[00:47] Hey guys, which antivirus should I use for ubuntu 20.04?
[00:48] clamav maybe.
[00:48] I would like to make a full scan on my PC to discover not just virus but irregular services/software running - what should I use? I've heard of tronscript for WIN but not sure if it is OK for LINUX. I've used previously CLAMAV but did not like it
[00:48] But it's not so important on linux than it can be on windows etc.
[00:48] how come cartdrige ?
[00:48] clamav is like the "cliché" for linux lol
[00:48] but i find it basic
[00:48] and easy to escape from
[00:49] supremekai: mostly because defaults are different. and linux on the desktop is not really popular, which means writing viruses is not interesting
[00:49] There is a suite that is doing firewalling things etc, but i don't remember the name...vulnerability checker...maybe it's on BSD, i won't remember the name anyway.
[00:52] clamav is the usual choice
[00:52] there's a few proprietary things but they do *gross* things to try to work like windows that causes all kinds of problems
[00:52] especially with how nowadays av works, they need to collect a lot of stuff
[00:54] supremekai: Antiviruses aren't actually necessary on Ubuntu systems, because Ubuntu has well-defined and vetted software repos with info about what is and isn't safe right in the software installers. As opposed to Windows, where you get software from goodness-knows-where.
[00:54] (That's a very basic overview of why Ubuntu doesn't need an antivirus in most instances, but that should be enough to get a basic idea.)
[00:54] (There's tons of other reasons on top of that, but IMO, that's the core one.)
=== gabes9 is now known as gabes
[00:58] i tried to get a virus to work once
[00:58] I couldn't get it to go
[00:58] lol, "I _want_ that the virus goes wild, but I couldn't"
[01:08] sarnold: You did **WHAT?!?***
[01:09] I've had my devices pwned enough times that I'm usually somewhat paranoid about security.
[01:11] arraybolt3[m], that is a myth lulz
[01:11] linux not needing antivirus is like saying just because someone is a bodybuilder he/she does not need a medic
[01:12] I guess it is precisely the contrary
[01:12] open source sw is much more exploitable with 0-day due to the fact that the code is exactly open
[01:13] supremekai: which is a myth, as closed source software, you have no idea if your software is patched or not
[01:13] So, "OH, u use linux, so.. don't worry about an AV or Anti Malware or whatever" - Not needing a Anti-*ware is just a myth.. and a bad one.. most of the easily infected sys are linux ones..
[01:14] murmel, go to CVE and check the vulns of linux vs. win
[01:14] lulz, data will change ur wrong perception of this perfect nix world lulz
[01:14] arraybolt3[m]: I'd never seen a linux virus before and wanted to see what it did
[01:14] supremekai: Fun fact, Linux antivirus programs are actually more geared toward detecting Windows viruses to protect other Windows systems connected to the Linux system.
[01:15] arraybolt3[m]: so I tried to run it but it had been built with some bad assumptions somewhere and couldn't even start
[01:15] arraybolt3, the problem is that now u have a lot of contributors on this snap store bs of nowadays and lot of channels.. ez to infect a lot of users.. not to talk about the npm used in its dev..
[01:16] The whole point of an antivirus is to protect you if you don't know what you're doing. The whole system of Ubuntu is geared toward keeping people who don't know what they're doing from causing easy damage. One is hopeful security by getting in the user's way at the last minute, one is constant security by making the user do things the right way by default. Ubuntu uses the latter method.
[01:16] Windoze uses the former one.
[01:16] and anti "virus" is kind of a way of expressing it.. u have anti virus, anti malware, anti bloatware.. and so on and so forth
[01:16] supremekai: Most of us install our software through apt, also Snaps have publisher identifiers attached to them and will show a clear checkmark next to the publisher if they're trusted. So don't install Snaps from untrusted users. Problem solved.
[01:17] arraybolt3, I would support that idea of Wind00z being the b0z0 in the old days
[01:17] (This is if you're using the Snap command line interface.)
[01:17] nowadays anyone can dev anything.. too much open source.. makes your pc ass too open as well
[01:17] nowadays, I find wind00z more secure than linux
[01:17] supremekai: This isn't really a support question any longer. Care to continue in #ubuntu-discuss?
[01:17] why?
[01:18] are u the boss around arraybolt3 ?
[01:18] This channel is reserved for tech support, not discussion.
[01:18] uhh
[01:18] * supremekai an Ubuntu Boss :o
[01:18] lulz
[01:18] (No I'm not an admin, but I am a trusted Ubuntu Member, and also one of the admins, sarnold, is right here.)
[01:18] so, call sarnold
[01:18] you are trusted by who?
[01:19] * supremekai requests arraybolt3 to show his/her/X badge of "trusted Ubuntu Member"
[01:19] supremekai: Run /whois arraybolt3, you'll see the badge.
[01:19] show me your creds
[01:19] are u fbi?
[01:19] u fed?
