**** BEGIN LOGGING AT Wed Nov 07 02:59:59 2018
Nov 07 06:59:37 ayjay_t: ?
Nov 07 11:13:49 /cl
Nov 07 11:13:53 fail
Nov 07 12:00:33 hello all, can anybody tell me if the arrow distributor is trustworthy for beagle bone board shipping? it's my first experience with arrow
Nov 07 12:05:07 arrow is one of the world's largest distributors for electronic parts
Nov 07 12:05:18 usman: ehh, any reason to not trust them? I have no experience with them but they seem like a major electronics distributor
Nov 07 12:05:21 that
Nov 07 14:59:19 lol, microsoft has only just now added support for network packet timestamping
Nov 07 14:59:30 (software timestamping, no hardware timestamping yet of course)
Nov 07 15:02:20 figures
Nov 07 15:02:35 along with support for leap seconds
Nov 07 16:04:00 interesting, reading the PRU eCAP counter from the cortex-a8 has noticeably lower latency than reading a PWMSS eCAP counter
Nov 07 16:38:48 neat, I now have PRU eCAP as system clock source (i.e. for the raw monotonic time)
Nov 07 16:44:41 that gcc port
Nov 07 16:44:53 ayjay_t: ah
Nov 07 16:44:57 i just went down the deepest rabbit hole on linux auth
Nov 07 16:45:05 i really need to get back to my todo list but i've been reading docs for like 3 weeks
Nov 07 16:45:12 read read read read read read read
Nov 07 16:45:21 auth in what sense?
Nov 07 16:45:37 pam
Nov 07 16:45:45 ah
Nov 07 16:45:45 i want to do a custom single sign on thing
Nov 07 16:45:52 and i hate LDAP, the syntax is revulsive
Nov 07 16:45:57 i'm not interested in kerberos
Nov 07 16:46:04 i don't see anything wrong with https
Nov 07 16:46:17 kerberos doesn't let me cache users on the local anyway (the beaglebone)
Nov 07 16:47:06 I've seen a pam thingy that authenticates users by their ability to ssh into some specific host
Nov 07 16:47:20 kinda neat
Nov 07 16:47:35 yeah actually the syntax isn't that
Nov 07 16:47:39 the config file syntax is a bit custom
Nov 07 16:47:47 ?
Nov 07 16:47:52 but the API for making your own module isn't bad at all
Nov 07 16:48:07 i'm talking about pam.conf and custom pam modules
Nov 07 16:48:43 oh, it seemed like "yeah actually..." was a reply to what I said, but it didn't make sense as such
Nov 07 16:49:03 but yeah pam config syntax is a bit odd
Nov 07 16:49:13 i guess what i was trying to imply is that once you get over the hump of the syntax, there's a lot you can do
Nov 07 16:49:19 ah
Nov 07 16:49:29 our plan is probably to add groups to pam_psql
Nov 07 16:49:31 for postgres
Nov 07 16:50:20 we might want something better eventually, but for now simply using ssh public-key authentication works fine (with a certificate authority to avoid having to update the authorized_users on every host if a new key is added)
Nov 07 16:50:50 just out of curiosity, what frameworks are you using?
Nov 07 16:50:59 like when you say ssh public-key authentication
Nov 07 16:51:07 i'd like to read docs on the subject but i'm not sure what i should search for
Nov 07 16:51:12 besides `man ssh`
Nov 07 16:51:13 frameworks? o.O
Nov 07 16:51:24 you don't use ssh public key authentication right now?
Nov 07 16:51:37 yeah the basic kind
Nov 07 16:51:46 with ~/.ssh/known_hosts and stuff
Nov 07 16:51:50 rsa_id.pub or w/e
Nov 07 16:52:02 ew, rsa. use ed25519 already!
Nov 07 16:52:13 why isn't rsa still in vogue?
Nov 07 16:52:18 it hasn't been broken has it
Nov 07 16:52:56 you configured it to use a certificate authority instead of using a local authorized_users file... so i'm assuming there's another encrypted transaction in there. is that an sshd.conf setting?
Nov 07 16:53:09 because rsa is slow as fuck
Nov 07 16:53:12 is it slow
Nov 07 16:53:29 rsa is just used for the handshake tho right?
Nov 07 16:53:36 don't they switch to a symmetric encryption after the handshake?
Nov 07 16:53:54 of course
Nov 07 16:53:57 yeah so /shrug
Nov 07 16:54:04 i mean, i guess if you're server is fieldings tons of handshakes
Nov 07 16:54:07 fielding*
Nov 07 16:54:11 gosh typos
Nov 07 16:54:20 also the keys are huge
Nov 07 16:54:23 public keys
Nov 07 16:54:42 32 bytes or something
Nov 07 16:55:10 crypto is not exactly something i'm 100% comfy with
Nov 07 16:55:39 actually using a certificate authority is a really really good solution to the same problem
Nov 07 16:55:42 and i should have thought of it
Nov 07 16:55:53 it caches the authorized_users if someone wants to ssh locally?
Nov 07 16:55:55 ed25519 public keys are 32 bytes
Nov 07 16:57:00 I'm trying to remember if the equivalent rsa key size is 3072 or 4096 bits
Nov 07 16:58:08 3072 is the current estimate it seems
Nov 07 16:58:12 anyway, yeah, CA
Nov 07 16:58:49 so, how it works is that you generate a special keypair for the CA (in a secure location), then add a special entry to authorized_users that basically says "this CA is allowed to authorize keys"
Nov 07 16:59:15 then using the CA private key you can sign the public keys of users and give them the resulting certificate
Nov 07 16:59:50 and from there it works automagically: ssh will offer the cert to the server, it will validate that it has been signed, and then the corresponding key can be used to log in
Nov 07 17:00:30 right but user public keys are stored with the CA?
