freenode/#devuan/ Wednesday, 2019-07-03

<onefang> golinux: now that I've woken up, I can answer your question. [00:42]
<golinux> Please do. [00:43]
<onefang> When a Devuan user requests a package from a Devuan mirror, if it's a Debian package the request is still sent to the Devuan mirror ... [00:43]
<golinux> Yes to merged [00:44]
<onefang> If the Devuan mirror doesn't have its own copy of a Debian mirror, it redirects that request to Debian's mirror system ... [00:44]
<onefang> If the Devuan mirror does have its own copy of a Debian mirror, it merely returns the package as requested. [00:44]
<onefang> Is that what you mean by "connected"? [00:45]
<golinux> So it looks for a local debian mirror before going to the official debian repos? [00:45]
<onefang> Some of our mirrors have both, but it's a big lot of disk space, so some just do the redirect. [00:46]
<golinux> I had never heard that in all the years I've been around here. [00:46]
<onefang> That's up to the mirror admin how they arrange things. [00:46]
<golinux> I thought it was up to amprolla. [00:46]
<golinux> And that it always went to the official Debian repos. [00:47]
<onefang> My mirror is of the redirect variety, coz I don't have the space for a full Debian mirror.  But if I did, I'd have a separate Debian mirror available to Debian users, then just symlink it into the merged directory of my Devuan mirror.  Other options are available. [00:48]
<golinux> What is the advantage of doing it that way?  Seems like just more to go wrong. [00:49]
<onefang> I know some of our mirrors supply Debian packages without the redirect, my mirror checker scripts probes the details of redirects on all our mirrors to try and find out if there's any problems with that process. [00:49]
<onefang> For me the advantage is I don't have to buy more hard disk space to hold all of Debian. [00:50]
<onefang> For others they have the flexibility to do things either way.  They might also not have disk space. [00:50]
<onefang> For people that already had a Debian mirror before becoming a Devuan mirror, they can just do it all.  After all, they are running a Debian mirror to help spread the load for Debian. [00:51]
<onefang> A full Debian mirror is kinda huge.  B-) [00:52]
<golinux> OK.  I get it.  I just had no idea that was possible so learned something new. [00:52]
* onefang smiles. [00:53]
<lyubovp> /win 2 [01:06]
<fsmithred> FatPhil, does it have to be simultaneous, or can you do it with two or three commands. I use these: [01:07]
<fsmithred> usermod -l $newname $oldname [01:07]
<fsmithred> usermod -d /home/$newname -m $newname [01:07]
<fsmithred> groupmod -n $newname $oldname [01:08]
<fsmithred> I posted those out of order - I do the groupmod second [01:08]
<fsmithred> change name, change group, change home [01:09]
<fsmithred> oh yeah, then there's this: for i in $(grep -r "/home/$oldname" /target/home/$newname/.config | awk -F":" '{ print $1 }'); do [01:09]
<fsmithred> sed -i "s/\/home\/$oldname/\/home\/$newname/g" "$i" [01:09]
<FatPhil> fsmithred: I'm changing uid and gid (moving it out of a NIS serving range), rather than user/group names. [01:34]
<fsmithred> FatPhil, then you need the -u and -g options [01:55]
<fsmithred> for usermod [01:55]
<fsmithred> you might still need to change the home, too. files and dirs go by number, not name. [01:56]
<se7en> I am having trouble installing packages via a tor proxy [07:58]
<se7en> interestingly this comes up when it is attempting [07:58]
<se7en> 0% [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [07:58]
<se7en> see that? that h? [07:58]
<se7en> I have in my sources.list the following with the only modification being -updates and so on, and then three lines of the same with deb-src [07:59]
<se7en> deb tor+http://devuanfwojg73k6r.onion/merged ascii          main [07:59]
<xinomilo> se7en, does restarting tor help? [10:23]
<se7enn> I tried that [10:29]
<drawkula> do other things work via tor? [10:46]
<xinomilo> the "h" is normal btw [10:46]
<xinomilo> resolves hostname via socks server [10:47]
<drawkula> yes here too a "h" and I just updated 2 VMs via tor [10:47]
<xinomilo> needed for .onion [10:47]
<drawkula> try torsocks ssh tyoqtejimniwumz6.onion [10:48]
<drawkula> just abort when you see the password prompt... [10:48]
<xinomilo> it gets stuck here sometimes as well, but restarting tor helps. [10:49]
<FatPhil> can anyone think of a reason why one minute I can ssh through my natting router to a remote machine fine, and then only minutes later I get: ssh_exchange_identification: read: Connection reset by peer [11:11]
<gnarface> so many possible reasons [11:12]
<gnarface> not many possible solutions [11:13]
<FatPhil> I've not changed anything at the far end. I can still get behind my router onto a different machine OK, so it's not the router failing. And from that machine, I can ssh to the one I actually want to be on. So it's not the target machine. [11:13]
<gnarface> yes [11:13]