[01:19] lulz
[01:19] [20:19] [Whois] arraybolt3 is ~arraybolt@ubuntu/member/arraybolt3 (Aaron Rainbolt)
[01:19] that is forged
[01:19] !ops supremekai is disrupting the channel
[01:19] if you have an NFT with that badge I will believe u lulz
[01:19] !ops | supremekai is disrupting the channel
[01:19] !ops arraybolt3 is disrupting the channel
[01:19] supremekai is disrupting the channel: Help! Channel emergency! (ONLY use this trigger in emergencies) - CarlFK, DJones, el, Flannel, genii, hggdh, ikonia, krytarik, mneptok, mwsb, nhandler, ogra, Pici, popey, sarnold, tomreyn, Unit193, wgrant
[01:20] !ops | arraybolt3 is disrupting the channel posing as an authority
[01:20] arraybolt3 is disrupting the channel posing as an authority: Help! Channel emergency! (ONLY use this trigger in emergencies) - CarlFK, DJones, el, Flannel, genii, hggdh, ikonia, krytarik, mneptok, mwsb, nhandler, ogra, Pici, popey, sarnold, tomreyn, Unit193, wgrant
[01:20] (How many times am I going to forget the | in the middle of that? This is the second time I've accidentally tried to redefine the !ops trigger...)
[01:20] so.. keepin up.. do u have an NFT as a *trusted Ubuntu Member* or not?
[01:21] if you have it, I will shut my mouth and stop my fingers
[01:21] OpenSea.io do not count - those are fake NFTs.. totally centralized
[01:21] supremekai: lol troll somewhere else, as even windows uses open source
[01:21] murmel, ok
[01:21] I like your nick
[01:21] murmel: Just ignore, you're just encouraging him :P
[01:21] so I will troll my way out
[01:22] Y u mad arraybolt3 ?
[01:22] p0s3r
[01:25] !ping
[01:25] pong!
[01:25] Yay!
[01:45] is screen tearing normal with a KVM switch?
[02:39] i'm having a bit of a strange issue trying to install zoneminder on my ubuntu system... it's ubuntu on WSL2... is this the place for that configuration?
[02:40] when trying to apt-get remove xxx it's also wanting to delete other applications. how do i get it to only delete the single application?
[02:40] forgotmynick: pastebin the full output
[02:41] forgotmynick, those might be packages that are dependent upon the one you're removing...
[02:42] they aren't dependent. it was installed yesterday and now it wants to delete other things. https://paste.nginx.org/r/d4
[02:42] so which package are you unhappy that it is removing?
[02:42] proxmox-ve isn't in the ubuntu repos...
[02:45] https://pastebin.com/yYvyRaek
[02:46] how do i figure out why zoneminder isn't connecting with mariadb?
[03:16] RingtailedFox: do you have systemd enabled? if I remember correctly otherwise mariadb wouldn't run in the background
[03:16] yes, systemd's enabled and mariadb's running in the background
[03:17] zoneminder was running fine until it said it needed to be upgraded... then the upgrade failed... tried uninstalling and re-installing it, but still nope
[03:18] the problem with wsl is, that it does quite a bit different to normal ubuntu :S. so I assume that's one of the reasons why it bugs out
[03:18] ohhh
[03:18] for example up till a month or so, there wasn't systemd
[03:19] really? because.. i've been testing systemd on WSL2 for like... nearly 3 years o.o
[03:19] and WSL1 before that
[03:20] RingtailedFox: https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/
[03:20] RingtailedFox: those don't have systemd
[03:21] ... huh
[03:21] okay
[03:22] RingtailedFox: and as described, afaik, you still need to activate systemd in wsl to actually have it
[03:23] alrighty
[03:23] thanks
[03:24] RingtailedFox: I would think through, if not an actual vm would make more sense
[03:24] yeah..
[03:24] for something like zoneminder, as it's not intended for wsl (or the other way around also)
[03:24] wsl is basically only for dev stuff
[03:25] just use docker with wsl2 backend
[03:26] Phr33d0m: for a gui tool? sure
[03:27] nvm then
[03:28] zoneminder seems to be a web tool... there's actually a docker image https://hub.docker.com/r/dlandon/zoneminder
[03:29] huh, I thought it was something graphical as you do need to see the feed
[03:30] who's building linux-only GUIs anyways?
[03:31] Phr33d0m: as it's foss why not
[03:32] I haven't seen a single FOSS project in a while that didn't have a windows build as well
[03:33] there are a lot, but I agree, they are getting more "popular"
[03:34] Where are the instructions for installing the rolling stable kernel?
[03:34] randomusr: oO what is a rolling stable kernel?
[03:34] yeah I like the idea... why it should be windows vs linux vs mac when it can be windows + linux + m... no, f- apple
[03:35] "rolling" and "stable" hehe
[03:36] murmel, latest kernel :P
[03:36] Phr33d0m: at least they are not as hostile as MS
[03:36] randomusr: download debs, apt install ./.deb
[03:37] !mainline | randomusr
[03:37] randomusr: The kernel team supply continuous mainline kernel builds which can be useful for tracking down issues or testing recent changes in the Linux kernel. More information is available at https://wiki.ubuntu.com/Kernel/MainlineBuilds
[03:38] randomusr: remember, those kernels are for testing, not for daily driving them
[03:38] some work better, some less so
[03:40] got it. I was hoping for kernel 6.0 would I need to add a repo? I'm looking over the link you provided
=== feelingsreal is now known as Guest5507
[04:42] oooh... i'm on win10 though. can i... use the Windows Store version of WSL?
