10[00:05:14] <jim> I'm trying to get v4l2loopback to load
at boot... I installed a later github version, and did make install
to place it in /lib/modules/some5.6uname-r
11[00:05:45] <jim> what mechanism do packaged versions use to
load it at boot?
88[01:09:34] <chandoo> for some reason docker is not honoring
the /etc/docker/daemon.json changes
89[01:09:38] <chandoo> for data-root
90[01:09:50] <chandoo> any help is appreciated
91[01:11:20] <sney> did you confirm that the docker service was
stopped and that your config changes hadn't been overwritten,
before starting the service again?
109[01:29:02] <sney> that howto is from 2 years ago so it might
be outdated. ask in #docker
110[01:29:19] <chandoo> yes it is
111[01:29:36] <chandoo> i am moving from local filesystem to zfs
dataset
112[01:29:46] <chandoo> but it was mounted as regular file
113[01:29:50] <chandoo> but it was mounted as regular filesystem
114[01:29:55] <chandoo> sney, okay thanks
115[01:30:24] <sney> afaik docker can't tell the difference
between the filesystems its dirs are on, as long as they support
normal permissions, etc.
116[01:30:46] <sney> but if you're working with zfs then
you could set the dataset mount point to /var/lib/docker and let the
daemon keep its defaults.
118[01:31:23] <chandoo> i tried a symlink but i am facing an issue
119[01:31:37] <chandoo> after symlink if i do /var/lib/docker/
it works
120[01:31:40] <sney> not symlink, set the actual mount point
121[01:31:50] <chandoo> without the trailing / it is not
122[01:32:04] <chandoo> sney, it was already mounted
123[01:32:17] <chandoo> you mean create as mount in fstab
124[01:32:44] <chandoo> default are working fine
125[01:33:12] <chandoo> the moment i specify data-root to another
folder it fails opening the volume
126[01:33:29] <sney> no, like 'zfs set
mountpoint=/var/lib/docker tank/datasetgoeshere', a normal zfs
thing.
127[01:33:40] <sney> then when you zfs mount -a (or reboot) it
just comes up in that spot
128[01:34:24] <sney> this is pretty standard zfs usage so
it's weird that you wouldn't know about it if you're
using zfs. but I guess all manuals have been replaced with
stackexchange.
129[01:35:34] <chandoo> sney, i know,
130[01:35:40] <chandoo> let me explain
131[01:35:49] <chandoo> i am running this in a vm
132[01:36:12] <chandoo> zfs is created outside of the vm and
attached to the vm
133[01:36:21] <sney> delegate dataset?
134[01:36:24] <chandoo> so no zfs datasets available in the vm
135[01:37:21] <chandoo> yes it is getting delegated to the vm, and
the vm sees it just as a mounted filesystem
137[01:37:57] <sney> no, delegate datasets is a zfs thing where
the guest can see it too. I guess you're on a different kind of
hypervisor. better ask the original question in #docker then
138[01:38:17] <chandoo> i am using proxmox
139[01:38:22] <chandoo> okay
140[01:40:00] *** Quits: tagomago (~tagomago@replaced-ip) (Remote host closed the connection)
141[01:42:03] *** Quits: buffal0 (~buffal0@replaced-ip) (Quit: Computer has gone to sleep. ZZZzzz…)
319[05:21:41] <efloid> so the DisplayPort sound issue may be
related to DisplayPort version issue between monitor and computer.
am going to check BIOS settings later - there's sometimes a
DisplayPort version option that can be set
320[05:22:33] <efloid> also, what i thought was an input audio
jack on the monitor was a headphone jack :-/ strange that there
would be one instead of an input
333[05:52:41] <dpkg> To clone a Debian machine using aptitude
(or install your favourite packages) use aptitude search
--disable-columns -F%p '~i!~M!~v' > package_list; on
the reference machine; xargs aptitude --schedule-only install <
package_list; aptitude install; on the other machine. This preserves
information about "automatically installed" packages that
other methods do not. See also <reinstall>, <things to
backup>, <debian clone>, <apt-clone>.
334[05:52:55] <hackers> i'm reading about dpkg
--get-selections, aptitude, apt-clone, etckeeper, dselect but am
uncertain which solution(s) I want to use
336[05:53:16] <hackers> thanks alex11 I'll start there
337[05:53:27] <alex11> yeah maybe dpkg --get-selections is
easier
338[05:53:32] <alex11> it's not something i've looked
into super hard
339[05:54:29] <hackers> there's also the question of
preserving at least some configurations I want to address
340[05:55:14] <hackers> I remember dpkg can detect standard pkg
config files that have been modified during installation of upgrades
(packages shipping new configs)
341[05:56:09] <hackers> do you know how I can run this process
manually against the output of, dpkg --get-selections or the
aptitude command you suggested I use to freeze installed package
list in order to identify configs that were modified after
installation?
343[05:58:25] <efloid> hackers: you can also use clonezilla to
make an exact image. it's an excellent tool.
345[06:01:07] <hackers> efloid: that would probably cause me
issues, i'm wanting to clone a vm i use as a workstation
that's a compute engine instance with its own custom settings
346[06:01:34] <hackers> i would use the solution i'm trying
to build as a startup script for such instance
347[06:01:47] <efloid> hackers: why not use ansible?
414[07:19:42] <dpkg> [confold] dpkg --force-confold will force
dpkg to ignore any new versions of <conffiles> in packages,
e.g. «apt-get -o DPkg::Options::="--force-confold"
upgrade». Note that by ignoring changes to conffiles, you may
miss out important changes and packages may be left in a non-working
state afterwards.
456[08:35:42] <esm2> I'm switching from GNU screen to tmux
and I'm wondering if there's a command in tmux to
alternate between the last window (like screen's ^A^A) ?
457[08:38:21] <n4dir> esm2: looks like you're asking for something
like the cheatsheet
replaced-url
459[08:38:41] <n4dir> though i use screen most basic and
haven't got the exact terms handy
460[08:38:57] <esm2> I looked at the man pages and cheat sheet.
