***: visinin has quit IRC ("word")
bobbyw has joined #arpnetworks
sroute: up_the_irons: looks like more than just that one vm was affected, mine is down
***: sroute has quit IRC (Remote closed the connection)
sroute has joined #arpnetworks
bobbyw_ has joined #arpnetworks
bobbyw has quit IRC (Read error: 54 (Connection reset by peer))
bobbyw_ is now known as bobbyw
bobbyw_ has joined #arpnetworks
bobbyw has quit IRC (Read error: 54 (Connection reset by peer))
bobbyw_ is now known as bobbyw
heavysixer has joined #arpnetworks
dj_goku: openbsd 4.6 was just released!!
mhoran: Yee-haw!
dj_goku: up_the_irons: you around?
sroute: OpenBSD is only at 4.6?
-: sroute fires up python
sroute: 'FreeBSD 7.2 is %0.2f%% better than newly released OpenBSD ;-)' % ((7.2-4.6)/4.6*100)
'FreeBSD 7.2 is 56.52% better than newly released OpenBSD ;-)'
-: sroute's tongue is firmly planted in cheek...
dj_goku: hehe
***: dj_goku has quit IRC ("leaving")
visinin has joined #arpnetworks
dj_goku has joined #arpnetworks
timburke has quit IRC ("Leaving")
timburke has joined #arpnetworks
dj_goku has quit IRC ("leaving")
bobbyw has quit IRC ()
vtoms has left
ballen has joined #arpnetworks
ballen is now known as ballen|away
ballen|away is now known as ballen
visinin has quit IRC ("out out")
ballen has quit IRC ()
ballen has joined #arpnetworks
toddf: sroute: you forgot to take into calculation your maths about freebsd and security issues vs openbsd .. 2 in 12 years, beat that! *grin*
jeev: any good movies just come out on dvd?
sroute: toddf: I get that, no argument. But a BSD OS is more than the core... one can't just look there.
http://www.openbsd.org/security.html - a great many more than 2 security issues listed over the years when one looks at the total OS.
-: sroute likes all BSDs but decommissioned last OpenBSD a couple years ago
sroute: I just like managing one is all.
jeev: i think he means by default install or something
toddf: the record is about during a current release
aka if people updated as they should have
and also the 2 holes have to do with only remote root exploits
but still, if you compare remote exploits in the current release of openbsd through the years (2 total) vs any other os you still come up with quite a wide gap
mhoran: Sure, but Apache 1.3.29 is pretty useless ...
ballen: what's wrong with apache 1.3?
although .29 is pretty dated
mhoran: No worker MPM, inferior mod_proxy, ...
ballen: mofo's rock solid though
mhoran: Sure, for serving static content.
ballen: mod_perl
mhoran: Hah.
Okay.
ballen: ;-)
mhoran: :)
Just saying. It's rock solid but not bleeding edge.
If you run the non bleeding edge stuff in FreeBSD, you'll be pretty safe as well.
ballen: heh, yea I think it would be about the farthest from bleeding edge you can get
and still be using a support app
mhoran: There are also more people running FreeBSD in production, which exposes more vulns (The BIND effect, etc.)
ballen: supported*
mhoran: Also, app performance on OpenBSD is horrid.
I think the lighttpd guys benchmarked it. Might have been someone else.
But it didn't scale at all.
But it's a great firewall!
(pf rocks.)
ballen: yea pf is on FreeBSD though
mhoran: Yup.
I wish m0n0wall used pf.
ballen: even though I use ipfw
yea def a fan of FreeBSD over OpenBSD or NetBSD
and the few guys that I've met that work on or have worked on FreeBSD project are awesome
of course I've never met anyone that's worked on NetBSD or Open
so not much comparison
mhoran: Yeah. There was a FreeBSD dev on the floor I was on while at Cisco but I never talked with him.
Not sure if Ron ever met him ...
ballen: no idea
he's never mentioned it to me
I met one at Google who was a core dev up until FreeBSD 4 or so
left the project because they added Periodic when they were already using Cron
***: Nat_RH has quit IRC (Remote closed the connection)
Nat_RH has joined #arpnetworks
sroute: I used to be a commercial unix guy (DG/UX); even though it was Sys V R4 I grew to like FreeBSD quickly. I like how it is managed... is why I never went the Linux route.
toddf: you should give OpenBSD a spin ... pkg_add -uri is hard to beat ;-)
sroute: when I left DG an 8 core box cost a few hundred thousand. Ah, the good ol' days.
toddf: heh
ballen: toddf, FreeBSD has pkg_add -r <pkg_name>
if you're so inclined
sroute: I'm sure I'd like OpenBSD but I do more app wrangling now and the broad availability of ports is often handy. Can't disregard app performance either.