[04:46] RingtailedFox, https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/
[04:46] i see
[04:47] hmmm, the page says windows 11 and makes no mention of 10... but the windows store page for the preview shows it'll work on win10... here's hopin'!
[04:47] I use systemd with wsl, I can confirm that it works
[04:47] :D
[04:47] i just hope it works well on my win10 laptop
[04:48] although, are you sure a simple docker container isn't enough for what you need?
[04:48] i've thought of that, actually
[04:48] RingtailedFox, https://gist.github.com/djfdyuruiry/6720faa3f9fc59bfdf6284ee1f41f950
[04:50] ravage I just added systemd=true to wsl.conf and it worked... is all this actually required at this point in time?
[04:50] no idea
[04:50] i dont run windows :)
[04:50] oh lame, it just throws an error (but at least i can access bash otherwise)
[04:51] (only in a VM)
[04:52] Windows version 10.0.19044.2130 does not support the packaged version of Windows Subsystem for Linux.
[04:52] For information please visit https://aka.ms/wslinstall
[04:52] Press any key to continue...
[04:53] sometimes when i start ubuntu in WSL, it shows "Sleeping for 1 second to let systemd settle" at the top... always has.. i wonder why that is
[04:53] sounds like a question you have to ask the M$ support
[04:54] * RingtailedFox nods
[04:54] do you need all this just for the zoneminder thing?
[04:59] Phr33d0m, i would like to test having the ability to view my security cameras under linux... eventually (well, by 2025) my laptop will be EOL since it doesn't support windows 11 (it only fails the CPU part)... so, i'd like to migrate it over to linux (hopefully something like ubuntu) and see if that works
[05:00] you really shouldn't bother with wsl for this... just install docker desktop and use this https://hub.docker.com/r/dlandon/zoneminder
[05:00] oooh! okie!
[05:00] thanks
[05:39] hi
[05:57] Hi
[06:01] just grab a laptop and install ubuntu LTS natively on it and call it a day, dont forget to keep it updated and backup important stuff every now and then (like once a week or so)
[06:02] I have done similar with an entry system... installed vbox and windows10 within that to run the win32 software that the entry system needs
[06:02] future entry systems we will buy are demanded to only use html5 as frontend
[06:02] as in use whatever modern browser you wish on whatever os you wish
[06:09] I'm planning to install 22.10 on an old laptop. It currently has 22.04. How long do I have to wait for the new version warning?
[06:10] after October 20, I mean
[06:14] LuckyMan, if you installed the system with 22.04 you will not get any notification about 22.10 as you are on the LTS update path
[06:15] i would also suggest you stay on that path unless you really need any features of 22.10
[06:17] LuckyMan, if you really want to get the update notification you have to change it here: https://i.imgur.com/cOOhqst.png
[06:30] thanks ravage
=== SteelRose_ is now known as SteelRose
[07:05] hi. Why wont my ipsec VPN connect with 22.04. Same settings worked fine on 20.04. Here are the logs https://paste.ee/p/JEdNn
[07:09] makara1: 'Timeout was reached' <-- can't you increment the timeout threshold?
[07:10] SteelRose: no, its a hardcoded 10sec timeout. Clearly the remote is refusing to interact any further with my requests
=== guiverc2 is now known as guiverc
[07:41] Friends, I have installed Brave through Snap, notifications in a website are set to allow, notifications of brave are allowed in Ubuntu but it still doesn't work. How come?
[07:43] https://ibb.co/MgNGrrt here is the screenshot (in italian) of the alert it gives. Notis simply don't work in Brave. weird.
[08:41] dante, https://community.brave.com/t/no-notifications-in-ubuntu-22-04-lts/437506
=== BT is now known as Guest1522
[08:51] anyone know how to unbrick a phone with ubuntu?
[08:52] lokisir, try one of the ubports channels ... https://ubports.com/de/contact/consumers
[09:02] @ravage, yes I opened that topic. got no solution
=== EriC^ is now known as EriC^^
[09:50] hi
[09:54] hello, curious to know if i can get some quick help/answers here... i boot with uefi and i see grub, then i see EFI stub: ... using dtb... EFI stub: Exiting boot services.... then all of the kernel output is missing. finally, after some time i see the login prompt on tty1 ... does anyone know how to print out the kernel messages after efi stub: completes and boots the kernel? i am expecting to see: [
[09:54] 0.0000] booting linux on cpu ..... [0.0000] linux verson 6.0-arm64 (ubuntu-kernel@blah) etc...
=== ViktorasCAM is now known as sinvet
[10:27] tuxrage, edit /etc/default/grub, remove "quiet splash" from the commandline variable, run sudo update-grub, next reboot should show the messages (*if* your default console= points to the correct tty that is)
[10:28] is there a solution for having 4k external monitor and 1080p laptop screen to work together with smooth mouse transitions? it's pretty annoying to move mouse from one screen to another if I am the wrong edge.
=== gacuxz1 is now known as gacuxz
[11:34] Hi. In a fresh jammy docker container I have python3 and python3-pkgconfig installed. a configure script (libxml 2.10.3) fails with "configure: error: Package requirements (python-3.10) were not met:" I failed to find a working solution on $searchengine
[11:37] Hi Vonor, we would most likely need to see that full message.
