1313626838 J * chrissbx ~chrissbx@bas1-montreal07-1176435050.dsl.bell.ca
1313626872 Q * Radiance Ping timeout: 480 seconds
1313627058 M * chrissbx Hi. I've already been using vserver on and off for like 5 years, mostly for servers.
1313627065 M * chrissbx Now I'm considering using it for another purpose: security.
1313627082 M * chrissbx Host based intrusion detection.
1313627127 M * chrissbx Idea being, that the host context would run intrusion detection software (maybe run it in a separate context), analyzing the files in the guests.
1313627181 M * chrissbx Using vserver would make it a bit harder for a hacker that gets access to a guest to take over the kernel,
1313627198 M * chrissbx and thus intrusion detection could also run more safely.
1313627222 M * chrissbx Has anyone done that? Pointers?
1313627237 M * chrissbx Opinions?
1313627284 M * Bertl yep, was already done a few times over the last 10 years
1313627334 M * Bertl works fine, but usually you want to run the intrusion detection on the host (so that it has access to everything) and make damn sure the host itself is secure :)
1313627337 M * chrissbx (Another idea is that if the IDS finds a suspected intrusion, the respective guest could be SIGSTOPped, until the admin comes around checking what's wrong, could just issue SIGCONT if it was nothing.)
1313627430 M * chrissbx (Iff that's workable at all... needs to check which processes already were in STOP state, and analyze the dependency to prevent sigchild signals being issued.)
1313627444 M * chrissbx Cool, do you have any pointers?
1313627505 M * Bertl what kind of pointers do you have in mind?
1313627562 M * chrissbx Just if you remember anyone reporting something particularly interesting about it, where it was.
1313627568 M * chrissbx I'm checking the website right now.
1313627580 M * chrissbx I guess I'll have to search the ml, too :)
1313627584 M * Bertl not really, AFAIR, it worked like a charm
1313627612 M * chrissbx What I'm primarily interested in is hints for IDSs that work well for this purpose;
1313627626 M * chrissbx i.e. easily configurable for the different guests,
1313627655 M * Bertl i.c. well, sorry, no idea about that
1313627662 M * chrissbx also preferably ones that are Debian aware (.deb checksum checks, avoid signalling alerts for upgrades)
1313627733 M * Bertl but yes, the ML is probably a good place to search
1313627804 M * chrissbx An installation procedure (or even script) or deb for installation on the host would be perfect :)
1313627933 M * chrissbx BTW I plan on running this on my main work (desktop/laptop) machines, i.e. X11 with intel graphics in a guest.
1313628499 Q * chrissbx Ping timeout: 480 seconds
1313629185 J * chrissbx ~chrissbx@bas1-montreal07-1176435050.dsl.bell.ca
1313629262 Q * dowdle Remote host closed the connection
1313630460 Q * ensc Quit: Lost terminal
1313636603 Q * arekm Ping timeout: 480 seconds
1313636912 J * FireEgl FireEgl@2001:470:e056:1:89ad:fae0:23b1:4123
1313637873 Q * _Shiva_ Ping timeout: 480 seconds
1313638073 J * _Shiva_ shiva@whatcha.looking.at
1313639576 M * Bertl off to bed now ... have a good one everyone!
1313639581 N * Bertl Bertl_zZ
1313641424 J * sannes ~ace@cm-84.209.106.118.getinternet.no
1313643117 Q * hparker Quit: Quit
1313646950 J * ncopa ~ncopa@3.203.202.84.customer.cdi.no
1313647866 J * arekm ~arekm@ixion.pld-linux.org
1313648438 Q * ncopa Ping timeout: 480 seconds
1313648452 J * ncopa ~ncopa@3.203.202.84.customer.cdi.no
1313648897 Q * derjohn_mob Ping timeout: 480 seconds
1313649498 J * derjohn_mob ~aj@213.238.45.2
1313651312 Q * ex Ping timeout: 480 seconds
1313653130 J * kir ~kir@swsoft-msk-nat.sw.ru
1313655152 J * ghislain ~AQUEOS@adsl2.aqueos.com
1313655178 M * ghislain hello there
1313655345 M * ghislain anyone know if there is a way to check the vroot quota system? I mean the vroot is here, the quota commands work, the /dev/hdvx is fine but quotas are regularly unsynced and i need a quotacheck to repair
