|
Buttcoin purse posted:You can still just attach two IP addresses to a single interface too, without using VLANs, right? I mean if there are two separate IP networks on the same physical network. Yeah, separate broadcast domains are for scrubs.
|
# ? Jul 31, 2016 13:48 |
|
bobfather posted:Going to try and set up a secured Wordpress tomorrow. I hear iffy things about keeping Wordpress secure though. Any words of wisdom? Just remember any sort of web framework will require patching asap. Wordpress is fine, same for Drupal; both will introduce a worker engine proxy that can be used for many frameworks. You will find some more permissions and more on SELinux contexts for rw content and maybe some boolean settings. What I would suggest, now that you have the steps down, is to work on learning how to implement these tasks in CM. Grab a copy of Chef or such and start a simple recipe.
|
# ? Jul 31, 2016 14:13 |
|
telcoM posted:My first guess is, you're running sudo outside a terminal session. By default, sudo will refuse to work in that situation. That's amazing, that's exactly what I needed. Thank you.
|
# ? Jul 31, 2016 17:04 |
|
DeaconBlues posted:Is there a hard disk health reporting utility I can run on my little Ubuntu server?
|
# ? Jul 31, 2016 17:59 |
|
Angelwolf posted:Only thing I can't seem to work out is how to run as root. Adding sudo doesn't help even though I've configured visudo to not make sudo require a password. mystes fucked around with this message at 18:05 on Jul 31, 2016 |
# ? Jul 31, 2016 18:00 |
|
mystes posted:You probably shouldn't do what you're trying to do. At the very least, make a setuid wrapper script to the program that only your account can execute and that only root can edit or something. This will still be insecure depending on the program though, but making sudo not require a password is like running as root all the time. (Although in practice if the account you use to sudo is compromised you're screwed anyway.) It helps protect things like a forgotten console login. I can't count the number of times I've logged into a console and found it logged in with someone else's account, or a DC tech has come to me asking what is going on.
|
# ? Jul 31, 2016 18:23 |
|
Pablo Bluth posted:smartctl is the command line SMART utility; wrap that in your favourite scripting language to record the data you want and do something useful such as fire off an email if there's an error found. Brilliant! I've installed smartmontools and I'll have a play with smartctl. Thanks.
|
# ? Jul 31, 2016 19:43 |
|
I want to 3d render a new home I'm finalizing the sale of now. It's both for figuring out what furniture and paint colors make sense, and possibly designing expansions or additions. I'm honestly thinking of breaking out HL2's source tools and doing basic map making through that, as I'm a programmer by day and for some reason I'd like something I can hack on a bit. Also, as a programmer, I have no idea how to scope projects and think this will be easy.
|
# ? Jul 31, 2016 20:51 |
|
Kaluza-Klein posted:Yeah, separate broadcast domains are for scrubs.

Yeah, I was kind of overwhelmed by the number of things I could say about why people don't normally do that, and gave up trying to think of what to write. I don't think we ever figured out what the OP was trying to do, did we?

DeaconBlues posted:Brilliant! I've installed smartmontools and I'll have a play with smartctl. Thanks.

smartmontools comes with a daemon, smartd, which you might want to take a look at. I don't think it will actually do offline scans (which is what I think you were asking for), but it does do periodic checks for attributes and sends out mail when they change, for example.

TimWinter posted:I want to 3d render a new home I'm finalizing the sale of now. It's both for figuring out what furniture and paint colors make sense, and possibly designing expansions or additions.

I know the feeling: you're used to some game mapping tool and these 3D tools aren't easy to learn. I once came across BRL-CAD, which is open source, cross platform, and uses Constructive Solid Geometry (CSG) mapping as we're used to from our game engines (at least I think that's what HL uses, from a quick web search), although I never actually got beyond installing it so I can't tell you if it is any good.
|
# ? Aug 1, 2016 01:13 |
|
TimWinter posted:I want to 3d render a new home I'm finalizing the sale of now. It's both for figuring out what furniture and paint colors make sense, and possibly designing expansions or additions. Sketchup in wine is really king
|
# ? Aug 1, 2016 05:15 |
|
bobfather posted:Going to try and set up a secured Wordpress tomorrow. I hear iffy things about keeping Wordpress secure though. Any words of wisdom?

oh hey, my wordpress sites get hacked all the time. Some wordpress-specific lessons that are finally sinking in:

* Keep WP and all plugins updated
* Use as few plugins as possible and try to stick to those that are well-maintained
* Don't call your admin user "admin"
* Don't author posts / pages with your admin user and disable /author/ listing pages so that your admin username isn't easily discoverable
* Change the login url from /wp-admin/ to something else (there are plugins that can do this)
* Disable xmlrpc.php unless you know you definitely need it (you almost certainly don't)
* Disable write access to everywhere except wp-content/uploads if you can get away with it (but an annoying number of plugins need write access to random folders in wp-content/)
* Disable php execution in wp-content/uploads/
* Install a security plugin like Wordfence or iThemes Security. BUT, pay attention to what it is actually doing, especially how it is banning hosts after failed logins. I thought iThemes was taking care of bans for me, but turns out it was just writing new rules to an .htaccess file, which my server wasn't implementing anyway because I was using nginx.
* If you're getting a lot of brute force login attempts, just rename wp-login.php to wp-login.php.disabled for a while

Server specific stuff I've started doing because I'm paranoid now:

* Watch the WP directory for new or modified php files. Check for files that contain "eval" or "base64_decode", or which have a very long first line
* Watch server logs for suspicious POST requests (basically to any file other than wp-login.php, admin-ajax.php and wp-cron.php)
|
# ? Aug 1, 2016 14:06 |
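The two server-side checks at the end of fuf's list, written out as an added Python example (not code from the thread). It assumes the combined log format that nginx and Apache both produce by default; the 500-character "very long first line" threshold, the sample files and the sample log lines are all constructed for illustration.

```python
import os
import re
import tempfile
SUSPICIOUS_TOKENS = ("eval", "base64_decode")   # crude markers, as in the post
MAX_FIRST_LINE = 500   # constructed threshold for a "very long first line"
POST_ALLOWLIST = {"wp-login.php", "admin-ajax.php", "wp-cron.php"}

def suspicious_php_files(root):
    """[(path, reasons)] for .php files that contain a marker or start with a very long line."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            reasons = [t for t in SUSPICIOUS_TOKENS if t in text]
            if len(text.split("\n", 1)[0]) > MAX_FIRST_LINE:
                reasons.append("long first line")
            if reasons:
                hits.append((path, reasons))
    return hits

# Request-line part of the combined log format: "METHOD /path HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_posts(log_lines):
    """[(path, status)] for POSTs to any file whose basename is not in POST_ALLOWLIST."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]   # ignore the query string
        if os.path.basename(path) not in POST_ALLOWLIST:
            out.append((path, m.group("status")))
    return out

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2016:14:06:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523',
    '203.0.113.5 - - [01/Aug/2016:14:06:02 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8811',
    '198.51.100.7 - - [01/Aug/2016:14:07:15 +0000] "POST /wp-content/uploads/2016/08/cache.php HTTP/1.1" 200 44',
    '198.51.100.7 - - [01/Aug/2016:14:07:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
]

def scan_sample_tree():
    """Write a small constructed WP tree to a temp dir; return {basename: reasons} for flagged files."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php\necho 'hello';\n",
        "wp-content/uploads/2016/08/cache.php": '<?php eval(base64_decode("...placeholder..."));\n',
        "wp-content/plugins/foo/packed.php": "<?php " + "$a='x';" * 200 + "\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return {os.path.basename(p): r for p, r in suspicious_php_files(root)}
```

Run `suspicious_php_files` from cron against the real WP root and `suspicious_posts` over the tail of the access log; the token check is a heuristic and will also flag legitimate code that happens to call these functions, so treat hits as things to look at, not as proof of compromise.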
|
evol262 posted:Sketchup in wine is really king This is the best solution.
|
# ? Aug 1, 2016 14:53 |
|
fuf posted:oh hey, my wordpress sites get hacked all the time. Don't know if you are the guy, but there was somebody on this forum who runs WP as a hoster and he also had some good tips, like making the whole WP dir readonly etc. Can't seem to find the post anymore though.
|
# ? Aug 1, 2016 15:35 |
|
Mr Shiny Pants posted:Don't know if you are the guy, but there was somebody on this forum who runs WP as a hoster and he also had some good tips. Nah, I'm just the guy who shows up every few months saying "help all my wordpress sites got hacked again and I have no idea what I'm doing". I get a little better each time though. Making the WP directory read only is ideal if it's your own site and you're the only one who updates it, but it's less feasible when you're hosting for clients who want to install their own plugins etc. You also have to come up with some way to turn on write access when WP needs to update itself.
|
# ? Aug 1, 2016 15:47 |
|
Some time ago I had Transmission installed on my home server (Ubuntu 14.04 LTS if it changes anything). It worked fine. The daemon was always on and I had the web interface up (I honestly don't remember if I could access it outside the LAN, probably yes). For whatever reason, I was checking active connections on the machine and noticed a whole bunch of incoming connections from different parts of the world, including some sketchy ones like Iran and Russia (also "normal" countries like the US, et al). Netstat pointed to Transmission as the destination so I freaked out and uninstalled it and the connections stopped for good. I understand how torrents work, but when the connections were active there were no active torrents, which is why I got worried. Is it normal for Transmission to have open connections while the daemon is open and I was just worrying about nothing? Could it have been bruteforcing attempts at the Transmission web interface and if so, can I get around it by using fail2ban or should I just not have it up? Edit: I've since moved over to a new disk and a fresh CentOS 7 install with selinux set to enforcing.
|
# ? Aug 1, 2016 16:25 |
|
Mr Shiny Pants posted:Don't know if you are the guy, but there was somebody on this forum who runs WP as a hoster and he also had some good tips. Making the WP dir readonly is a good idea if you set up a cron job with permissions to update it regularly; otherwise you are better off turning on the wordpress auto update feature. A really common way to get owned is to download pirated wordpress themes.
|
# ? Aug 1, 2016 19:32 |
|
I'm having issues with Evolution's calendar. Specifically, it's attached to the MS Exchange Server at work, and it's all out of sync. It simply doesn't match what's in my Outlook 365 calendar (old, deleted meetings show up, meetings that have moved are in their original place, etc.), and I can't delete or add things to make it match. I wanted to detach Evolution from Exchange and re-attach, but the only way I see to do that is to delete the calendar, which Evolution says will delete it from the server. I very much don't want to do that. I guess I can uninstall Evolution, reinstall it, and hope I can re-attach it to Exchange properly and that everything will just work, but is there any less drastic way to re-sync the calendar? Part of the problem may be that I'm trying to deal with three different calendars (I ran into trouble while trying to consolidate down to just one).
|
# ? Aug 1, 2016 21:57 |
|
fuf posted:oh hey, my wordpress sites get hacked all the time. Thanks! I just did all of these things. Most of them were even doable with plugins. I now have a LEMP stack running Wordpress on CentOS 7 with selinux intact! Turns out keeping selinux up wasn't so bad. I just had to get real used to grep-ing /var/log/audit/audit.log for denied entries, then use audit2allow to approve them one by one. Thanks for all the great advice everyone!
|
# ? Aug 2, 2016 03:59 |
|
audit2allow -a will scan the log and generate rules for you, if that's easier
|
# ? Aug 2, 2016 04:32 |
|
bobfather posted:Thanks! I just did all of these things. Most of them were even doable with plugins. And this makes my 9 beers in rear end love linux logs even more.
|
# ? Aug 2, 2016 04:38 |
|
Is there a way for me to send a magic packet to my computer at work every morning (say from my home network or whatever) for wake on lan, when I have no control of the network at work? I'm pretty sure the answer is no right?
|
# ? Aug 2, 2016 07:44 |
|
Boris Galerkin posted:Is there a way for me to send a magic packet to my computer at work every morning (say from my home network or whatever) for wake on lan, when I have no control of the network at work? I'm pretty sure the answer is no right? You need something on that network. Alternatively you might have a BIOS option to turn on at a certain time of day.
|
# ? Aug 2, 2016 16:20 |
|
Boris Galerkin posted:Is there a way for me to send a magic packet to my computer at work every morning (say from my home network or whatever) for wake on lan, when I have no control of the network at work? I'm pretty sure the answer is no right? If the network admins at your work are at all competent, the answer should be "haha no". When your computer at work is off, it won't answer to ARP requests. As a result, it won't be reachable by its ordinary IP address: if you try, the packet will go as far as the gateway of the segment containing your work computer. Then the gateway will see that its ARP table entry for that IP address is expired, and will fire off an ARP request. After getting no answer for that, you might get a "host not found" ICMP message back (unless some firewall is blocking those in order to prevent outsiders from mapping your work network just like that). So, you would have to send the WoL magic packet as a directed broadcast to the network segment that is known to contain your work computer. This is certainly possible, technically. The problem is that directed broadcasts used to be mostly known for Smurf attacks, Windows Messenger Service pop-up spam and other kinds of nuisance, and there is no "universally accepted and useful" service that would use directed broadcasts for anything. As a result, "block all directed broadcasts at every router ever" is standard practice and part of Network Firewalls 101. The standard ways to use Wake-on-LAN seem to be either: a) set up something in each network segment that can send WOL packets for hosts in that segment as necessary (a RasPi would be more than adequate for this job), or b) choose one or two special network management servers/workstations and set up the necessary special firewall rules to allow them to send WOL packets anywhere inside an organization's network.
|
# ? Aug 2, 2016 16:48 |
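telcoM's description of the magic packet and of the directed broadcast it has to ride on, as an added Python example that is not from the thread. It covers what the segment-local helper in option (a) would need: building the packet, recognising one (handy for spotting WoL traffic in a capture), and working out the directed-broadcast address of a segment. The MAC addresses and subnets are constructed, and UDP port 9 is the conventional choice, not something the post specifies.

```python
import ipaddress
import socket

WOL_SYNC = b"\xff" * 6   # a magic packet starts with six 0xFF bytes
WOL_PORT = 9             # conventional "discard" port used for WoL (assumption)

def parse_mac(mac):
    """'00:11:22:33:44:55' (or with '-') -> 6 raw bytes; rejects anything else."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return raw

def build_magic_packet(mac):
    """Sync stream followed by the target MAC repeated 16 times (102 bytes)."""
    return WOL_SYNC + parse_mac(mac) * 16

def magic_packet_target(data):
    """Return the MAC a UDP payload would wake, or None if it is not a magic packet.
    Trailing bytes (e.g. a SecureOn password) are tolerated."""
    if len(data) < 102 or data[:6] != WOL_SYNC:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    return ":".join("%02x" % b for b in mac)

def directed_broadcast(cidr):
    """Directed-broadcast address of a segment, e.g. 192.0.2.0/24 -> 192.0.2.255.
    This is the destination that routers normally refuse to forward, which is
    why sending WoL from outside the segment usually goes nowhere."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)

def send_wol(mac, cidr, port=WOL_PORT):
    """Send the packet as a UDP broadcast into the segment. Must run on a host
    where that broadcast is actually delivered, e.g. telcoM's RasPi in option (a)."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (directed_broadcast(cidr), port))

if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")   # constructed MAC
    print(len(pkt), magic_packet_target(pkt), directed_broadcast("192.0.2.0/24"))
```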
|
Boris Galerkin posted:Is there a way for me to send a magic packet to my computer at work every morning (say from my home network or whatever) for wake on lan, when I have no control of the network at work? I'm pretty sure the answer is no right? telcoM's answer covered WoL. But an alternative that may work for you is to not shut down your computer. Just put it to sleep and configure your NIC's Power Management settings in such a way that it is allowed to wake your computer. Then even just a ping should be able to wake the computer from sleep. It's been years since I last tried this, but in my testing you could take an RDP connection to a sleeping computer and you didn't even notice any delay. The biggest shortcoming is that anything may wake up the computer, for example your company's management system trying to contact it.
|
# ? Aug 2, 2016 23:04 |
|
Couldn't find a megathread, and all my email stuff runs linux, sorry if this is the wrong place: If I've got SPF TXT records for my domain and I add a TXT record with DMARC data and set p=none, will receiving email servers continue to check the SPF records?
|
# ? Aug 3, 2016 01:01 |
|
Any sed gurus here? I need to replace an entire line based on the string it begins with. Example: From: >system.log arg1=xyz arg2=xyz arg3=xyz To: >system.log blah7=bla blah8=bla blah9=bla so if I were looking to just replace arg1='s name I could just s/arg1/arg2/, but I want to change the entire line's contents. Essentially I will be replacing the line with something completely different except for the ">system.log" lead-in. The contents of the line I want to replace will be static so I don't need to do any sub-field replacements. Essentially I want to tell sed to: sed "replace any line you find that starts with '>system.log' (I don't care what follows) with '>system.log new=content is=here'"
|
# ? Aug 5, 2016 15:53 |
|
Martytoof posted:Any sed gurus here? code:
anthonypants fucked around with this message at 16:06 on Aug 5, 2016 |
# ? Aug 5, 2016 16:03 |
|
Martytoof posted:Any sed gurus here? 's/arg\(.\)=[[:alnum:]]\+/blah\1=bla/g'
|
# ? Aug 5, 2016 16:15 |
|
Apparently it has come to light that the RAID5/6 code in BTRFS is a total clusterfuck. Am I the only one who finds it amusing that after all those years, BTRFS is still in this Heisenberg-ish state, when meanwhile some FOSS keep creating storms in a teacup in regards to shipping ZoL included in distros?
|
# ? Aug 5, 2016 17:31 |
|
Bless you, generous sed gurus. I am a fairly competent linux mans but when it comes to anything beyond basic sed or regex I fall to pieces.
|
# ? Aug 5, 2016 17:34 |
|
Martytoof posted:Bless you, generous sed gurus. Well good news, it's the weekend and you have free time to go through all of the puzzles on https://regexcrossword.com/. I recommend all of my tier 1s go through that. Once you see regex/sed/awk as a puzzle, it all falls into place. At least it did for me.
|
# ? Aug 5, 2016 18:59 |
|
Tigren posted:Well good news, it's the weekend and you have free time to go through all of the puzzles on https://regexcrossword.com/. I recommend all of my tier 1s go through that. Once you see regex/sed/awk as a puzzle, it all falls into place. At least it did for me.

FFS, I was doing ok until I got to this: Some of those aren't even in the loving cheat sheet agggggh

.?.+: = any character (none or once), any character (1 or more times)
.+ = any character (1 or more times)
[*]+ = ?????? (is this the same as [.+] ?)
/* = ???????????????? (what the gently caress is that forward slash)

dpkg chopra fucked around with this message at 20:05 on Aug 5, 2016 |
# ? Aug 5, 2016 19:57 |
|
* is a literal character when used inside a character class.
|
# ? Aug 5, 2016 20:12 |
|
Ur Getting Fatter posted:FFS, I was doing ok until I got to this: ** // e: you're gonna love experienced #4 anthonypants fucked around with this message at 20:43 on Aug 5, 2016 |
# ? Aug 5, 2016 20:13 |
|
My change request to update our Linux servers is finally getting approved, but my boss wants a rollback plan. So, if I wanted to generate a list of pending updates and cross-reference those with the current version, is there a flag I can add to yum check-update to do that or will I have to run yum list installed and compare them by hand?
|
# ? Aug 5, 2016 22:50 |
|
Combat Pretzel posted:Apparently it has come to light that the RAID5/6 code in BTRFS is a total clusterfuck. Am I the only one who finds it amusing that after all those years, BTRFS is still in this Heisenberg-ish state, when meanwhile some FOSS keep creating storms in a teacup in regards to shipping ZoL included in distros? I don't think raid56 has ever been claimed to be other than very experimental, and not recommended outside of testing. It's just new that it's been very definitely confirmed that it will almost certainly eat data during rebuild. raid1/0 has been for a good while, and is still, considered safe.
|
# ? Aug 5, 2016 22:56 |
I need a tool to monitor things like CPU, disk, network, jvm (tomcat), etc for a few dozen machines. I was thinking of setting up Cacti but I was wondering if there's any other tools I should consider before going down that route. Cacti just seems old and ugly, I think it would get the job done though. One of the main criteria is that I can run it and host it myself, so I can retain my historical data as long as I want. fletcher fucked around with this message at 00:08 on Aug 6, 2016 |
|
# ? Aug 5, 2016 23:59 |
|
fletcher posted:I need a tool to monitor things like CPU, disk, network, jvm (tomcat), etc for a few dozen machines. I was thinking of setting up Cacti but I was wondering if there's any other tools I should consider before going down that route. Cacti just seems old and ugly, I think it would get the job done though. Grafana + InfluxDB + collectd. There are other choices for InfluxDB/collectd that are good too.
|
# ? Aug 6, 2016 00:11 |
|
Yeah Grafana and Influx is kinda hot. I like Munin a lot too, sorta depends on what you do or don't care about. Prometheus sounds neat, but I've never used it, it just barely missed the cut, last time I was picking a monitoring thing. Mao Zedong Thot fucked around with this message at 17:05 on Aug 6, 2016 |
# ? Aug 6, 2016 02:17 |
|
collectd looks pretty cool! Gonna play with it some more on Monday. Looks like it has plugins for pretty much everything I'm looking for. So that collects the stats, InfluxDB stores them, and Grafana to display them? How much fiddling does it take to get them all to play nicely with each other?
|
|
# ? Aug 6, 2016 02:26 |