rwp | onefang, I skimmed the contents page of that document and it didn't seem to be so bad to me. Do you have a specific complaint about it? | 00:21 |
---|---|---|
rwp | onefang, However I think those documents are doomed to be out of date from the moment they are saved. Things always change too rapidly for static docs like that to keep up. | 00:21 |
rwp | onefang, Also I believe the system is secure by default. Any insecurity by default is treated pretty strongly as a bug and fixed. | 00:22 |
rwp | In other words... I do not personally spend time "hardening" my Internet connected server systems. | 00:23 |
rwp | I take general precautions only. fail2ban, firewall, aide, logcheck, other similar things. | 00:23 |
se7en | After a system update, my computer now goes into hibernation/sleep when I close the lid. How do I disable this? | 05:48 |
se7en | Most of the web searches I find speak of editing logind from systemd settings. Ugh | 05:50 |
fluffywolf | you can edit /etc/elogind/logind.conf or remove elogind | 05:51 |
fluffywolf | it probably has HandleLidSwitch=suspend, change to HandleLidSwitch=ignore | 05:51 |
se7en | I'm not entirely sure what elogind does, or what it may be a dependency for | 05:51 |
se7en | HandleLidSwitch=suspend is actually commented out | 05:52 |
fluffywolf | elogind is a dependency of KDE. if you don't actually use KDE, but use a couple kde programs, you can replace it with a dummy package and nothing seems to break. | 05:52 |
fluffywolf | the comments say the default. you have to uncomment it and change it to ignore | 05:52 |
se7en | Ok, is there any specific behavior as to how to do that | 05:52 |
se7en | I downloaded a bunch of packages from KDE's Academic suite, and that must be what did it. However, I don't know what the dummy package is | 05:53 |
se7en | So simply `apt remove elogind` produces a mega prompt for removing all that stuff | 05:53 |
fluffywolf | I used equivs to generate a fake package | 05:54 |
se7en | bleh | 05:55 |
se7en | More work | 05:55 |
se7en | I never used equivs | 05:55 |
fluffywolf | http://paste.debian.net/1241350/ | 05:55 |
se7en | so I take this paste and run it in equivs-build? What is the syntax? I have never used equivs | 05:56 |
se7en | `equivs-build -f file.equivs`? | 05:56 |
fluffywolf | I haven't used it recently enough to have it off the top of my head. | 05:56 |
se7en | For now, I think I'll just change the conf. Maybe I'll just part with those KDE packages a little later. I just get angry when I have software installed (especially at that level) which is not a real dependency at all | 05:58 |
fluffywolf | I already complained about this... the kde people really do not care, at all. | 05:58 |
se7en | It's KDE | 05:59 |
se7en | What do you expect? | 05:59 |
se7en | It's not like it's 1998 anymore. | 05:59 |
fluffywolf | and devuan doesn't have the manpower to fork more packages just to remove minor dependencies... | 05:59 |
se7en | I don't use any of these major default-bundled WM/DMs | 06:00 |
fluffywolf | volunteers are always helpful. hint, hint. :P | 06:00 |
se7en | I use FVWM2, and a conf file that originated from 1999 | 06:00 |
fluffywolf | icewm here | 06:00 |
yuadt | hi | 06:25 |
yuadt | I encrypted the drive. At boot after I enter the key the computer immediately shuts down. If I put a wrong key the computer immediately shuts down. If I just press enter it says nothing to read on input. It asks me for the key again. Repeat. | 06:29 |
yuadt | yesterday everything was fine. I did not update, did not change anything system related as far as I can remember | 06:29 |
yuadt | Isn't all this very, very weird? | 06:31 |
gnarface | seems weird but maybe hardware related; symptoms match a failing power supply | 06:33 |
yuadt | gnarface, could be, but why can I just launch the devuan installer and go around the installer with the system not shutting down once? | 06:36 |
yuadt | It is also strange that it fails at the exact instant I press enter. | 06:37 |
yuadt | I can decrypt the disk just fine from the devuan installer shell | 06:41 |
yuadt | it cannot be something that happens after decryption because it fails even if I put a wrong key | 06:42 |
rrq | did you boot that encrypted drive before? | 06:47 |
yuadt | rrq, yes | 06:48 |
yuadt | yesterday | 06:48 |
rrq | I mean after you had encrypted it .. (just so I understand) | 06:49 |
yuadt | rrq, I installed devuan a month ago or so. I installed it encrypted | 06:51 |
yuadt | just standard encryption with the installer | 06:51 |
rrq | ok. if you booted that previously then it suggests some h/w issue; can you verify the encryption code on the initial boot menu, or does it need decryption before that? | 06:56 |
yuadt | the boot menu you mean grub? No it's after that. It says it can't process lvm volumes, then it asks me to unlock the disk. | 06:59 |
rrq | right; you can select "c" (I think, or is it "e") for editing the command, and then make sure the password looks right there.. just to verify the keyboard | 07:01 |