ballen: yep FreeBSD ports is the shiznas
sroute: must admit I do prefer pf to ipfw
ballen: yea either or
pf is more advanced
sroute: nice that fbsd has it now; auto blocking brute force attackers is so simple in pf
ballen: sroute, or you just turn off password auth ;-)
sroute: ballen: I do, except for one account - a backdoor
toddf: did freebsd ports ever make packages then install from packages or does the Makefile in the ports tree still do manual mucking?
ballen: toddf it makes a pkg first
does a staged install
then installs from the pkg
sroute: ballen: I use my blocking config to block them to ALL services, not just ssh.
ballen: aahhh
toddf: that's new, they didn't use to do that, openbsd did that for years first .. ;-)
ballen: that makes more sense
make package or make pkg
toddf: so you could have one freebsd system build packages for a farm of servers?
ballen: will put a .pkg file in the port dir
you could
sroute: I even have a fake HyperVM listener running on some boxes and accounts - back when the HyperVM exploit was making the news in VPS hosting land, a few Chinese dudes were trying to hack em... of course I don't run it here.
ballen: hah
why?
sroute: because I can; mostly was interested to see how active the bad dudes were over that one.
ballen: fair enough
sroute: not very it turned out.
I think I ended up blocking 4 IPs in the past few months.
vs hundreds aimed at ssh
ballen: yea ssh brute forcing is constant
sroute: silly morons
ballen: must be getting in somewhere
or just script kiddies
sroute: right now someone is trying to gain access to PlcmSpIp = some sort of ip phones I think
ballen: anyone know of a simple script that will poll snmp for a single item and update a graph with the data over time
specifically for the os x platform
sroute: last word on blocking - I notice less of this offending activity on my VM at arp -- believe Garry is doing some filtering upstream
ballen: yea he filters ssh brute forcing
or at least limits the connection rate
***: bobbyw has joined #arpnetworks
jeev: fuck man
wayport/starbucks/att internet fucking sucks
always nasty lag
ballen: hmm
ever try VPN'ing somewhere?
jeev: sroute, that's what my polycom has in its phone log
huh ballen
i am vpn'd
ballen: ah
just wondering if they were shaping traffic
jeev: it's 400ms-600ms
ballen: and if a UDP vpn would get past it
jeev: i have to call every fucking time i'm here
i dont understand how they dont know there's a problem
and why then they always say "i spotted the problem"
ballen: it's not that they don't know... it's that they could give a flying fuck
jeev: well.. i know having 150 servers ain't anything close to the nodes att has
but i can detect an issue on my server within a minute
i don't know how they let this go on so long
***: sentabi has quit IRC (pratchett.freenode.net irc.freenode.net)
sentabi has joined #arpnetworks
dj_goku has joined #arpnetworks
ballen: gawd damn Vim's master site is down
ports could def set the timeout on downloads to be a lot faster
also FYI: IGNORE_MASTER_SITE_VIM=YES in /etc/make.conf
and it will fetch it directly from freebsd.org
jeev: heh
yea the timeout issue is stupid
i wish while cvsuping, you could get a real0time working list
real-time
i wonder if there are precompiled ports packages for updated ports
ahh, if running -stable
ballen: what the hell is wrong with fetch...
/usr/bin/fetch -4ApRr -T 2 -S 2611 http://ftp.vim.org/pub/vim/patches/7.2/7.2.052
why does that not timeout after 2 seconds
jeev: wish fetch showed progress too..
can't tell if sometimes ports are working or slow downloads
the downloads that is
ballen: -T seconds Set timeout value to seconds. Overrides the environment
variables FTP_TIMEOUT for FTP transfers or HTTP_TIMEOUT for
HTTP transfers if set.
the vim port is such a pain in the nuts
freaking 150+ patchsets it needs to download
jeev: vim sucks
ballen: solution is:
add IGNORE_MASTER_SITE_VIM=YES
and set FETCH_ARGS="-4ApRr"
forcing fetch to use IPv4 and freebsd.org
for whatever reason it fails randomly when using ipv6
SOLID
and we're up to patch set 239
not hard to release a gawd damn new version
dj_goku: up_the_irons: how do upgrades work? can I reinstall myself?
jeev: dj_goku, there are ways you could but he'd probably have to start your vps with the cdrom mounted and you'd have to connect via console
dj_goku: I don't need a cdrom I can do it all remotely through ssh actually.
ballen: freebsd-update ?
dj_goku: I just want to keep it as standard so if I need help up_the_irons can help me.
ballen: I use openbsd.
ballen: awwww
download the tar balls and extract them?
dj_goku: yaifo
is a kernel + sshd
ballen: is there anything special he had to do to the obsd kernel to get it to run in KVM?
dj_goku: no idea.
probably not.