<FatPhil> The change of state has worked both ways. After a bunch of fails, it suddenly worked, and then started failing again. [11:13]
<gnarface> yes, you've confirmed that it is not your fault [11:14]
<FatPhil> Not my active fault, but am I just being dumb and overlooking something? [11:14]
<gnarface> nothing comes to mind for me.  it sounds like there's a connectivity failure between you and the server.  it is unclear whether your ISP or the server hosting provider is at fault. [11:15]
<gnarface> you can try some traceroutes when it is acting up [11:15]
<xinomilo> ssh -vvv host ? [11:15]
<FatPhil> other failure modes this morning did include simply timing out too. None of my connections to one of the firewalled machines has dropped, and I'm never refused access to that single one. [11:16]
<gnarface> there have been some big DDOS attacks going on lately, it could have something to do with that [11:16]
<FatPhil> last line from -vvv before the connection reset is: debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u8 [11:17]
<gnarface> the host isn't at cloudflare by any chance, is it? [11:17]
<FatPhil> the host is my home/office network, hanging off a shitty ISP. [11:17]
<gnarface> well there could be some throttling or anti-DDOS filtering going on that they're still working the bugs out of, or it could just be regular incompetent routing [11:18]
<gnarface> if you run a traceroute *while* it's actually in the failure state, you might be able to see exactly at which hop the connection derails, then you have a better idea who to blame [11:19]
<FatPhil> this is me failing from the viewpoint of the target's auth.log: Jul  3 12:21:50 bispaz sshd[3992]: refused connect from 90.190.251.x (90.190.251.x) [11:20]
<gnarface> it's not necessarily either ISP, it could be possibly one of dozens of other companies in control of nodes that connect the path [11:20]
<FatPhil> no other logs within minutes of that. [11:20]
<gnarface> wait [11:21]
<gnarface> the computer you're trying to connect TO logs the failure? [11:21]
<gnarface> as "refused connect" ? [11:21]
<gnarface> am i getting that right? [11:21]
<FatPhil> yarp [11:21]
<gnarface> hmmm, well that sorta blows the theory about it being an intermediary ... [11:21]
<gnarface> yikes unless it's a failed MITM attack.... [11:22]
<gnarface> oh boy [11:22]
<r3boot> FatPhil: do you have ssh keepalives configured? [11:22]
<gnarface> is there a chance this machine has more than one public IP? [11:22]
<FatPhil> Argh - pebcak - I modified hosts.allow [11:23]
<r3boot> some asinine firewalls will drop idle connections, leading to the connection reset by peer message [11:23]
<FatPhil> or, worse, my deployment script failed to modify it [11:23]
<FatPhil> The weird thing is that I didn't change the hosts.allow on the other machines I'm failing to get into (those might be timing out ones, not the rejected ones) [11:27]
<FatPhil> trying to juggle too many changes on too many machines presently, sorry. [11:27]
<FatPhil> OK, that machine fixed, and NIS works, so this is progress [11:28]
<FatPhil> Any ideas how to force umount a fs from a machine that has apparently died (no pings) [11:29]
<gnarface> maybe with magic sysrq keys if you have local access... [11:32]
<r3boot> umount -l [11:34]
<FatPhil> r3boot: -l worked for some but not all, but now lunch time, and then to the office to get hands on (but making sure SSH worked from outside was one of my tasks this morning) [11:46]
<r3boot> Check! Also, be sure to check if you have ServerAliveInterval configured in ssh_config [11:47]
<FatPhil> yup, at least on the home (not office) main box. [11:48]
<FatPhil> thanks for all your help today and yesterday - I've been in a bit of a panic! [11:49]
<FatPhil> To add the cherry on top, my phone service provider stopped my cellular data a couple of days back, as well as 3 machines half-dying in the office at the same time. [11:50]
<FatPhil> I've been planning on replacing 2 of them with a new box for ages, but never got around to it. And then the HD errors appeared. And the spontaneous reboots. And whatever's wrong with the 3rd one... [11:51]
<Walex> FatPhil: the gods drive insane those they want to destroy :-) What have you done to get that? :-) [13:28]
<FatPhil> Walex: putting off essential preparations until too late - my own stupid fault. The servers have lasted 12 years, they'll last another couple of months, right? [14:16]
<FatPhil> at least some progress was made. Once I'd fudged with the router settings, incoming mail worked first time... [14:17]
<FatPhil> And by incoming mail, I mean a million spammers, and alas fail2ban doesn't seem to be working :( [14:17]
<FatPhil> Annoyingly, fail2ban's changed how you configure it in the last few years, but that was a minor hiccup. It's now looking for the right things in the right files, but just not seeing them [14:18]
<onefang> I've noticed since ASCII fail2ban fails to ban.  B-( [14:18]
<FatPhil> I'm ascii on that machine. [14:22]
<FatPhil> That really is a 8-(((((( for me - my domains are spam-magnets, I need all the help I can get. [14:23]
