libera/#devuan/ Thursday, 2022-05-19

00:21 <rwp> onefang, I skimmed the contents page of that document and it didn't seem to be so bad to me.  Do you have a specific complaint about it?
00:21 <rwp> onefang, However I think those documents are doomed to be out of date from the moment they are saved.  Things always change too rapidly for static docs like that to keep up.
00:22 <rwp> onefang, Also I believe the system is secure by default.  Any insecurity by default is treated pretty strongly as a bug and fixed.
00:23 <rwp> In other words...  I do not personally spend time "hardening" my Internet connected server systems.
00:23 <rwp> I take general precautions only.  fail2ban, firewall, aide, logcheck, other similar things.
05:48 <se7en> After a system update, my computer now goes into hibernation/sleep when I close the lid. How do I disable this?
05:50 <se7en> Most of the web searches I find speak of editing logind from systemd settings. Ugh
05:51 <fluffywolf> you can edit /etc/elogind/logind.conf or remove elogind
05:51 <fluffywolf> it probably has HandleLidSwitch=suspend, change to HandleLidSwitch=ignore
05:51 <se7en> I'm not entirely sure what elogind does, or what it may be a dependency for
05:52 <se7en> HandleLidSwitch=suspend is actually commented out
05:52 <fluffywolf> elogind is a dependency of KDE.  if you don't actually use KDE, but use a couple kde programs, you can replace it with a dummy package and nothing seems to break.
05:52 <fluffywolf> the comments say the default.  you have to uncomment it and change it to ignore
05:52 <se7en> Ok, is there any specific behavior as to how to do that
05:53 <se7en> I downloaded a bunch of packages from KDE's Academic suite, and that must be what did it. However, I don't know what the dummy package is
05:53 <se7en> So simply `apt remove elogind` produces a mega prompt for removing all that stuff
05:54 <fluffywolf> I used equivs to generate a fake package
05:55 <se7en> bleh
05:55 <se7en> More work
05:55 <se7en> I never used equivs
05:55 <fluffywolf> http://paste.debian.net/1241350/
05:56 <se7en> so I take this paste and run it in equivs-build? What is the syntax? I have never used equivs
05:56 <se7en> `equivs-build -f file.equivs`?
05:56 <fluffywolf> I haven't used it recently enough to have it off the top of my head.
05:58 <se7en> For now, I think I'll just change the conf. Maybe I'll just part with those KDE packages a little later. I just get angry when I have software installed (especially at that level) which is not a real dependency at all
05:58 <fluffywolf> I already complained about this...  the kde people really do not care, at all.
05:59 <se7en> It's KDE
05:59 <se7en> What do you expect?
05:59 <se7en> It's not like it's 1998 anymore.
05:59 <fluffywolf> and devuan doesn't have the manpower to fork more packages just to remove minor dependencies...
06:00 <se7en> I don't use any of these major default-bundled WM/DMs
06:00 <fluffywolf> volunteers are always helpful.  hint, hint.  :P
06:00 <se7en> I use FVWM2, and a conf file that originated from 1999
06:00 <fluffywolf> icewm here
06:25 <yuadt> hi
06:29 <yuadt> I encrypted the drive. At boot after I enter the key the computer immediately shuts down. If I put a wrong key the computer immediately shuts down. If I just press enter it says nothing to read on input. It asks me for the key again. Repeat.
06:29 <yuadt> yesterday everything was fine. I did not update, did not change anything system related as far as I can remember
06:31 <yuadt> Isn't all this very, very weird?
06:33 <gnarface> seems weird but maybe hardware related; symptoms match a failing power supply
06:36 <yuadt> gnarface, could be, but why can I just launch the devuan installer and go around the installer with the system not shutting down once?
06:37 <yuadt> It is also strange that it fails at the exact instant I press enter.
06:41 <yuadt> I can decrypt the disk just fine from the devuan installer shell
06:42 <yuadt> it cannot be something that happens after decryption because it fails even if I put a wrong key
06:47 <rrq> did you boot that encrypted drive before?
06:48 <yuadt> rrq, yes
06:48 <yuadt> yesterday
06:49 <rrq> I mean after you had encrypted it .. (just so I understand)
06:51 <yuadt> rrq, I installed devuan a month ago or so. I installed it encrypted
06:51 <yuadt> just standard encryption with the installer
06:56 <rrq> ok. if you booted that previously then it suggests some h/w issue; can you verify the encryption code on the initial boot menu, or does it need decryption before that?
06:59 <yuadt> the boot menu you mean grub? No it's after that. It says it can't process lvm volumes, then it asks me to unlock the disk.
