libera/#devuan/ Monday, 2020-11-23

gnarface: yea that too, n4dir [00:00]
n4dir: even earlier, if i surely want to simply try apt, i have to use the del key to remove the - again. Well. Old dogs and all. [00:00]
clort: i haven't seen a situation where apt-get install doesn't do the job [00:02]
n4dir: i had seriously shitty situations where aptitude helped. But perhaps 3 times in 15 years. + or minus. apt has a nice output though. [00:03]
clort: 'mv'ing multi-gigabytes of files in linux still bogs things down in 2020 [00:03]
clort: might be related to ext4 [00:04]
clort: maybe rsync is gentler [00:05]
clort: this is new to me - after big copies: swapoff failed: Cannot allocate memory [00:13]
clort: https://leizhilong.github.io/post/case-study-swapoff-cannot-allocate-memory/ [00:14]
clort: interesting [00:14]
clort: swapoff caused OOM and got killed [00:28]
clort: trying with a 2nd swap file [00:28]
systemdlete: is it normal to see zombie scans coming from oftc.net port 6667 on my local system? [01:05]
systemdlete: actually, I should probably ask THEM (OFTC) [01:07]
DHE: the irc network? pretty common for them to scan incoming clients to ensure they're not open proxies [01:07]
DHE: even freenode does this, or so they claim [01:08]
systemdlete: OK. [01:08]
systemdlete: Just checking.  Having some network issues here, so I thought I would inquire. [01:08]
fling: Can I convert from ubuntu focal? [02:10]
gnarface: dunno, but it might work [02:15]
gnarface: people have reported ubuntu conversions working in the past [02:15]
fling: Should be similar to conversion from buster? [02:20]
gnarface: might be a little trickier because of differing package naming/versioning conventions [02:21]
gnarface: but for the most part "uninstall then reinstall" such packages usually works with some massaging, if you know what you are doing [02:22]
gnarface: no guarantees [02:22]
fling: gnarface: I tried ubuntu to workaround this: [02:34]
fling: [FAILED] Failed to start LXD - agent - virtio-fs mount. [02:34]
fling: [FAILED] Failed to start LXD - agent. [02:34]
cynicfma1 [16:53]
ShorTie: b4 [17:38]
debdog: BINGO! [17:42]
sixwheeledbeast: b5 [17:46]
sixwheeledbeast: did I sink a ship? [17:46]
mason: The last, best hope for peace? [17:46]
onefang: This is definitely #devuan-offtopic (hope I got that right). [17:49]
mason: onefang: It followed in the footsteps of #debianfork, being infused with right wing science-denialism. [17:51]
mason: Sadly. [17:51]
onefang: Ah, that'll be #reality-offtopic then. [17:55]
mason: heh [17:56]
fsmithred: mason, I think I got knockd working right. I had to use a config I got from a random website since the example in the man page didn't work. [18:40]
mason: fsmithred: Ah, good. I find it immeasurably useful for log cleaning, which will allow real threats to be highlighted. [18:41]
DivanSantana: have this rather complicated disk setup on ascii. https://divansantana.com/using-ssds-as-a-cache-on-devuan/ Going to try upgrade to beowulf now and hope it boots :) [18:52]
clort: i have a confuse.  why not just use a swapfile DivanSantana [18:53]
DivanSantana: clort: instead of ssds as a cache? How could a swapfile replace the ssds as a cache? [18:54]
clort: what is it caching [18:55]
DivanSantana: clort: any writes to the disk. backups, cloud storage etc [19:56]
clort: ah ty [19:56]
fsmithred: ping mason - If there's a firewall in front of the remote host I want to knock, will that be a problem? [21:50]
fsmithred: Port forwarding is set up for ssh on that router/firewall. [21:51]
mason: fsmithred: Yeah, do the knockd on the firewall [21:54]
fsmithred: no idea if I can do that. It's a cisco router, and I'm not the one who normally admins it. [21:55]
fsmithred: brb [21:55]
mason: fsmithred: Or you can have ports passed back for the knocking. [21:59]
