1308615256 M * WMP hmmmm: http://wklej.org/id/550052
1308615486 M * WMP hmmm
1308615501 M * WMP i make make install after reboot and worl
1308615502 M * WMP work
1308615507 M * WMP stupid...
1308617930 M * Bertl off to bed now ... have a good one everyone!
1308617936 N * Bertl Bertl_zZ
1308628135 Q * ard Ping timeout: 480 seconds
1308629473 Q * ryker Quit: Leaving.
1308630271 J * sannes ~ace@cm-84.209.81.224.getinternet.no
1308632206 Q * thierryp Remote host closed the connection
1308633309 Q * sladen Ping timeout: 480 seconds
1308633386 Q * FireEgl Ping timeout: 480 seconds
1308633686 J * sladen ~paul@starsky.19inch.net
1308634852 J * ard ~ard@gw-tweakb16.kwaak.net
1308635013 J * petzsch ~markus@dslb-088-075-160-221.pools.arcor-ip.net
1308635586 Q * arekm Quit: leaving
1308635589 J * arekm ~arekm@ixion.pld-linux.org
1308636718 J * ghislain ~AQUEOS@adsl2.aqueos.com
1308637957 Q * derjohn_mob Ping timeout: 480 seconds
1308639585 J * ryker ~Adium@c-76-16-115-27.hsd1.in.comcast.net
1308640600 Q * ryker Quit: Leaving.
1308641937 J * hijacker ~hijacker@87-126-142-51.btc-net.bg
1308642166 J * FireEgl ~FireEgl@173-16-9-3.client.mchsi.com
1308644572 J * kir ~kir@swsoft-msk-nat.sw.ru
1308644596 P * kir
1308645034 J * bzed_ ~bzed@devel.recluse.de
1308645361 Q * bzed Ping timeout: 480 seconds
1308645364 N * bzed_ bzed
1308645644 J * derjohn_mob ~aj@213.238.45.2
1308645772 Q * bzed Quit: Changing server
1308645802 J * bzed ~bzed@devel.recluse.de
1308646419 Q * nkukard Ping timeout: 480 seconds
1308649293 Q * hijacker Quit: Leaving
1308650768 J * thierryp ~thierry@zanzibar.inria.fr
1308651773 N * Bertl_zZ Bertl
1308651782 M * Bertl morning folks!
1308651869 M * WMP Bertl: hello
1308651883 M * WMP (from night): hmmmm: http://wklej.org/id/550052
1308651890 M * WMP i make make install after reboot and work
1308651895 M * WMP why?
1308651909 M * WMP after every restart i must make make install?
1308651943 M * Bertl restart means host reboot?
1308651961 M * WMP yes
1308651964 M * Bertl if so then you didn't enable the util-vserver runlevel scripts properly
1308651976 J * BenG ~bengreen@cpc12-aztw24-2-0-cust146.aztw.cable.virginmedia.com
1308652003 M * Bertl i.e. vprocunhide and util-vserver are the sysv scripts to be run at host startup)
1308652037 M * Bertl in addition you can run vserver-default to start guests with the 'default' mark
1308652062 M * WMP i have only vprocunhide init script
1308652793 M * Bertl kernel/patch/util-vserver version?
1308653915 J * ryker ~Adium@c-76-16-115-27.hsd1.in.comcast.net
1308654898 J * nkukard ~nkukard@41-133-248-130.dsl.mweb.co.za
1308656706 Q * BenG Quit: I Leave
1308658353 M * WMP Bertl: sorry for my afk
1308658371 M * WMP kernel: 2.6.38.8-vs2.3.0.37-rc17-vserver
1308658394 M * WMP vserver: 0.30.216-pre2981;
1308658441 M * Bertl and you are missing the runlevel scripts?
1308658451 M * WMP yes
1308658573 M * Bertl did you run 'make install-distribution' after building util-vserver from source?
1308658579 M * Bertl http://linux-vserver.org/Installation_on_Linux_2.6
1308658587 M * WMP yes
1308658613 M * Bertl then I do not know why you would be missing the runlevel scripts
1308658630 M * Bertl they are installed here when you do that
1308658636 M * WMP what is the name of this script?
1308658689 M * Bertl util-vserver, vprocunhide, and vservers-default
1308658720 M * WMP omg
1308658723 M * WMP i have this ;)
1308658727 M * WMP ... ;)
1308662611 J * hijacker ~hijacker@87-126-142-51.btc-net.bg
1308662794 Q * ryker Quit: Leaving.
1308666768 Q * petzsch Quit: Leaving.
1308667968 Q * thierryp Remote host closed the connection
1308668172 J * dowdle ~dowdle@scott.coe.montana.edu