I don't see anything there.
461[08:40:19] <esm2> tmux lets you use ^B-n and ^B-p for
previous and next, but I see nothing for toggling to the last window
462[08:41:15] <n4dir> ah, then i did understand correct and that
was not what you are looking for. tmux probably has an irc channel.
Though many in #linux seem to use it too (as it is *so* much better
than screen). Anyway: good luck then
463[08:42:15] <ansimita> esm2: ^B-l ?
464[08:42:31] <n4dir> ctrl+b+p; ctrl+n+n was what i had in mind
though, looking at that cheat
465[08:43:01] <esm2> Ah, ^B-l looks like the command
466[08:43:43] <esm2> Oh, it's in the man page too! I was
confused by the terminology 'previous window'
467[08:43:46] <ansimita> esm2: next time u check bindings with
^B-? :)
468[08:46:09] <esm2> OK, will do. I'm just new to it and
needed a quick answer :)
495[09:52:52] <genr8_> Anyone have any experience with enabling
the kernel option SMB Direct support (Experimental) =
CIFS_SMB_DIRECT: Enables SMB Direct experimental support for SMB
3.0, 3.02 and 3.1.1
596[12:06:47] <jhutchins> Eryn_1983_FL: You should probably be
reading something like an install guide, but if it's an iso, you
can simply dd/cp it to the raw device.
597[12:07:11] <Eryn_1983_FL> not debian just trying to burn a
dvd in debian,
598[12:07:20] <Eryn_1983_FL> ill just do brasero i dont have
good luck with dd...
630[12:44:06] <AnySomebody> Hi, does Debian 10 support the AMD
R3-4300U? How can I find this out? I already learned it depends on
what was backported into 4.19...
633[12:47:01] <ratrace> AnySomebody: you can use a newer kernel
from buster-backports, if you need it; as for your question
specifically, can't answer that.
655[13:05:29] <nvz> one way to know, is to boot the installer
and see what happens :P
656[13:06:15] <genr8_> Vega 5 iGPU
657[13:07:07] <nvz> the only big thing I've heard of lately
that plagues the install of stable on these modern machines is some
unsupported pcie nvme disks.. as long as you can get installed the
rest can be solved rather simply
658[13:07:18] <AnySomebody> Yeah, I'm indeed rather worried
about the iGPU...
659[13:07:30] <genr8_> i remember them adding stuff like that
into 4.20 "AMD Radeon Picasso + Raven2 support, and Vega20
enablement"
660[13:07:58] <another> 4300U is renoir
661[13:08:13] <AnySomebody> Now I'm wondering whether an
iGPU isn't part of the CPU ;)
667[13:11:18] <genr8_> and 5.7/5.8 adds more fixes
668[13:13:56] <AnySomebody> Hum... after I advised her to use
Debian and not to use the other distros she found on the internet
maybe I have to tell her that Debian won't work out of the box
and she maybe shouldn't use it... whereafter no distro is left
+)
669[13:14:45] <AnySomebody> Is it hard for a newbie to use a
newer kernel from the backports? Unfortunately I don't know too
much about Debian...
671[13:15:52] <genr8_> it needs following instructions and
typing commands, not clicking mouse buttons
672[13:15:57] <nvz> AnySomebody: it's not terribly difficult and
we could help with it. You can install, login, put something like
irssi or weechat and screen or tmux on there.. come here and get
help
678[13:16:57] <nvz> AnySomebody: in any case that being said,
you'd probably want to use the firmware installer on a laptop
or system with wifi to ensure you can get additional packages and to
irc for support
696[13:23:38] <genr8_> or, if you're running a new device,
consider yourself a beta tester.
697[13:23:52] <nvz> typically it's better when dealing with
inexperienced folk, that you do more than encourage, and if
you're gonna make a recommendation you do it for them
700[13:24:30] <nvz> after all most people have no experience
installing ANY operating system
701[13:25:04] <ratrace> linux was always for expert folks, by
sheer virtue of contributions being done by people to scratch a
particular itch, and not to make it super convenient for newbs,
unless that scratches someone's itch, but historically
hasn't been much of a case.
702[13:25:13] <genr8_> people also buy way too new hardware
built for windows. terrible proprietary devices. that's not really
their fault. the laptop industry is toxic, along with a ton of other
tech
704[13:25:45] <genr8_> its always an uphill battle. the fact it
works at all should not be taken for granted
705[13:26:08] <ratrace> ie. it requires reading and learning. no
clicky-clicky-it-all-works; even with ubuntu clicky clicky works
until it doesn't and then it's learning time!
706[13:26:11] <nvz> what I've always found disgusting is
many lower end budget machines aren't really even spec'd enough
for the windows OS they put on it which I find downright criminal
707[13:27:22] <jarxv> Is there a snapshot of debian 4.4 kernel
??
708[13:27:53] <AnySomebody> Unfortunately I can only give
support remotely... but yeah, maybe I could do this via ssh or
whatever...
709[13:28:24] <nvz> AnySomebody: you could, yes, as the
installer (in expert mode) has remote install over ssh capability
710[13:28:43] <nvz> AnySomebody: you may want to familiarize
yourself with the process on your end first perhaps with a vm or
something
711[13:29:32] <AnySomebody> True, if so I should have a look
into it... on the other hand before I start such things I could
install Arch for her, was easier for me...
712[13:29:36] <nvz> AnySomebody: however these sorts of things
can sometimes also be difficult as they require more often than not
forwarding ports through a residential router which varies
significantly and is usually also beyond the skill of most users
713[13:30:07] <AnySomebody> Yes, this was the argument against
doing a remote install so far... the work on her side
716[13:30:53] <nvz> some ISPs if you use their equipment make
this a bit easier now using more advanced remote management of their
gateway hardware.. comcast for example has Xfi which can be
configured from your customer web portal or a mobile app
717[13:32:28] <genr8_> at the expense of them having total
ownership of your device. pwnd.