07:01 <rrq> right; you can select "c" (I think, or is it "e") for editing the command, and then make sure the password looks right there.. just to verify the keyboard
07:01 <yuadt> rrq, the computer shuts down even if I intentionally put a wrong key
07:03 <rrq> you are obviously sure about the password, but maybe the keyboard has some "odd configuration" on cold start
07:04 <yuadt> I tried grub "c", the keyboard seems fine
07:05 <yuadt> It might be an h/w issue. It's just so weird that it happens in that moment, and in that moment alone.
07:08 <rrq> yes. given you can boot up from the installer; it rather suggests some disk failure when it gets vectored to the on-dik decryption
07:08 <rrq> on-disk
07:09 <rrq> I know too little about the software involved but I would lean towards trying to reinstall
07:10 <rrq> of the encryption/decryption software
07:12 <yuadt> can I maybe give the key on the kernel command line? Just to see if it changes anything
07:14 <rrq> ah I thought you had full-disk encryption
07:16 <rrq> in any case you might need to wait for someone who knows better than me
07:22 <yuadt> rrq, yes, the kernel is unencrypted, it's not grub asking me the key
07:25 <rrq> what about pressing control-J instead of Enter at the end?
07:28 <yuadt> rrq, I tried it and it worked!! I rebooted and now the issue doesn't exist anymore, I can also press Enter
07:29 <yuadt> this doesn't make any sense. Maybe the h/w issue only happens at times?
07:30 <rrq> great. apparently your keyboard had resorted to issuing C-M for Enter... I'm sure it can be explained
07:32 <yuadt> rrq, thank you. I'm going, if this happens again I'll throw the computer out of the window
17:46 <onefang> rwp: https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html was last updated in 2017.  It mentions things like inetd (no longer exists), and after a quick look doesn't mention new things like nftables and systemd.  Though for us Devuan users, lack of systemd is a good thing.  I'm reading it now anyway.
17:47 <onefang> I'm putting together my standard Chimaera setup for all my systems, and I want to spend some more effort on hardening.  Running fine on my desktop so far.  After the hardening pass I'll put it on my servers.
21:02 <rwp> onefang, Ahem...  I am still using inetd.  It does still exist.  Remember that this is Devuan not Debian/systemd.
21:04 <rwp> If not using inetd then there is no need to "harden" it by disabling services from it.  But if one is then yes.  So it still seems apropos.
21:07 <rwp> I disagree with the rhetorical statement in that document about inetd being only due to kernel deficiencies though.  I use it for providing autossh with a shared echo service path.  It's not a kernel deficiency as that should not be in kernel space but in userland space.
21:07 <onefang> Odd, I didn't find inetd as a package.
21:07 <rwp> And it is not insecure in that mode either.
21:07 <rwp> https://packages.debian.org/sid/xinetd
21:08 <onefang> Ah I didn't scroll all the way down in synaptic's search result.
21:08 <rwp> https://packages.debian.org/sid/openbsd-inetd
21:09 <rwp> xinetd provides useful rate limiting and other features for things accessible from the hostile Internet.
21:09 <rwp> openbsd-inetd is the traditional inetd suitable for services accessible internally such as my use with autossh.
21:10 <rwp> And the systemd folks can claim they invented it if they want but inetd has been around for far longer than they have been around.
21:10 <onefang> Anyway, I'm halfway through reading it, and some of it is still relevant.
21:10 <rwp> Yes.
21:11 <rwp> Again for me IMNHO I think a lot of "hardening" is not needed and results in a system that is not truly less vulnerable to zero-day vulnerabilities but is harder for the local user and sysadmin to use themselves.
21:12 <rwp> I would always install hardening such as fail2ban, firewall, aide, and if one can deal with the noise from it, logcheck.
21:13 <onefang> That's why I'm checking this stuff on my desktop (and VMs if needed) before rolling it out to my servers.  I'll do what's right for me.
21:13 <rwp> logcheck requires aggressive noise filtering.  No doubt.  But if one commits to doing it then it is very useful.  But not for the timid.
21:13 <onefang> I know, I installed logcheck recently, it's waaay too noisy.  Though I just installed logcheck-database which might help.
21:14 <onefang> I'm considering using nftables directly, not using a separate firewall front end.
21:14 <rwp> My local filtering rules that I keep updated as needed have more than 8,000 lines of filter rules.
21:14 <rwp> For logcheck filter rules.
21:15 <onefang> And as I always say "the problem with fail2ban is that it fails to ban".  It has issues, I hope the Chimaera version has fewer issues.
21:15 <rwp> I consider iptables, nftables, shorewall, ufw, all of those to be in the category "firewall".
21:16 <onefang> iptables and nftables are the backends that shorewall and ufw are the front ends for.
21:16 <rwp> I have a handful of custom fail2ban rules, mostly for use with http attacks.  The default is set up for ssh and mostly seems sufficient.
