Back to Home / #linode / 2006 / 02 / Prev Day | Next Day
#linode IRC Logs for 2006-02-03

---Logopened Fri Feb 03 00:00:38 2006
00:06<Zach>Do the Linode's often get hacked?
00:08<@mikegrb>not if you keep all the software up to date
00:08<@mikegrb>especially web based stuff
00:09<Zach>Can you recommend a good firewall script?
00:10<@mikegrb>don't use one myself
00:11<taupehat>Zach: iptables gives you all you need
00:11<taupehat>-P INPUT DROP with inbound ports that you want open
00:11<taupehat>add fail2ban to handle brute-force attacks
00:11<taupehat>and it's pretty darn tight
00:11<taupehat>but if you run any sort of dynamic web app, you'll still need to sit on it pretty tightly
00:11<taupehat>mod_security for apache can help
00:12<@mikegrb>what not just let uptables take care of it?
00:12<taupehat>it does
00:12<taupehat>but if you have a webapp you have to allow inbound port 80
00:12<@mikegrb>[00:11] <taupehat> add fail2ban to handle brute-force attacks
00:12<taupehat>mikegrb: some of us like to be able to ssh into our linodes =]
00:12<@mikegrb>iptables has stuff built in
00:13<taupehat>plus, fail2ban is not just for iptabls
00:13<taupehat>works neatly for smtp server, apache mod_auth, etc
00:13<@mikegrb>but that isn't what you were talking about
00:14<taupehat>go on...
00:14<@mikegrb>" add fail2ban to handle brute-force attacks "
00:14<@mikegrb>how often does it check you logs?
00:16<taupehat>from what I've seen, I think it just uses tail -F
00:16<@mikegrb>it doesn't
00:16<@mikegrb>it polls periodically
00:16<taupehat>it usually catches after 5 or 6 failed logins
00:16<@mikegrb>and how many are required to ban?
00:17[~]taupehat looks at conf
00:17<@mikegrb>here's the thing, I see one attempt a month or so that lasts longer then 60 seconds
00:17<taupehat>maxfailures = 5
00:17<@mikegrb>so limiting to 3 new ssh connection attempts in 60 seconds cuts the person off at 3
00:18<@mikegrb>and it doesn't add extra rules to the iptables chain each time
00:18<@mikegrb>each rule adds to connection latency
00:18<@mikegrb>plus, you have an extra daemon running eating up resources
00:19<@mikegrb>particularly io, checking the log files once a second (by default)
00:19<Zach>I can't update the kernel without messing up UML right?
00:19<@mikegrb>you can't update the kernel anyway
00:20<@mikegrb>the website lets you pick your kernel from a drop down list
00:20<@mikegrb>if you pick a 2.6 kernel, make sure you "mv /lib/tls /lib/tls-disabled" first
00:25<Zach>Good deal. Thanks!
00:26|-|Zach [] has quit [Quit: CGI:IRC (EOF)]
00:41|-|Dreamer3 [] has quit [Ping timeout: 480 seconds]
00:43|-|Dreamer3 [] has joined #linode
00:51|-|newguy [] has joined #linode
00:52<newguy>I was hoping to sign up but was asked to fax my licence and credit card.. which I attempted, but the fax line responds with "The number you have reached is temporarily unavailable. Please try again later"
01:01<@mikegrb>newguy: give me a couple of minutes
01:02<newguy>no worries
01:07<@mikegrb>newguy: all set
01:08<newguy>the fax should be working again?
01:09<@mikegrb>your account is activated
01:09<newguy>oh sweet
01:09<taupehat>welcome to linode =]
01:09<taupehat>so mikegrb, be glad tomorrow that you don't administer windows machines... I'm a wondering how ugly it's going to turn out to be.
01:09<newguy>I'm looking forward to my first virtual linux system
01:10|-|Newsome [] has quit [Quit: Linux: Now with employee pricing!]
01:10<newguy>I'm looking to run a mod_perl with Mason server
01:10<@mikegrb>doubt it will be a big deal
01:10<taupehat>probably not
01:10<newguy>so quite excited :)
01:10<taupehat>except for those who get it
01:10<@mikegrb>those who get it deserve to get it
01:10<taupehat>they'll enjoy total loss of documents, which is a pretty big deal for them
01:10<taupehat>you have to click on a link advertising porn to get it
01:11<taupehat>still, I'm thinking here most of the family computer with the teenager
01:11<newguy>yay mike I logged in ok to the member's area.. now to go home (it's Friday evening here in Sydney) and have a play!
01:11<@mikegrb>do you live in nz, work in sydney?
01:11<newguy>it's complicated..
01:12<taupehat>that'd be a bit of a commute
01:12<newguy>I have NZ/Aus citizenship.. have bankaccounts/mail in both countries
01:12<@mikegrb>(the IP/address mismatch is why you originally got the order status email)
01:12<newguy>lived last 10 years in NZ and spent last year in Aus.. so paying from Australia, but have my central mail in NZ.. intend to travel to UK in a couple of months.. want a central server that doesn't move as I move
01:13<newguy>NZ is a much cheaper country to store stuff in.. services are cheaper, etc.. so that's why I make it my base for some international stuff
01:13<newguy>anyway.. aus/nz are small fry compared to the large USA
01:14<newguy>get a lot of international customers mike?