720[13:33:13] <nvz> yeah.. though there are companies out there
making similar software and I expect to see such things in more
personally owned equipment in the future
723[13:34:12] <ratrace> nvz: looking at the installer now (I was
coincidentally installing some VMs), but I can't find the ssh
option in the expert mode
724[13:35:11] * nvz fires up a vm to see as its been awhile
725[13:35:12] <genr8_> i don't. I expect everything to be
fully controlled by the corporation that makes it in the future.
with the consumer having 0 agency over what software is being run.
726[13:35:44] <nvz> yeah well it is sad that what people want no
longer seems to matter anymore
727[13:35:46] <genr8_> and as far as "put your own software
on it" like DD_WRT, that's gonna be killed soon too.
734[13:37:48] <genr8_> yeah. it'll just be "corporate
tech" and open source won't be able to work unless the open
hardware movement ramps up and gets to where open source is now.
735[13:37:56] <nvz> ratrace: seems after several clicks through
the usual initial language stuff in the expert mode, you need to
load installer components .. first usb-storage (when using
thumbdrive or such) to load the "cdrom" then it gives you
a larger list of installer components to load of which you need
network-console in order to continue remotely using ssh
736[13:38:03] <genr8_> even then, it will be 10 years behind.
737[13:40:08] <AnySomebody> Well, and the politics in the EU is
currently 20 years behind starting to fund open source stuff +)
739[13:40:48] <ratrace> nvz: blimey, that's not complicated
at all :)
740[13:41:03] <AnySomebody> -stuff +software
741[13:41:13] <AnySomebody> Maybe they should start with open
source hardware instead...
744[13:41:35] <nvz> ratrace: yeah it'll give you the
information you need to proceed when you then detect network
hardware, configure network, and choose to continue the install remotely
using SSH
751[13:43:37] <nvz> ratrace: I've only actually used it
once that I recall
752[13:45:29] <ratrace> speaking of, does the kernel or some
userland network stack have a problem with particular MAC addresses
given to virtio NICs that are bound to taps on the host side?
753[13:45:55] <ratrace> because a windows VM has no issue with
the same (made up) MAC given
754[13:46:05] <ratrace> "13:37:B0:0B:69:69" for
example
755[13:46:59] * nvz shrugs
756[13:50:13] <ratrace> definitely does, because if I copy
default virtio mac given, and change the last digits for example,
all is well
757[13:51:10] <nvz> I've only ever done such things for vpn
and usually didn't concern myself with such details
758[13:51:49] <nvz> had a SBC that was for some odd reason
autogenerating its wifi's mac id.. and put a stop to that as it
was annoying
759[13:52:55] <ratrace> well I want to force separate MACs for
multiple VMs running on the same tap
824[14:37:42] <jaami_> nvz, the command did not work because it
depends upon another package i guess. but fortunately, a little
search gave a hint about alacarte.
825[14:37:56] <jaami_> debian already has alacarte installed
826[14:38:13] <jaami_> it's a very easy way, i actually needed
exactly that
987[17:20:26] <Deknos> traefik can handle application routing
with nomad and consul, can be used for k8s, has letsencrypt support
with it (so you do not need extra stuff for letsencrypt).
988[17:20:29] <Deknos> it's pretty cool
989[17:20:51] <Deknos> sadly i am not very good at debian
packaging.. and packaging go stuff seems even harder for me.
1034[18:12:17] <RoyK> Deknos: I'd guess it will be nice for
low level traffic, but I somewhat doubt it'll be able to reach
the performance levels of varnish ;)
1053[18:29:27] <Deknos> well, i don't know about that. it is
used in multiple cloud environments. might be that varnish is a bit
better on the throughput side but as far as i see, varnish also has
not the same target audience as traefik
1127[19:05:40] <somiaj> Raito_Bezarius: My understanding is
though debian is fairly sane in defaults, it won't be fully
hardened by default, and if you have a security model that requires
more hardening, you can edit the services and place them in
etc.
1128[19:05:54] <Raito_Bezarius> somiaj: yes, sure, I was
wondering how much it was done by defaults
1129[19:06:07] <Raito_Bezarius> AFAIK, some of that hardening
comes at no cost
1136[19:08:05] <somiaj> but if you feel some package could use to
have that hardening at no cost to standard users, you can file a
wishlist bug
1137[19:08:22] <Deknos> would be neat to have some debian
packages which enforce certain settings
1138[19:08:35] <Raito_Bezarius> that's the kind of thing I
wonder if it'd be nice to fund some people to go around and
harden classical services
1139[19:08:48] <Raito_Bezarius> so that everyone's security
increase "trivially"
1140[19:09:14] <somiaj> Deknos: There is no single security
measure that fits all, one does need to assess their risk model. One
should always analyze the services they want to use.
1141[19:10:24] <Raito_Bezarius> somiaj: sure, but I don't
believe that something like a IRC client require to modify its own
code in the RAM in general or to go change /etc/passwd :P
1142[19:10:27] <Deknos> somiaj, because of that i meant, let the
NORMAL state be and create some ADDITIONAL packages where the people
can decide what helps their risk model with "neat to have some
debian packages which enforce..."
1143[19:10:40] <Raito_Bezarius> ah that'd make sense
1145[19:10:54] <Deknos> i certainly do NOT want to have that
enforced per default for everything and everyone
1146[19:10:59] <Deknos> that would be just awful
1147[19:11:24] <somiaj> but anyone can report a wishlist bug if
you think such a measure will improve a package, let the maintainer
know (though you'll have to think about each package you want
to harden this way)
1148[19:11:26] <Raito_Bezarius> to be fair, some NixOS services
are hardened by default
1149[19:11:29] <cipherize> There are very few security controls
that could qualify as truly one-size-fits-all.
