***: woremacx has quit IRC (*.net *.split)
islandfox has joined #arpnetworks
woremacx has joined #arpnetworks
LT has joined #arpnetworks
schmir has joined #arpnetworks
[FBI] starts logging #arpnetworks at Wed Apr 28 03:23:01 2010
[FBI] has joined #arpnetworks
schmir has quit IRC (Quit: rcirc on GNU Emacs 24.0.50.1)
ziyourenxiang has joined #arpnetworks
cedwards: they're watching!
-: infrared undresses
cedwards: uhh
infrared: scared?
don't be shy
haha
ugh.. time for work
cedwards: sounds more like chatroulette in here than irc
bob^^: :/
cedwards: can anyone tell me how to use zfs for each jail?
***: Ehtyar has quit IRC (Ping timeout: 252 seconds)
vtoms has joined #arpnetworks
schmir has joined #arpnetworks
cedwards: found this I thought I'd share: http://tuxtraining.com/2009/04/26/how-to-harden-freebsd
few things in there I hadn't considered before
mike-burns: I don't understand that first one, about symlinking /tmp with /var/tmp.
cedwards: yeah, that seemed odd. I didn't bother with that one.
mike-burns: Also not sure why he turned off X11 forwarding if X isn't even installed.
RandalSchwartz: cargo culting :)
mike-burns: I'm wary of an admin who uses nano ...
cedwards: mike-burns: +1
ziyourenxiang: "blowfish is much better suited for passwords" than md5, sez he
cedwards: or "open gedit and..."
mike-burns: Ha.
cedwards: ziyourenxiang: I do prefer blf over md5; i've been making that change long before I read that post.
ziyourenxiang: well, i'm not really disagreeing, just pointing out that the author of that docu made that assertion without explanation... telling how without why is poor teaching
mike-burns: Surprised /etc/mtree wasn't mentioned in here, what with all the chmod'ing.
ziyourenxiang: ok, actually i didn't point out anything in my earlier statement :-)
RandalSchwartz: "I prefer capital letters to lowercase, since capital letters are more secure"
DaCa: I wouldn't really trust security considerations from someone who runs 4.x and 5.x in 2009 :p
mike-burns: Or whose domain name is tuxtraining.org.
cedwards: now y'all are making me feel bad for sharing the link :(
mike-burns: com
RandalSchwartz: "second half of the alphabet, even better!"
bob^^: hah, tux training... for freebsd :/
-: RandalSchwartz trains his tux
bob^^: lol, not entirely sure how adding a login banner improves security :/
RandalSchwartz: if it says "thank you for logging in to the FBI..."
cedwards: yeah. i never bother with login banners anywhere but work, and that's because they told me to.
RandalSchwartz: way back when I was teaching Linux I had a student add a banner similar to that on his machine.
RandalSchwartz: made me double-take and re-check the IP I had connected to
RandalSchwartz: heh
bob^^: :)
RandalSchwartz: first thing I do on getting a new login is "touch .hushlogin" :)
cedwards: ++1
although that kills /etc/motd but not banners. i wish it did banners.
RandalSchwartz: banner?
where's that?
bob^^: i quite like the motd sometimes - we use it in work to keep notes about recent config changes on boxes etc
mike-burns: The banner tends to say which version of FreeBSD it is, which is more information than no banner.
cedwards: Banner directive in sshd_config is prior to login, which .hushlogin doesn't--can't--avoid.
bob^^: indeed, it doesn't know what username you're going to enter until after the banner is sent :)
RandalSchwartz: ahh
cedwards: what is really annoying is when I bounce: ssh -t host1 ssh -t host2 ssh -t host3 and have to see three effing banners along the way.
DaCa: you always pass a username when making a ssh-connection, I think you can disable it selectively with Match in sshd_config
cedwards: DaCa: ohh that would be nice. /me tries.
mike-burns: I just realized that this guide is running everything from a root shell instead of using sudo.
bob^^: lol, i didn't even notice that :(
DaCa: cedwards: just tested, works indeed
cedwards: DaCa: what syntax did you use? I'm getting an error on Match
DaCa: Match User blah
Banner none
to disable the banner only for user blah
you can also work with groups
cedwards: Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options
DaCa: too old sshd?
cedwards: OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (CentOS 5)
DaCa: yeah, probably too old
cedwards: lame
now that everyone is awake I'll try this question again: how do I create sized-pools for use with ezjail?
-: DaCa leaves for siesta :)
cedwards: I know how to create: 'zfs create zroot/usr/jails/jailname', but I don't know how to make it a set size.
RandalSchwartz: set a quota
or do you want to ensure that it already allocates from its parent
if so, there's something like "reservation size"
cedwards: I just want to make sure it can't become larger than X
RandalSchwartz: that's quota
cedwards: zfs set quota=50G zroot/usr/jails/jailname ?
RandalSchwartz: something like that yeah
cedwards: do I need to do anything fancy with ezjail?
it says this in ezjail-admin(1):
Starting with ZFS version 13 in FreeBSD, the -c option allows to create a ZFS-backed jail with an optional ZFS filesystem-quota passed via the -s option. The filesystem is named after the jailname.
I must be getting the syntax wrong though. I'm not getting the results I expect.
ezjail-admin create -i -f example -s 2G -c zfs bodie 10.0.0.10
I _think_ that worked.
