3.
[10:55] <lordievader> Now you also need to figure out where the sdc3 LV is located. Then you can do some pvmove-ing to move the data off the bad disk. After doing that you can replace the bad disk.
[10:58] <Isla_de_Muerte> If I am not mistaken the sdc3 is the new HDD I've temporarily mounted to see what files it got
[10:58] <Isla_de_Muerte> Ah no, that is sdd1 nvm that
[10:59] <Isla_de_Muerte> The sdc3 got the ubuntu installation
[10:59] <lordievader> Could you provide the output of `sudo pvs`?
[10:59] <lordievader> Oh, and what is the bad disk?
[11:02] <Isla_de_Muerte> https://pastebin.com/nHzMZ6bV and the sdc is the problematic one
[11:04] <lordievader> You don't have free space in your volume group? Brr, this is going to be tricky.
[11:05] <lordievader> Essentially what you want to do is move the logical volumes ubuntu-lv and vg01-lv01 from sdc. That way you can replace disk.
[11:09] <Isla_de_Muerte> Yeah that thing is full -.-'
[11:09] <Isla_de_Muerte> Do you also recommend me to split them up or something? Because I read that if one of the HDDs die the whole lvm is useless :/
[11:11] <lordievader> Unless the underlying storage is in raid one... yes, you would be in bad weather if one of the HDDs dies.
[11:11] <lordievader> Best case scenario you just lose the data which was on that particular drive.
[11:12] <lordievader> A better approach would be to bundle drives in twos and put the logical volumes in raid1 config.
[11:13] <lordievader> I personally have the strategy of keeping volumes as small as possible. This allows me to move things around if I need to.
[11:17] <Isla_de_Muerte> I backup the whole box, so I don't mind if I use the maximum capacity I can.
[11:17] <Isla_de_Muerte> I currently got an old backup though that's why I'm a bit worried..
[11:40] <lordievader> <Isla_de_Muerte "I backup the whole box, so I don"> But you do throw away your flexibility with this.
[14:12] <vlm> with iproute or ip command can make routed tunnels,is its possible to add some auth function to this?
[14:13] <sdeziel> vlm: auth as in authenticated peers?
[14:15] <vlm> sdeziel: like the HE tunnels ,a username and password for the tunnel itself,dont need different users dunno if that counts as a peer?
[14:16] <vlm> dont need many different users I meant,just need one username/pw
[14:18] <sdeziel> vlm: for HE tunnels, the username/password is only to allow yourself to whitelist/re-associate your IPv4 as your tunnel endpoint
[14:18] <Triffid_Hunter> vlm: https://backreference.org/2014/11/12/on-the-fly-ipsec-vpn-with-iproute2/ may interest you
[14:19] <vlm> sdeziel: ohh i got it all wrong then,i thought it was a means of authing the tunnel itself hmm,so i guess it might not be possible then?
[14:20] <sdeziel> vlm: what you describe sounds like a VPN to me
[14:20] <vlm> when i think of it it indeed does hehe
[14:21] <sdeziel> vlm: are your tunnel peers using static IPs that you know already?
[14:24] <vlm> sdeziel: i dont got it setup yet though,was just thinking about setup one,just that if i setup one i dont feel like sharing it about,id like to be the only user,but then again others trying to use it would have to know the network of the endpoint to be able to use it?
[14:27] <vlm> think ill have to do some more reading on the matter thanks for help at least
[14:28] <sdeziel> vlm: yes, with static tunnels, both sides need to be aware of each other. With a VPN, the peering can be more dynamic
[16:37] <evit> If I'm using fail2ban and UFW can I use UFW rate limiting at the same time as fail2ban?
[17:25] <jdstrand> evit: yes
[17:26] <jdstrand> evit: it may be best to rely on fail2ban though since ufw's rate limiting isn't configurable (depends on if it works for you as is or not)
[17:26] <evit> But I can configure SSH server rate limiting on the daemon instead right?
[17:27] <jdstrand> evit: (ie, just use ufw allow <thing> instead of ufw limit <thing>)
[17:27] <evit> jdstrand, Yes, I understand
[17:28] <evit> jdstrand, UFW doesn't seem to allow a lot of options on rate limiting SSH. I will do some more tweaking in ssh server config. I've already locked it down quite a bit. Just want to make a cybercriminal run home to mommy crying. =)
[17:29] <jdstrand> evit: the sshd_config MaxStartups has potential for DoS. it is a little inflexible
[17:30] <jdstrand> evit: fail2ban has threshold settings iirc that you can tune flexibly
[17:31] <jdstrand> if using fail2ban with ufw, I suggest updating the ufw rules to use 'ufw prepend' if it isn't already doing so
[17:31] <jdstrand> (fyi)
[17:32] <jdstrand> (eg, in /etc/fail2ban/action.d/ufw.conf; instead of ufw insert...)
[17:33] <jdstrand> :q
[17:33] <jdstrand> whoops
[17:34] <evit> jdstrand, So make sure the fail2ban config recognizes I'm using UFW vs IPtables?