1150[19:11:29] <Raito_Bezarius> with sane hardening
1151[19:11:39] <Raito_Bezarius> and I always try to lockdown as
much as possible
1152[19:11:53] <Raito_Bezarius> opting-out of this is not really
difficult
1153[19:11:57] <somiaj> and in most cases if it only increases
local user security, this doesn't affect a lot of systems that
don't have local users.
1154[19:11:59] <cipherize> Raito_Bezarius: Even on a system that
just doesn't need that level of hardening?
1155[19:12:07] <Raito_Bezarius> cipherize: yes
1156[19:12:10] <cipherize> Raito_Bezarius: Why?
1157[19:12:19] <Raito_Bezarius> cipherize: well, this is the way
people initially wrote those services
1158[19:12:25] <Raito_Bezarius> and I see it more and more in
some services downstream
1159[19:12:36] <Raito_Bezarius> it creates little to no impact
1160[19:12:39] <Raito_Bezarius> so it's cheap ?
1161[19:12:45] <cipherize> Raito_Bezarius: You're treating
every system as if they're all the same risk classification.
The server hosting your lunch menu simply doesn't require the
same level of effort/hardening as the system holding your financial
documents.
1162[19:13:08] <Raito_Bezarius> if the effort is as simple as
saying "enable nginx", I don't see really the problem
1163[19:13:19] <Raito_Bezarius> now, if it creates real issues,
it's always possible to opt out
1164[19:13:39] <cipherize> Raito_Bezarius: Because it's not
that simple. enable nginx -> configure nginx -> nginx
isn't always compatible with web apps that expect Apache
functionality, etc.
1165[19:13:55] <Raito_Bezarius> hmm, do you have examples?
1166[19:13:55] <cipherize> Raito_Bezarius: You're
misrepresenting things in a way that makes your argument appear more
favorable.
1167[19:14:14] <cipherize> Raito_Bezarius: Sure. Look at the
effort required to run Wordpress on nginx.
1175[19:14:59] <Raito_Bezarius> running wordpress is as simple as
services.wordpress.enable = true;
1176[19:15:05] <Raito_Bezarius> sure, it uses httpd behind
1177[19:15:07] <cipherize> Raito_Bezarius: And it will pull in
Apache.
1179[19:15:14] <Deknos> and some php libraries
1180[19:15:21] <cipherize> Exactly. So your "just enable
nginx" argument is disingenuous.
1181[19:15:24] <Raito_Bezarius> but nothing prevents someone from
replacing the httpd backend by a phpfpm + nginx thing
1182[19:15:29] <Raito_Bezarius> it's not that simple, true
1183[19:15:54] <Raito_Bezarius> but this problem generalizes to
arbitrary PHP applications afaik
1184[19:16:05] <cipherize> And now you're expending that
level of effort without considering whether or not it's WARRANTED
based on the risk classification of the system/app in question.
1185[19:16:07] <Deknos> i agree with cipherize and somiaj that
with security there's seldom one fits all, but there are
possibilities to improve in debian and different possibilities to do
that also..
1187[19:16:23] <cipherize> Raito_Bezarius: You've entered
this discussion with the presupposition that NixOS does things the
right way and that your argument is correct.
1196[19:17:06] <Raito_Bezarius> I ponder whether this is a thing
which should be "generalized" to a certain extent
1197[19:17:17] <cipherize> Deknos: pam_cracklib for passwords,
but that may negatively affect usability to an excessive degree for
a system that accepts no external connections.
1198[19:17:33] <Raito_Bezarius> There are multiple levels/layers
of hardening
1199[19:17:41] <cipherize> With Debian, the idea is to provide
the basic components with which to build a system to one's
requirements.
1200[19:17:44] <somiaj> Raito_Bezarius: also different oses have
different goals, policy, user base. As the Universal Operating
System, debian is going to have different goals than NixOS, so a
comparison may not fully be appropriate.
1201[19:17:56] <Raito_Bezarius> somiaj: I'm not trying to
draw a direct comparison
1202[19:18:02] <Deknos> cipherize, so you would deactivate
spectre mitigations on systems where only trusted code is running
and not connected to the web?
1203[19:18:06] <somiaj> so though yes it can be done, as if it
fits the debian ecosystem, it might depend a lot on the package in
question.
1204[19:18:07] <Deknos> as a counterexample?
1205[19:18:12] <cipherize> Deknos: Yes.
1206[19:18:39] <cipherize> Deknos: If the performance improvement
is needed for that system to adequately perform its function. The
benefit to the requirement would, in general, outweigh the neglible
risk increase.
1207[19:18:48] <cipherize> negligible, rather
1208[19:18:49] <Deknos> then why does for example debian enable
stack protections in their kernel?
1209[19:18:55] <Deknos> i mean that also costs performance.
1211[19:19:26] <cipherize> Deknos: I would hazard a guess that
the overwhelming majority of Debian installations are 1. internet
connected and 2. running at least some not-entirely-trusted code.
1212[19:19:49] <Deknos> cipherize, so... also enable spectre
mitigations per standard on debian installations?
1213[19:20:14] <cipherize> Deknos: Given the performance impact,
I'd leave that to the administrator of the system.
1214[19:20:19] <cipherize> Deknos: It's a question of impact
vs. value.
1218[19:20:51] <cipherize> I do very little of importance on this
host. IRC and a few other random things that aren't sensitive.
1219[19:20:56] <Deknos> yeah, and i think (per service) there are
settings which should/could be enabled by default and sent as
wishlist/bug to the maintainer
1222[19:21:29] <Raito_Bezarius> What's the expected level of
proficiency of the average Debian sysadmin?
1223[19:21:31] <cipherize> You're being dishonest, if I can
be frank. Your argument thus far has been "fully harden all the
things without regard to risk."
1224[19:21:39] <Raito_Bezarius> What is risk here?
1225[19:21:45] <Raito_Bezarius> Does hardening things create
risks?
1226[19:21:59] <cipherize> Yes.
