Bob Morales posted:irssi + screen That's just what I'm looking for. Thanks!
|
# ? Jun 30, 2011 20:01 |
|
brc64 posted:God drat, scripting is like some kind of drug. Could you break it into simple-man terms on how you got the script to automatically email you? I wanted to write a small script that would snag the names of newly released DVDs from a website, and email me the names. I could never figure out how to handle the email. Of course, I have almost zero practical experience in linux.
|
# ? Jun 30, 2011 20:57 |
|
Ugh. Can someone tell me what all this poo poo in my error.log is? There is 5MB of this kind of stuff! http://pastebin.com/gwtxbsH8 Lots of people coming from that shaolinpirates.com domain, and that last google search referer is the server's IP (I changed it). What is more scary, is the poo poo in access.log. I don't even know where to begin :/. http://pastebin.com/1gr04d5K I am holding out a small hope that this is all somehow "normal", but I can't imagine it is! Is it time to and remove php forever?
|
# ? Jun 30, 2011 21:41 |
|
Hughmoris posted:Could you break it into simple-man terms on how you got the script to automatically email you? I wanted to write a small script that would snag the names of newly released DVDs from a website, and email me the names. I could never figure out how to handle the email. The first recommendation was ssmtp because it's pretty simple. Of course, you still need to know your server information, and if you use Gmail (which I use), there are some other required settings. "ssmtp gmail" brings up some helpful guides. That said, I couldn't get ssmtp to work for me. From my searching, it looks like it chokes on sending special characters in passwords, so it would never actually authenticate. That led me to sendEmail (notice the E, completely different from sendmail). Once installed, that wouldn't work at first, complaining about some perl libraries needed for SSL. I figured out how to install those (libnet-ssleay-perl and libio-socket-ssl with apt-get install), then finally used a guide to send a test email. The main downside to this, which can probably be worked around somehow, is that my password is stored in plaintext in my script. Normally that would be a big deal, but since this is not a public facing server and I'm the only one with access, the convenience outweighs the concern.
|
# ? Jun 30, 2011 21:41 |
|
Kaluza-Klein posted:Ugh. Can some one tell me what all this poo poo in my error.log is? There is 5MB of this kind of stuff! I didn't read through it all thoroughly, but at a glance that's mostly normal. I get the same type of traffic to my web servers. It's just people doing drive by exploit testing. Be drat sure that you don't have any webapps with known exploits exposed to the internet, because they will end up biting you in the end.
|
# ? Jun 30, 2011 21:46 |
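An added example, not from any poster in the thread, of the kind of triage the reply above implies: pick the drive-by scanner probes (phpMyAdmin setup scripts and similar) out of an Apache combined-format access log and summarise them per client address. The log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag drive-by scanner probes in an
# Apache combined-format access log and summarise them per client address.
# Sample lines below are constructed; addresses come from documentation ranges.

# Print "count address" for clients whose requests hit a probe path,
# most active first. Usage: probe_report /var/log/apache2/access.log
probe_report() {
    awk '
        # In combined format $1 is the client address and $7 the request path.
        # The paths below are almost never requested by real visitors of a
        # small site but are hammered by automated exploit scanners.
        tolower($7) ~ "/(phpmyadmin|pma|myadmin|w00tw00t|setup[.]php)" { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Number of distinct scanning clients, for a quick "how noisy is it" check.
probe_clients() {
    probe_report "$1" | wc -l | tr -d ' '
}

# Constructed sample log: two normal visits, three phpMyAdmin probes from one
# scanner, and one generic vulnerability-scanner probe from another.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [30/Jun/2011:21:30:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2011:21:30:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
198.51.100.7 - - [30/Jun/2011:21:30:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
198.51.100.7 - - [30/Jun/2011:21:30:03 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
192.0.2.9 - - [30/Jun/2011:21:31:10 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
203.0.113.5 - - [30/Jun/2011:21:32:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

probe_report "$SAMPLE_LOG"
```

Run it against the real access.log instead of the sample to see which addresses are only ever probing; those are the ones worth feeding to a firewall or fail2ban rule.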
|
Kaluza-Klein posted:Ugh. Can some one tell me what all this poo poo in my error.log is? There is 5MB of this kind of stuff! That's all part of being on the internet. You can have your firewall not allow traffic from places like South America, China, and Russia and that will cut it down by quite a bit.
|
# ? Jun 30, 2011 21:48 |
|
I've been running Zimbra for email/calendar/etc for the past few weeks and it's been a total dream. Why have I never heard about it before? Does it just suck in the enterprise?
|
# ? Jun 30, 2011 22:24 |
|
BnT posted:This is probably a little more security than you're looking for. After running VPS systems for a number of years, I've decided that the only way to prevent the endless onslaught of brute-force SSH attempts while allowing me to travel and SSH in from random IP addresses is to disable password authentication in SSH, and ratelimit new SSH connections with iptables. Yeah I use pub/privkey auth as well. I configured SSH to only accept that type of authentication, I also disallowed root logins. For the bots (it's quite amazing how bots seem to find your machine and start ssh attacks) I use fail2ban with -1 ban time (= unlimited, unfortunately the ban list doesn't survive reboots but the bots change IP addresses anyway).
|
# ? Jun 30, 2011 22:52 |
|
Speaking of pub/privkey auth, should I be using rsa or dsa, and how many bits should I specify? e: Also, if I'm SSH'd into a system and want to open a new tab, is there a way to do this without having to login again? That's what I'm doing right now so sometimes I'll have 5+ SSH connections to a single system, but I'm sure there must be a better way to do this? Ziir fucked around with this message at 23:03 on Jun 30, 2011 |
# ? Jun 30, 2011 22:59 |
|
Ziir posted:Speaking of pub/privkey auth, should I be using rsa or dsa, and how many bits should I specify? 1024 bits should be fine for both RSA and DSA. 2K or 4K keys are fine too but only if you're really paranoid. Remember that the key is only used for authentication, after that a block cipher is used like AES, Blowfish or 3DES (usually AES).
|
# ? Jun 30, 2011 23:07 |
|
Ziir posted:I want to set up a permanently on/connected IRC client on my server and then somehow access it from other PCs by SSHing into it (irc client could exist purely in the terminal or be x11 based, doesn't matter) and starting the client. The idea is I want a single persistent connection so that I could move from PC to PC to my iPhone's SSH app and everything is still logged nice and neat in one place and nobody knows the difference. Not only is it possible, I've been doing it for years. For tty IRC clients such as weechat or irssi, screen is the program you want. For X11 clients, NoMachine NX is basically screen for X11 and is free for personal use (and free-as-in-GPL unofficial builds exist, too). Note that this will preclude the use of an iPhone to connect to it, since as far as I know there is no NX client (or X server software of any kind) for the iPhone. For anything, you could run it normally and then tunnel VNC (a remote desktop protocol) over SSH. This will give you worse performance than either ssh+screen or NX, though. There's also Quassel, which is an IRC client that's divided into client and server halves and would probably work for this; however, it's relatively new and I don't know how well it works.
|
# ? Jun 30, 2011 23:20 |
|
ToxicFrog posted:There's also Quassel, which is an IRC client that's divided into client and server halves and would probably work for this; however, it's relatively new and I don't know how well it works. doesn't beat screen and irssi though
|
# ? Jun 30, 2011 23:40 |
|
IRC dudes: You can use screen+irssi and if you set it up as a proxy, you can connect to your saved session with mIRC or whatever the gently caress you want. Ziir posted:Speaking of pub/privkey auth, should I be using rsa or dsa, and how many bits should I specify? A new 'tab'? You mean another console window? You could just make another screen session (assuming you're using screen).
|
# ? Jun 30, 2011 23:47 |
|
Bob Morales posted:A new 'tab'? You mean another console window? You could just make another screen session (assuming you're using screen).
|
# ? Jun 30, 2011 23:53 |
|
Zom Aur posted:You don't even need to make a new screen session, you could just make another window with ctrl+a and ctrl+c, then you can switch between them with ctrl+a and ctrl+a. That's what I'm talking about. Session, window, whatever.
|
# ? Jun 30, 2011 23:56 |
|
Ziir posted:That's what I'm doing right now so sometimes I'll have 5+ SSH connections to a single system, but I'm sure there must be a better way to do this? An alternative is OpenSSH's control socket feature. For your first ssh session, run: code:
code:
Now, if you kill the first ssh session, all subsequent sessions die. One way around that is to open a terminal, run: code:
ExcessBLarg! fucked around with this message at 01:05 on Jul 1, 2011 |
# ? Jul 1, 2011 01:03 |
|
You can also add code:
All the ssh connections to the same host will run through the same socket with this. IIRC, you only have to login on the first one, but was a while since I used this.
|
# ? Jul 1, 2011 01:17 |
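An added example, not any poster's own commands, of putting the multiplexing setup from the two posts above into the client config so it is automatic. ControlPersist is what keeps the shared master alive after the first session exits, which addresses the "kill the first session and the rest die" problem; the config path is a function parameter so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example (not from the thread): install OpenSSH connection multiplexing
# into a client config file. ControlMaster auto reuses an existing master
# connection for every later ssh/scp to the same host, and ControlPersist keeps
# that master running in the background after the first session exits, so
# closing the first session no longer kills the others.

# Usage: add_mux_config ~/.ssh/config
add_mux_config() {
    cfg="$1"
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir"
    # Idempotent: do not append a second copy on repeated runs.
    if [ -f "$cfg" ] && grep -q '^[[:space:]]*ControlMaster' "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<'EOF'

# Connection multiplexing: one authenticated TCP connection per host.
Host *
    ControlMaster auto
    # %r@%h:%p keeps masters for different users/hosts/ports apart.
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master open 10 minutes after the last session closes.
    ControlPersist 10m
EOF
    # ssh refuses world-readable config files with Include/Match in some
    # versions, and the file may later hold host-specific secrets anyway.
    chmod 600 "$cfg"
}

# Report the ControlPersist value the config would apply, for checking.
mux_persist_value() {
    awk '$1 == "ControlPersist" { print $2; exit }' "$1"
}

# Exercise on a scratch directory rather than the real ~/.ssh.
SCRATCH=$(mktemp -d)
add_mux_config "$SCRATCH/config"
add_mux_config "$SCRATCH/config"   # second run must not duplicate the block
cat "$SCRATCH/config"
```

With this in place the second and later `ssh host` invocations attach to the existing master and skip key exchange and authentication entirely, which is the overhead saving the thread is discussing.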
|
Why not just use key based authentication? I use public keys and ssh-agent to handle my private key file so I don't need to enter in my password when logging in anyway. I don't see how having all of your sessions dependent upon a single parent session is an upside. So you have less sockets open to the server... who cares? Not trying to be a dick about it, just curious if there's something I'm missing here.
|
# ? Jul 1, 2011 04:23 |
|
SynVisions posted:Why not just use key based authentication? I do use key based authentication. I just wasn't sure if relying on one connection was good or bad, but now that I think about it it doesn't seem to be that good of an idea.
|
# ? Jul 1, 2011 08:43 |
|
SynVisions posted:Why not just use key based authentication? I think you might save on some overhead by doing it this way, so if you have really limited bandwidth, it might make a small difference, but I don't actually know.
|
# ? Jul 1, 2011 11:21 |
|
SynVisions posted:I don't see how having all of your sessions dependent upon a single parent session is an upside. So you have less sockets open to the server... who You don't have to authenticate/negotiate a connection each time. Probably more of an issue a long time ago on older, slower servers and clients.
|
# ? Jul 1, 2011 13:13 |
|
spankmeister posted:Yeah I use pub/privkey auth as well. I configured SSH to only accept that type of authentication, I also disallowed root logins. This little bit of iptables goodness has reduced the brute forcing attempts by quite a bit. It's funny, even though I don't accept password authentication people still try on a daily basis. code:
BnT fucked around with this message at 13:43 on Jul 1, 2011 |
# ? Jul 1, 2011 13:41 |
|
Is there anything in the default installation of Ubuntu 11.04 server that might stop outgoing LDAP connections? I've got a simple PHP script that's just trying to make an LDAP connection to my university's server. It works fine on my Mac running MAMP, but the script fails on an Ubuntu server (same subnet, subject to identical firewall rules). ldap_connect() is successful, but ldap_bind() gives the error "Can't contact LDAP server" in ldap_error(). At the command line, ldapsearch returns: code:
|
# ? Jul 1, 2011 15:07 |
|
ldapsearch -x -d5 ${whatever} Post results. Check ldap.conf to make sure it's not pointing at something stupid (like localhost). Is IPv6 enabled?
|
# ? Jul 1, 2011 15:20 |
|
SynVisions posted:Why not just use key based authentication? 2. Pubkey auth doesn't always play nice with single sign-on (e.g., Kerberos) systems. Ideally I already have Kerberos tickets on the machine I'm using, so any ssh connections are password-less anyways (GSSAPI auth). However, if I'm on an old machine whose ssh doesn't have proper GSSAPI support, or if I'm working on machines in two realms, sometimes it's easier to just use password auth than it is to use kpagsh to set up a second credentials cache. 3. When working with a temporary machine, or a machine that gets replaced about as often as I log into it, or some other infrequently used riff-raff hardware, it's easier to set up a control socket with password auth for the few minutes I need to do work on it, than it is to set up an authorized_keys file I'm never going to use again. 4. Key exchange is really slow on old Sun hardware, like "30 seconds" slow. Although I haven't had to use them in some years, any (secure) mechanism to avoid unnecessary key exchange is a blessing on these guys. Most of the time I do use pubkey or GSSAPI, and I don't really care about the number of sockets I have outstanding. But there are some odd-ball scenarios where having the ability to multiplex sessions is nice for whatever reason.
|
# ? Jul 1, 2011 15:22 |
|
BnT posted:This little bit of iptables goodness has reduced the brute forcing attempts by quite a bit. It's funny, even though I don't accept password authentication people still try on a daily basis. Great, I'll probably use that. BTW: If you put a rule with your own IP address with ACCEPT above those rules, it will always accept traffic from your IP and you won't lock yourself out anymore. (iptables uses a top-down approach and if a rule matches, it stops checking.)
|
# ? Jul 1, 2011 15:36 |
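An added example, not BnT's actual rules, of the SSH rate limiting discussed above with the allow rule for your own address placed first as spankmeister suggests. ADMIN_IP, the port and the limits are assumed values; the function only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables rule set that rate
# limits new SSH connections per source address, with an ACCEPT for the
# administrator's own address first so that address can never be locked out.
# Nothing is applied; review the output, then run it as root.

# Usage: ssh_ratelimit_rules ADMIN_IP SSH_PORT MAX_NEW WINDOW_SECONDS
ssh_ratelimit_rules() {
    admin="$1"; port="$2"; max="$3"; window="$4"
    cat <<EOF
# 1. Your own address is always accepted. iptables stops at the first
#    matching rule, so this must come before the rate-limit rules.
iptables -A INPUT -p tcp --dport $port -s $admin -j ACCEPT
# 2. Record every new connection attempt to the SSH port under the list "SSH".
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set
# 3. Drop a source that has opened more than $max new connections in $window s.
#    --update refreshes the timestamp, so a bot that keeps hammering stays dropped.
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $window --hitcount $((max + 1)) -j DROP
# 4. Everyone else may connect; sshd's key-only policy still applies on top.
iptables -A INPUT -p tcp --dport $port -j ACCEPT
EOF
}

# Position (1-based) of the admin ACCEPT among the emitted rules; must be 1.
admin_rule_index() {
    ssh_ratelimit_rules "$@" | grep '^iptables' | grep -n -- "-s $1 " | cut -d: -f1
}

# Example: placeholder admin address, port 22, at most 3 new connections/minute.
ssh_ratelimit_rules 203.0.113.10 22 3 60
```

The `recent` list is in kernel memory only, so like the fail2ban bans mentioned earlier it does not survive a reboot; persist the rules themselves with your distribution's iptables-save mechanism.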
|
I've replaced hostnames/IP addresses. code:
ldap.conf is all commented out: code:
|
# ? Jul 1, 2011 15:44 |
|
You'll probably want to actually configure ldap.conf, but does this look like a problem to you? quote: Some text Is there a cert out there somewhere from your university that you can grab?
|
# ? Jul 1, 2011 16:06 |
|
This isn't adequate security by itself, but: I changed my SSH port to a non-default port and I haven't had a log entry from an SSH bot in more than a year. Lockout rules and pubkey authentication are still the right idea, but it impressed me that one little change foiled 'em.
|
# ? Jul 1, 2011 16:29 |
|
bort posted:This isn't adequate security by itself, but: I changed my SSH port to a non-default port and I haven't had a log entry from an SSH bot in more than a year. Lockout rules and pubkey authentication are still the right idea, but it impressed me that one little change foiled 'em. It's basically just a really neat way to keep your logs from being flooded.
|
# ? Jul 1, 2011 17:21 |
|
bort posted:This isn't adequate security by itself, but: I changed my SSH port to a non-default port and I haven't had a log entry from an SSH bot in more than a year. Lockout rules and pubkey authentication are still the right idea, but it impressed me that one little change foiled 'em. Yes, but my main use for it is surfing at work without anybody putting their nose into what I look at. (Not looking at anything shocking, I just like my privacy) Since I'm behind a corporate firewall that basically only lets through certain ports (20/21, 22, 80, 443 + some others) I am "stuck" using a well known port. I can switch to 443 or something but I'm sure the bots'll find me just as easily there.
|
# ? Jul 1, 2011 18:12 |
|
If you are using apache and really want to secure it, you can put on mod_security. You just have to get a decent starter ruleset and then allow exceptions for whatever particular web app you are running. It would prevent some vulnerabilities you otherwise may be exposed to till you are aware and update/patch that particular piece of code. The phpmyadmin thing was common. The scanners started showing up 6 months after they had already fixed it, but a lot of people still had older self installed copies of phpmyadmin sitting on their sites.
|
# ? Jul 1, 2011 20:04 |
|
Does anyone know of a program that will help me with this: I've got a VM, which runs on a SAN pair using iSCSI. I have been making the SAN more reliable and testing its failover and I'd like to get a good visual indication of the disc activity from the perspective of the VM. What program can I use which will let me test and visualise the disc activity whilst I'm failing the SAN over? Something that tries to write to disc every 0.5s and displays 1 symbol on success, or another on failure. Is that possible?
|
# ? Jul 2, 2011 18:00 |
|
Anjow posted:Does anyone know of a program that will help me with this: Uhm well there's iotop and you can use bonnie++ for load testing I guess.
|
# ? Jul 2, 2011 18:03 |
|
I'm currently experimenting with Ubuntu 11.04 in preparation for migrating from Mac OS X to Linux. I've got 11.04 installed on a Gigabyte P67A-UD4-B3 and it's working great except for one thing: the network connection appears to drop for 10-120 seconds every 10 minutes or so. I'll run constant pings of the router on this machine and on another machine on the same network, side by side, and the Ubuntu machine will drop out whilst the other machine is fine. I've tried googling the issue but I haven't found anything like this. Searching with respect to the motherboard or NIC chipset yields nothing. How should I go about troubleshooting this?
|
# ? Jul 3, 2011 01:18 |
|
xPanda posted:I've tried googling the issue but I haven't found anything like this. Searching with respect to the motherboard or NIC chipset yields nothing. How should I go about troubleshooting this? Nothing in the log files (/var/log/messages)? Nothing in "dmesg"? That is strange indeed. I'd try to swap cables if you don't have any logged messages, if that doesn't fix it maybe try to force the speed and duplex settings on the NIC with ethtool/mii-diag. I guess my next step would be making your own logs with ethtool to see if link is actually dropping or what. As root: code:
|
# ? Jul 3, 2011 01:58 |
|
Network manager is scanning and dropping the connection
|
# ? Jul 3, 2011 06:20 |
|
Bob Morales posted:Network manager is scanning and dropping the connection Probably yeah. I loving hate network manager. As above, only check /var/log/syslog for ubuntu (and debian I guess). Just to be sure, a simple ifconfig will tell you if there are problems with your cable or anything. code:
spankmeister fucked around with this message at 10:10 on Jul 3, 2011 |
# ? Jul 3, 2011 10:08 |
|
evol262 posted:You'll probably want to actually configure ldap.conf, but does this look like a problem to you? I connected with LDAP:// instead of LDAPS:// and it worked
|
# ? Jul 4, 2011 10:55 |
|
ryo posted:I connected with LDAP:// instead of LDAPS:// and it worked When you want bind with SSL you usually need to get the certificate from the server and install it in a specific way.
|
# ? Jul 4, 2011 12:44 |