yuadt | rrq, the computer shuts down even if I intentionally put a wrong key | 07:01 |
rrq | you are obviously sure about the password, but maybe the keyboard has some "odd configuration" on cold start | 07:03 |
yuadt | I tried grub "c", the keyboard seems fine | 07:04 |
yuadt | It might be an h/w issue. It's just so weird that it happens in that moment, and in that moment alone. | 07:05 |
rrq | yes. given you can boot up from the installer; it rather suggests some disk failure when it gets vectored to the on-dik decryption | 07:08 |
rrq | on-disk | 07:08 |
rrq | I know too little about the software involved but I would lean towards trying to reinstall | 07:09 |
rrq | of the encryption/decryption software | 07:10 |
yuadt | can I maybe give the key on the kernel command line? Just to see if it changes anything | 07:12 |
rrq | ah I thought you had full-disk encryption | 07:14 |
rrq | in any case you might need to wait for someone who knows better than me | 07:16 |
yuadt | rrq, yes, the kernel is unencrypted, it's not grub asking me the key | 07:22 |
rrq | what about pressing control-J instead of Enter at the end? | 07:25 |
yuadt | rrq, I tried it and it worked!! I reboot and now the issue doesn't exist anymore, I can also press Enter | 07:28 |
yuadt | this doesn't make any sense. Maybe the h/w issue only happens at times? | 07:29 |
rrq | great. apparently your keyboard had resorted to issuing C-M for Enter... I'm sure it can be explained | 07:30 |
yuadt | rrq, thank you. I'm going, if this happens again I'll throw the computer out of the window | 07:32 |
onefang | rwp: https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html was last updated in 2017. It mentions things like inetd (no longer exists), and after a quick look doesn't mention new things like nftables and systemd. Though for us Devuan users, lack of systemd is a good thing. I'm reading it now anyway. | 17:46 |
onefang | I'm putting together my standard Chimaera setup for all my systems, and I want to spend some more effort on hardening. Running fine on my desktop so far. After the hardening pass I'll put it on my servers. | 17:47 |
rwp | onefang, Ahem... I am still using inetd. It does still exist. Remember that this is Devuan not Debian/systemd. | 21:02 |
rwp | If not using inetd then there is no need to "harden" it by disabling services from it. But if one is then yes. So it still seems apropos. | 21:04 |
rwp | I disagree with the rhetorical statement in that document about inetd being only due to kernel deficiencies though. I use it for providing autossh with a shared echo service path. It's not a kernel deficiency as that should not be in kernel space but in userland space. | 21:07 |
onefang | Odd, I didn't find inetd as a package. | 21:07 |
rwp | And it is not insecure in that mode either. | 21:07 |
rwp | https://packages.debian.org/sid/xinetd | 21:07 |
onefang | Ah I didn't scroll all the way down in synaptic's search result. | 21:08 |
rwp | https://packages.debian.org/sid/openbsd-inetd | 21:08 |
rwp | xinetd provides useful rate limiting and other features for things accessible from the hostile Internet. | 21:09 |
rwp | openbsd-inetd is the traditional inetd suitable for services accessible internally such as my use with autossh. | 21:09 |
rwp | And the systemd folks can claim they invented it if they want but inetd has been around for far longer than they have been around. | 21:10 |
onefang | Anyway, I'm half way through reading it, and some of it is still relevant. | 21:10 |
rwp | Yes. | 21:10 |
rwp | Again for me IMNHO I think a lot of "hardening" is not needed and results in a system that is not truly less vulnerable to zero-day vulnerabilities but is harder for the local user and sysadmin to use themselves. | 21:11 |
rwp | I would always install hardening such as fail2ban, firewall, aide, and if one can deal with the noise from it logcheck. | 21:12 |
onefang | That's why I'm checking this stuff on my desktop (and VMs if needed) before rolling it out to my servers. I'll do what's right for me. | 21:13 |
rwp | logcheck requires aggressive noise filtering. No doubt. But if one commits to doing it then it is very useful. But not for the timid. | 21:13 |
onefang | I know, I installed logcheck recently, it's waaay too noisy. Though I just installed logcheck-database which might help. | 21:13 |
onefang | I'm considering using nftables directly, not using a separate firewall front end. | 21:14 |
rwp | My local filtering rules that I keep updated as needed have more than 8,000 lines of filter rules. | 21:14 |
rwp | For logcheck filter rules. | 21:14 |
onefang | And as I always say "the problem with fail2ban is that it fails to ban". It has issues, I hope the Chimaera version has less issues. | 21:15 |
rwp | I consider iptables, nftables, shorewall, ufw, all of those to be in the category "firewall". | 21:15 |
onefang | iptables and nftables are the backends that shorewall and ufw are the front ends for. | 21:16 |
rwp | I have a handful of custom fail2ban rules, mostly for use with http attacks. The default is set up for ssh and mostly seems sufficient. | 21:16 |