[17:39] <evit> jdstrand, What would you recommend for MaxStartups?
[17:40] <jdstrand> evit: I was just saying, if you are going to use the ufw action, make sure it uses 'ufw prepend'. the iptables one is fine to use so long as you use the default ufw config of MANAGE_BUILTINS=no from /etc/default/ufw
[17:42] <jdstrand> evit: as for MaxStartups, I find it too difficult to use in production and rely on fail2ban. it takes a while to get MaxStartups set correctly for typical usage and even when you do, someone could dos you
[17:42] <jdstrand> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Rate-limit_the_connections discusses that a bit
[17:43] <jdstrand> s/and rely/and suggest relying on/
[17:43] <evit> jdstrand, I understand
[17:43] <evit> ooops
[17:46] <evit> jdstrand, Thanks
[17:47] <jdstrand> yw
[17:48] <evit> jdstrand, I use Public Key Auth but wish Ubuntu server had latest SSH version. I'd love to use MFA. It's not perfect either but hey...
[17:53] <evit> FIDO/U2F support in 8.2 https://www.openssh.com/releasenotes.html
[17:53] <jdstrand> evit: Ubuntu 20.04 LTS is just around the corner :)
[17:54] <evit> jdstrand, Yes, and I will be upgrading then. =)
[17:54] <evit> later this year, Q3 or 4
[17:54] <jdstrand> it still has 1:8.1p1-5, but hopefully it will be new enough for you
[17:55] <jdstrand> hopefully focal will be updated and new enough for you*
[17:55] <evit> jdstrand, It would be good to have FIDO/U2F support in 8.3
[17:57] <evit> But I understand the desire for a focus on stability vs. new features so I can wait if need be
[17:59] <evit> jdstrand, Thanks again, enjoy your weekend!
[17:59] <jdstrand> you too! :)
[18:17] <sdeziel> I believe the plan is to have OpenSSH 8.2 included in 20.04
[18:41] <rbasak> sdeziel: on the nginx IPv4 mapped logged, am I right in thinking that the full IPv6 address cannot be reconstructed from the IPv4 mapped address? I have been assuming so because it doesn't have enough bits.
[19:00] <sdeziel> rbasak: hmm, I don't think we are referring to the same thing. I'm talking about addresses represented like that: "::ffff:192.0.2.1". Those are legitimate IPv4-mapped IPv6 where the first 96 bits use a known prefix and then the last 32 bits represent the IPv4
[19:37] <rbasak> sdeziel: oh
[19:37] <rbasak> In reverse to what I had assumed. My mistake.
[19:37] <rbasak> That's not so bad.
[19:38] <rbasak> As what I had been thinking it was.
[19:38] <sdeziel> cool
[19:38] <rbasak> That might be a reasonable change to make in a new Ubuntu release.
[19:38] <rbasak> (though not in a stable release)
[19:38] <sdeziel> are you drawing the line before or after 20.04 ?
[19:39] <rbasak> I'm open to doing it in 20.04, subject to others' opinions.
[19:39] <rbasak> Any other risks?
[19:41] <sdeziel> I'm not qualified to assess that but there must be a reason why upstream sets ipv6only=on by default. I also can't explain why they default to listening on IPv4 only...
[19:41] <sdeziel> I have not contacted them
[19:41] <rbasak> That's a good point.
[19:41] <rbasak> We should ask them.
[20:13] <DammitJim> do you guys have any recommendations on anti malware software for Ubuntu 18 servers?
[20:15] <rbasak> DammitJim: clamav is in main in Ubuntu
[20:15] <rbasak> Is that sufficient for you?
[20:15] <DammitJim> I'll take a look
[20:15] <DammitJim> I need to know if there is centralized management for it
[20:15] <rbasak> I'm not sure what form that would take.
[20:15] <rbasak> What sort of management do you mean?
[20:16] <DammitJim> so that I have a dashboard to ensure all my servers are up to date with definitions, agent versions, scan results, etc
[20:16] <DammitJim> and possible infections
[20:16] <rbasak> I'm not aware of that kind of thing being integrated in the package we ship.
[20:16] <rbasak> But I think there's enough access to the pieces that you can do what you need.
[20:16] <DammitJim> thanks!
[20:17] <DammitJim> what do you mean by access to the pieces?
[20:18] <rbasak> I mean that clamav definition updates can be scripted, and their status can be accessed via script, etc
[20:18] <rbasak> Also I see that monitoring-plugins-basic (in universe) has a check_clamd plugin
[20:19] <rbasak> For scan results, I expect clamav logs in one of the usual ways
[20:19] <rbasak> So it should integrate with most usual status monitoring and log monitoring systems.
[20:19] <DammitJim> thanks rbasak ... sounds like a project, but an option nonetheless
[20:20] <rbasak> You're welcome. Hope it works out!
[20:20] <DammitJim> ty