[11:39] sure. https://pastebin.com/raw/ZejQWHCB
[11:44] i get the same issue if i use python2 instead. the error messages changes from python-3.10 to python-2.7 so seems version inspecific.
=== Vonor96 is now known as Vonor
[11:55] Iḿ in keyboard hell
[11:56] I cant get this
[11:56] ahhhhhh
[11:58] I cant get this keyboard to write apostrophes and double quotes
[11:59] " '
[11:59] ctrl + c ctrl + v
[11:59] :>
[11:59] you probably have the wrong keyboard layout configured
[11:59] look what itś doing to Iḿ and itś...
[11:59] ogra: i will try with the console=
[12:00] if you are on gnome/kde, go to settings and check the keyboard settings
[12:00] .
[12:00] Iḿ using gnome
[12:01] Hi, I am using Ubuntu 22.04 64-bit. I am searching for an app similar to flux, but I am using Wayland and I am running into problems. Any recommendations?
[12:02] I'm it's
[12:02] '@WE23"£
[12:02] looks good
[12:02] ah yeah
[12:03] just swapped to english uk
[12:03] good work
[12:03] thanks
[12:12] Vonor, could it be it is actually looking for a binary called python-3.10 ? (note that the ubuntu binary python is called python3.10 (i.e. no dash) ... perhaps a symlink in /usr/bin is sufficient ?)
=== hasley is now known as mahler
[12:13] i have a symlink for python-3.10 already still fails.
[12:14] ten it is not that indeed 😞
[12:15] *then
[12:34] since i don't need the python bindings currently i worked around it by adding --without-python to the configure options. at least it compiles now
[12:37] i'd grep through the source though and see if you could easily change it and remove the dash
=== dd3my is now known as Guest8214
=== Guest0_1 is now known as beaver
[13:15] Hi all
[13:37] Hey guys. I have a python-flask app made inside my Arch machine. Made --onefolder package with Pyinstaller and when i try to run the same in Ubuntu, it says; https://bpa.st/5PTA
[14:38] Hello, my wifi card stopped working and I'
[14:39] spent a month trying to solve it: https://askubuntu.com/questions/1429758/qualcomm-artheros-wifi-card-not-detected-stopped-working
[14:39] any suggestions?
[14:45] whatever543, well, if you know how to handle -proposed, there's a new version of linux-firmware, but i'am doubtful
=== Phr33d0m_ is now known as Phr33d0m
[14:46] ioria yeah I don't know how to handle -proposed :/
[14:53] Hi let's say I have a script with the following line: `commandX | tee -a $LOG`
[14:53] But now I want to catch the exit code of commandX in a variable, how can I do this?
=== fling is now known as narrator
[14:57] Ecko, https://stackoverflow.com/questions/6871859/piping-command-output-to-tee-but-also-save-exit-code-of-command
[14:57] ogra: you here?
[15:04] lotuspsychje, yep
[15:06] ogra: im stuck in a loop on a customers focal to jammy upgrade on FF snap
[15:07] ogra: it keeps saying has “install-snap” change in progress”.
[15:07] even when i abort ID it doesnt want to install after
[15:09] upgrade with do-release-upgrade ? or some cdrom way ?
[15:09] customer did upgrade himself but aborted at some point, im on desktop now
[15:09] hmm
[15:09] via recoverymode
[15:10] can you pastebin "snap changes" ?
[15:10] but when trying to update, its stuck on deb to snap FF whatever i do
[15:10] ubuntu boot get stuck at grub if screen auto sleep after last shutdown, any idea?
[15:11] and if I manually turn off then turn on the screen, then it works
[15:12] ogra: termbin.com/n1xt
[15:12] lotuspsychje, and "snap change 2" ?
[15:13] (or 4, i bet they say the same)
[15:14] ogra: termbin.com/d7qk
[15:15] i tried to purge snapd too, but no dice to skip FF
[15:16] well, is that machine offline ? it fails all its downloads it seems
[15:16] no its up
[15:16] lemme try on cable
[15:17] 2022-10-19T17:05:14+02:00 ERROR the download has been cancelled: context canceled
[15:17] can you check if "snap change 4" has anything different than that ?
[15:17] could be that 2 is the one the customer canceled
[15:24] ogra: think something changed after reboot + cable now
[15:24] aha
[15:26] ogra: im seeing locale FF deb/snap packages running now, think its gonna work
[15:26] awesome
[15:26] does the oter connection use a proxy or something by chance ?
[15:26] *other
[15:26] no i was on wifi here
[15:26] weird
[15:26] yeah
[15:28] tnx for the think along anyway ogra
[15:28] always happy to help 🙂
=== justache is now known as justHaunted
[16:21] Hi guys
[16:22] Can I securely delete files on my windows 7 installation using a live cd?
[16:24] benio: Live CD of what?
[16:24] Ubuntu
[16:24] benio: What is your requirement for "secure" deletion?
[16:24] To make it most difficult to recover
[16:25] benio: Seriously, what standard do you require? DOD or PCI?
[16:25] benio: What attack vector are you defending against?
[16:26] I'm not too savvy on the terms mate
[16:26] benio: What audit standard do you have to meet?
[16:27] benio: Is this just a home system? Are you worried about external access or about the hardware falling into hostile hands?