onefang | Shorewall is what I used to use, but it's not getting updated for nftables, which I want to switch to. | 21:16 |
rwp | Unfortunately, because I really like shorewall, but it is not updated for nftables and unlikely it will ever be updated to nftables. Would love it if it were otherwise. | 21:16 |
onefang | Exactly. | 21:17 |
onefang | My main problem with fail2ban is that when it decides to lift a ban, it lifts the ban, even if I have told shorewall to ban it permanently. So that IP can now get through. | 21:18 |
onefang | Back to reading. | 21:19 |
rwp | For your default banaction are you using iptables-multiport or are you using the shorewall action? | 21:19 |
rwp | There are some problems with the interaction of the two. I forget now exactly what. I decided to use the default iptables-multiport and accept the not exactly correct behavior. | 21:19 |
onefang | Not using anything yet in chimaera, and no longer care for the old Beowulf version that is still running on the servers. | 21:20 |
rwp | But I believe what you say is true if you use the shorewall ban action. Because then fail2ban uses shorewall both for banning and unbanning. And then it... unbans via shorewall. | 21:20 |
onefang | So as I said, no firewall front end is what I'll try, pure nftables is the plan. So shorewall will be out of the picture either way. | 21:21 |
rwp | I will claim that using nftables directly *IS* using a firewall. Why would it not be a firewall? | 21:21 |
onefang | Read what I said before. lol | 21:22 |
onefang | iptables and nftables are the BACKends that shorewall and ufw are the FRONT ends for. | 21:23 |
rwp | I will miss Shorewall. But will likely write something with nftables directly too. I do not like the way ufw works. It's just not for me. | 21:23 |
rwp | I feel that your distinction is a distinction without merit because the result is a firewall either way. Sorry. Not wanting to sound like a jerk. But can't phrase it softer. | 21:23 |
rwp | I don't care if it is a frontend, backend, middleware, written on Tuesday, or whatever. If it results in a firewall then it is a firewall. | 21:24 |
onefang | The distinction is that the front ends work by sending commands to the backends. So shorewall needs iptables to do the actual work, but you can do the same by sending iptables commands directly. | 21:25 |
rwp | Of course. | 21:25 |
onefang | Shorewall won't work without iptables. | 21:25 |
used____ | I have tons of libreoffice related apparmor messages clogging dmesg on Beowulf. Is there a way to disable the noise? I understand that booting with audit=0 on kernel cli can do it but I would not go that far. | 21:26 |
rwp | This is a distinction without merit. And any further debate on the topic should be in #devuan-offtopic where I would gladly continue it if desired. But I don't desire it. | 21:26 |
* onefang goes back to reading docs. | 21:26 |
used____ | Ref I found for problem, seems to be libreoffice and kernel version dependent https://askubuntu.com/questions/1066956/libreoffice-apparmor-messages-issue | 21:26 |
used____ | tia | 21:27 |
rwp | used____, I do not use apparmor and so have no advice for you. (Humorously, above I was just saying that I don't use extra "hardening", such as apparmor, because I felt it resulted in a harder to use system, and you have just proved my point, but IMNHO did not result in enough benefit.) | 21:28 |
rwp | used____, I am NOT advising you to do this, but on my system I "dpkg --purge apparmor" and avoid the apparmor issues entirely. Due to problems such as you describe. | 21:30 |
used____ | rwp, I'll look into what else needs it. Agree about purging it if not essential. It probably provides some "peace of mind" vs Libreoffice's habit of having huge holes and accessing system files it should not. | 21:56 |
used____ | I see openssl + libssl have upgrades again. These things should really be tested since they are basic security related. Obviously far too complex by now to ever become "stable". Time to look for other solutions? | 21:58 |
used____ | (where?) | 21:58 |
rwp | I installed those ssl libs yesterday uneventfully. No issues of any sort. (I see used____ has already left.) | 22:07 |
NeverAlone | Hello | 23:01 |
plasma41 | NeverAlone: Greetings | 23:03 |
NeverAlone | New devuan user here. I'm planning to upgrade to unstable but my question is how is it called, daedalus? | 23:05 |
golinux | daedalus is testing | 23:08 |
NeverAlone | Oh? What's the name of unstable then? | 23:08 |
fsmithred | ceres | 23:08 |
NeverAlone | Or unstable doesn't exist | 23:09 |
fsmithred | and that never changes | 23:09 |
fsmithred | like sid | 23:09 |
golinux | https://www.devuan.org/os/releases | 23:09 |
NeverAlone | Oh! | 23:09 |
NeverAlone | Thanks! | 23:09 |
golinux | NeverAlone: Enjoy init freedom! | 23:09 |
plasma41 | Devuan Daedalus is to Debian Bookworm as Devuan Ceres is to Debian Sid. | 23:10 |
NeverAlone | golinux: Thank you! | 23:12 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!