01:14<@mikegrb>a fair bit
01:16|-|newguy [] has left #linode []
02:49|-|newguy [] has joined #linode
02:49<newguy>just wondered if I was doing something silly.. I just installed new dist (debian) and ssh'd into lish, and typed "boot" and when I type "status" it says "Powered off"
02:50<@mikegrb>it will take a moment for the boot to go through
02:50<newguy>seconds? minutes?
02:50<@mikegrb>a minute
02:50<newguy>hmm ok
02:50<@mikegrb>I'm looking into it right now
02:51<newguy>oh thanks
02:51<@mikegrb>have you booted from the website?
02:52<newguy>no, from lish
02:52<newguy>I went to the website, to the distro wizard
02:52<newguy>installed the distro
02:53<@mikegrb>I believe the first boot has to be issued from the website, as boot in lish boots the last used profile, so if it hasn't booted from the website it doesn't know what profile to boot
02:53<newguy>oh ok
02:53<@mikegrb>I've issued a boot for you and it looks like it is up
02:53<newguy>thankyou muchly
02:53<@mikegrb>not a problem
02:53<newguy>awesome I can confirm status is "Runing"
02:54<@mikegrb>if you hit enter you should get the console
02:54<newguy>I've got ssh so I'm very happy
02:54<@mikegrb>lish can come in handing if you mess up a firewall rule or somesuch
02:54<newguy>oh true
02:55<@mikegrb>many people don't realize it is there, or forget that it is there once they have a problem
02:55<newguy>console access is really smart
02:55<newguy>I'm impressed
02:56<newguy>the images automatically know the time/date?
02:57<newguy>I guess they get the clock off the super os
02:57<newguy>but if the user sets the time it doesn't affect the parent os?
02:57<newguy>ah good :)
02:57<@mikegrb>it stores the local time as a delta from the host
03:04|-|Dreamer3 [] has quit [Quit: Leaving]
03:05|-|Dreamer3 [] has joined #linode
03:36|-|Internat [] has joined #linode
03:36<Internat>anyone know if u can speicify the static output directory for awstats in the config file? ie that the output direcotry would be for instance /home/hosting/domain.tld/www/stats/
03:39<@mikegrb>be surprised if you couldn't
03:39<Internat>thatd suck
03:39<Internat>i know u can do it with a commandline option
03:41<Internat>looks like ill just have to make my own script up
03:50<Internat>god it takes ages to pass through the log files :/
04:05<Internat>hmms i think im going to have to make sepearte sections for different months anyways
05:02|-|newguy [] has quit [Quit: newguy]
05:28|-|BB [] has quit [Read error: Connection reset by peer]
05:29|-|BB [] has joined #linode
06:27|-|jekil [] has joined #linode
06:42|-|linville [] has joined #linode
06:58|-|jekil [] has quit [Quit: Leaving]
07:12|-|BB [] has quit [Quit: Moo]
07:13|-|BB [] has joined #linode
07:33|-|BB [] has quit [Read error: Connection reset by peer]
07:33|-|BB [] has joined #linode
07:34|-|Redgore [~Redgore@] has joined #linode
08:46|-|Internat [] has quit [Ping timeout: 480 seconds]
09:49|-|spr [] has joined #linode
11:18|-|D[a]rkbeholder [] has joined #linode
11:18|-|darkbeholder [] has quit [Read error: Connection reset by peer]
11:26|-|jekil [~alessandr@] has joined #linode
11:54|-|Newsome [] has joined #linode
12:42|-|Dreamer3 [] has quit [Ping timeout: 480 seconds]
12:45|-|Dreamer3 [] has joined #linode
12:56|-|FireSlash [] has joined #linode
13:49|-|besonen__ [] has quit [Ping timeout: 480 seconds]
14:27|-|besonen [] has joined #linode
14:29|-|FireSlash [] has quit [Quit: Leaving]
15:07<warewolf>man that is so very it.
15:07<[|^__^|]>here it comes
15:08<warewolf>I'm starting my comparison between apache and lighttpd now.
15:13<warewolf>caker/mikegrb- around?
15:14<kvandivo>are you accusing them of being obese?
15:14<Beirdo>no comment
15:15<Beirdo>be too much like living in a glass house and chucking stones for many of us
15:15<warewolf>I'm going to rtfm on both, and present facts
15:15<warewolf>because I'm tired of the zealotism
15:16<kvandivo>luckily, everyone will accept your statements as absolute fact. that makes things a lot easier
15:16<warewolf>kvandivo: I'll document references
15:16<warewolf>kvandivo: behold, the power of the world wide web :)
15:17<warewolf>kvandivo: everyone will be able to check my facts, and come to their own decisions
15:18<warewolf>.. good .. lighttpd doesn't have two "stable" branches liek apache does.