1308668527 Q * ncopa Quit: Leaving
1308668893 J * petzsch ~markus@dslb-088-075-160-221.pools.arcor-ip.net
1308670945 J * kbad ~Adium@pool-108-38-208-174.lsanca.fios.verizon.net
1308671011 M * kbad Is /etc/vserver/$foo/sched only for the old token bucket cpu scheduling?
1308671447 Q * petzsch Read error: Connection reset by peer
1308671993 M * Bertl kbad: yep
1308672041 M * kbad perfect, thanks!
1308672063 M * Bertl np
1308672427 J * bonbons ~bonbons@2001:960:7ab:0:a972:3f81:629a:ee55
1308674371 J * petzsch ~markus@dslb-088-075-160-221.pools.arcor-ip.net
1308674910 Q * petzsch Read error: Connection reset by peer
1308675051 M * Bertl off for now ... bbl
1308675055 N * Bertl Bertl_oO
1308675255 P * kbad
1308676117 Q * derjohn_mob Ping timeout: 480 seconds
1308676129 J * derjohn_mob ~aj@p4FFD2EEC.dip.t-dialin.net
1308676496 Q * nicholi Quit: leaving
1308676627 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1308676753 J * nicholi ~nicholi@12.232.116.66
1308676754 Q * nicholi
1308676803 J * nicholi ~nicholi@12.232.116.66
1308677173 M * chrissbx Wondering whether there's something like fail2ban that would work in vserver guests.
1308677212 M * chrissbx Maybe I just shouldn't worry about those ssh pw hack attempts, though.
1308677259 M * chrissbx (I don't have any pw's set in the guest(s), anyway)
1308677301 M * nicholi well the promise is that even if the guest is compromised...the rest of the system and the other guests are fine right :) ?
1308677337 M * chrissbx Uh, I wouldn't trust on that. A local breakin is pretty severe in any case.
1308677366 M * chrissbx Once someone's in, he/she just has to wait till the next kernel hole is revealed.
1308677397 M * nicholi could be said of any software loophole/exploit though
1308677424 M * chrissbx I think there's less chance of a hole in a single daemon like ssh than in the kernel.
1308677448 M * nicholi one would hope
1308677458 M * chrissbx The kernel is just too complicated, has too many attack surfaces for local processes.
1308677546 M * chrissbx But if you're insisting on local security, what are you using to *detect* breakins so that you have a chance of taking action *before* the attacker learns about the next local hole?
1308677617 Q * derjohn_mob Ping timeout: 480 seconds
1308677624 M * chrissbx I find most tools are too complicated, not really useful for vserver hosts, or involve some PHP interface or other oddity that just makes me conclude I don't want to use it.
1308677665 M * chrissbx I love knowing how a tool works fully when it comes to security.
1308677808 M * nicholi currently i have nothing in place to discern breakin from legitimate logins, but i do use passwords :)
1308677858 M * nicholi wouldn't you be able to simply have fail2ban point to the log files from the host directly? and still take action via iptables?
1308677903 M * chrissbx Just to be sure, when I said I don't have any pw's set I meant, really non, not the empty passwords.
1308677914 M * chrissbx *none
1308677927 M * chrissbx Dunno, maybe.
1308677989 M * chrissbx It would be nicer (less risk for screwup) and easier (just apt-get install) if there were something that works out of the package.
1308677989 M * nicholi oh i see what ya mean, using keys instead ?
1308677994 M * chrissbx yes
1308678003 M * nicholi planning to move over to that next
1308678054 M * nicholi i'm guessing there is not, at least for blocking the incoming connection at the interface...since the guest has no real hardware access
1308678088 M * chrissbx I know, but sshd itself could refrain from taking connections, or you could use a proxy in front of sshd.
