General Linux Chat and Small Questions v. I broke my Arch Install
6,886 replies, posted
[QUOTE=nikomo;44485834]No, Debian and Ubuntu released new packages that are compiled with -DOPENSSL_NO_HEARTBEATS, which disables the functionality that is vulnerable.[/QUOTE]
None of my servers have an openssl version with that flag sadly.
Also they are all outdated...
[img]http://i.imgur.com/zboOPFF.png[/img]
[code]
~> asia openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:32:27 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

~> ioexception openssl version -a
mega@ioexception.at's password:
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:32:27 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

~> africa openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr 7 20:32:27 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

~> bieling openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 07:20:55 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic

~> ssh root@liquidscript.io openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Feb 1 22:14:33 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
[/code]
[QUOTE=Mega1mpact;44485923]None of my servers have an openssl version with that flag sadly.
Also they are all outdated...
[img]http://i.imgur.com/zboOPFF.png[/img][/QUOTE]
What distribution and which version?
CentOS?
[QUOTE=kaukassus;44485934]What distribution and which version?
CentOS?[/QUOTE]
In order: Fedora, Debian x4 all running the latest distro version
I did yum update/apt-get update;apt-get upgrade on all of them
[QUOTE=Mega1mpact;44485941]In order: Fedora, Debian x4 all running the latest distro version
I did yum update/apt-get update;apt-get upgrade on all of them[/QUOTE]
AFAIK Debian has the patched version already in the repos.
[img]http://i.imgur.com/kluAWbw.png[/img]
[url]http://www.debian.org/security/2014/dsa-2896[/url]
[QUOTE=kaukassus;44485959]AFAIK Debian has the patched version already in the repos.
[img]http://i.imgur.com/kluAWbw.png[/img]
[url]http://www.debian.org/security/2014/dsa-2896[/url][/QUOTE]
The patch seems to have worked for a couple of my servers but others remain vulnerable
[url]http://filippo.io/Heartbleed/#africa.basbieling.com[/url]
[url]http://filippo.io/Heartbleed/#muhcloud.eu[/url]
[url]http://filippo.io/Heartbleed/#nnmm.nl[/url]
Apparently it tells me my server is still vulnerable.
I'm gonna disable my Webserver for the time being, since it currently doesn't have any public use, and I don't need it right now.
[editline]8th April 2014[/editline]
I just moved my Private SSL Part to a non-standard port. Should keep it somewhat safe.
Arch has the updated package today so all of my servers are safe, but Amazon ec2 is still on 1.0.1e. Damn.
[QUOTE=Larikang;44487676]Arch has the updated package today so all of my servers are safe, but Amazon ec2 is still on 1.0.1e. Damn.[/QUOTE]
Why are you running arch on a server
[QUOTE=Mega1mpact;44487920]Why are you running arch on a server[/QUOTE]
Hope it's just some Test/Dev Server.
If it's a productive environment, then yeah...
I have sort of an odd problem, I tried to install Ubuntu but for some reason when I reboot and the choice between XP and ubuntu comes up, my keyboard goes off and I can't select ubuntu.
I was wondering if there was some way to either open ubuntu inside xp or completely delete xp without the xp install CD?
[QUOTE=gekko;44488702]I have sort of an odd problem, I tried to install Ubuntu but for some reason when I reboot and the choice between XP and ubuntu comes up, my keyboard goes off and I can't select ubuntu.
I was wondering if there was some way to either open ubuntu inside xp or completely delete xp without the xp install CD?[/QUOTE]
Do you happen to have an NKRO keyboard? I've got the same problem when mine is in NKRO mode, and it goes away when I switch to 6KRO mode. Try another keyboard maybe.
Remember to reboot the servers after updating the OpenSSL package.
Also, I think Debian and Ubuntu might have cherrypicked the fix from the newer version, back into the old version, the patch is literally like 8 lines total.
Also, Debian pushed out a new package, same as the old one except during install it says "you have to restart services" etc. after upgrade.
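Two checks that follow from the last few posts (the -DOPENSSL_NO_HEARTBEATS flag nikomo mentioned at the top, and the reminder that services keep running the old library until they are restarted). This is an added example, not code from the thread: the function names are made up for this script, the sample `openssl version -a` and /proc maps lines used in its test are constructed, and FIXED_VERSION_FROM_ADVISORY is a placeholder for the fixed package version from the distro advisory (DSA-2896 for Debian), which is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the thread. Post-update checks for the OpenSSL fix:
#  1. does the installed build carry -DOPENSSL_NO_HEARTBEATS (read from
#     `openssl version -a`)?
#  2. which running processes still have the old, now-deleted libssl/libcrypto
#     mapped, i.e. were never restarted after the package upgrade?
#  3. is the installed Debian/Ubuntu package at or above the advisory's fixed version?

# Returns 0 when the given `openssl version -a` text shows the heartbeat
# extension compiled out. A missing flag is not proof of vulnerability: a distro
# may instead backport the bounds-check fix (as nikomo notes, the patch is tiny),
# so pair this with package_is_fixed below.
heartbeats_disabled() {
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Reads "PID <line from /proc/PID/maps>" records on stdin and prints the PIDs
# whose libssl or libcrypto mapping is marked "(deleted)": the file on disk was
# replaced by the upgrade, but the process is still executing the old copy.
stale_libssl_pids() {
    awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)/ { print $1 }' | sort -u
}

# Live variant over the real /proc (run as root to see every process).
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        grep -hE 'lib(ssl|crypto)\.so' "$maps" 2>/dev/null | sed "s|^|$pid |"
    done | stale_libssl_pids
}

# Debian/Ubuntu package check. The fixed version is a placeholder: take the real
# value from the advisory. Returns 2 if the package is not installed.
package_is_fixed() {
    pkg=${1:-libssl1.0.0}
    fixed=${2:-FIXED_VERSION_FROM_ADVISORY}
    installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$fixed"
}

# Run the live checks only when asked, so the functions can also be sourced.
case "${1:-}" in
    --live)
        if heartbeats_disabled "$(openssl version -a)"; then
            echo "build has heartbeats compiled out"
        else
            echo "build still has heartbeats; rely on the package version check"
        fi
        stale=$(scan_running_processes)
        [ -n "$stale" ] && echo "still running the old library, restart these PIDs: $stale"
        ;;
esac
```

`sh check-openssl.sh --live` on a box that was upgraded but not rebooted lists the PIDs of every daemon that still has the pre-upgrade library mapped, which is exactly the set that an `apt-get upgrade` alone does not fix; a reboot or a restart of those services clears the list.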
[QUOTE=Mega1mpact;44487920]Why are you running arch on a server[/QUOTE]
We already talked about this on page 90.
[QUOTE=Larikang;43325519]I would never use Arch for a business server or something with grave consequences in the event of a compromise, but I think you guys are seriously overestimating the security risk of running a server with Arch.[/QUOTE]
[QUOTE=Larikang;44489321]We already talked about this on page 90.[/QUOTE]
There is no way we are ever going to stop discussing why the fuck anyone would run arch on a server.
I just checked my centOS machine and it still had an older version of openssl that isn't vulnerable. From now on when people call me lazy for not updating things I will just tell them that I am actually just showing a great deal of foresight.
[QUOTE=Little Donny;44489511]I just checked my centOS machine and it still had an older version of openssl that isn't vulnerable. From now on when people call me lazy for not updating things I will just tell them that I am actually just showing a great deal of foresight.[/QUOTE]
CentOS repositories are made to be extremely old, but if you're not updating against the repos often, you're leaving yourself open to attacks on purpose.
[QUOTE=nikomo;44489569]CentOS repositories are made to be extremely old, but if you're not updating against the repos often, you're leaving yourself open to attacks on purpose.[/QUOTE]
Yeah, I know mate. I'm just taking the piss out of my own bad habits when it comes to security.
[QUOTE=Mega1mpact;44489367]There is no way we are ever going to stop discussing why the fuck anyone would run arch on a server.[/QUOTE]
By 'we' you mean you right?
[QUOTE=Jookia;44491711]By 'we' you mean you right?[/QUOTE]
If that helps you sleep at night.
But yea I guess it bothers me more than other people in this thread.
Witcher 2 got taken off my Linux games on Steam. Where'd it go? :(
They removed linux from the oslist; presumably because it wasn't meant to be visible yet.
Yeah, just checked there. Dammit, that's one of a handful of games I really miss here.
Gave Docker a proper try.
[url]https://github.com/TheNikomo/dockerfiles/tree/master/ircd-hybrid[/url]
This is fucking brilliant, I'm probably going to be using Docker a hell of a lot more than VMs from now on.
[QUOTE=Mega1mpact;44489367]There is no way we are ever going to stop discussing why the fuck anyone would run arch on a server.[/QUOTE]
i like to fix broken things
[QUOTE=Yumyumbublegum;44494190]i like to fix broken things[/QUOTE]
Likewise, it's why I've somehow become the Arch representative as far as Intel Inspector and Advisor go. Moral of the story, don't respond to surveys. Native installation for Parallel Studio coming soon!
[QUOTE=nikomo;44494047]Gave Docker a proper try.
[url]https://github.com/TheNikomo/dockerfiles/tree/master/ircd-hybrid[/url]
This is fucking brilliant, I'm probably going to be using Docker a hell of a lot more than VMs from now on.[/QUOTE]
If I'm understanding it correctly, isn't Docker basically just fancy scripts to automate setting things up in a chroot?
[QUOTE=Lyokanthrope;44494724]If I'm understanding it correctly, isn't Docker basically just fancy scripts to automate setting things up in a chroot?[/QUOTE]
It's way more than a chroot, it's using some of the functionality that's been added to Linux over the last year or two, it's using Linux containers and cgroups to manage everything.
BSD Jails is a fairly good comparison, except then there's the stuff that Docker has on top of that, just look at all these commands:
[code]
nikomo@Iris:~ docker
Usage: docker [OPTIONS] COMMAND [arg...]
-H=[unix:///var/run/docker.sock]: tcp://host:port to bind/connect to or unix://path/to/socket to use
A self-sufficient runtime for linux containers.
Commands:
attach Attach to a running container
build Build a container from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders from the containers filesystem to the host path
diff Inspect changes on a container's filesystem
events Get real time events from the server
export Stream the contents of a container as a tar archive
history Show the history of an image
images List images
import Create a new filesystem image from the contents of a tarball
info Display system-wide information
insert Insert a file in an image
inspect Return low-level information on a container
kill Kill a running container
load Load an image from a tar archive
login Register or Login to the docker registry server
logs Fetch the logs of a container
port Lookup the public-facing port which is NAT-ed to PRIVATE_PORT
ps List containers
pull Pull an image or a repository from the docker registry server
push Push an image or a repository to the docker registry server
restart Restart a running container
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save an image to a tar archive
search Search for an image in the docker index
start Start a stopped container
stop Stop a running container
tag Tag an image into a repository
top Lookup the running processes of a container
version Show the docker version information
wait Block until a container stops, then print its exit code
[/code]
If you're using chroot, you have to debootstrap an install etc., and fuck with that.
Docker?
[code]
nikomo@Iris:~ docker search ubuntu
NAME DESCRIPTION STARS OFFICIAL TRUSTED
ubuntu General use Ubuntu base image. 132
phusion/baseimage A special image that is configured for cor... 35
stackbrew/ubuntu Barebone ubuntu images 34
crashsystems/gitlab-docker A trusted, regularly updated build of GitL... 18 [OK]
dockerfile/ubuntu Trusted Ubuntu (http://www.ubuntu.com/) Build 8 [OK]
zsol/haskell-platform-2013.2.0.0 haskell platform on ubuntu precise 7
cmfatih/dun The DUN stack: Docker, Ubuntu, Node.js - [... 6
yankcrime/owncloud ownCloud 6.0 with a MySQL backend, support... 5
angelrr7702/ubuntu-13.10-sshd sshd base on angelrr7702/ubuntu-13.10 4 [OK]
[/code]
Just grab a base image, you can then run that image in a container, do changes, commit them and then use that, or do a dockerfile and build an image with that, and use that (like I did).
Running a CentOS server, and need to run a service but it's not available in the repos, and your other libraries would be too old anyways?
docker pull debian, docker run -t -i debian /bin/bash and off you go.
Docker is pure awesome, I started using it in replacement of VMs a couple weeks ago. Want a simple, secure nginx reverse proxy? Done:
[code]docker run -d -p 80:80 -p 443:443 -v /path/to/sites-enabled:/etc/nginx/sites-enabled -v /path/to/log:/var/log/nginx dockerfile/nginx[/code]
Want to host a Minecraft server? Done:
[code]docker run -d -p 25565:25565 -v /path/to/minecraft:/mc/server -v /path/to/backups:/mc/backup zenexer/minecraft[/code]
You can attach to the minecraft console by simply typing `docker attach <docker id>`
Docker manages networking, file system stacks, dependencies, container management, and just about all the nooks and crannies you would want without any issues.
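nikomo's post explains what a container actually is (namespaces and cgroups, not a chroot), and the `docker run` lines above show how little typing a service takes. What those lines do not use is any of the isolation Docker can apply on top of the namespace boundary: the nginx proxy runs with a writable root filesystem, the full default capability set and no resource limits, and both bind mounts are writable. The script below is an added example, not code from the thread or from the dockerfile/nginx image: `audit_docker_run` and `writable_mounts` are names made up here, the hardening options it looks for are real docker CLI flags, and the two `--tmpfs` paths in the hardened command are an assumption about where that nginx image needs to write.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a `docker run` command line for a
# few hardening options a long-running service should carry, lists bind mounts
# the container can write to on the host, and prints a hardened version of the
# nginx reverse-proxy command from the post above.

# One option per line: "label;extended regex that proves the option is present".
HARDENING='read-only root filesystem;--read-only
drop all capabilities;--cap-drop[= ]ALL
no-new-privileges;--security-opt[= ]no-new-privileges
pid limit;--pids-limit[= ][0-9]+
memory limit;(-m|--memory)[= ][0-9]+'

# Prints "missing: <label>" for each absent option; returns 1 if any is missing.
audit_docker_run() {
    cmd=$1
    report=$(printf '%s\n' "$HARDENING" | while IFS=';' read -r label pattern; do
        printf '%s' "$cmd" | grep -Eq -- "$pattern" || printf 'missing: %s\n' "$label"
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Prints the host path of every -v bind mount that is not marked :ro. Some are
# legitimately writable (the nginx log directory), but each one is a host path
# the container can modify, so they deserve a look.
writable_mounts() {
    printf '%s\n' "$1" | grep -Eo -- '-v [^ :]+:[^ :]+( |$)' | sed -E 's/^-v ([^:]+):.*/\1/'
}

# The nginx command from the post, with the options the audit asks for.
hardened_nginx_run() {
    cmd='docker run -d --name proxy --restart unless-stopped'
    cmd="$cmd -p 80:80 -p 443:443"
    cmd="$cmd -v /path/to/sites-enabled:/etc/nginx/sites-enabled:ro"   # config is read-only
    cmd="$cmd -v /path/to/log:/var/log/nginx"                          # logs must stay writable
    cmd="$cmd --read-only --tmpfs /var/run --tmpfs /var/cache/nginx"   # assumed nginx write paths
    cmd="$cmd --cap-drop ALL --cap-add NET_BIND_SERVICE"               # only what binding 80/443 needs
    cmd="$cmd --security-opt no-new-privileges --pids-limit 100 --memory 256m"
    cmd="$cmd dockerfile/nginx"
    printf '%s\n' "$cmd"
}

ORIGINAL_NGINX='docker run -d -p 80:80 -p 443:443 -v /path/to/sites-enabled:/etc/nginx/sites-enabled -v /path/to/log:/var/log/nginx dockerfile/nginx'

case "${1:-}" in
    --demo)
        echo "== original =="; audit_docker_run "$ORIGINAL_NGINX"; writable_mounts "$ORIGINAL_NGINX"
        echo "== hardened =="; audit_docker_run "$(hardened_nginx_run)" && echo "all options present"
        writable_mounts "$(hardened_nginx_run)"
        ;;
esac
```

Running the audit over a deploy script's `docker run` lines is a cheap way to catch the default-everything invocations before they reach a host; the Minecraft command from the post trips the same five findings, and its `/mc/backup` mount is one more writable host path to think about.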
okay, Docker sounds awesome
Gonna play with it sometime.
I put Linux Mint 16 Cinnamon on my laptop. Was this a mistake?