evol262
Nov 30, 2010
#!/usr/bin/perl
This doesn't actually address any of your port 80 concerns, and whoever wrote it clearly doesn't realize that loopback traffic doesn't even touch iptables (which is common with shotgun-debugging types).

Did you even try the last rules we gave you?

Is denying all traffic to the internet necessary, or just port 80?

Which one says there's an error on line 1?


GreenBuckanneer
Sep 15, 2007

evol262 posted:

This doesn't actually address any of your port 80 concerns, and whoever wrote it clearly doesn't realize that loopback traffic doesn't even touch iptables (which is common with shotgun-debugging types).

Did you even try the last rules we gave you?

Is denying all traffic to the internet necessary, or just port 80?

Which one says there's an error on line 1?

Seems I need to deny traffic, all traffic to the internet to the linux box, however, I do need to allow pretty much everything between the linux computer and another computer in terms of ports. Port 80/22 would allow me putty access and connection to nginx (not apache like I thought), but part of the web access seemingly needs other ports open because the connection to the site on the linux box won't resolve properly, such as ports that AMQP uses. (however, if I open up the ports for that, amqp still complains that the target machine is actively blocking the connection, so that's kind of stumping me)

I did try the rules you suggested, though iptables complains about a "bad built-in chain name" when trying to assign DROP to HTTP_OUTBOUND

For the "error on line 1" is for the deny.ip file.

Here is the unmodified current iptables I'm currently working with:

code:
[app-admin@localhost ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain HTTP_OUTBOUND (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:amqp ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

edit:

Part of the problem was not converting the allow/deny files to unix EOL from windows :downs:. However, when running the apply one, it gives me an error on COMMIT... ugh

GreenBuckanneer fucked around with this message at 16:20 on Jul 15, 2015

evol262
Nov 30, 2010
#!/usr/bin/perl

GreenBuckanneer posted:

Seems I need to deny traffic, all traffic to the internet to the linux box, however, I do need to allow pretty much everything between the linux computer and another computer in terms of ports. Port 80/22 would allow me putty access and connection to nginx (not apache like I thought), but part of the web access seemingly needs other ports open because the connection to the site on the linux box won't resolve properly, such as ports that AMQP uses. (however, if I open up the ports for that, amqp still complains that the target machine is actively blocking the connection, so that's kind of stumping me)
It would help a lot if you update your requirements when you make a new post.

So you need to allow local subnets and block outbound access? Or just one IP?

GreenBuckanneer posted:

I did try the rules you suggested, though iptables complains about a "bad built-in chain name" when trying to assign DROP to HTTP_OUTBOUND
Because it's not a built-in chain. "iptables -N HTTP_OUTBOUND" adds it, and it was the very first command on the "if you can add rules" part.

GreenBuckanneer posted:

For the "error on line 1" is for the deny.ip file.
It doesn't even matter. The bits below are very obviously from a firewalld configuration on Fedora or EL7, and the crap you've grifted from the internet is from a Debian-alike (probably Ubuntu) that has ufw. ufw and firewalld both ultimately write iptables rules, but in very, very different ways. There are better ways to do this with firewalld, and firewalld will stomp whatever you do to iptables when it reboots anyway, because it's not ufw, and disabling ufw does nothing to firewalld.

Please list your actual requirements. All of them. With ports. It doesn't matter if it's nginx or apache. It matters if it's port 80 or not. And your distro, because that matters now.

Is there an admin at your shop who actually has a clue? Can you ask him to do it?
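Added example, not code from either poster: the "Bad built-in chain name" error is what `iptables -P` returns for any chain other than the built-ins (INPUT, FORWARD, OUTPUT in the filter table), because only built-in chains carry a policy; a user-defined chain such as HTTP_OUTBOUND has to end in an explicit `-j DROP` rule instead. The `iptables -L` listing makes the distinction visible: built-in chains print `(policy X)`, user chains print `(N references)`. This small parser reads that listing (the constructed sample below is a trimmed copy of the output posted above) and also flags user chains with zero references, which is the listing's other warning sign: a chain nothing jumps to is never consulted, so rules placed in it have no effect.

```python
import re

# Constructed sample: trimmed from the `iptables -L` output posted in the thread
# (firewalld's zone chains on Fedora/EL7 plus the empty HTTP_OUTBOUND chain).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
INPUT_ZONES  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain HTTP_OUTBOUND (0 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
"""

# Built-in chains print "(policy X)", user-defined chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


def parse_iptables_listing(text):
    """Parse `iptables -L` output into
    {chain: {"builtin": bool, "policy": str|None, "references": int|None, "rules": [target, ...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends the current chain
            current = None
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            chains[name] = {
                "builtin": policy is not None,
                "policy": policy,
                "references": int(refs) if refs is not None else None,
                "rules": [],
            }
            current = name
            continue
        if line.startswith("target ") or current is None:
            continue                      # column header or stray text
        chains[current]["rules"].append(line.split()[0])   # first column is the target
    return chains


def can_set_policy(chains, name):
    """`iptables -P <name> DROP` is only valid for built-in chains;
    a user chain needs a final `-j DROP` rule instead."""
    return name in chains and chains[name]["builtin"]


def unreferenced_user_chains(chains):
    """User-defined chains no rule jumps to: their contents never run."""
    return sorted(n for n, c in chains.items()
                  if not c["builtin"] and c["references"] == 0)


if __name__ == "__main__":
    parsed = parse_iptables_listing(SAMPLE_LISTING)
    for name, c in parsed.items():
        kind = f"built-in, policy {c['policy']}" if c["builtin"] else f"user chain, {c['references']} references"
        print(f"{name:15} {kind:30} rules: {c['rules']}")
    print("dead chains:", unreferenced_user_chains(parsed))
```

Run against a live box with `sudo iptables -L | python3 this_script.py`-style piping after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; on a firewalld host the many `*_direct`, `*_ZONES` and `IN_public_*` chains will all show as user chains, which is the hint that the tool managing them is firewalld and that anything added with bare `iptables` will be rebuilt on reload.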

program666
Aug 22, 2013

A giant carnivorous dinosaur
The google captcha never trusts my linux. On windows I rarely ever receive the pictures pop up but on my gentoo install it shows up 100% of the time. Is this happening to anyone else?

Truga
May 4, 2014
Lipstick Apathy
Because linux users are either scripts or hackers.

program666
Aug 22, 2013

A giant carnivorous dinosaur
I did use some program that made a huge amount of requests to google, that ended up blocking the access of the entirety of the big company I was working in as a 3rd party once a long time ago, so that holds true

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
Can I disable NX in Ubuntu 14.04+ without a kernel rebuild? I keep getting Wine errors on things that may JIT-generate code where it blows up with a page fault, and the instruction pointer equals the faulting address, and I want to see if turning NX off happens to make that problem go away.

spankmeister
Jun 15, 2008

I think you'd need to recompile wine, not the kernel.

Maybe you could disable in your bios?

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

spankmeister posted:

I think you'd need to recompile wine, not the kernel.

Maybe you could disable in your bios?
According to the docs, Ubuntu ignores the BIOS setting entirely since way back in 11.04.

e: and I think you're right, seeing as I didn't find any kernel options to disable re: NX protection; I assumed it was something that the ELF binary loader checked for in /proc or something. I'm gonna try rebuilding wine-staging with -fno-stack-protector -z execstack -O0 and see if any of my problems get any better

e2: My issues aren't totally gone, but this user experience has gone from "loving awful" to "totally acceptable" with the rebuilt wine-staging. Yay!

Vulture Culture fucked around with this message at 00:10 on Jul 18, 2015

Heran Bago
Aug 18, 2006

In Mate or anything else really is there a way to make the panel not show the names of open things? I'd like the active windows part of a panel to look and behave somewhat like in Windows 8. Google is telling me this is probably not going to happen.

Death Vomit Wizard
May 8, 2006
Bottom Feeder

Death Vomit Wizard posted:

I am trying to hold back package foo from updating in Fedora 22. The literature says to add
code:
exclude=foo*
to dnf.conf and yum.conf. I tried this, but it seems to have no effect? That is, it still tries to upgrade foo when I run
code:
dnf update
Am I doing something wrong?

Well, just in case anyone was on the edge of their seat, I have this working now via the -x command line option.
code:
dnf -x foo* update
seems to accomplish what I was trying to do. Yay for reading the man page!

midnightclimax
Dec 3, 2011

by XyloJW

Heran Bago posted:

In Mate or anything else really is there a way to make the panel not show the names of open things? I'd like the active windows part of a panel to look and behave somewhat like in Windows 8. Google is telling me this is probably not going to happen.

Not using Mate, but I have the same complaint about Cinnamon. If you don't care about either of those, XFCE is able to do just that.

GreenBuckanneer
Sep 15, 2007

evol262 posted:

Is there an admin at your shop who actually has a clue? Can you ask him to do it?

It's actually fine now, we found another way to solve what we were trying to do.

It's not really something at a shop, it's testing a hw/software product before release for a bug we found in the wild. It was more of something we were trying to do to induce the bug (partially because the bug report didn't contain logs, or anything helpful...) and that was the best idea I had at the time given the resources.

Thank you for the help tho overall.

Heran Bago
Aug 18, 2006

midnightclimax posted:

Not using Mate, but I have the same complaint about Cinnamon. If you don't care about either of those, XFCE is able to do just that.

I read something about that, but after using xfce for a few minutes I just couldn't stand the default look of anything and couldn't find the themes. Thanks for the recommendation, maybe I'll try it again soon.

long-ass nips Diane
Dec 13, 2010

Breathe.

I'm looking at trying to get an infosec job when I get out of college, and literally everyone mentions learning Linux as a thing that's really important for me to do. I've already noticed a lot of tutorials and exercises assuming some Linux knowledge as well.

I'm starting from absolutely zero knowledge, so will putting Gnome/Fedora on a virtual machine be enough to play with and learn the basics or should I just set up a dual boot with that or some other distribution?

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Swagger Dagger posted:

I'm looking at trying to get an infosec job when I get out of college, and literally everyone mentions learning Linux as a thing that's really important for me to do. I've already noticed a lot of tutorials and exercises assuming some Linux knowledge as well.

I'm starting from absolutely zero knowledge, so will putting Gnome/Fedora on a virtual machine be enough to play with and learn the basics or should I just set up a dual boot with that or some other distribution?

There's not all that much that a native installation can do that a VM can't. But if you want to learn the OS, you may want to consider a "total immersion" strategy where you start using Linux as your daily driver, and only switch back if you desperately need to.

Also note that most Linux distros these days go to great lengths to make things easy for you, so that you don't need to learn all the esoteric things that you'll want to be learning (i.e. command line stuff). Being able to browse the web in Iceweasel or play some music in Banshee isn't the kind of Linux knowledge they're talking about for security stuff.

fatherdog
Feb 16, 2005
I currently have 17 years of experience administering Solaris, AIX and RHEL/OEL systems, including scripting, patching, Jumpstart/Kickstart, and working with Tripwire and both Juniper and McAfee/Stonesoft firewalls. I'm not dissatisfied with my current job but we've had multiple reorgs lately and it occurred to me that having my resume polished up wouldn't be a bad idea. Aside from the actual references, are there any useful certifications that would be worthwhile for me to get if I were to shop myself around? I'm a bit out of touch with what employers are looking for these days.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


fatherdog posted:

I currently have 17 years of experience administering Solaris, AIX and RHEL/OEL systems, including scripting, patching, Jumpstart/Kickstart, and working with Tripwire and both Juniper and McAfee/Stonesoft firewalls. I'm not dissatisfied with my current job but we've had multiple reorgs lately and it occurred to me that having my resume polished up wouldn't be a bad idea. Aside from the actual references, are there any useful certifications that would be worthwhile for me to get if I were to shop myself around? I'm a bit out of touch with what employers are looking for these days.

Have you ever got the Oracle, HP or Red Hat Certs? If anything, your experience should get you hired without a certification or even degree.

EDIT: I feel like in every Linux Sysadmin or even "DevOps Engineer" I see KickStart/Jumpstart explicitly mentioned.

Gucci Loafers fucked around with this message at 05:14 on Jul 21, 2015

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug

fatherdog posted:

I currently have 17 years of experience administering Solaris, AIX and RHEL/OEL systems, including scripting, patching, Jumpstart/Kickstart, and working with Tripwire and both Juniper and McAfee/Stonesoft firewalls. I'm not dissatisfied with my current job but we've had multiple reorgs lately and it occurred to me that having my resume polished up wouldn't be a bad idea. Aside from the actual references, are there any useful certifications that would be worthwhile for me to get if I were to shop myself around? I'm a bit out of touch with what employers are looking for these days.
I don't think certs are going to add much weight to your already strong experience. Instead, I'd dive into a book or two so you can learn and be able to talk intelligently about new trends and catch up on what you may have missed. You're going to need some virtualization.

There are still a lot of AIX / Solaris jobs out there but they're in stasis. It's the safe option; you'll slide right in because it hasn't changed in a decade. It's all "maintenance mode" of legacy software so there's no innovation happening there and the next time you hop jobs you risk being further behind the curve than you are now.

Automation is hot hot hot and DevOps is your new master. The holy grail is push-button deploy, automated test chains and agile development. To support and enable all that, there is a ton of software that wraps or replaces kickstart, so your experience is valuable. IT is moving into virtualization in one form or another (minus DBs) and so many jobs are concerned with installing and managing the host OSes and then getting them into an available pool in a repeatable way so you can then deploy your app on top of that quickly with a minimum of fuss.

Sadly, unless you pick a favorite software there are no general certs, just books and on-the-job experience with the new hotness.

evol262
Nov 30, 2010
#!/usr/bin/perl

fatherdog posted:

I currently have 17 years of experience administering Solaris, AIX and RHEL/OEL systems, including scripting, patching, Jumpstart/Kickstart, and working with Tripwire and both Juniper and McAfee/Stonesoft firewalls. I'm not dissatisfied with my current job but we've had multiple reorgs lately and it occurred to me that having my resume polished up wouldn't be a bad idea. Aside from the actual references, are there any useful certifications that would be worthwhile for me to get if I were to shop myself around? I'm a bit out of touch with what employers are looking for these days.

Chiming in and saying the same thing as everyone else.

I got my first cert last week, and only because it was free for me to take it, a mile from my house, and I wanted to see how the RHCSA review book I'm reviewing here compared to the actual test. With 17 years of experience, nobody should give a poo poo about certs.

The last Solaris admin I know just slid into a devops Linux role. Company didn't care that he had no real Linux experience and figured he'd pick it up quickly. They were right. I'd probably avoid jobs that focus on traditional UNIX if it were me, but meh

fatherdog
Feb 16, 2005

evol262 posted:

Chiming in and saying the same thing as everyone else.

I got my first cert last week, and only because it was free for me to take it, a mile from my house, and I wanted to see how the RHCSA review book I'm reviewing here compared to the actual test. With 17 years of experience, nobody should give a poo poo about certs.

The last Solaris admin I know just slid into a devops Linux role. Company didn't care that he had no real Linux experience and figured he'd pick it up quickly. They were right. I'd probably avoid jobs that focus on traditional UNIX if it were me, but meh

I spend most of my time on the firewalls and Tripwire these days, and since Solaris means dealing with Oracle now I'd just as soon avoid it anyway.

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb
code:
[vagrant@vagrant ~]$ cat /etc/sysconfig/i18n 
LANG=en_US.utf8
SYSFONT="latarcyrheb-sun16"
LC_ALL=en_US.utf8
[vagrant@vagrant ~]$ echo $LANG
en_US.UTF-8
[vagrant@vagrant ~]$ echo $LC_ALL
How come LC_ALL is empty?

edit...actually, am I using the wrong value?

code:
[vagrant@vagrant ~]$ locale -a | grep en_US
en_US
en_US.iso88591
en_US.iso885915
en_US.utf8
[vagrant@vagrant ~]$ echo $LANG
en_US.UTF-8

fletcher fucked around with this message at 21:31 on Jul 21, 2015

EpicCareMadBitch
Dec 20, 2008

Powered Descent posted:

There's not all that much that a native installation can do that a VM can't. But if you want to learn the OS, you may want to consider a "total immersion" strategy where you start using Linux as your daily driver, and only switch back if you desperately need to.

Also note that most Linux distros these days go to great lengths to make things easy for you, so that you don't need to learn all the esoteric things that you'll want to be learning (i.e. command line stuff). Being able to browse the web in Iceweasel or play some music in Banshee isn't the kind of Linux knowledge they're talking about for security stuff.

So would you suggest something like Arch or Gentoo to learn the hard way?

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

oaok posted:

So would you suggest something like Arch or Gentoo to learn the hard way?

Not necessarily. If you're starting from zero, like Swagger Dagger said he is, you're going to want the very basics. Off the top of my head, start with copying, renaming, finding, and editing files. Play with command pipelining -- start with piping cat into more, and from there, learn what grep and sed are for. Write a simple shell script, and learn how to do things like a "while true" loop as a one-liner. Install software, both the package manager and with ./configure; make; make install. Connect between boxes via ssh. Make a cron job. Install apache and serve up a hello world page. Start playing with netstat and iptables and whatnot.

Until you've got these basics, doing a from-scratch gentoo build won't mean much to you -- you'll really just be blindly typing the commands from a tutorial without really understanding much. Any distro will work, so you may as well use something like Ubuntu or Mint that also provides a nice usable desktop. Alternately, get a raspberry pi and learn all this stuff on your way to making it into a cool project -- a time-lapse photo machine is always a good one.

evol262
Nov 30, 2010
#!/usr/bin/perl

oaok posted:

So would you suggest something like Arch or Gentoo to learn the hard way?

I mean, we don't need to go over this again, really, but doing real stuff teaches you something. Gentoo and Arch have you blindly googling and typing things you don't understand in to shotgun debug, and even if something works, you'll have no idea why it does.

Make your system do something meaningful.

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy
I'm wary to give advice since I'm a newbie too, but here's what helped me:

Almost everything you'll touch in Linux is a text file, so you're going to have to get good at finding them and editing them before you do anything productive. You'll also need to know file permissions. Once you're there, some good early projects are:

-Remove root login from SSH (bonus: change the default port from 22 to something above 1000)
-Install Samba file server and configure a file share from a folder in your home directory. Connect to it with Windows (samba uses SMB, a filesharing protocol supported on Windows)
-Install Apache, find the webpage that it's serving, and edit it. Connect from another device on your network
-Create a simple python script like "Hello World" and execute it
-Install a program, from your package manager, that isn't in your distribution's official software repository. Plex Media Server is a good one.

Youtube is good for all of the above. Even if you're blindly following along at first, you'll start to recognize a lot of familiar locations where things tend to be and the tools that you use to change them. In a perfect world, Linux uses a universal file hierarchy, so you always know where to look for certain programs or configuration files. Not always the case but it's usually accurate.

The key for me, which is being echoed in this thread, was to learn by doing. Think of an actual service that you want to run on your network then make it happen - there's media servers, file servers, torrent clients, network services like DNS and DHCP, etc.
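Added example, not code from the poster: the first item on the project list above, disabling root login over SSH, is a good place to learn how sshd_config is actually read, because the file has a rule that trips people up: sshd uses the first occurrence of a keyword and silently ignores later duplicates, so appending `PermitRootLogin no` to the bottom of a file that already says `PermitRootLogin yes` changes nothing. The constructed configs and audit function below (my own, not from any distro) parse the global section the way sshd does and report the two settings the list mentions. Moving the port off 22 mostly cuts down scanner noise in the auth log; it is not a substitute for turning root login off.

```python
# Constructed sshd_config excerpts for illustration (not taken from a real host).
DISTRO_DEFAULT_LIKE = """\
# Typical shipped file: both settings left commented out, so compiled-in defaults apply
#PermitRootLogin yes
#Port 22
UsePAM yes
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""

# The trap: a later duplicate does NOT override the earlier value.
DUPLICATED = """\
PermitRootLogin no
# someone appended this later, thinking it would take effect:
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return (settings, ports) for the global section of an sshd_config.

    - Only lines starting with '#' are comments (sshd has no trailing comments).
    - Keywords are case-insensitive; the FIRST occurrence wins, as in sshd.
    - Port may legitimately appear several times (sshd listens on all of them).
    - Parsing stops at the first Match block: its settings are conditional and
      need host/user context to evaluate.
    """
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "port":
            ports.append(value)
            continue
        settings.setdefault(key, value)      # first occurrence wins
    return settings, ports


def audit_sshd_config(text):
    """Findings for the two items on the project list; an empty list means both are in order."""
    settings, ports = parse_sshd_config(text)
    findings = []
    root = settings.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: the compiled-in default applies and "
                        "differs between OpenSSH versions; set it to 'no' explicitly")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin {root}: root can still authenticate directly; set it to 'no'")
    if not ports or "22" in ports:            # no Port line means the default, 22
        findings.append("listening on port 22: expect constant scanner noise in the auth log")
    return findings


if __name__ == "__main__":
    for label, cfg in [("shipped", DISTRO_DEFAULT_LIKE), ("hardened", HARDENED), ("duplicated", DUPLICATED)]:
        print(label, "->", audit_sshd_config(cfg) or "no findings")
```

To run it against a real file, replace the constructed strings with `open("/etc/ssh/sshd_config").read()`; the authoritative check after any edit is still `sshd -T`, which prints the effective values as the daemon resolves them.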

Hollow Talk
Feb 2, 2014

Roargasm posted:

The key for me, which is being echoed in this thread, was to learn by doing. Think of an actual service that you want to run on your network then make it happen - there's media servers, file servers, torrent clients, network services like DNS and DHCP, etc.

This is probably the best advice. Have a project. Make up a project. Think about things that would be neat, then see if you can implement them and get them to work. One of my more recent examples is that I wanted to parse an API each day at the same time, once a day (-> cron), for which I need to download its data (-> curl), parse it (-> json, sed), sort it (-> sort, uniq), output it (-> redirection, sed), gluing it all together (-> pipes) and putting all of it in a repeatable form that works both via cron and interactively (bash). The basic project required a whole bunch of useful knowledge, and I learned something more about BASH arrays in the process. On top of that, it now even pushes the data automatically to a git repository, so there are a bit of git, a watcher programme (via inotifywait) and a systemd service file involved as well. Many of these things are probably much more useful than installing Arch and wondering why your WLAN or backlight or whatnot is not working.

nonathlon
Jul 9, 2004
And yet, somehow, now it's my fault ...
Posted something about this a few months ago, but no progress has been made so I figure it's time for some inspiration.

I'm _not_ an IT guy but a bioinformatician building / running the infrastructure for a major genomics project. So I have to be an IT guy, above and beyond my skills. (Local sysadmin resources - me.) We've based the infrastructure in AWS, which has been a big win. Deploy an app with ElasticBeanstalk and get scaling and easy config? Awesome.

However, with various different systems and web services, it would be nice to have a single identity and login system across them all. Of course, not all the software can use the same auth systems (LDAP, Shibboleth, OpenID, etc.). But the intricacies of auth systems have me running around in circles, tangling with Amazon Directory Services, getting horribly confused over LDAP. It's frankly beyond my skills, I can't get anything to just work, and I'm looking for an easy way out. Any advice? This has consumed a huge amount of my time that I frankly don't have.

JHVH-1
Jun 28, 2002

outlier posted:

Posted something about this a few months ago, but no progress has been made so I figure it's time for some inspiration.

I'm _not_ an IT guy but a bioinformatician building / running the infrastructure for a major genomics project. So I have to be an IT guy, above and beyond my skills. (Local sysadmin resources - me.) We've based the infrastructure in AWS, which has been a big win. Deploy an app with ElasticBeanstalk and get scaling and easy config? Awesome.

However, with various different systems and web services, it would be nice to have a single identity and login system across them all. Of course, not all the software can use the same auth systems (LDAP, Shibboleth, OpenID, etc.). But the intricacies of auth systems have me running around in circles, tangling with Amazon Directory Services, getting horribly confused over LDAP. It's frankly beyond my skills, I can't get anything to just work, and I'm looking for an easy way out. Any advice? This has consumed a huge amount of my time that I frankly don't have.

It might be easier to go with something like hosted AD via Azure, or something from https://www.pingidentity.com

Amazon Directory is a great idea, but I don't think it's mature enough yet. I've been hoping there would be something simple for my own company because we don't have anything set up other than the ADFS server I installed for our devs to test our own app with. It wasn't that bad because amazon has a cloud formation template available that sets up the AD server for you, and then you could configure that to talk to Amazon Directory. They also have http://login.amazon.com for developers to use for an SSO system, so I am hoping they make something that is just a one click easy setup because I don't want to have to deal with it beyond adding a user every now and then.

KoRMaK
Jul 31, 2012

I have two apps that need to connect to a MySQL server via two different methods: one uses a socket and another uses tcp.

I've been using the following socat command to bring the tcp connection to a socket. It works ok, but it fires up a bajillion socat processes and I can hear my fan freaking out.

code:
socat TCP:127.0.0.1:3306,reuseaddr,fork UNIX-LISTEN:/tmp/mysql.sock
I think the issue is that I'm using fork, but if I don't use fork it only responds to one request then dies. How can I improve this socat command so that it stops spinning up so many other socat processes? Is there a way to keep the socat open to other connections without forking?

Marinmo
Jan 23, 2005

Prisoner #95H522 Augustus Hill
Using fedora 22, mounting NFS filesystems at boot makes it very slow (systemd-analyze blame shows Netmanager taking a good 8ish seconds). Enter autofs.

The client is 192.168.1.2, the server 192.168.1.10. Excerpt from client's fstab (actually 4 mountpoints, following the same structure with different directories on the server):

code:
192.168.1.10:/download	/server/download		nfs	defaults 0 0
This works perfectly, as expected. However, sudo showmount -e 192.168.1.10 returns:

code:
clnt_create: RPC: Port mapper failure - Authentication error
rpcbind is started on both hosts. The output from the client of nmap 192.168.1.10 is as follows:

code:
Host is up (0.00056s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
RE: Configuring autofs:
code:
/misc	/etc/auto.misc

/net	-hosts --timeout=60
Neither of those, with the following in /etc/auto.misc:

code:
download	-rw,soft,intr		192.168.1.10:/download
Will automatically mount the export(s) on 192.168.1.10.

Anyone?

evol262
Nov 30, 2010
#!/usr/bin/perl

Marinmo posted:

Using fedora 22, mounting NFS filesystems at boot makes it very slow (systemd-analyze blame shows Netmanager taking a good 8ish seconds). Enter autofs.
NetworkManager isn't involved in NFS mounting. Are you sure this isn't a red herring?

Marinmo posted:

code:
192.168.1.10:/download	/server/download		nfs	defaults 0 0
_netdev ?

Marinmo posted:

code:
clnt_create: RPC: Port mapper failure - Authentication error
dmesg? Is this a gss failure because rpc-gssd isn't running but it's trying (and failing) krb5? Is rquotad running? Is the firewall blocking it? v3 or v4?

Marinmo posted:

RE: Configuring autofs:
code:
/misc	/etc/auto.misc

/net	-hosts --timeout=60
Neither of those, with the following in /etc/auto.misc:

code:
download	-rw,soft,intr		192.168.1.10:/download
Will automatically mount the export(s) on 192.168.1.10.
Is /misc/download created? If not, autofs may be failing to parse your entry for some reason.
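
A check that goes with evol262's firewall and "v3 or v4" questions, added here as an example and not something either poster wrote. `showmount -e` asks the portmapper (rpcbind, 111) where mountd lives and then talks to mountd, whose port is assigned at boot under v3 unless pinned; an NFSv4 mount needs only tcp/2049 and never touches rpcbind or mountd. That is why a mount can work while showmount fails, and it is the first thing to separate before chasing gss or rquotad. The rpcinfo output below is constructed, not captured from Marinmo's server; the server address is the one in the post.

```shell
#!/bin/sh
# Added example: derive the ports an NFS client must reach from `rpcinfo -p`
# output, and tell NFSv3 (portmapper + dynamic mountd/nlockmgr ports) from
# NFSv4 (tcp/2049 only).  The sample below is constructed, not captured.
set -eu
export LC_ALL=C

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  36542  nlockmgr
    100021    4   tcp  43521  nlockmgr
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad'

# stdin: rpcinfo -p output.  stdout: "proto/port service", one line per endpoint.
rpc_endpoints() {
  awk 'NR > 1 && NF == 5 { print $3 "/" $4, $5 }' | sort -u
}

# Everything a v3 client (and showmount) may need through the firewall: 111 for
# the portmapper, 2049 for nfs, and whatever mountd, nlockmgr and rquotad
# registered this boot.  Those ports move between boots unless pinned
# (/etc/sysconfig/nfs on Fedora), which is why v3 firewalling breaks quietly.
nfsv3_ports() {
  rpc_endpoints | awk '$2 ~ /^(portmapper|nfs|mountd|nlockmgr|rquotad)$/ { print $1 }' | sort -u
}

# Exactly what `showmount -e` needs: the portmapper and mountd.  If the mount
# itself works but showmount fails, this is the set to test.
showmount_ports() {
  rpc_endpoints | awk '$2 == "portmapper" || $2 == "mountd" { print $1 }' | sort -u
}

# 0 if the server registers NFS version 4, which a client can mount with
# -o vers=4 over tcp/2049 alone, bypassing rpcbind and mountd entirely.
serves_nfsv4() {
  awk '$1 == 100003 && $2 == 4 && $3 == "tcp" && $4 == 2049 { found = 1 } END { exit !found }'
}

# Wrappers over the constructed sample, for a stand-alone run.
sample_nfsv3_ports()     { printf '%s\n' "$SAMPLE_RPCINFO" | nfsv3_ports | tr '\n' ' '; }
sample_showmount_ports() { printf '%s\n' "$SAMPLE_RPCINFO" | showmount_ports | tr '\n' ' '; }
sample_serves_nfsv4()    { printf '%s\n' "$SAMPLE_RPCINFO" | serves_nfsv4; }

# Live use: ./nfsports.sh 192.168.1.10
if [ -n "${1:-}" ]; then
  out="$(rpcinfo -p "$1")"
  echo "v3 clients need: $(printf '%s\n' "$out" | nfsv3_ports | tr '\n' ' ')"
  echo "showmount needs: $(printf '%s\n' "$out" | showmount_ports | tr '\n' ' ')"
  if printf '%s\n' "$out" | serves_nfsv4; then
    echo "v4 offered: mount -o vers=4 needs only tcp/2049"
  fi
fi
```

If `rpcinfo -p` against the server fails the same way showmount does, rpcbind itself is refusing the client rather than mountd being unreachable; on Fedora rpcbind honours /etc/hosts.allow and /etc/hosts.deny, which is a frequent source of that exact "Port mapper failure - Authentication error" and is not caught by looking at the firewall alone.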

RFC2324
Jun 7, 2012

http 418

If I were to set up an LDAP server for my windows boxes to auth against, how difficult is it to set up, and does windows cache these credentials the same way they do with AD logins?

Not looking for a lot of detail, just figured I would ask about the challenge level and if it would really be feasible before starting to dig in (and commit my network against a server that is usually powered down)

hifi
Jul 25, 2012

From the recently released RHEL 6.7 notes, can someone explain what the following entails? It's a little hard to google and the sudo documentation doesn't really explain anything except compilation instructions.

quote:

The sudo command is now built with zlib support which enables sudo to generate and process compressed I/O logs.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

hifi posted:

From the recently released RHEL 6.7 notes, can someone explain what the following entails? It's a little hard to google and the sudo documentation doesn't really explain anything except compilation instructions.
sudo has a feature that allows it to log, in addition to the commands executed through sudo, the full input and output provided to/from those commands. zlib compression does what it sounds like.
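
How the I/O logging Vulture Culture describes is switched on, as an added example (editor's, not from the thread or the RHEL notes). `compress_io` is the sudoers flag that the zlib build makes effective; `log_output` records what the command printed, `log_input` additionally records every keystroke, including passwords typed into a program run under sudo (ssh, mysql, su), so those logs deserve the same handling as a credential store. The drop-in path and the log directory are assumptions.

```shell
#!/bin/sh
# Added example: a sudoers drop-in that records command output (optionally
# input too) as compressed I/O logs, plus the checks worth running before
# installing it.  /etc/sudoers.d/iolog and /var/log/sudo-io are assumptions.
set -eu

# $1 = iolog directory, $2 = "yes" to record input as well as output.
# compress_io is only effective with a zlib-enabled sudo (the RHEL 6.7 change).
iolog_dropin() {
  printf 'Defaults log_output\n'
  if [ "$2" = yes ]; then printf 'Defaults log_input\n'; fi
  printf 'Defaults compress_io\n'
  printf 'Defaults iolog_dir=%s\n' "$1"
  # one tree per user and day; %{seq} is the per-log sequence number sudo assigns
  printf 'Defaults iolog_file=%%{user}/%%Y%%m%%d/%%{seq}\n'
}

# A drop-in should contain nothing but Defaults lines, comments and blanks.
# The real parser check is `visudo -c -f FILE`, run as root in demo below.
dropin_syntax_ok() {
  ! grep -Ev '^[[:space:]]*(#.*)?$|^Defaults[[:space:]]' "$1" >/dev/null
}

# The log directory must not be readable by group or others: a session log
# holds everything the user saw and, with log_input, everything they typed.
# Expects the owner to be root as well; only the mode is checked here.
iolog_dir_is_private() {
  [ -d "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

demo() {
  f="$(mktemp)"
  iolog_dropin /var/log/sudo-io no > "$f"
  cat "$f"
  dropin_syntax_ok "$f" && echo "syntax: only Defaults lines"
  # full parser check; run as root, since visudo looks at owner and mode too
  if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
    chmod 0440 "$f" && visudo -c -f "$f"
  fi
  rm -f "$f"
  if iolog_dir_is_private /var/log/sudo-io; then
    echo "/var/log/sudo-io is private"
  else
    echo "/var/log/sudo-io missing or too permissive"
  fi
  echo "install with: install -m 0440 FILE /etc/sudoers.d/iolog"
  echo "replay with:  sudoreplay -l ; sudoreplay <id>"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`sudoreplay -l` lists recorded sessions and `sudoreplay <id>` plays one back at its original pace; both need read access to iolog_dir, which is the reason the directory check is part of the example rather than an afterthought.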

evol262
Nov 30, 2010
#!/usr/bin/perl

RFC2324 posted:

If I were to set up an LDAP server for my windows boxes to auth against, how difficult is it to set up, and does windows cache these credentials the same way they do with AD logins?

Not looking for alot of detail, just figured I would ask about the challenge level and if it would really be feasible before starting to dig in(and commit my network against a server that is usually powered down)

AD is kerberos+LDAP+DNS+ntp+dhcp. Not all components are required, but kerberos requires time sync and working DNS/rdns, so tying dhcp and DNS in is just easier.

I'd auth against LDAP+krb5, but I'd also just use IPA or another solution which handles it for you, because it's honestly a mess. Use smb4 if you insist, because Microsoft worked with them and it's a fully compliant AD controller.

Do not auth against LDAP without kerberos. LDAP for user info (homedirs, uids, etc), kerberos for auth
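
evol262's split (LDAP for identity, Kerberos for authentication) shown on a Linux client, as an added example that nobody in the thread wrote: with sssd's `auth_provider = ldap` the client authenticates by a simple bind, which means handing the user's password to the directory, and over plain `ldap://` without `ldap_id_use_start_tls = true` that password crosses the wire in clear. The audit below flags both, run against a constructed weak sssd.conf and the corrected one beside it. Host names and the realm are assumptions; Windows clients, as he says, need a real AD controller such as Samba 4 rather than any of this.

```shell
#!/bin/sh
# Added example: audit an sssd.conf for LDAP-only authentication and cleartext
# binds, with a constructed weak configuration beside the hardened one.
# example.com, its hosts and EXAMPLE.COM are assumptions.
set -eu

# Constructed: identity and authentication both over LDAP, no TLS.
WEAK_SSSD='[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com'

# Constructed: LDAP only for user info (over ldaps), Kerberos for auth.
HARDENED_SSSD='[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com'

# stdin: an sssd.conf.  stdout: one finding per line for each [domain/...]
# section; empty output means nothing to report.
audit_sssd_conf() {
  awk -F'[ \t]*=[ \t]*' '
    function flush() {
      if (sec ~ /^domain\//) {
        if (auth == "ldap")
          print sec ": auth_provider=ldap does a simple bind with the user password; use auth_provider=krb5"
        if (auth == "ldap" && uri ~ /^ldap:\/\// && tls != "true")
          print sec ": ldap:// without ldap_id_use_start_tls=true sends the bind password in clear"
        if (auth == "krb5" && realm == "")
          print sec ": auth_provider=krb5 but krb5_realm is not set"
      }
      auth = ""; uri = ""; tls = ""; realm = ""
    }
    /^[ \t]*\[/  { flush(); sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*$/    { next }
    { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2) }
    $1 == "auth_provider"         { auth = $2 }
    $1 == "ldap_uri"              { uri = $2 }
    $1 == "ldap_id_use_start_tls" { tls = tolower($2) }
    $1 == "krb5_realm"            { realm = $2 }
    END { flush() }
  '
}

weak_findings()     { printf '%s\n' "$WEAK_SSSD" | audit_sssd_conf; }
hardened_findings() { printf '%s\n' "$HARDENED_SSSD" | audit_sssd_conf; }

# Live use: ./sssd-audit.sh /etc/sssd/sssd.conf
if [ -n "${1:-}" ]; then
  audit_sssd_conf < "$1"
else
  echo "weak:";     weak_findings
  echo "hardened:"; hardened_findings
fi
```

The hardened form still needs what evol262 lists: the client's clock within the KDC's skew tolerance and forward and reverse DNS for both client and KDC, or the krb5 half fails while LDAP lookups keep working and the failure looks like a password problem.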

nonathlon
Jul 9, 2004
And yet, somehow, now it's my fault ...

JHVH-1 posted:

It might be easier to go with something like hosted AD via Azure, or something from https://www.pingidentity.com

Amazon Directory is a great idea, but I don't think it's mature enough yet. I've been hoping there would be something simple for my own company because we don't have anything set up other than the ADFS server I installed for our devs to test our own app with. It wasn't that bad because amazon has a cloud formation template available that sets up the AD server for you, and then you could configure that to talk to Amazon Directory. They also have http://login.amazon.com for developers to use for an SSO system, so I am hoping they make something that is just a one click easy setup because I don't want to have to deal with it beyond adding a user every now and then.

Almost immediately after posting, I thought of that (authentication via SAAS). I reckon I could get my bosses to pay for it, if I found the right solution.

You're right that AD doesn't quite seem mature and it does seem like there is a space for a SSO service in Amazon's offerings. Hell, they've got a lot more weird and strange stuff there, why not offer a proper directory.

Anyone have suggestions about an SSO / auth SAAS?

evol262
Nov 30, 2010
#!/usr/bin/perl
Well, the big question is: which auth providers do you need? Ex: Do you need openid, or did you use it as an example? It's easier to answer with specifics

spankmeister
Jun 15, 2008
Doesn't Azure do hosted AD?

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


spankmeister posted:

Doesn't Azure do hosted AD?

Azure AD is a Directory Service but doesn't necessarily do everything you'd expect a standard directory to perform - can't add devices, no GPOs, no Kerberos.
