Grump posted:Because I just want to idk. This isn't like a production server with valuable stuff on it. Is it for like ansible testing or what? You can sudo to root. I get it’s for fun but like let us help you show you the right way to do this for production stuff.
|
# ? May 12, 2018 03:38 |
|
Should I just turn off password authentication and root user login in the sshd_config file then?
|
# ? May 12, 2018 03:55 |
|
Grump posted:Should I just turn off password authentication and root user login in the sshd_config file then? Ideally yes. You log in as your user and sudo when you need root. Try to do as much as you can as your user. You’ll see you can do a bunch of stuff as your user. Being root all the time is a bad habit.
|
# ? May 12, 2018 04:01 |
|
Maybe I won’t go as far as disabling password auth because it’s still a nice fallback when you don’t have your laptop or workstation handy but yeah disable root. Look at your auth log. You’ll see millions of failures of logging in via ssh as root. Assuming this is a public server.
|
# ? May 12, 2018 04:04 |
|
maybe edit sudoers to prevent root shell at all so you have to use the sudo command for all root commands.
|
# ? May 12, 2018 04:05 |
|
RFC2324 posted:maybe edit sudoers to prevent root shell at all so you have to use the sudo command for all root commands. ouch. that's too far.
|
# ? May 12, 2018 04:37 |
|
Good habit though. Horribly frustrating but a good habit
|
# ? May 12, 2018 04:42 |
|
There are so many things you have to exclude to fully prevent it, though. All the various shells, plus anything that can execute arbitrarily. Vim is a great example. If I can sudo vim, from inside I can :!bash, and now I'm in a root shell. I mean, yes, it's a good practice, but it's impractical and doesn't actually gain you anything but frustration.
|
# ? May 12, 2018 05:34 |
|
I'm completely lost in regards to running a cron job in crontab to auto renew my SSL. I'm currently running this command 0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew and I can see that it's run in the cron logs, but I don't have any mail server set up, so I can't see if there's any errors. Is there some way to easily email myself the logs in the command line without having a mail server set up?
|
# ? May 12, 2018 06:32 |
|
G-Prime posted:There are so many things you have to exclude to fully prevent it, though. All the various shells, plus anything that can execute arbitrarily. Vim is a great example. If I can sudo vim, from inside I can :!bash, and now I'm in a root shell. I mean, yes, it's a good practice, but it's impractical and doesn't actually gain you anything but frustration. it breaks the habit of becoming root. if you are going for security instead of just breaking bad habits, then there are better ways of locking root down.
|
# ? May 12, 2018 06:53 |
|
Grump posted:I'm completely lost in regards to running a cron job in crontab to auto renew my SSL. I'm currently running this command Try typing mail when you’re root. It probably went to a mbox on your server.
|
# ? May 12, 2018 06:53 |
|
Hot take: if you're connecting to a remote server and then always immediately sudoing I personally fail to see how that's particularly more secure than just directly logging in as root. It feels sort of like how curl | bash is somehow inexplicably considered worse than downloading a random binary and running it without verifying it in any way.
|
# ? May 12, 2018 14:40 |
|
The immediate advantage I can see to SSH in then sudo rather than SSH in as root is that you could do pubkey auth to SSH in and then require a password to sudo, as means of doing MFA root access. Though, at that point I don't really know why you wouldn't just use PAM's OTP support for it.
|
# ? May 12, 2018 14:48 |
|
mystes posted:Hot take: if you're connecting to a remote server and then always immediately sudoing I personally fail to see how that's particularly more secure than just directly logging in as root.
|
# ? May 12, 2018 14:54 |
|
Use Kerberos, the principal and account accessed get put in system logs. For even more auditing look up HISTTIMEFORMAT.
|
# ? May 12, 2018 15:02 |
|
jaegerx posted:Try typing mail when you’re root. It probably went to a mbox on your server. I changed the MAILTO to my personal email. But if I don't have a mail server set up, this won't function at all, correct? e: I was thinking about logging to a file and then deleting that file once a month for the time being until I get mailing capabilities. Looks like all my crons are functioning correctly teen phone cutie fucked around with this message at 15:55 on May 12, 2018 |
# ? May 12, 2018 15:41 |
|
mystes posted:Hot take: if you're connecting to a remote server and then always immediately sudoing I personally fail to see how that's particularly more secure than just directly logging in as root. Spicy. But auditing and ssh keys are the right answer to protect from drive-bys, along with not sharing the password, easy changes by adding/removing LDAP users to a group authorized to sudo, configuration management control of sudoers rules, etc. This is the same reason many businesses use PowerBroker or other audit tools. curl | bash is garbage because you have no idea what that script is doing unless you actually look at it, and GitHub (until very recently) allowed ghosting of popular projects. Grabbing a binary/rpm from SourceForge isn't necessarily safer, but at least you can checksum that and match against a known checksum before you install it with Ansible or whatever.
|
# ? May 12, 2018 17:03 |
|
Grump posted:I was thinking about logging to a file Just a handy tip, bash scripts can redirect themselves: code:
|
# ? May 12, 2018 18:32 |
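The "redirect itself" tip above, applied to Grump's certbot cron job: an added example wrapper, not code from anyone in the thread. It appends its own stdout and stderr to a log file so renewal errors are visible without a mail server, keeps the random delay from the cron entry, and records certbot's exit status. LOG_FILE and CERTBOT are placeholder paths.

```shell
#!/bin/sh
# Added example (not a post from the thread): a wrapper that cron runs instead
# of the bare certbot line, logging its own output to a file because there is
# no local mail server to deliver cron mail. LOG_FILE and CERTBOT are
# placeholder paths; adjust them to the real ones.
LOG_FILE="${LOG_FILE:-/var/log/certbot-renew.log}"
CERTBOT="${CERTBOT:-/path/to/certbot-auto}"

# From here on, everything the script (and certbot) prints, including errors,
# is appended to the given log file. This is the "redirect itself" trick.
redirect_self() {
  exec >>"$1" 2>&1
}

# Timestamp each line so separate runs can be told apart in the log.
log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
}

# Random delay of 0..3599 seconds, like the python one-liner in the cron entry,
# done with awk so the script does not depend on python.
random_delay() {
  awk 'BEGIN { srand(); print int(rand() * 3600) }'
}

# Run the renewal and record its exit status; a failing renewal would otherwise
# go unnoticed without mail. Returns certbot's own exit status.
run_renew() {
  status=0
  log "starting renewal with $1"
  if "$1" renew; then
    status=0
  else
    status=$?
  fi
  log "renewal finished with exit status $status"
  return "$status"
}

main() {
  redirect_self "$LOG_FILE"
  sleep "$(random_delay)"
  run_renew "$CERTBOT"
}

# Cron entry (constructed): 0 0,12 * * * RUN_RENEW=1 /usr/local/sbin/renew-certs.sh
if [ "${RUN_RENEW:-0}" = 1 ]; then
  main
fi
```

Rotating the log file (for example with logrotate) replaces the "delete it once a month" step.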
|
Okay cool got that working. My last big task to complete is figuring out email. On my site, I have a mail form that previously just used php’s mail() function, but with this new box I don’t have a mail server set up. I was looking into PHPMailer as an alternative, but is getting a mail server up a must?
|
# ? May 12, 2018 19:57 |
|
Postfix + nexthop sender transport to a service that uses SMTP authentication. Disable “mynetworks” from smtpd_auth_restrictions to provide some audit trail either through the local pickup service or SASL authentication for mail that originates from the server. Edit: formatting... phone, rotting in a Dillard’s. Save me Late edit: and use iptables to restrict SMTP access to postfix uid/mail gid. nem fucked around with this message at 23:26 on May 12, 2018 |
# ? May 12, 2018 21:43 |
|
nem posted:Postfix + nexthop sender transport to a service that uses SMTP authentication. e: loving BBCode is automatically formatting my links. I ended up trying to install Postfix with Dovecot, but I hosed everything up and now somehow https://www.mysite.com and mysite.com have two different document roots, so I uninstalled all the mail server stuff I set up and I'm still having this issue. I have https://www. going to var/www/html/mysite.com/public_html and mysite.com going to var/html My httpd config file looks like this code:
teen phone cutie fucked around with this message at 23:52 on May 13, 2018 |
# ? May 13, 2018 23:48 |
|
I'll preface this with saying I'm a Linux novice: I installed 18.04 on a virtualbox. When trying to use apt-get to install some packages, I'm being informed that it can't be installed because I'm missing python. Now I'm guessing that is because python3 is now the default for 18.04. I'm unsure on how to go about safely fixing this so I can install packages that depend on python2.
|
# ? May 14, 2018 19:48 |
|
Hughmoris posted:I'll preface this with saying I'm a Linux novice:
|
# ? May 14, 2018 19:59 |
|
anthonypants posted:Can you post the whole error message? Here is what I get when I try: sudo apt-get install atom code:
|
# ? May 14, 2018 20:07 |
|
Did you try what it suggested? (apt --fix-broken install)? a very short google session suggests it's likely some broken dependencies on your end. are you masking packages or anything?
|
# ? May 14, 2018 20:11 |
|
I just tried the --fix-broken install, and it appears to have worked. Not masking any dependencies that I know of (not sure I would know if I was), just a clean install of 18.04. Thanks for the help.
|
# ? May 14, 2018 20:14 |
|
Grump posted:httpd.conf I hate tutorials, because they explain what to do not why you do it. DO's incentivization structure to exchange tutorials for hosting credit is creating an absolute mess by diminishing the role of system administrator resulting in half-rear end setups such as what they're recommending. It's broken because of virtualhost resolution. Apache will match a hostname:port to its corresponding virtualhost container. With this configuration both mysite.com:80 and www.mysite.com:80 will serve content from /var/www/html/mysite.com. Because you don't have a separate virtualhost container set up for *:443 with both mysite.com and www.mysite.com as a ServerAlias, it'll default to your system DocumentRoot setting in httpd.conf that is outside any <virtualhost>...</virtualhost> container. Set up another virtualhost container, use the same config, add SSLEngine On, set up your SSL* directives, and that should do it. Utilizing a nested document root structure is considered bad practice too. If foobar.com serves from /var/www/html, then you can unintentionally leak mysite.com by accessing foobar.com/mysite.com/whatever. Put your subordinate domains under /var/www/<domain> and your primary under /var/www/html. Plus it causes problems with htaccess rule inheritance as mysite.com under /var/www/html/mysite.com will check for and inherit any directives in /var/www/html assuming AllowOverride is set for /var/www. quote:The tutorial I was using told me to add an MX record of mysite.com with a higher priority than mail.mysite.com? Could that be the issue? nem fucked around with this message at 21:06 on May 14, 2018 |
# ? May 14, 2018 21:03 |
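The two containers nem describes, written out as an added example (not nem's or Grump's actual config). mysite.com, the non-nested DocumentRoot and the Let's Encrypt certificate paths are assumed placeholders; the port 80 container only redirects, since, as noted further down in the thread, that is all port 80 needs to do once TLS is set up.

```apache
# Added example, not configuration from the thread. Hostnames and paths are placeholders.

# Port 80: matched for both hostnames, hands out a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    Redirect permanent "/" "https://mysite.com/"
</VirtualHost>

# Port 443: without this container, TLS requests for either hostname fall
# through to the global DocumentRoot in httpd.conf, which is the symptom above.
# Same ServerName/ServerAlias pair as the port 80 container.
<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
    # Not nested under /var/www/html, so foobar.com/mysite.com/... cannot leak it
    # and no .htaccess directives are inherited from /var/www/html.
    DocumentRoot /var/www/mysite.com/public_html

    SSLEngine on
    # Assumed certbot layout; substitute the real certificate paths.
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
</VirtualHost>
```

Run apachectl configtest after editing; a missing Listen 443 or mod_ssl not being loaded will show up there before a reload.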
|
So I have a bunch of PCs that are old enough to drink in the US and I'd like to throw some Linux on them for some basic internet functionality because I can and I'm a masochist (Ask me about my 80's Chrysler). I do know a moderate amount of Linux already so I can deal with installing packages and editing configs. Does anyone know any current distros that would run smoothly on the below (UI preferred):
-CPUs ranging between a 120 MHz Cyrix 5x86 and a 650 MHz AMD Athlon; there are 2 400 MHz dual PIIs too.
-RAM ranging from 128 MB to 512 MB at 33-100 MHz.
-Hard drives from 1.5-40 GB. Some have the 2 GB BIOS limit.
-Video cards range from a Trident SVGA to S3 Virge to an NVidia GeForce 420MX. Lots of ATI Rage cards on hand.
-Sound cards are all either actual Sound Blaster 16s or compatible.
-ISO preferably small enough to burn onto a CD. USB booting is possible for those that have USB but it requires a floppy disk.
-All systems have at least a 10 Mb NIC.
-Chipsets are either VIA or stuff like the 440BX that is commonly emulated in VMs.
As for why I don't just buy a Raspberry Pi, well I own these and have the monitors/kb/mice etc and none of it would even connect to a Pi since it's all like PS2/AT/Serial/VGA etc. A few of them can run Windows 7 poorly so don't let me down goons.
|
# ? May 14, 2018 23:41 |
|
Debian at least still has an up-to-date i386 installation distributed on CD. That should get you basic X windows and a place to start. Even when your hardware was current Linux support was kind of the wild wild west so depending on graphics card and such there may be many hours of research involved in making everything work. EDIT: Comedy answer: Set up external compilation for Gentoo on your other systems and compile everything from scratch. SoftNum fucked around with this message at 01:52 on May 15, 2018 |
# ? May 15, 2018 01:47 |
|
I'd use BSD 10 times out of 10 on those
|
# ? May 15, 2018 02:13 |
|
nem posted:Edit: automatically parse URLs That's odd that the Let's Encrypt tutorial never mentioned this at all. I had no idea HTTPS listens on a different port - I'm an absolute Linux noob
|
# ? May 15, 2018 11:43 |
|
HTTPS using a different port is an HTTPS thing, not a linux thing.
|
# ? May 15, 2018 12:54 |
|
HTTP and HTTPS are (by default anyway) set to be ports 80 and 443, respectively. That's not to say it's impossible to run HTTPS over port 80. But you'd be in for a world of hurt as every browser that tried visiting your page would try HTTP when visiting, while you'd be serving HTTPS.
|
# ? May 15, 2018 13:13 |
|
How come STARTTLS didn't get tacked on for HTTP like it did for other protocols anyway?
|
# ? May 15, 2018 14:29 |
|
The fun part about port 80 is it serves no purpose anymore but handing out a permanent redirect to 443. It should be a single line option in httpd.conf at this point.
|
# ? May 15, 2018 14:44 |
|
Grump posted:I'm an absolute Linux noob Everyone is at one point. Best advice I can give you is pick up a book on Apache and read cover to cover. It provides the foundation of many critical RFCs that provide opportunities to learn further. Compile a kernel from source and learn, too, what the options under Processor features/General setup do at a bare minimum. You can use tutorials as a starting point, but buy a book to flesh out your knowledge unless you want your server to run away and join the Syrian Liberation Army or Palestinian cause or Free Tibet or #notmypresident or whatever the fun ephemeral internet casus belli is this week. Tutorials only provide for shallow learning and on that level it’s not worth learning at all. The rest of what folks say around here is because we’ve got a killer porcelain tan and that takes many years of practical experience.
|
# ? May 15, 2018 15:02 |
|
Books are kinda questionable when you can google literally every administrative task you would ever need for a linux machine. If that's your preferred type of learning not trying to talk anyone out of it, but it's not the One True Way(tm) to become competent.
|
# ? May 15, 2018 15:04 |
|
Technical books are the only book format that doesn’t put me to sleep. As long as the material is comprehensive you can use it. Just not tutorials. Red Hat publishes some great, thorough documentation.
|
# ? May 15, 2018 15:07 |
|
nem posted:Everyone is at one point. Best advice I can give you is pick up a book on Apache and read cover to cover. It provides the foundation of many critical RFCs that provide opportunities to learn further. Compile a kernel from source and learn too what the options under Processor features/General setup do at a bare minimum. What I recommend for people to get familiar with Linux is that they get ahold of an old laptop and install Fedora on it. Then get everything (I mean everything) to work, this includes:
1) media keys
2) hibernating/sleep function and buttons properly
3) wifi
4) wifi on/off switches
5) all function keys
6) screen dimming
7) webcam
8) closing lid making it properly go to sleep or hibernate or both
And then use it as your daily laptop. If you need a Windows app for work or a VPN, get that to work. For Windows set up WINE or a Windows VM. If something doesn't work, figure it out. And just do it. You'll learn the ins and outs of dealing with the interesting problems of Linux. Now, the next few posts (as commonly occurs when I post this) will be responses that most of those things work out of the box with Linux now, but I promise you it will be a frustrating adventure into madness to get it all working right to the point where you can start using the laptop 100%. If you want to learn Linux you have to use it for real, and this is a real darn good way to start.
|
# ? May 15, 2018 15:09 |
|
Should also add "Docking" to that list (if applicable). On my current laptop everything on that list worked 100% out of the box. But not the Thunderbolt dock. That needed BIOS configuring.
|
# ? May 15, 2018 15:30 |