[16:27] I'm just trying to delete my sensitive files so no one can recover it easy
[16:27] Yes
[16:27] It's a home system
[16:27] Both
[16:27] benio: Do you have encryption enabled on Windows?
[16:28] No
[16:28] The files can be accessed on linux
[16:29] That's probably the first step. You may find something here: https://askubuntu.com/questions/57572/how-to-delete-files-in-secure-manner
[16:30] benio: In order to access the files with linux, you would probably need physical access to either boot linux or physically mount the drive(s) on a linux system.
[16:30] Well I loaded a live cd and I can access my main 7 os
[16:30] Win 7
[16:31] benio: You have to weigh the value of your information to a hostile party vs. the difficulty in breaking the security.
[16:31] There are some files which I want shredded
[16:32] benio: You can overwrite the contents of the file before deleting it.
[16:32] Well I'm mostly trying to prevent the local geek from accessing and recovering my files
[16:32] My computer is going to be put in the cliset
[16:32] Closet
[16:33] benio: I would suggest encryption from the Windows side, and for specific files copy /dev/null over them, or /dev/random.
[16:33] Will it be strong enough?
[16:34] benio: That's always relative to how hard your opponent is willing to work. Writing over the data will defeat a casual attacker. It requires forensic techniques to recover the data.
[16:35] benio: You might want to learn about data recovery techniques to understand what is still vulnerable. Encryption + overwrite is pretty difficult to crack.
[16:36] benio: Encryption will overcome most casual recovery tools because there is nothing recognizable as a file.
[16:36] A large stick and a sign that says "Don't mess with my files" can also be helpful.
[16:37] I don't care about the forensics
[16:37] Lol I got nothing they'd care about
[16:38] Unless they're theived
[16:38] Theives
[16:38] benio: Good point. Measure your efforts accordingly.
[16:39] benio: DOD is the U.S. Department of Defense, they have published standards for deleting data from storage devices (drives) that are being disposed of. They vary with the level of security of the data.
=== diskin is now known as Guest6755
=== diskin_ is now known as diskin
[16:41] benio: PCI refers to the security standards for the Payment Card Industry. It's not a system you need, but scanning the standards can give you a good model for how to approach security.
[16:46] benio: Something that would probably address all of your concerns would be simply setting a boot password on the computer, so someone couldn't bypass the basic Windows security; couldn't boot to a Linux image.
=== lotuspsychje_ is now known as lotuspsychje
[17:20] hi, i'm trying to wrap my head around the different network management tools. eg, netplan vs NetworkManager vs ip vs ifconfig vs brctl ( am I missing anything?). Was wondering if someone here could give me their understanding.
[17:20] i guess networkd is another thing
[17:20] networkd is just a backend you usually do not touch by hand
[17:21] netpan creates configs for networkd on systems that di not have NetworkManager
[17:21] *netplan
[17:21] s/di/d👋
[17:22] ip is simply the successor of the deprecated ifconfig
[17:23] (and i need a new keyboard for this laptop 😞 )
[17:23] thank you! so changes using ip should not expected to be persisted across reboots?
[17:24] right
[17:25] on a server you'd edit the config in /etc/netplan/ ... on a desktop you either use the network-manager gui or something like nmtui to set it up
[17:25] so when I do 'netplan apply' assuming networkd backend, then it is presumably generating some networkd config files somewhere and asking networkd to reload?
[17:25] yes
[17:25] and a good hint is: dont use apply, use "netplan try"
[17:27] oh yeah.. i saw that.. just in case you hose your connection to the server it will revert, right?
[17:27] it applies the new config but rolls back to the old one if you do not confirm
[17:27] pretty much like the resolution switching for the desktop ... it counts down and reverts if you do not say it is okay
[17:38] ogra: So /etc/network/interfaces is deprecated/obsolete/doesn't work any more?
[17:38] since several years ...
[17:38] That's ifupdown or ifupdown2, it still works fine in ubuntu 22.04
[17:39] sure, but it is not installed 🙂
[17:39] True. It's also the default in Debian :D
[17:39] doesnt help much given the installer will set up something completely different (why would you change to something unsupported instead of altering the existing config)
[17:41] Each one of these has its own quirks; and there's a learning curve; so it's understandable that some sysadmins stick to the tools they know until they get completely removed from the archives :D
[17:41] but yeah, ifupdown2 is in universe and if you insist you can even run an ubuntu system with it (have fun removing all the default bits to avoid clashes)
[17:41] I'm trying to redirect non-www URL to a www URL in apache2 on Ubuntu 22.04.1 LTS and not having any luck with my googlefu. Any suggestions?
[17:41] AFAIK upgrading from older Ubuntu's doesn't automatically remove or disable ifupdown...
[17:41] right
[17:42] ifupdown2 is dead
[17:42] 2 too ?
[17:42] that was short lived then
[17:42] 2 is dead
[17:58] ogra: Supported + $5 will get you a cup of coffee.
=== diskin is now known as Guest9274
=== diskin_ is now known as diskin
=== Ringtailed-Fox is now known as RingtailedFox
=== kirill_ is now known as Guest1841
[18:25] hello from Ukraine
[18:26] hey
[18:32] can anyone help me figure out why my Apache server is getting bombarded by requests, even though my UFW rules should only allow access to it from my LAN and one other public IP address? https://pastebin.com/3wbPgAe6
[18:34] That pastebin shows my rules but my apache server-status page shows up to 150 requests from random ip addresses.