I recompiled other than 1 blip, I didn't change anything.
ballen: yea
dj_goku: ballen: all I can think of is the user that is created.
ballen: http://scie.nti.st/2009/10/4/running-openbsd-4-5-in-kvm-on-ubuntu-linux-9-04
dj_goku: yup
ballen: k
dj_goku: I haven't ever upgraded openbsd so I don't know how to do that.
ballen: well
dj_goku: If I did I would probably do that.
ballen: what I used to do
was litterally go download the new .tgz files
from the mirror
and extract them
dj_goku: on what distro?
ballen: over the system
openbsd
that's all the installer does
dj_goku: right.
ballen: you may want to back up /etc though
as its a rather blunt way of upgrading
http://www.openbsd.org/faq/upgrade36.html
dj_goku: if there were a way to say download click this and be upgraded I would love that :)
http://www.openbsd.org/faq/upgrade46.html
ballen: meh way over complicated these days
dj_goku: haha
Or I can backup /etc /home and reinstall :)
ballen: i liked my tar -xf base36.tgz
yea thats basically what you're doing, just in place
bring up a new vm, and migrate
dj_goku: 4 minutes to reinstall
I already moved my router over to openbsd 4.6
ballen: mmk have fun
dj_goku: My router is a VM, :D
esxi FTW
ballen: yea I do love esxi
run the fucker on a 1gb sd card
use normal local disks for the storage pool
dj_goku: I have always wanted a via board, since it has the crypto chip on-board.
ballen: yea if you're going for low power
pretty slow chips though
dj_goku: who cares it's a router
ballen: in that case check out: http://www.liantec.com/product/lpc/LPC-5842.htm
dj_goku: a home router nonetheless
ballen: and if you happen to figure out how to get one of the boxes in the US let me know
I know you can import than directly from Taiwan
them*
but it's rather expensive
dj_goku: ballen: I have an am2 system that I use as my esxi host, I don't plan on buying a mini-atx system.
ballen: ah
those boxes are quite good for throughput / watt consumption
dj_goku: *shrug* it's currently running a total of 4vms, openbsd (router), openbsd (dev), win2k3, win2k8, xp
sroute: I just build vim from scratch from cvs/svn sources.
dj_goku: I just use emacs :)
-: dj_goku runs
sroute: emacs hurts my hands ;)
ballen: get your emacs-loving crap outta here
sroute: vim hurts my head but I use it anyway LOL
ballen: yea should just use ee
sroute: actually... not. You know you are addicted when you do ESC:wq in a text box on a web page
ballen: yea I've done that
dj_goku: echo/cat works too.
sroute: lol
ballen: better yet :wq at the end of an IM
dj_goku: hehe
I still do that.
though it is nice that a lot of the emacs shortcuts are used in other apps.
I like that I can use emacs CTRL + A now that I am using tmux instead of screen.
sroute: ... like tmux too
dj_goku: anyone using opensmtpd in here? I don't think I will ever run my own mail server again since I use google.
***: bobbyw has quit IRC ()
toddf: wrt openbsd 'bsd -c' or 'config -ef /bsd' and 'disable mpbios' is `the trick to get openbsd current/4.6 to run on kvm'
openbsd starting with 4.5 and better with 4.6 has 'sysmerge' to merge /etc and such
dj_goku: toddf: so are you a fan of upgrade or clean installs?
toddf: I most definitely am for upgrades
dj_goku: I can see the benefit, but it seems like a lot of work :)
toddf: clean installs tend to suggest something in the (massively simplified) upgrade process is borked, aka the cheating way out
for me, if I'm doing a reinstall
I have to do lots of customization afterwards
while I do have siteXY.tgz and my own custom packages to help
it is so much easier to just upgrade it isn't funny
I use afs and kerberos and such so my experience may be different than most
fresh installs also tend to blow away any existing data
backing up /etc and re-installing then getting /etc back and merging it by hand is by far a more painful procedure than doing the upgrade of the base sets, then sysmerge the conf files and finally 'pkg_add -uri' ;-)
jeev: wow man
i've said it before, i have over a hundred servers easy
i've been updating ports on 3 all day.
this is killing me and pissing me off
freebsd die in a fire
dj_goku: jeev: diaf is easier :)
jeev: i hate acronyms, except the old school ones
dj_goku: lol
***: ballen is now known as ballen|away
ballen|away is now known as ballen
sroute has quit IRC ("WeeChat 0.3.0")
sroute has joined #arpnetworks
sroute has quit IRC (Client Quit)
sroute has joined #arpnetworks