1227[19:22:03] <hmuller> any troubleshooting tips for an
unresponsive tmux session?
1228[19:22:03] <Raito_Bezarius> What kind of risks?
1229[19:22:09] <cipherize> Availability IS a component of
security.
1230[19:22:18] <nvz> hmuller: use screen
1231[19:22:21] * nvz hides
1232[19:22:26] <hmuller> lol
1233[19:22:28] <nvz> heh
1234[19:22:35] <cipherize> If the extent of hardening creates the
possibility that the system becomes unavailable when needed, then
you've harmed your security posture in one way to benefit
another.
1235[19:22:37] <Raito_Bezarius> cipherize: does your concept of
security take into account the business security or something?
1236[19:22:50] <cipherize> Raito_Bezarius: No, my concept of
security is literally the textbook definition used the world over.
1242[19:23:27] <Deknos> i agree with that.
1243[19:23:29] <cipherize> It's always a balancing act.
1244[19:23:32] <Raito_Bezarius> I agree that hardening can create
risk
1245[19:23:33] <Deknos> i has to make sense.
1246[19:23:37] <Deknos> it*
1247[19:23:38] <Raito_Bezarius> But I feel like there is a
balance and low hanging fruits
1248[19:23:41] <Raito_Bezarius> In hardening stuff
1249[19:23:43] <nvz> hmuller: I'd maybe try strace and also
see if by any other means I could deduce if its the session or just
a process inside it causing the problem
1250[19:23:44] <cipherize> You're being dishonest again.
1272[19:26:09] <Raito_Bezarius> I'm not trying to convince
you of something cipherize
1273[19:26:14] <Raito_Bezarius> I'm trying to understand
your point of view
1274[19:26:36] <Raito_Bezarius> I don't think I had goal
post from the start, I tried to expose my view and get educated, if
what I said does not make any sense
1275[19:26:39] <cipherize> Raito_Bezarius: I've made it
quite clear. Maximum hardening is a bad default course of action.
1276[19:26:53] <hmuller> nvz: and it has nothing to do with
Ctrl-x, I'm thinking of taking screen for a spin =)
1277[19:26:59] <Deknos> Raito_Bezarius, you should read about
risk management, then you would understand his/her viewpoint
1278[19:27:02] <hmuller> Ctrl-s
1279[19:27:02] <nvz> hmuller: hmm.. well the only thing I can
think of is that there is some kinda terminal character that locks
up a screen regardless if you're multiplexing or not
1280[19:27:03] <cipherize> Consider the actual risks to the
system. If this host gets compromised, fine. I'll just blow it
away and redeploy from a new template.
1281[19:27:34] <nvz> hmuller: you could try ^q or the control
char and ^q I think it is that usually terminates this
1282[19:27:46] <hmuller> nvz: yeah, already did that
1283[19:27:46] <cipherize> The worst case scenario for this
system is that someone has a joyride on my IRC nick and gets me
booted from a few channels.
1284[19:27:47] <Deknos> none the less, i like that feature.
1285[19:28:19] <Deknos> cipherize, well no, the person could post
child pornography and you end up in some investigation
1286[19:28:31] <Deknos> identity theft could be hefty if it is a
targeted attack at you
1287[19:28:51] <cipherize> Deknos: That's not really a risk,
though. Identity theft is annoying, but fairly easily resolved.
I've had it happen, it was hardly consequential.
1288[19:29:10] <cipherize> Deknos: And if someone posts CP from
this host, I'm happy to land them behind bars from a moral
perspective.
1289[19:29:20] <nvz> hmuller: all I know is that tmux has more
features than screen and that it could stand to reason that perhaps
in a multiplexer the particular window you're on, whatever is
running in that is what locked up and is making the whole session
seem locked up
1290[19:29:21] <Deknos> cipherize, first you would have to prove
it was not you.
1291[19:29:29] <Raito_Bezarius> Deknos: I actually read about
risk management; maybe I misexplained my view but I said
"maximum hardening under constraints", which is not the
same as "maximum hardening", now, I agree that hardening
can itself introduce bugs
1293[19:29:36] <cipherize> Deknos: Incorrect. I live in the US.
Law enforcement would have to prove that it IS me.
1294[19:29:42] <Deknos> that could be quite hard, depending on
the case
1295[19:29:52] <Raito_Bezarius> but on a desktop, I actually
don't want firefox to access other stuff than its folder
and downloads folder for instance
1296[19:30:02] <nvz> hmuller: if that particular program frozen
on the screen is something you could stand to lose, if nothing else
perhaps killing what you see frozen might get things moving again
1297[19:30:05] <Deknos> you are quite confident in your law
enforcement. i do not share that sentiment :D
1298[19:30:06] <Raito_Bezarius> and more generally, that applies
to most of the software I use
1299[19:30:24] <Raito_Bezarius> cipherize: well, you're
lucky; in France, identity theft creates a lot of issues
1300[19:30:35] <nvz> hmuller: but if I were gonna start stracing
I'd start first with looking at that process.. and perhaps its
state in htop/ps output
1301[19:30:39] <cipherize> Deknos: You're welcome to your
feelings on the matter. I'm happy to cooperate with law
enforcement in such cases. Just dump my full system logs and hand it
over. Go to town.
1302[19:30:40] <Raito_Bezarius> and it can take up to 10 years to
resolve it correctly
1303[19:31:01] <nvz> hmuller: usually when shtf running htop and
looking at the machine's vitals and what's using the most resources is
my first step
1304[19:31:02] <Deknos> i want firefox to have access to those
folders when i want to upload something. that was always quite
troublesome, when firefox is hardened too much
1305[19:31:03] <cipherize> Raito_Bezarius: For me, it was a
simple matter of reporting it to the police and keeping the police
report on hand. The occasional phone call or email and issues were
promptly resolved.
1306[19:31:23] <Raito_Bezarius> Deknos: my folders where I want
to upload stuff are more than often correctly identified, so it
works more or less fine
1307[19:31:24] <hmuller> nvz: yeah, i just killed the session.