15:22<[|^__^|]>documenting sources doesn't make you immune to fallacy
15:23<[|^__^|]>special pleadings, for a start
15:23<[|^__^|]>I have little experience with lighthttpd, but it strikes me that many of the pro-lighthttpd arguments I see vs apache tend to be either a little misinformed or out of date or both.
15:24<[|^__^|]>so I would welcome a balanced analysis
15:25<[|^__^|]>I used to run boa for static content (images etc)
15:25<[|^__^|]>but then I realized that apache's intelligent caching made it a win over boa
15:26<[|^__^|]>if configured properly
16:25|-|linville [] has quit [Quit: Leaving]
17:08<JasonF>warewolf: lighttpd is simply easier, imo
17:08<JasonF>it's not a matter of faster
17:17|-|marc_in_lux [] has joined #linode
17:17<marc_in_lux>good evening
17:17<[|^__^|]>JasonF: well, some folks hoist up the lighttpd microbenchmarks as big fodder
17:17<marc_in_lux>trouble with host10?
17:21|-|marc_in_lux [] has quit [Quit: ]
17:21|-|FireSlash [] has joined #linode
17:23|-|FireSlash [] has quit [Quit: ]
17:38|-|FireSlash [] has joined #linode
17:39|-|besonen_ [] has joined #linode
17:39|-|Shaun2 [] has quit [Read error: Connection reset by peer]
17:45|-|besonen [] has quit [Ping timeout: 480 seconds]
17:47|-|spr [] has quit [Quit: Spoon!]
18:01|-|jekil [~alessandr@] has quit [Ping timeout: 480 seconds]
18:27|-|thin [thin@] has joined #linode
18:27<thin>has linode switch over to xen yet?
18:28<thin>boy am i excited about the upcoming freebsd 6.1 with full xen 3.0 support
18:42|-|OvrLrd-Q [] has joined #linode
18:52<thin>caker mikegrb, do you guys think you'll use freebsd 6.1? the benchmarks seems to indicate freebsd handles the i/o load better
18:58<OvrLrd-Q>which 'benchmarks' ?
18:58<linbot>New news from forums: DNS Set-up: Debian 3.1 / Godaddy / in Linux Networking <>
18:58<thin>OvrLrd-Q: actually there's only one out there afaik heh
18:59<thin>for xen 3.0
19:22<@caker>thin: hello
19:24<@caker>thin: probbaly not for the host OS, and not likely for guest OSs until better tools exist for managing filesystems that *bsd can utilize
19:45<thin>why not for the host OS?
19:46<thin>or does that prevent the linux guests from using ext2/3/reiserfs ?
19:46|-|FireSlash [] has quit [Read error: Connection reset by peer]
19:51<fo0bar>thin: it would make it harder, but not impossible I would assume. last time I checked, the BSD tools for managing ext3 weren't that good, and reiserfs support is nonexistent
19:52<thin>well i guess i was expecting that the guest OSs would be running inside images
19:52<thin>with their own filesystems of choice
19:52<thin>in fact, i don't think there would be that much overhead if any, if it was done that way?
19:54<thin>i wonder why *BSD haven't bothered developing reiserfs support?
19:55<[|^__^|]>do you really?
19:56<[|^__^|]>surely the BSDs already have more than enough wonky unstable experimental filesystems to fuss over
19:56<[|^__^|]>Log Filesystem I'm looking at you
19:57<thin>i'm only aware of the one filesystem that BSDs use heh
20:03|-|thin [thin@] has quit [Quit: leaving]
20:03|-|Newsome [] has quit [Quit: Linux: Now with employee pricing!]
20:04|-|OvrLrd-Q [] has quit [Quit: ]
20:27|-|nybble [] has joined #linode
21:07|-|Newsome [] has joined #linode
21:08<tronix>thin: ffs was introduced in 4.1b by Kirk McKusick
21:08<tronix>before 4.1b, there was 1BSD, 2BSD, 2.9/10, 3BSD, etc
21:08<tronix>oddly enough, I can't remember the fs used in these
21:09<tronix>I do have 3BSD somewhere around here... SIMH emulator can run it for the VAX-11/780 emulation
21:15|-|Netsplit <-> quits: J[SS]
21:15[~]tronix frowns
21:17|-|Netsplit over, joins: J[SS]
21:18<tronix>well, I'm supposed to get some CDs soon with every BSD release ever done by the CSRG @ UCB
21:32|-|FireSlash [] has joined #linode
22:03|-|Newsome [] has quit [Quit: Linux: Now with employee pricing!]
22:11|-|nybble [] has quit [Quit: Leaving]
22:24|-|spr [] has joined #linode
22:48|-|Zach [] has joined #linode
22:59|-|VS_ChanLog [] has left #linode [Rotating Logs]
22:59|-|VS_ChanLog [] has joined #linode
23:18|-|FireSlash [] has quit [Quit: Leaving]
23:42|-|Ty [] has quit [Quit: :o]
23:42|-|Zach [] has quit [Quit: CGI:IRC (Ping timeout)]
---Logclosed Sat Feb 04 00:00:20 2006