[18:50] I've recently upgraded and I'm having trouble getting Apache/2.4.41 on Ubuntu 22.04.1 LTS to redirect a non-www url to a www url. Any suggestions.
[18:50] ?
[18:51] BCB: pastebin your config? maybe someone can spot the problem
[18:51] wolfravenous: maybe you should disallow all too
[18:51] mod_rewrite ?
[18:51] BCB: I once spent hours trying to solve a problem with apache that boiled down to including a / at the end of an url when it shouldn't have been there -- or the other way around. I can't remember.
[18:52] wolfravenous: what's the default rule? are you dropping by default? are the packets matching *other* input rules? have the packets been NATted or something and thus actually do look like they're coming from the LAN?
=== heart1 is now known as heart
[18:57] sarnold: I was under the impression with UFW the default is to deny all traffic unless explicitly allowed. My other input rules are for other ports that are not managed by Apache and specify the port, so I don't think they would be involved... However i can paste my full rule set if that is helpful. And I don't know how to check if the packets have been NATed?
[18:58] wolfravenous: i dont think it denies all by default
[18:58] wolfravenous: I'm not sure which is the default, I am sure that your output doesn't include what the default is :)
[18:59] when setting it up they always make you create the ssh rule first so you don't lock yourself out if sshing into the terminal so I just figured it was drop all by default.
[19:00] wolfravenous: not sure about the default, but maybe worth doing "ufw default deny incoming"
[19:01] nevermind seems it does deny by default
[19:01] sudo ufw status verbose should show you the current settings
[19:02] the terminal replied: Default incoming policy changed to 'deny' (be sure to update your rules accordingly).... so maybe it wasn't set to deny by default.
[19:05] wolfravenous: by default it's deny, but if you deny it again, it will comply by changing it to deny ;)
[19:06] I used that command "sudo ufw default deny incoming" and restarted ufw. Then I started apache and within 30 seconds, my ip is bombarded by apache requests from random ip's It is like my IP is in some kinda bot swarm... and UFW doesn't love me at all.
[19:08] wolfravenous: which ports are open?
[19:08] ahh saw the link
[19:09] wolfravenous: are your random ips in the local network or outside?
[19:09] aka internet
[19:09] Here are my rules: https://pastebin.com/qDBtJscD
[19:10] the random IP's are all outside IP's none of them are LAN addresses
[19:11] the verbose output of UFW status says Default: deny (incoming) so that is correct.
[19:11] wolfravenous: can you dump the actual rules within (nft/iptables) to see if some random rule is added
[19:12] Here is a list of all the IP's that are hitting me within 30 seconds of turning on apache: https://pastebin.com/xMXEZYt1
[19:12] murmel: how do I dump those rules?
[19:13] Not going to a pastebin site, but what is it you're expecting?
[19:13] wolfravenous: iptables -L // nft list ruleset
[19:13] There's hundreds of thousands of crawlers hitting everything with 80/443 open at any time.
[19:13] bougyman: are you sure, that it should hit 80/443 if it's not allowed in the fw
[19:13] (firewall)
[19:14] murmel: the firewall is broken, in that case.
[19:14] bougyman: since I only allow access on port 80 and 443 to my LAN and one public IP address I don't expect anything but my traffic
[19:14] bougyman: that's why we want to see what's going on
[19:14] wolfravenous: have you put a dump of your rules somewhere yet? (not pastebin, please).
[19:14] this is what i right now asked
[19:15] see log
[19:15] For a rule dump, I personally prefer iptables-save -n
[19:15] (for iptables, not for nft)
[19:15] murmel that command returned: iptables v1.8.7 (nf_tables): Invalid rule number `nft'
[19:16] nft's sane with list ruleset.
[19:16] wolfravenous: `iptables-save -n`
[19:16] huh, i thought 22.04 switched over to nft
[19:16] Oh woops, -n is not valid anymore.
[19:17] swore it used to be. So just `iptables-save`
[19:17] murmel: he typed the whole thing you typed.
[19:17] % sudo iptables -L // nft list ruleset
[19:17] iptables v1.8.7 (nf_tables): Invalid rule number `nft'
[19:18] :)
[19:18] Oh Crap! there is a lotta mess from that iptables-save command... if not pastebin where should I dump it?
[19:18] termbin, paste.debian.net
[19:18] eh termbin.cm
[19:18] com
[19:19] just a sec
[19:19] I like ix.io, but they use termbin here a lot.
[19:19] basically anything but pastebin, hah.
[19:19] wolfravenous: pastebin.com had issues with malware (distributing) and their ads :S
[19:19] bougyman: yeah because you can just | nc termbin.com 9999
[19:19] murmel: yeah that's handy.
[19:19] so `sudo iptables-save | nf termbin.com 9999`
[19:20] ugh.
[19:20] s/nf/nc/
[19:20] bougyman: he probably won't want to do it that way, as he doesn't want to expose one of the ips from his work
[19:21] well he could that out.
[19:21] Here ya go. https://paste.debian.net/1257636/
[19:22] I realize that it has a ton of Fail2ban mess in that paste from the iptables-save command.... is there something neater for output?