<FatPhil> looks like fail2ban's changed significantly between jessie and ascii: https://repology.org/project/fail2ban/versions [14:55]
<djph> FatPhil: fail2ban wouldn't necessarily do anything about email... [15:05]
<djph> FatPhil: I mean, if the "login" is perfectly fine, it's just going to pass it along to your MTA [15:05]
<FatPhil> djph: It doesn't get in the way at all, that's not how it works. it scans log files for troublesome error messages that imply a brute force attack, or a known exploit attempt, etc. [15:20]
<FatPhil> e.g. this fokker should have been banned hours ago: /var/log# grep -o AUTH.* mail.log | sort | uniq -c | sort -n | tail -1 236 AUTH from unknown[182.108.1.24] [15:21]
<xinomilo> fail2ban-regex can help figure out the problem [15:22]
<Human_G33k> hello there are some trouble with repositories ? [15:23]
<onefang> What sort of problem are you having? [15:25]
<FatPhil> xinomilo: thanks - that shows me that with '^%(__prefix_line)s' at the start of the regexp it does not match the lines in the logs, but if I skip that bit, it matches hundreds of lines. [15:28]
<FatPhil> I'll backup the conf, and strip that bit out. [15:28]
<Human_G33k> onefang, find old address [15:28]
<Human_G33k> with http [15:29]
<FatPhil> I presume it's read all the conf files and has expanded that variable identically to the program itself. [15:29]
<Human_G33k> but .onion [15:29]
<Human_G33k> still not working [15:29]
<onefang> I can't help with .onion stuff, I think someone mentioned that before, but I wasn't paying attention then. [15:33]
<FatPhil> xinomilo: a dozen probes seen visually in the logs that match the simpler regexp, but still fail2ban seems to have not noticed anything [15:36]
<xinomilo> are these recent? findtime variable? [15:37]
<FatPhil> oooh, not strictly true, it's just noticed one dodgy customer, after a hundred or so things from a dozen or so attackers. [15:38]
<FatPhil> everything's recent, the mail server and fail2ban have only been active a couple of hours. [15:40]
<FatPhil> It does seem to be detecting one of the log lines now, I'll try to work out why it spots that one, but not the others (I'll put the dodgy prefix back into that regexp, and see if it still matches) [15:41]
<xinomilo> default filters didn't work out of the box? usually it does.. [15:47]
<xinomilo> fail2ban.log can be a friend too [15:48]
<FatPhil> I tried shortened versions of the filters, and they do match, but the full ones seem not to [15:48]
<FatPhil> e.g. without the 'proto=ESMTP' bit, I find 18 hits, but only 2 match that. [15:51]
<xinomilo> which filter are you trying? name? [15:53]
<xinomilo> fail2ban 0.10? [15:53]
<FatPhil> postfix, vanilla ascii apart from 1 additional regexp added. [15:54]
<FatPhil> fail2ban-regex /var/log/mail.log '^%(__prefix_line)s.*<HOST>' [15:54]
<FatPhil> Lines: 3478 lines, 0 ignored, 0 matched, 3478 missed [15:55]
<FatPhil> That prefix bit is toxic, it's making nothing match (just '<HOST>' matches all 3478 lines) [15:55]
<xinomilo> fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf [16:02]
<FatPhil> xinomilo: 139 matches for the new regexp I just added, and 20 for the stock one I tweaked from ESMTP to E?SMTP. [16:07]
<FatPhil> Current score, stock fail2ban 2 - 140 FatPhil [16:07]
<FatPhil> Another regexp added and I'm matching nearly 1000 lines now, and fail2ban has started to notice them. [16:12]
<FatPhil> and we have 5 strikes! 2019-07-03 16:33:59,292 fail2ban.actions        [21012]: NOTICE  [postfix] Ban 45.13.39.53 [16:13]
<FatPhil> So it was just shitty filters that were the problem, nothing more. [16:13]
<fsmithred> Human_G33k, what's happening? Can you do 'apt update'? [16:14]
<FatPhil> xinomilo: a million thanks for the fail2ban-regexp suggestion - that was a life saver! [16:14]
<xinomilo> np :) [16:14]
<FatPhil> onefang: I think we have the tech to fix your fail2ban problems now, if it still matters. [16:16]
<Human_G33k> fsmithred, for tor repo yes [16:17]
<Human_G33k> but can't install [16:17]
<onefang> I wasn't really paying attention, but you are only fixing the detection side? [16:17]
<FatPhil> onefang: yes [16:17]
<fsmithred> ok, I just did an update with tor repos, now I need to think of something to install [16:17]
<onefang> That side was working fine for me, it's the actual banning that's not working for me.  As I said, fail2ban is failing to ban. [16:18]
<fsmithred> Human_G33k, I just installed mousepad with no problem. [16:19]
<fsmithred> I did have trouble running the update until I restarted tor, then it was ok. [16:19]
<FatPhil> Ah, OK. I was failing to ban too, because I was failing to detect :-I [16:19]
<FatPhil> But I guess I should check my iptables, and verify that banning has occurred [16:19]
<xinomilo> onefang, what's banaction? tried banning something manually? [16:26]
<onefang> Just the defaults. [16:26]
<onefang> I'm trying to concentrate on something else right now. [16:27]
onefangI'm trying to concentrate on something else right now.16:27