21:16 <onefang> Shorewall is what I used to use, but it's not getting updated for nftables, which I want to switch to.
21:16 <rwp> Unfortunately, because I really like shorewall, but it is not updated for nftables and it is unlikely it will ever be updated for nftables.  Would love it if it were otherwise.
21:17 <onefang> Exactly.
21:18 <onefang> My main problem with fail2ban is that when it decides to lift a ban, it lifts the ban, even if I have told shorewall to ban it permanently.  So that IP can now get through.
21:19 <onefang> Back to reading.
21:19 <rwp> For your default banaction are you using iptables-multiport or are you using the shorewall action?
21:19 <rwp> There are some problems with the interaction of the two.  I forget now exactly what.  I decided to use the default iptables-multiport and accept the not exactly correct behavior.
21:20 <onefang> Not using anything yet in chimaera, and no longer care for the old Beowulf version that is still running on the servers.
21:20 <rwp> But I believe what you say is true if you use the shorewall ban action.  Because then fail2ban uses shorewall both for banning and unbanning.  And then it... unbans via shorewall.
21:21 <onefang> So as I said, no firewall front end is what I'll try, pure nftables is the plan.  So shorewall will be out of the picture either way.
21:21 <rwp> I will claim that using nftables directly *IS* using a firewall.  Why would it not be a firewall?
21:22 <onefang> Read what I said before.  lol
21:23 <onefang> iptables and nftables are the BACKends that shorewall and ufw are the FRONT ends for.
21:23 <rwp> I will miss Shorewall.  But will likely write something with nftables directly too.  I do not like the way ufw works.  It's just not for me.
21:23 <rwp> I feel that your distinction is a distinction without merit because the result is a firewall either way.  Sorry.  Not wanting to sound like a jerk.  But can't phrase it softer.
21:24 <rwp> I don't care if it is a frontend, backend, middleware, written on Tuesday, or whatever.  If it results in a firewall then it is a firewall.
21:25 <onefang> The distinction is that the front ends work by sending commands to the backends.  So shorewall needs iptables to do the actual work, but you can do the same by sending iptables commands directly.
21:25 <rwp> Of course.
21:25 <onefang> Shorewall won't work without iptables.
21:26 <used____> I have tons of libreoffice related apparmor messages clogging dmesg on Beowulf. Is there a way to disable the noise? I understand that booting with audit=0 on the kernel cli can do it but I would not go that far.
21:26 <rwp> This is a distinction without merit.  And any further debate on the topic should be in #devuan-offtopic where I would gladly continue it if desired.  But I don't desire it.
21:26 * onefang goes back to reading docs.
21:26 <used____> Ref I found for the problem, seems to be libreoffice and kernel version dependent https://askubuntu.com/questions/1066956/libreoffice-apparmor-messages-issue
21:27 <used____> tia
21:28 <rwp> used____, I do not use apparmor and so have no advice for you.  (Humorously above I was just saying that I don't use extra "hardening", such as apparmor, because I felt it resulted in a harder to use system, and you have just proved my point, but IMNHO did not result in enough benefit.)
21:30 <rwp> used____, I am NOT advising you to do this, but on my system I "dpkg --purge apparmor" and avoid the apparmor issues entirely.  Due to problems such as you describe.
21:56 <used____> rwp I'll look into what else needs it. Agree about purging it if not essential. It probably provides some "peace of mind" vs Libreoffice's habit to have huge holes and access system files it should not.
21:58 <used____> I see openssl + libssl have upgrades again. These things should really be tested since they are basic security related. Obviously far too complex by now to ever become "stable". Time to look for other solutions?
21:58 <used____> (where?)
22:07 <rwp> I installed those ssl libs yesterday uneventfully.  No issues of any sort.  (I see used____ has already left.)
23:01 <NeverAlone> Hello
23:03 <plasma41> NeverAlone: Greetings
23:05 <NeverAlone> New devuan user here. I'm planning to upgrade to unstable but my question is how is it called, daedalus?
23:08 <golinux> daedalus is testing
23:08 <NeverAlone> Oh? What's the name of unstable then?
23:08 <fsmithred> ceres
23:09 <NeverAlone> Or unstable doesn't exist
23:09 <fsmithred> and that never changes
23:09 <fsmithred> like sid
23:09 <golinux> https://www.devuan.org/os/releases
23:09 <NeverAlone> Oh!
23:09 <NeverAlone> Thanks!
23:09 <golinux> NeverAlone: Enjoy init freedom!
23:10 <plasma41> Devuan Daedalus is to Debian Bookworm as Devuan Ceres is to Debian Sid.
23:12 <NeverAlone> golinux: Thank you!