[19:22] There's nothing more complete.
[19:22] And complete is kinda what we need.
[19:24] Hey, I just saw something in that paste, line 173 from where I was setting up geo ip blocking... it has 80 and 443 and ACCEPT... is this the root of my issue...
[19:25] wolfravenous: yes
[19:25] Looks like it.
[19:25] I was using geo blocking cause this is just a home server, and the only people that need any access are me and my family, no commerce so was not wanting it open world wide..
[19:25] and honestly, geoip is imo not _really_ helpful as IPs are nowadays sold outside their respective country (I assume US is still better than "random country" but still)
[19:26] Also, noticed that all those IP addresses that are bombarding me are actually in US...
[19:26] Yeah, still never know where the person _using_ that IP is from.
[19:26] I'm in Mexico right now but using an IP in Maine.
[19:27] True, I guess it is easy enough to setup proxies on AWS, Azure and hosting sites like that, most even offer free trials, heehe
[19:27] Cloudflare has a great free plan.
[19:27] You'd never need more.
[19:27] wolfravenous: especially oracle
[19:27] And they do create spam/ddos prevention out of the box.
[19:27] Just enabled that check that you see in your browser when you get to cloudflare sites (checking browser, blah blah).
[19:27] Of course that makes curl and most scripts impossible to use.
[19:27] So that's sometimes a downside.
[19:28] Okay let me see if I can nuke that rule that was on 173 and see if that helps... will post back my results.
[19:28] wolfravenous: depending on your needs think about vpn setups. i do it with wireguard and android where it's always connected
[19:31] is there a tool to know which nvidia modules I need for a given card?
[19:32] StyXman: ubuntu-drivers devices
[19:32] should at least tell you which devices need drivers
=== withered_wolf is now known as thought_fu
=== thought_fu is now known as withered_wolf
[19:34] murmel: tx
[19:34] wolfravenous: Without looking at your pastes: What port are you running sshd on?
[19:34] jhutchins: iptables had a rule to allow 80 from US ;)
[19:35] Well, 80, 443, and 22 are the main targets.
[19:38] Trying to remember why I didn't see brute force attacks on the web server ports ...
[19:38] I think it was because delivering a 404 was less load than denying an ssh login.
[19:39] Besides, we were tuned and balanced for HTTP.
[19:39] but wouldn't https negate the "advantage"?
tls _is_ quite heavy on hw
[19:39] not that much anymore, but when talking about ddos
[19:40] I nuked that rule related to geoip in /etc/ufw/before.rules and now things are as expected. No apache traffic except from me.
[19:40] For some reason I only remember legitimate load bogging down the site, and it managed to keep serving, if slowly. I guess Apache's built to queue and service large volumes of requests. SSHD not so much.
[19:40] Thanks SO MUCH for assisting on this big win for me!
[19:41] wolfravenous: yw :)
[19:41] I take it there isn't actually a public ssh port.
[19:41] nope
[19:41] jhutchins: yeah sounds reasonable that apache is more robust for high load
[19:42] i mean sshd won't often get 100000 req/s
[19:42] It is all about being aware of what I was doing.... I locked everything down the way I wanted it but then when I tried to add the GeoIp to it, I actually messed up what was probably working before, LOL.
[19:43] wolfravenous: imo it's always helpful to see the rules in iptables/nft, as that's how they are processed (top to bottom)
[19:43] which means if you allow first something then reject it in the next line, it will always get allowed
[19:44] reject/deny depends on your needs
[19:45] first rule has priority, got it! this also solved the random bots hitting ssh port that was showing up when I would run lastb command.
[19:46] is ubuntu /usr-merged?
[19:46] sjdns: yes
[19:46] Well guys, I am heading out to the woods! Thanks again for everyone's help... I am about half a century and IRC seems like for decades has always been the best place to get help!
[19:47] when did that happen?
[19:47] wolfravenous: hf, and yes, it's where the old guys sit ;)
[19:47] wolfravenous: enjoy :)
[19:47] I just had a weird issue with /usr/bin/grep missing
[19:48] sjdns: disco for new installs
[19:48] so 19.04
[19:50] sjdns: so very old install or is something broken?
[19:52] Hi
[19:52] Is there any good secure wipe software for Ubuntu?
[19:52] I'm trying to wipe an ssd
[19:53] with ssds you can _never_ be sure that it's actually wiped
[19:54] Hmm
[19:54] I see
[19:54] that's why you use encryption or never sell/use it again
[19:55] What do you suggest?
[19:55] for what?
[19:55] To destroy it
[19:55] philwong: a sledge hammer ;P
[19:55] hm, take it to the gun range, burn it, keep it in a safe. there are quite the options depending on where you live
[19:56] oh yeah sledgehammer is also a good idea
[19:56] but please don't burn it
[19:56] all the chemicals :(
[19:56] I know
[19:56] I thought that as well
[19:57] i mean there is a reason why most companies keep hdd/ssd/ram and/or pay __a lot__ of money to other companies to destroy it
[19:57] If I reinstall an os and then encrypt it and wipe it would that work?
[19:57] philwong: no
[19:57] why not
[19:58] EriC^^: because we don't know what the ssd controller does
[19:58] SSDs are notorious for possibly leaving shreds of important data around in spots like the overprovisioning areas.