I'll give that a look the next time it freezes
1308[19:31:33] <Deknos> cipherize, they could still argue you
falsified those logs to protect yourself :)
1309[19:31:38] <Raito_Bezarius> but I have documents that I want
to assume that no soft will exfiltrate
1310[19:31:41] <cipherize> Deknos: And then they'd have to
prove it.
1318[19:32:43] <cipherize> Anyway, this conversation has long
since gone off the rails in terms of what's topical for this
channel.
1319[19:32:44] <hmuller> nvz:^^^
1320[19:32:47] <Raito_Bezarius> cipherize: in France, reporting
it to police is not enough; you have to prove a lot of things and
even those proofs are somewhat disregarded and you have to wait for
a court to rule on your case… which makes you unable
meanwhile to perform a lot of actions
1321[19:32:47] <Deknos> they have to prove that it originated from
your computer/VM and ignore the other stuff. such stuff has
happened. but ymmv
1323[19:32:55] <Raito_Bezarius> Thanks for your point of view
cipherize
1324[19:33:09] <cipherize> Raito_Bezarius: That's
France's problem, not mine. Innocence until proven guilty
beyond a reasonable doubt is quite a powerful legal standard.
1325[19:33:45] <nvz> hmuller: ssh is tcp, which means it has to
synchronize.. and can timeout.. and ssh has no means of dealing with
or monitoring lag for the most part
1326[19:33:53] <Raito_Bezarius> It's more complex than that,
but let's not get into this
1327[19:33:55] <cipherize> mosh is a godsend.
1328[19:34:29] <cipherize> The only whine I have about mosh is
that it doesn't gracefully handle IP stack changes. If your
original connection is via IPv4 and you transition to a network
that's dual-stack, you get stuck.
1330[19:34:44] <nvz> hmuller: mosh is a solution.. it connects
over tcp via ssh then establishes a mosh udp connection which is
immune to everything from lag to network hops, and it monitors for
lag.. notifies you when it's lost contact and continues to echo
locally even when it's not echoing back from the server
1338[19:39:43] <nvz> I just used a single port but that's probably
why I could only have one mosh connection and why I had to ssh in
and killall mosh-server if I somehow lost that connection by like
killing the client while I was not in contact with the server
1339[19:40:30] <nvz> but I run most everything on non standard
ports to minimize abuse
1340[19:41:11] <nvz> in my experience anytime you run ssh on
default port you get people always trying random crap :P
1345[19:44:58] <cipherize> As long as we all understand that
changing default ports is NOT a security measure.
1346[19:45:47] <genr8_> it helps
1347[19:46:37] <cipherize> Not really. Just helps minimize log
spam. Remember that god knows how many bots are portscanning the
internet. See also 'shodan.'
1348[19:46:39] <yanmaani> What to use for mobipocket ebooks
(.mobi) on Linux?
1349[19:46:47] <yanmaani> No DRM. Not using KDE.
1350[19:46:54] <nvz> yes it does help minimize the spam in logs
from random idiots
1366[19:50:04] <cipherize> genr8_: But hey, if being
condescending because someone disagrees with you is how you find
happiness, rock on.
1367[19:50:05] <genr8_> mine tells me the opposite
1368[19:50:07] <hmuller> nvz: I believe I may have tracked the
problem to low current on usb. I have 2 commands frozen in
uninterruptible sleep on the target. both commands are targeting an
external usb hard drive.
1369[19:50:20] <cipherize> genr8_: I strongly doubt that.
1370[19:50:26] <genr8_> I'm over this.
1371[19:50:39] <hmuller> nvz: going to increase current to usb
and see if I still have problems.
1375[19:52:46] <b_jonas> Xorg doesn't load the intel driver
for me. I suspect the problem is that this CPU is too new, and the
intel driver in debian 10 doesn't yet support it. So I'll
have to look for how to install a newer driver.
1397[19:59:03] <somiaj> hyiltiz: they just seem to be links, I
don't have ooffice, but all the others point to the same binary
1398[19:59:06] <hyiltiz> not the reason; what's the
difference?
1399[19:59:17] <hyiltiz> they are not links; they are individual
binaries with different size
1400[19:59:21] <timur_davletshin> hyiltiz, no difference.
1401[19:59:27] <somiaj> hyiltiz: mostly just name changes,
libreoffice is a fork of openoffice which was an open sourced
version of star office (based on the old wordstar)
1402[19:59:39] <somiaj> hyiltiz: what version of debian are you
running?
1403[19:59:48] <timur_davletshin> hyiltiz, they're symlinks, check
ls -l /usr/bin/*office
1404[20:00:15] <somiaj> well loffice isn't a link, it is a
shell script that does the same thing as a link
1405[20:00:23] <somiaj> at least here on debian 10
1408[20:00:47] <hyiltiz> loffice and soffice are independent
binaries tho
1409[20:01:04] <hyiltiz> oh really; never really tried to open it
1410[20:01:19] <somiaj> hyiltiz: loffice is a shell script that
runs /lib/libreoffice/program/soffice "$@"
1411[20:01:26] <hyiltiz> just saw that thx
1412[20:01:34] <hyiltiz> so they are literally the same thing...
1413[20:01:57] <somiaj> hyiltiz: anyways, they are just backwards
compatibility. Seems in all of the changing from staroffice (soffice)
to open office to libre office, the actual binary never changed its
name from soffice, and the other names were just links
1414[20:02:43] <b_jonas> yeah. the ooffice command used to work
too, and I used to run that, but there's no such symlink
anymore.
1415[20:03:02] <timur_davletshin> Libreoffice has a lot of old
crap for compatibility. Like using star office font names in
templates or providing soffice binary. Both fonts and even
StarOffice file format are no longer supported.
1416[20:03:05] <somiaj> maybe hyiltiz has an older version of
debian, or some older package that installed ooffice, but I
don't have that any more either.