mason: brb also, chicken emergency [21:59]
fsmithred: that doesn't sound good [22:00]
fsmithred: 'ports passed back' means forwarding the ports I want to knock? Or is the router likely to support port knocking? [22:08]
n4dir: without knowing what the problem is nmap comes to mind [22:31]
luser977: fsmithred: ask the cisco admin to fwd all relevant ports, target port and the knock ones. [22:40]
luser977: the latter as udp only probably, to prevent discovery [22:41]
fsmithred: they won't find udp ports on a port scan? [22:42]
fsmithred: I'm assuming it has been scanned because whoever is trying knows to try ssh on a non-standard port [22:42]
n4dir: -sU -> udp scan [22:42]
fsmithred: yeah, that's kinda what I thought [22:43]
n4dir: not that i'd be in it, but nmap is pretty powerful [22:43]
fsmithred: I might just move it to another port and see how long it takes them to find it [22:43]
n4dir: iirc going for a full scan, whatever that might be, instead of default, first thousand?, will take *really* long [22:44]
mason: fsmithred: TCP or UDP, doesn't matter. Your server won't be answering on TCP ports, so they're going to look like closed ports. I use only TCP. [22:44]
mason: fsmithred: They shouldn't see the ports, as they'll be closed. But knockd will see the attempt and register it. [22:44]
fsmithred: yeah, if I can get to the server [22:45]
mason: fsmithred: So, whatever's easiest to set up on the firewall. [22:45]
fsmithred: I was only inside the admin panel once. I don't know if it has port knocking. [22:45]
mason: fsmithred: Another option, albeit a tricky one, is to know somewhere else, and then transmit that in. [22:45]
mason: fsmithred: It won't, almost certainly. [22:45]
mason: knock somewhere else* [22:46]
fsmithred: that's not a feature on pro routers? [22:46]
fsmithred: oh [22:46]
mason: fsmithred: So, knock sequence on some other server, have it trusted, have it pass in a note saying "unlock for this IP" [22:46]
luser977: should not afaik [22:46]
luser977: find [22:46]
luser977: port knocking can sometimes be arranged on ios [22:47]
mason: If the router does it, that'd be the best place. [22:49]
luser977: https://community.cisco.com/t5/networking-blogs/you-can-t-try-it-if-you-don-t-knock-it/ba-p/3102806 [22:51]
luser977: not for ios beginners and not in the web ui [22:51]
mason: luser977: Nice, thank you. I'd looked and found nothing. [22:52]
mason: Been years since I've had to touch ios. [22:52]
mason: ...and I've never set up port knocking on it. [22:52]
luser977: ios is ok but too much variance sometimes [22:52]
mason: fsmithred: You could really even have a password-protected web page up somewhere where someone can hit that and have that trigger a rule on the target host. [22:53]
mason: fsmithred: The only thing you really need is a relatively obscure/mildly protected way to capture an IP address that can be turned into a rule. [22:54]
luser977: re: udp scan: udp scan only finds properly open udp server ports. knock udp ports are not such ports. [23:10]
luser977: so a closed udp port can be faked, using icmp, I think knockd uses this. not sure. [23:17]
luser977: i don't know why i keep dropping out. someone is playing deauth games with me. wifi drops. [23:19]
fsmithred: luser977, 'knock udp ports' means a port on the server that I'm knocking? [23:19]
luser977: yes [23:20]
fsmithred: but I have to get past a firewall [23:20]
luser977: the router simply forwards those. [23:20]
fsmithred: can't someone clever figure out that the ports open on the router might be used for knocking? [23:21]
luser977: fwding does not add detectability [23:21]
fsmithred: ok [23:21]
luser977: n8 zzzz [23:29]
mason: luser977: knockd doesn't actually open any ports, it looks at traffic that is destined for ports, whether the ports are open or not [23:38]