***: lll_ has quit IRC (Quit: leaving)
lll has joined #arpnetworks
LT has quit IRC (Quit: Leaving)
cedwards: would anyone know why I'd get this error when trying to launch screen:
fork: Resource temporarily unavailable
mkfifo /tmp/screens/S-dlord/22809.pts-3.bodie failed
(inside a jail)
***: nbari|away has quit IRC (Remote host closed the connection)
nbari|away has joined #arpnetworks
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
residual has quit IRC (Ping timeout: 258 seconds)
cedwards: figured that one out (because you care)
now I get:
Apr 28 10:25:08 bodie bitlbee[1900]: Unable to create UNIX socket: Protocol not supported
Apr 28 10:25:08 bodie bitlbee[1900]: Warning: Couldn't write PID to `/var/run/bitlbee.pid'
***: nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Write error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
aem has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
nbari|away has quit IRC (Read error: Connection reset by peer)
nbari|away has joined #arpnetworks
aem: yo yo
dxtr: http://pastebin.com/ZS8J4Lqw <- Got that in the mail. Sounds legit.
aem: yeah nice email
***: nbari|away has quit IRC (Remote host closed the connection)
dxtr: aem: I think I'll give it a go
Who doesn't have 1,850,000 USD laying around?
aem: heheh
might as well, what you got to lose!?
money? psh, that grows on trees!
dxtr: :D
Btw, aem. How did the DNS work out?
***: nbari|away has joined #arpnetworks
aem_ has joined #arpnetworks
aem has quit IRC (Ping timeout: 245 seconds)
cedwards: I guess FreeBSD doesn't use /etc/skel for adduser, but /usr/share/skel?
dxtr: good question :D
Never thought about it
I added maildirs to /etc/skel though
but don't ask me if it actually worked
mike-burns: `man pw' says that -k and -m changes it, but I can't see where it's set.
cedwards: I'm trying to add a few files to my new user /home but it's not quite working
/etc/skel seems to be ignored, and /usr/share/skel is ro in jails
aem_: yeah it uses /usr/share/skel/ cedwards
cedwards: aem_: I created an adduser.conf and changed it to /etc/skel.
aem_: see if that'll allow me to customize its contents on a per-jail setting.
aem_: cedwards: with some fiddling with /etc/profile and that you can probably get something to work I'm sure
good luck :)
lemme know what you do if it works
cedwards: adduser -C, follow prompts. this generates an adduser.conf.
edit adduser.conf to point to /etc/skel. cp -a /usr/share/skel/* /etc/skel/
done
...at least it seems to have worked :)
dxtr: Uhm, guys
I don't remember... How do I get xterm to work with irssi (or vice/versa)? :)
Can't use alt-numbers :(
cedwards: esc-number is what I use
always used, actually.
dxtr: cedwards: True. Might have to learn that then ;)
cedwards: muscle memory is a fickle mistress
dxtr: I'm lucky alt-arrows still work though
Could of course set XTerm*metaSendsEscape: true
mike-burns: Or try weechat.
dxtr: Using xterm now o
cedwards: I prefer urxvt over xterm, but I'm currently using Konsole
dxtr: I'm using (X)ubuntu with full disk encryption :)
And yes, I do prefer xterm over urxvt
cedwards: full disk encryption is nice. tell me, do you encrypt your disk & your home folder?
dxtr: I ask because I think it is funny how home-folder encryption can be handled separately, so even when you encrypt all you still get prompted.
dxtr: No I'm not
***: Ehtyar has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
fink has joined #arpnetworks
amdprophet has quit IRC (Ping timeout: 276 seconds)
vtoms has quit IRC (Quit: Leaving.)
aem has joined #arpnetworks
aem_ has quit IRC (Ping timeout: 245 seconds)
aem has quit IRC (Ping timeout: 240 seconds)
aem has joined #arpnetworks
aem_ has joined #arpnetworks
aem has quit IRC (Ping timeout: 240 seconds)
aem_ has quit IRC (Remote host closed the connection)
schmir has joined #arpnetworks
trapdoor has joined #arpnetworks
schmir has quit IRC (Ping timeout: 258 seconds)
jjpickle has joined #arpnetworks
jjpickle has quit IRC (Quit: leaving)
jjpickle has joined #arpnetworks
jjpickle: is there a garry here
DaCa: jjpickle: his nick is up_the_irons
jjpickle: thanks
***: jjpickle has left
homosaur has joined #arpnetworks
schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 265 seconds)
j3m has quit IRC (Read error: Operation timed out)
homosaur: can anyone recommend a lightweight forum software? not happy with the built in drupal forums
infrared: yeah...
CESSMASTER: vanilla seems to work ok
mhoran[jUaReZ]: Thumbs down to Drupal.
***: DaCa has quit IRC (Ping timeout: 260 seconds)
DaCa has joined #arpnetworks
j3m has joined #arpnetworks
cedwards: I used MyBB and bbpress
don't _love_ either, but they get the job done
***: homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
hsbt has quit IRC (Ping timeout: 252 seconds)
Shazaum has joined #arpnetworks
trapdoor has quit IRC (Quit: Leaving)
hsbt has joined #arpnetworks
aem has joined #arpnetworks
aem: hello
fink: hi aem
***: Shazaum has quit IRC (Quit: Saindo)
cedwards: g'nite all
aem: g'night cedwards sleep well
sup fink how are you
fink: aem: ok
***: lll_ has joined #arpnetworks
lll has quit IRC (Remote host closed the connection)
lll_ is now known as lll
lll has left
lll has joined #arpnetworks
fink has quit IRC (Ping timeout: 245 seconds)
fink has joined #arpnetworks
fink has quit IRC (Quit: fink)