1308678158 M * chrissbx (Or s.o. might write a virtual firewalling setup, like replace the iptables command with one that feeds the commands to the host, which checks/filters/adapts them.)
1308678264 M * WMP Bertl_oO: mount -t cgroup -ocpu none /dev/cgroup mount: special device none does not exist
1308678267 M * WMP Bertl_oO: why?
1308678290 M * nicholi cgroups enabled in kernel ?
1308678307 M * WMP yes
1308678315 M * WMP before reboot work
1308678318 M * WMP after no ;)
1308678389 M * nicholi chrissbx: what about denyhosts? that looks simple enough, and should work in a guest
1308678678 J * tomreyn__ ~Piet__@28IAAB5VU.tor-irc.dnsbl.oftc.net
1308678678 M * _are_ chrissbx: I suggest running fail2ban on the host and making the VServers log the relevant log somewhere the host-fail2ban can check them instead of running fail2ban within the guest. It is iptables anyway and iptables is host-work
1308679009 J * petzsch ~markus@dslb-088-075-160-221.pools.arcor-ip.net
1308679091 Q * Piet_ Ping timeout: 480 seconds
1308679942 Q * hparker Quit: Quit
1308680537 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1308683067 Q * hparker Quit: Quit
1308683155 J * _are__ ~quassel@vs01.lug-s.org
1308683249 J * emcepe ~mcp@wolk-project.de
1308683263 J * PowerKe_ ~tom@94-226-105-27.access.telenet.be
1308683266 J * daniel_hozac_ ~daniel@c-923071d5.08-230-73746f22.cust.bredbandsbolaget.se
1308683268 J * nospoonuser_ ~nospoonus@shell.net23.de
1308683271 J * Marillio1 ~dirk@178.63.150.30
1308683273 J * julius_ ~julius@217.20.127.15
1308683281 J * n01101111x ~nox@host.noxlux.de
1308683285 J * karasz_ ~karasz@shell.opensde.net
1308683290 J * ensc|w_ ~ensc@www.sigma-chemnitz.de
1308683292 J * [Guy] ~korn@elan.rulez.org
1308683321 J * LuckyLuk1 ~luca@host65-83-static.228-95-b.business.telecomitalia.it
1308683435 J * ccxCZ_ ~ccxCZ@193.209.forpsi.net
1308683491 Q * daniel_hozac reticulum.oftc.net magnet.oftc.net
1308683491 Q * ensc|w reticulum.oftc.net magnet.oftc.net
1308683491 Q * ccxCZ reticulum.oftc.net magnet.oftc.net
1308683491 Q * LuckyLuke reticulum.oftc.net magnet.oftc.net
1308683491 Q * _are_ reticulum.oftc.net magnet.oftc.net
1308683491 Q * wurtel__ reticulum.oftc.net magnet.oftc.net
1308683491 Q * julius reticulum.oftc.net magnet.oftc.net
1308683491 Q * PowerKe reticulum.oftc.net magnet.oftc.net
1308683491 Q * Marillion reticulum.oftc.net magnet.oftc.net
1308683491 Q * Guy- reticulum.oftc.net magnet.oftc.net
1308683491 Q * mcp reticulum.oftc.net magnet.oftc.net
1308683491 Q * ignaz reticulum.oftc.net magnet.oftc.net
1308683491 Q * nospoonuser reticulum.oftc.net magnet.oftc.net
1308683491 Q * jeroen_ reticulum.oftc.net magnet.oftc.net
1308683491 Q * nox reticulum.oftc.net magnet.oftc.net
1308683491 Q * karasz reticulum.oftc.net magnet.oftc.net
1308683491 N * Marillio1 Marillion
1308683491 N * n01101111x nox
1308683492 N * ccxCZ_ ccxCZ
1308683492 N * emcepe mcp
1308683935 J * ignaz ~ignaz@85-126-150-194.work.xdsl-line.inode.at
1308683940 J * jeroen_ ~jeroen@imap.powerinternet.eu
1308683962 N * karasz_ karasz
1308683982 J * wurtel__ ~paul@gw-office.telegraaf.net
1308685039 Q * hijacker Quit: Leaving
1308685467 N * Bertl_oO Bertl
1308685469 M * Bertl back now
1308685567 Q * AndrewLee Read error: Connection reset by peer
1308685568 J * AndrewLee ~andrew@n201.enc.hlc.edu.tw
1308686659 Q * petzsch Quit: Leaving.
1308686840 Q * nicholi Remote host closed the connection