1313655360 M * ghislain i have some trouble finding how to troubleshoot this
1313655414 M * ghislain for example vrsetup, how to check if the link is fine between my vroot and my device with this?
1313655415 M * daniel_hozac when does it get out of sync?
1313655429 M * daniel_hozac it won't work if it isn't...
1313655482 M * ghislain regularly i have big trouble doing updates on my debian system, each time i need to refresh quota and then it works again (at least it SEEMS to work ;p)
1313655613 M * ghislain yes i create a 10mb file, the user quota increments, if i destroy it it decrements so quota seems to work
1313655630 M * ghislain but it seems to not stay like this with time
1313655652 M * ghislain can tagging get in the way?
1313655661 M * ghislain i see the partition is tagged
1313655685 M * daniel_hozac why would it be tagged?
1313655703 M * daniel_hozac if you're using quotas it needs to be a dedicated filesystem for that guest.
1313655720 M * daniel_hozac tagging there seems quite pointless.
1313655721 M * ghislain to be able to add directory limitation, for example prevent a runaway process from filling /var/tmp until the /var is full
1313655764 M * ghislain yes better put quota on the user we fear. But in theory could tagging be the issue?
1313655792 M * daniel_hozac how do you think tagging helps that?
1313655831 M * ghislain i know i have some cron to tag files to be sure they are owned by the vserver's tag. I do not know, i really wonder why the quota seems to "desync" from time to time
1313655852 M * daniel_hozac what exactly is your setup?
1313655856 M * daniel_hozac because it sounds rather broken.
1313655878 M * ghislain the wonderful webmin debian package just deletes the entire /etc/webmin directory when it fails ^^ with a disk space failure
1313655880 M * daniel_hozac tagging and quotas don't really make sense for the same filesystem.
1313655886 M * ghislain i have a /vservers that is unified
1313655904 M * ghislain then a /vserver/xxx/var that is a guest owned partition
1313655931 M * ghislain both are tagged, /vserver to limit each vserver from filling the root
1313655940 M * ghislain the /var to prevent /var/tmp filling
1313655948 M * daniel_hozac tagging would not at all help that
1313656025 M * ghislain so you think tag/disklimits + quota => issues?
1313656047 M * daniel_hozac it's quite possible since tagging changes ids.
1313656085 M * ghislain ok thanks i will try to change this and see if quota goes wild again ^^
1313656671 M * ghislain last question, if i do a remount to untag the partition, does it affect the vrsetup? or do i need to relink it?