[19:58] It's a mess. They're great for storage, not so great for deletion.
[19:58] Really with any modern storage media, the safest way to delete everything on it is to physically obliterate the device.
[19:58] EriC^^: because of compression and other stuff you never know what it does to speed up your experience
[20:00] philwong: dd if=/dev/urandom of=/dev/whatever bs=1024k
[20:00] i see, thanks
[20:00] philwong: as arraybolt3[m] it'll leave some stuff in the slop areas, but it's a good start
[20:00] hmm, I wonder if one of the partitioning tools has an easy way to trim the entire thing
[20:01] honestly, I would just destroy the ssd, and restart with a new one, but that depends heavily on what kind of data we are talking about
[20:01] You could also hit it with a Secure Erase command.
[20:01] arraybolt3[m]: which we don't know what it does ;)
[20:01] philwong: blkdiscard(8)
[20:02] murmel: Valid point.
[20:03] If I hammer it and put it in vinegar and let it sit for a week
[20:03] Maybe that helps
[20:03] definitely ;)
[20:03] what is the name of this tool? https://i.stack.imgur.com/itfVN.png I don't have it installed
[20:04] philwong: That sounds like a fairly effective method of doing it. Might also roll over it with a truck.
[20:04] but honestly selling tech gets more and more impossible. just to give an example: bought a used laptop, and when I installed win to update a few firmware blobs, it literally showed me what the prior person bought on the microsoft store etc
[20:04] StyXman: software-properties-gtk
[20:05] philwong: donate it to a clueless friend or family member
[20:05] Blunt force alone will still leave data in the microchips?
[20:05] Even if it breaks
[20:05] philwong: Yes but you can't get at that data unless you can somehow reassemble the crushed chips.
[20:06] I mean at that point you might could try to get some data out of it, but the equipment, time, and cost would be insane.
[20:07] murmel: tx; FYI there's also software-properties-qt :)
[20:07] StyXman: yeah, source package is called software-properties ;)
[20:07] anyways, reboot time
[20:18] Sarnold dd is the Linux command right
[20:18] y
[20:18] I'm gonna run it on livemode
[20:18] Liveusb
[20:19] Does it come pre-installed?
[20:20] Or do I have to download the utility from the utility software center
[20:20] philwong: dd is probably available in the live mode
[20:21] Ok
[20:22] it's definitely preinstalled
[20:31] https://dban.org/
[20:32] jhutchins: do you know how it verifies that the data is gone on ssds?
[20:32] murmel: It has the options to be fully DOD compliant. That should be enough for you.
[20:33] jhutchins: just asking, as I don't want to delete data _that_ bad ;)
[20:33] but sounds legit then thanks
[20:34] murmel: It also has some lighter options. If I have to leave old drives functioning it's what I use. Not fast.
[20:34] As in launch it at the end of your day and come back tomorrow.
[20:36] jhutchins: I wonder how expensive the full version is, as one of the companies, which are like "if you don't ask, you can't afford"
[21:20] is there a way to setup a proxy before installing ubuntu desktop?
[21:23] maybe booting in live mode first
[21:24] i guess if you export http_proxy=http://10.0.0.0 this may apply
[21:24] thanks will try out. problem is that it downloads stuff even when selecting not to download updates :S
[21:25] maybe what it downloads aren't updates then
[21:25] what is it then? I assume the iso should have everything it needs to install a desktop
[21:26] maybe it's testing whether apt repositories are reachable or something, i don't really know.
[21:26] installing right now, will see what the logs say, I only ever saw that it tries to reach repos for packages
[21:36] so it is safe to remove /bin?
[21:36] no
[21:37] a lot of programs assume specific tools are in specific directories, rather than searching through PATH to find them, and removing the symlink would break those programs
[21:37] tomreyn: lol you were right, it just populates the database. I assume I saw that apt downloads the Packages file, and assumed it downloads Packages :S
[21:38] that /bin folder is not a Recycle Bin.
[21:39] tomreyn: grml, it _does_ download packages
[21:41] you can always pull the plug, if there are plugs involved
[21:41] or just not bring it online, or bring it offline instead, or change the default gateway.
[21:41] at least there is a virtual plug, still annoying to always go into vm settings
[21:41] great, the merging of /bin is done
[21:43] where should /lib64 point to?
[21:45] sjdns: /usr/lib64?
[21:45] sjdns: sysop@x2204mini:~$ ls -al /lib64 >> lrwxrwxrwx 1 root root 9 Aug 26 18:37 /lib64 -> usr/lib64
[21:46] weird, here to /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[21:46] why would a dir point to a file oO
[21:47] it's the file in the dir?
[21:47] opendir() is gonna fail pretty hard when pointed to a file though
[21:48] oohh, I misunderstood you as we were talking about /lib64
[21:48] not the file in it :)
[21:50] Any idea why file_put_contents is getting a failed to open stream: Permission denied on Ubuntu 22.04.1 LTS ??
[21:50] it does not have permission?
[21:51] just a wild guess
=== robert_ is now known as Guest7347
[21:55] BCB: that's pretty thin information to go on -- is it a snap? if so, do you need to connect interfaces?
[21:57] * tomreyn is guessing on https://www.php.net/file_put_contents
[21:57] but then we still don't know anywhere close to enough