1417[20:03:45] <hyiltiz> No I didn't have ooffice binary; I
was checking firejail profiles for libreoffice and found ooffice as
well
1418[20:03:57] <hyiltiz> but i had no office binary so that
profile did nothing
1446[20:22:43] <somiaj> tmux is another alternative that many
like as well.
1447[20:23:18] <nvz> we were speaking of tmux, which they already
use
1448[20:23:20] <somiaj> I switched from tmux from screen, mostly
as I find it 'more modern' for whatever that means (screen
is good, but hasn't changed much in years, which for many is
what they like)
1449[20:23:24] <somiaj> ahh
1450[20:23:33] <somiaj> *switched to tmux from screen
1452[20:25:22] <hmuller> I thought I was having a tmux issue, but
it looks like the ARM64 SBC I had ssh'd into needed to increase
power to USB (for an external hard drive).
1453[20:25:56] <hmuller> I had two uninterruptible processes, both
were performing commands on the usb external hard drive.
1468[20:38:16] <dostoyevsky> how can it be that I can do `apt
install rxvt' but I can't ping 8.8.8.8 and "curl
replaced-url
1469[20:39:06] <somiaj> was the cwd that tmux was run in on this
usb drive, I don't see screen acting any better. Though if it
is a bug, tmux development is fairly active and would be interested
1470[20:39:56] <somiaj> dostoyevsky: is apt using a proxy?
1471[20:40:12] <somiaj> dostoyevsky: could be some firewall issue
on your network not giving you full access to the internet
1472[20:40:51] <somiaj> dostoyevsky: also maybe check out ip
route, are your routes for all traffic reasonable?
1473[20:41:11] <dostoyevsky> somiaj: It's so odd it happens
when building a docker container...
1474[20:41:22] <dostoyevsky> (which built fine many times)
1476[20:41:36] <somiaj> maybe something changed with how the
docker container attaches to the network.
1477[20:42:00] <somiaj> but sounds like a routing/firewall issue.
I don't know enough to be of any real help, maybe ##networking
could give some pointers if no one else here joins in
1478[20:43:41] <dostoyevsky> where would one configure a proxy
for apt?
1479[20:44:01] <somiaj> what are your sources? can you ping
deb.debian.org for instance?
1482[20:44:52] <dostoyevsky> Destination Net Unreachable
1483[20:45:05] <somiaj> it could be something docker is doing,
but looks like you can configure it in /etc/apt/apt.conf.d/ and the
file is probably named proxy.conf but doesn't have to be; look
for Acquire::http::Proxy and Acquire::https::Proxy
1484[20:45:16] <somiaj> dostoyevsky: what do your sources.list
say your sources are?
1495[20:49:32] <somiaj> sounds like you have some issue with your
networking in your container, but I don't know docker or
networking details enough to give much more info than that.
1496[20:49:51] <dostoyevsky> # apt update # -> All packages
are up to date.
1506[20:52:58] <somiaj> dostoyevsky: well I just made noise,
seems you did all the work. Things working fine now?
1507[20:54:07] <dostoyevsky> somiaj: Nope... but I can see I can
curl certain urls and for others I get Destination net
unreachable... so must be some firewall setting
1508[20:54:35] <somiaj> traceroute help?
1509[20:55:26] <dostoyevsky> somiaj: I got to ask my brother
about this mac here... so not really related to debian any more
1602[22:27:38] <HelloShitty> Hello guys. I need some urgent help.
My laptop is complaining about free space running out. Are there any
tools I can use to check which folders have more used space and try
to see if I can delete any content
1644[22:35:26] <sponix> HelloShitty: Yes, I would guess your
machine is the victim of brute force ssh attempts repeating over and
over trying to break in
1663[22:38:31] <sponix> It can be done at the rig, at the router,
or both
1665[22:39:27] <sponix> I also use "fail2ban" that uses
iptables/netfilter/nftables or whatever to BLOCK access to anything
attempting more than a few times
1672[22:43:19] <sponix> Yeah, it requires a little setup.
swapping the port to something other than the default of 22 is
editing one line in /etc/ssh/sshd_config and restarting it
1686[22:48:19] <sponix> HelloShitty: well it is easy to do the
port thing, still use it, and it keeps _most_ of the attackers away.
That takes less than 5 minutes and next to no effort
1687[22:48:55] <HelloShitty> but that's for someone used to
mess with that stuff, which is not my case, sponix
1688[22:49:12] <LtL> HelloShitty: change port and use keys!
don't lock yourself out.
1689[22:49:25] <HelloShitty> yeah, need to investigate a bit
about this
1690[22:49:27] <karlpinc> Or turn off sshd (systemctl stop sshd
;systemctl disable sshd) and then start it (systemctl start sshd)
when you need it. (Of course, once you're remote you can't
reach the box to start it.)
1691[22:49:33] <sponix> LtL: Key auth only is GREAT, but hell
just the port is a big step
1692[22:49:45] <LtL> very true
1693[22:50:03] <karlpinc> Key auth. But that won't stop the
cracking attempts.
1694[22:50:08] <HelloShitty> gonna check which port is in
sshd_config
1695[22:50:14] <sponix> HelloShitty: run that stop, sudo nano
/etc/ssh/sshd_config and change the port from 22 to something else.
then run the start command he listed -- done
1696[22:50:31] <sponix> HelloShitty: I already told you, it
defaults to 22 :)
1697[22:50:35] <karlpinc> HelloShitty: But don't
"disable" or it won't start at boot.
1698[22:50:36] <HelloShitty> I'm almost sure 22 is not the
port being used
1699[22:50:41] <HelloShitty> I always change it
1700[22:50:43] <LtL> karlpinc: no it won't, the port change
reduces attempts by 90+ per cent
1701[22:50:47] <HelloShitty> But I'll double check
1702[22:51:02] <sponix> HelloShitty: you wouldn't be getting
that many hits if it was on a good alt port IMHO
1703[22:51:13] <sponix> Not enough to have a 22GB auth.log LOL
1704[22:51:44] <karlpinc> LtL: I use pf on openbsd to rate-limit
and block such cracking.