1313656735 J * ex ex@valis.net.pl
1313656737 M * daniel_hozac no
1313656754 M * daniel_hozac vrsetup works on devices, doesn't care about mounts.
1313656778 M * ghislain doh! ok thanks a lot daniel
1313659046 M * Mr_Smoke mo'in
1313659871 M * Mr_Smoke say, is it possible to have default cflags?
1313659879 M * Mr_Smoke flower page doesn't mention a .defaults/cflags
1313659882 M * Mr_Smoke never tried it though
1313659993 M * daniel_hozac no.
1313660653 Q * chrissbx Ping timeout: 480 seconds
1313661540 M * Mr_Smoke 'k
1313663018 Q * geos_one Ping timeout: 480 seconds
1313663158 J * geos_one ~chatzilla@chello080109195117.4.graz.surfer.at
1313666158 N * Bertl_zZ Bertl
1313666164 M * Bertl morning folks!
1313667883 M * Bertl ghislain: "from filling the root" ... which root?
1313668126 J * BenG ~bengreen@cpc12-aztw24-2-0-cust146.aztw.cable.virginmedia.com
1313670081 M * BenG Hi all, today I'm trying to mount a volume from outside a guest into that guest
1313670087 M * BenG while it's running
1313670093 M * BenG is that at all possible?
1313670124 M * BenG so I'd be mounting from the host into the guest
1313670134 M * daniel_hozac vnamespace is your friend
1313670152 M * BenG yeah I saw that on the FAQ, but how to use it
1313670190 M * daniel_hozac vnamespace -e mount -n /dev/sdX /vservers/guest/path/to/mount
1313670198 M * daniel_hozac or you can use vmount
1313670206 M * BenG okay cheers daniel_hozac
1313670209 M * BenG will give that a try
1313670942 M * BenG daniel_hozac, magic thanks, I don't know what I was missing there
1313671091 M * BenG hmmm, I should expand that FAQ entry a bit
1313671096 M * BenG just a tiny bit mind you
1313671147 M * Bertl go ahead, that's why it is a wiki after all
1313672182 M * BenG 3.0.1 with vs2.3.1-pre9 looking good by the way, not having any problems
1313672685 P * kir Leaving.
1313677225 J * ffrank ~ffrank@g231243173.adsl.alicedsl.de
1313677261 M * ffrank hi. can multiple vservers on the same host receive multicast packets on the same address?
1313677326 M * daniel_hozac sure.
1313677349 M * Bertl it's the same as with multiple apps on the same host/address
1313677366 M * daniel_hozac did we ever add that NXC?
1313677369 M * daniel_hozac for multicast?
1313677389 M * Bertl probably not, but good point, let me check for 3.x
1313677482 M * Bertl nope, we had a patch for allowing it in general, IIRC?
1313677541 M * Bertl ah, already found it
1313677645 M * ffrank so this additional patch is required?
1313677665 M * Bertl it helps, as you do not need to assign multicast IPs to guests
1313677695 M * Bertl if you are interested, I can whip up a patch to test with
1313677710 M * ffrank i'd rather reconfigure my guests than patch my kernels further ;)
1313677756 M * Bertl daniel_hozac: define NXC_MULTICAST 0x00001000 looks good?
1313677772 M * daniel_hozac yeah
1313677802 M * Bertl ffrank: whatever works for you is fine
1313677870 M * ffrank thanks for the offer though - if I run into trouble, I may well take you up on that
1313678103 M * Bertl no problem, I'm doing the patch anyways
1313678528 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1313678820 M * Bertl daniel_hozac: http://vserver.13thfloor.at/ExperimentalT/delta-multicast-feat01.diff
1313678852 M * daniel_hozac yeah, looks good.
1313678870 M * Bertl I wonder if we shouldn't use nxi instead of current
1313679522 M * Bertl i.e. maybe nx_info_ncaps(nxi, NXC_MULTICAST) would be more appropriate
1313680052 Q * ncopa Quit: Leaving
1313680139 J * dowdle ~dowdle@scott.coe.montana.edu
1313682542 Q * BenG Quit: I Leave
1313683160 J * SkyNet2000 ~SkyNet200@71-81-25-51.dhcp.gwnt.ga.charter.com
1313683580 J * bonbons ~bonbons@2001:960:7ab:0:cc2e:f15b:5092:4260
1313685411 Q * ffrank Quit: Leaving
1313686302 Q * derjohn_mob Ping timeout: 480 seconds
1313686309 J * Piet_ ~Piet__@659AADQFJ.tor-irc.dnsbl.oftc.net
1313686697 Q * Piet Ping timeout: 480 seconds
1313686863 Q * arekm Ping timeout: 480 seconds
1313688366 N * Bertl Bertl_oO
1313690954 N * Bertl_oO Bertl
1313695899 Q * Piet_ Quit: Piet_
1313698846 Q * bonbons Quit: Leaving
1313701591 Q * SkyNet2000 Quit: Leaving
1313703516 Q * sannes Remote host closed the connection
1313704016 Q * ghislain Quit: Leaving.
1313704839 J * Walex ~Walex@188-223-31-80.zone14.bethere.co.uk
1313705731 J * derjohn_mob ~aj@d026119.adsl.hansenet.de