[10:40] <Blohsh> oerheks, Hi there, PSAD is for incoming but we got issue of outgoing port scans problem
[10:42] <lotuspsychje> Blohsh: mayve scan your whole system with lynis, see if you can find any troubles from inside
[10:42] <lotuspsychje> !info lynis
[10:42] <ubottu> lynis (3.0.7-1, jammy): security auditing tool for Unix based systems. In component universe, is optional. Built by lynis. Size 222 kB / 1,612 kB
[10:47] <Blohsh> lotuspsychje, users abuse port 80 and 443, blocking it is making things worse like wget, ping and api not working. 
[10:48] <Blohsh> https://i.imgur.com/DpAdQMF.png
[13:39] <teward> Blohsh: this is where you start auditing what processes are running, lock down access to the server, and run things like lynis to identify irregularities.  and consider nuking and rebuilding from scratch.
[14:07] <lotuspsychje> +1 teward 
[14:09] <Blohsh> teward, it is a dedicated server used for providing nat vps
[14:10] <teward> and?
[14:10] <Blohsh> "nuking and rebuilding"
[14:10] <Blohsh> will remove all servers?
[14:11] <teward> so your system runs many VPSes is what you are saying and they are nat'd through this box?
[14:11] <Blohsh> yup
[14:12] <teward> then its time for you as an MSP (managed service provider) to audit all then VPSes and ID which one is doing the port scanning and terminate the services for ToS violation
[14:12] <teward> the same investigative process applies regardless of the server use case
[14:12] <Blohsh> that is the problem we are unable to identify which user is doing that.
[14:13] <teward> so its time to start logging network traffic
[14:13] <teward> and then id trends that correspond to the abuse reports
[14:14] <teward> if no users trigger any notices and lynis on the host reports nothing unusual then you have a larger problem on your hands
[14:14] <teward> one that this channel wont be able to help solve
[14:15] <teward> the problem of network auditing is NOT a new one.  and things like ptrg and such *can* be set on the internal network to detect scans - incoming to host gateway port before being nat'd out is an 'incoming' sca 
[14:15] <teward> psad* too
[14:15] <teward> *yawns, then seeks coffee*
[14:16] <Blohsh> teward, psad is for incoming not outgoing
[14:17] <Blohsh> the problem i have is of outgoing
[14:17] <teward> incoming and outgoing is relative
[14:17] <teward> to the directionality of the network port
[14:17] <Blohsh> outgoing makes server locked
[14:18] <teward> i need coffee if i am going to continue this conversation back in a few
[14:19] <Blohsh> teward, https://i.imgur.com/DpAdQMF.png
[14:21] <teward> Blohsh: start then by explaining the networn setup on $HOST.  Are your VPSes directly bridged to the internet uplink or do they have separate private IP mappings internally?
[14:21] <teward> Blohsh: i dont care for hetzners logs right noe
[14:22] <teward> heads up i do network security for a living so this kind of thing is something i encounter regularly and havr advanced experience on so unless i ask for hetzners logs which you already posted previously i dont need them
[14:37] <ahasenack> rbasak: I'm doing an nfs-utils SRU for another bug, and was wondering if I should include this fix with it: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1980095
[14:37] <ubottu> Launchpad bug 1980095 in nfs-utils (Ubuntu) "libnfsidmap built without hardening flags" [Undecided, Fix Released]
[14:37] <ahasenack> wdyt?
[14:38] <ahasenack> I'll also ask security, but they will probably say "yes" :)
[14:43] <teward> Blohsh: also keep in mind I do MSP stuff as well - I run servers for clients on VMs with mappings for /28s inbound and outbound - I have one public IP assigned to each internal system when it goes out the door, dedicated for those specific VMs.  Along with network traffic logs, I can ID what a system is doing and isn't doing at a glance.  If your system has only one IP and numerous internal IPs then I don't know how you're doing VPS.
[14:43] <teward> Blohsh: if you're doing multiple public IPs to multiple VPSes internally then you should ideally have a 1:1 mapping of public IP to VPS
[14:44] <teward> and that's how you ID traffic behavior for a specific user
[14:44] <teward> if you're not doing that you need to adapt and configure your system accordingly - and `psad` is for 'incoming' scans, but if the VPSes have to talk to the Gateway (your main server first) before going out the door then you configure the iptables, etc. logs properly so that traffic from the *internal* interface at your gateway gets pointed at psad, and then psad sees 'incoming' traffic on that port and then can ID scans.
[16:38] <rbasak> ahasenack: remind me which bug you were talking about updating the apparmor profile for please? Because bug 1703821 is in the queue for Bionic.
[16:38] <ubottu> Bug 1703821 in apparmor (Ubuntu Bionic) "Dovecot and Apparmor complains at operation file_inherit" [Undecided, New] https://launchpad.net/bugs/1703821
[16:40] <ahasenack> rbasak: that's not the one we were talking about
[16:40] <ahasenack> ah, you mean to add the fix to this one
[16:40] <rbasak> Was your case for Bionic?
[16:41] <ahasenack> checking
[16:41] <ahasenack> rbasak: no, jammy: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1979879
[16:41] <ubottu> Launchpad bug 1979879 in samba (Ubuntu Jammy) "Apparmor profile in 22.04 jammy - fails to start when printing enabled" [Undecided, Triaged]
[16:41] <rbasak> OK so no benefit in merging them.
[16:41] <ahasenack> and jammy only, yeah
[16:43] <rbasak> This one's in complain mode only AIUI
[16:45] <ahasenack> the one I linked? Yes, after you install apparmor-profiles, you get samba in complain mode, so no failures, just log noise
[16:49] <rbasak> This one too I think. I've asked for further justification in the log.
[16:49] <rbasak> in the bug
=== nuccitheboss1 is now known as nuccitheboss