1705[22:51:55] <HelloShitty> yeah, port is not 22
1706[22:52:02] <sponix> HelloShitty: Wow
1707[22:52:03] <karlpinc> LtL: Something centralized is
"best".
1708[22:52:17] <sponix> karlpinc: I do fail2ban for similar on
Linux
1709[22:52:22] <HelloShitty> sponix: what you mean
"Wow"?
1710[22:52:45] <sponix> HelloShitty: I just suspected you were
Wrong, and it was actually on port 22 anyway
1733[22:59:13] <sponix> karlpinc: I'm gonna have to run lsof
| wc -l to see how many thousands of lines that produces on my
rig... I ran just lsof and it just now finished
1734[22:59:37] <HelloShitty> sponix: yeah, here too. I just
cancelled it
1735[22:59:47] <HelloShitty> gonna change the port and restart the
service
1736[23:00:22] <sponix> HelloShitty: I gotta take the wife to
work, but after I can walk you through fail2ban if you like
1737[23:00:40] <sponix> I only use it on my ssh, but should be
putting it into place for my apache also
1738[23:01:00] <HelloShitty> I would appreciate sir. Thank you
sponix
1739[23:01:05] <karlpinc> If I enable debian on my Chromebook can
I cut-and-paste with the mouse out of the linux side and into the
Chromebook side? I forget.
1740[23:01:06] <HelloShitty> I'll be around for probably 2
more hours
1741[23:01:37] <sponix> I will be gone for less than 20 minutes
1742[23:01:59] <HelloShitty> I have no idea karlpinc ... What I
know is that I also have lots of problems using copy/paste from host
to VMs and from terminal windows to other places
1743[23:02:03] <HelloShitty> etc
1744[23:02:07] <karlpinc> I'm trying to get Microsoft Teams
invitation urls sent by email off my imap server onto the Chromebook
where I will try to use MS teams.
1745[23:02:18] <HelloShitty> ok, I'll be around sponix
1746[23:02:36] <karlpinc> I suppose I could put a dirt-simple web
email interface on my imap box. Any recommendations?
1747[23:03:02] <karlpinc> (I've resisted a web email
interface for years....)
1748[23:03:23] <karlpinc> There's always a flash drive. But
that's annoying.
1757[23:06:19] <karlpinc> I guess the first step is to try MS
Teams on the Chromebook. It won't seem to run at all reliably
using chromium on an Asus Aspire One running Debian. (Not too
surprising, given how slow the box is. But still, a little strange.)
1761[23:09:13] <karlpinc> sqwebmail (courier webmail) seems to
use the local mailboxes in Maildir format. (?) Which means accessing
the box with a Unix-level password rather than the imap password.
(yes?) I want to go through imap (or pop, if I had to).
1763[23:10:37] <karlpinc> I bet emacs on the chromebook would
work. :) Then all I need to do is be able to cut-and-paste between
the Linux side and the Chromebook side.
1764[23:10:48] * karlpinc wonders if emacs is in the app store
1766[23:12:53] <karlpinc> Interesting. emacs is in the app store.
But it does not seem to be maintained. (And who knows if it has the
full emacs network access etc.)
1767[23:13:54] * sponix wonders why anyone would punish themselves with
emacs when vi exists
1768[23:14:03] <sponix> HelloShitty: Welcome back
1769[23:14:22] <HelloShitty> I'm here
1770[23:14:50] <HelloShitty> But I'm getting here an error
but it's not related to lack of disk space. Because now I have
some free space and the error is still coming up
1771[23:14:56] <HelloShitty> but this is another matter
1772[23:15:08] <HelloShitty> I think it might be related to some
irssi plugin I'm using
1773[23:15:31] <HelloShitty> Because the error is showing up on
status window and also in one of my plugins window
1774[23:15:39] <HelloShitty> anyway
1775[23:16:48] <HelloShitty> I'll be around waiting for you
1826[23:32:26] <HelloShitty> I remember I checked the first time this
happened to me
1827[23:33:10] <HelloShitty> I tried to repeat the ssh login to
port 22 like 50 times the fastest I could but no log in that
auth.log file I just created
1829[23:33:17] <sponix> HelloShitty: So, do you want to just ride
with this alt port in place for a bit and see if you are good. Or do
you want to install and configure fail2ban also ?
1831[23:33:38] <HelloShitty> Let's see for how long this
stays quiet
1832[23:33:52] <HelloShitty> tomorrow I'll check again
1833[23:34:02] <sponix> HelloShitty: systemctl service sshd
restart
1834[23:34:12] <HelloShitty> oki
1835[23:34:14] <sponix> HelloShitty: see if that works, I know
very little of systemd
1836[23:34:23] <sponix> If it fails, I will have to google it lol
1856[23:39:12] <genr8_> the person named cipherize did not agree
with the practice, and I was pointing out that it is in fact a
useful practice by your real world example, not 1 hour later
1857[23:39:15] <HelloShitty> make no output in auth.log
1858[23:39:46] <HelloShitty> sponix: aut.log was a typo here
1859[23:39:53] <sponix> HelloShitty: the "syslogd" or
rsyslog or whatever might need a respawn also... So a reboot might
work
1860[23:40:09] <HelloShitty> reboot laptop?
1861[23:40:25] <sponix> HelloShitty: might want to "cd
&& /var/log" and "ls -l" to see that the
user:group and permissions are correct
1862[23:40:45] <sponix> genr8_: I do a LOT of things people
don't agree with, that just WORK despite what they say LOL
1863[23:41:51] <HelloShitty> most of the files in /var/log/ are
owned by root
1864[23:42:18] <sponix> HelloShitty: and the new auth.log that
you did "touch /var/log/auth.log" with ? you ran that
command as root, correct ?