1308687382 J * nicholi ~nicholi@12.232.116.66
1308687683 Q * nicholi Remote host closed the connection
1308688352 M * WMP Bertl: mount -t cgroup -ocpu none /dev/cgroup mount: special device none does not exist
1308689770 M * Bertl looks like your mount is different, works perfectly fine here, assuming that it isn't already mounted
1308689792 M * Bertl (in which case it complains with already mounted or busy)
1308689809 M * Bertl note that util-vserver already mounts that for you if your kernel is reasonably recent
1308689815 M * _are__ WMP: I encountered similar error messages when I added cgroup types that actually weren't in the kernel
1308689821 M * Bertl (and util-vserver as well)
1308689842 N * _are__ _are_
1308689852 M * WMP but work before reboot
1308689878 M * _are_ WMP: then it is probably what Bertl said: already mounted by util-vserver
1308689899 M * Bertl should be easy to verify with 'cat /proc/mounts'
1308689901 M * Bertl (please use paste.linux-vserver.org for everything longer than 3 lines)
1308689932 M * WMP but: http://wklej.org/id/550648
1308689988 M * Bertl different problem, it just means that the memory cgroup is not in place
1308690016 M * WMP Bertl: but before reboot work good
1308690044 M * Bertl maybe you rebooted with the wrong kernel then?
1308690063 M * WMP no
1308690070 M * Bertl then let
1308690077 M * WMP 2.6.38.8-vs2.3.0.37-rc17-vserver
1308690079 M * Bertl 's start with the proc/mounts info
1308690124 M * WMP http://wklej.org/id/550651
1308690178 M * Bertl so no cgroup filesystem mounted there, which already looks suspicious
1308690257 M * Bertl try
1308690259 M * Bertl mount -t cgroup none /dev/cgroup/
1308690267 M * WMP work
1308690276 M * WMP none /dev/cgroup cgroup rw,relatime,blkio,freezer,devices,memory,cpuacct,ns,cpuset 0 0
1308690293 M * Bertl so there is no 'cpu' cgroups subsystem
1308690305 M * WMP this is memory
1308690322 M * Bertl as you can see, the memory subsystem is now mounted
1308690336 M * WMP yes
1308690344 M * WMP vserver-stat
1308690346 M * WMP open(memory.usage_in_bytes): No such file or directory
1308690439 M * Bertl you need to restart the guests
1308690467 M * Bertl but as I said, the util-vserver script usually mounts the cgroup fs for you
1308690480 M * WMP Bertl: and after reboot i should run /etc/init.d/util-vserver ?
1308690481 M * WMP ok
1308690485 M * Bertl i.e. I presume your host startup is still not using those scripts
1308690521 M * WMP yes
1308691102 Q * bonbons Quit: Leaving
1308691966 Q * sannes Remote host closed the connection
1308692031 J * thierryp ~thierry@home.parmentelat.net
1308692114 J * nicholi ~nicholi@12.232.116.66
1308692533 J * ryker ~Adium@CF3840C2.endinfosys.com
1308693808 M * nicholi any specific parameters i should pay attention to while building util-vserver? besides just pointing it to the dir locations i want
1308693835 M * Bertl no, just make sure you are building with dietlibc and a working toolchain
1308693940 M * nicholi yeah, got --enable-dietlibc
1308695428 Q * bzed Ping timeout: 480 seconds
1308695515 J * bzed ~bzed@devel.recluse.de
1308696845 J * derjohn_mob aj@88.128.224.190
1308698270 Q * imcsk8 Quit: Leaving
1308698784 Q * ryker Quit: Leaving.
1308698838 N * ensc Guest5575
1308698848 J * ensc ~irc-ensc@p5DF2F210.dip.t-dialin.net
1308699074 Q * ghislain Quit: Leaving.
1308699257 Q * Guest5575 Ping timeout: 480 seconds