Nov 07 17:01:09 that's the main takeaway for me
Nov 07 17:01:12 but still does it cache?
Nov 07 17:01:13 eh, you can store them if you want
Nov 07 17:01:24 I do so purely as bookkeeping
Nov 07 17:01:24 wait hold on okay let me reread
Nov 07 17:01:30 nothing needs to be cached
Nov 07 17:01:52 ooghhh
Nov 07 17:02:12 ohh yeah that's pretty interesting
Nov 07 17:02:28 uhh that's a different paradigm than i imagined and now i'm trying to wrap my head around how a model like that would affect us
Nov 07 17:02:40 the big drawback is no easy way to revoke the key
Nov 07 17:02:50 yeah that's the problem with tokens too
Nov 07 17:03:01 i was so pumped for token based auth and then i realized i couldn't revoke privies in an easy way
Nov 07 17:03:15 the big benefit is that it works entirely "offline", so if we bring a laptop to a device in the field then we could log in on it, even if it has no network connection
Nov 07 17:03:45 right so i was thinking about having local devices ping a "central" psql server for users+their groups, keys, and then cache it
Nov 07 17:04:47 the whole network's web interface users and ssh users come from the same db (except local root, which I haven't quite decided what to do with yet, but it's an important fallback) so people can manage who has access to their devices in one place
Nov 07 17:05:06 it sounds like your usecase is very different from ours
Nov 07 17:05:21 i'm building something generic.
Nov 07 17:05:43 we have sufficiently few users that I don't worry about the user/group databases. I'll manually add a user if needed
Nov 07 17:05:48 and everyone has root access
Nov 07 17:05:53 (on beaglebones)
Nov 07 17:06:37 and since these beaglebones are in devices all over the world, I can't really assume I can query some database (nor would I want to expose such a database to the internet)
Nov 07 17:07:48 right that's the point of the cache
Nov 07 17:07:59 hopefully all your devices are only when you configure them
Nov 07 17:08:13 online*
Nov 07 17:08:53 but why would I have them retrieve passwd/group at that time? the latest version is part of the image that's flashed onto them
Nov 07 17:12:57 btw, for illustration, this is the entire config used on the beaglebones for the CA-based ssh public key authentication: https://pastebin.com/raw/nrAPPP6q
Nov 07 17:13:15 the "principals" thing is to limit developer keys to certain groups of devices
Nov 07 17:13:31 (selected when their cert is generated)
Nov 07 17:14:51 clients don't need any specific config, they just send their ~/.ssh/id_ed25519.pub to me to be signed and get an ~/.ssh/id_ed25519-cert.pub in return
Nov 07 17:14:53 so that people can revoke keys
Nov 07 17:15:38 remote monitoring is an important option in my framework
Nov 07 17:15:45 revocation is currently still missing.. ssh does have support for a revocation list I think, but then you still have to figure out how to distribute those
Nov 07 17:16:31 i think our usecase is a superset of yours
Nov 07 17:16:45 yeah, if you can guarantee that devices always have an online connection then that can significantly change things of course
Nov 07 17:16:50 but we can't always assume that
Nov 07 17:16:59 i'd _like_ that, but that's why i cache stuff
Nov 07 17:17:08 the idea is that if someone takes a device offline and uses it, you can at least audit it to an extent
Nov 07 17:17:31 but in the spirit of security, if a bad actor has physical access to your BBB, you're in bad shape unless we start encrypting block devices
Nov 07 17:17:57 I'm not really concerned about physical access
Nov 07 17:18:01 but if we move our solution up into a place where security requires securing against physical access then we'll have to upgrade to a more advanced sitara for the secure boot features so
Nov 07 17:18:22 it's kinda like, we're screwed on physical access anyway so at least being able to audit access is better than nothing if they've been logging in on the cache
Nov 07 17:18:45 but yeah, i want my devices connected to a network
Nov 07 17:18:52 I don't understand that last sentence... what does physical access have to do with "logging in on the cache" ?
Nov 07 17:19:03 the idea that a bad actor could take a device off the network
Nov 07 17:19:07 by that latter you mean logging in with expired credentials?
Nov 07 17:19:13 right
Nov 07 17:19:16 well for us that has nothing to do with a bad actor
Nov 07 17:19:23 our devices are in the hands of customers
Nov 07 17:19:34 network access is preferred, not guaranteed
Nov 07 17:19:52 that's what i figured
Nov 07 17:19:58 plus your customers aren't logging in via ssh are they?
Nov 07 17:20:00 also, taking a device off the network isn't what I'd call "physical access"
Nov 07 17:20:08 lol, no
Nov 07 17:20:10 (no but it implies that they might have physical access)
Nov 07 17:20:12 yeah so our customers are
Nov 07 17:20:27 definitely very different use-cases :)
Nov 07 17:20:40 right, but we're trying to include the maximum amount of features while still providing some security
Nov 07 17:20:43 our customers are engineers.
Nov 07 17:20:46 deploying devices.
Nov 07 17:21:12 i need to get water and get to reading, ill ttyl
Nov 07 17:24:51 btw, about performance, some eBACS results for a beaglebone black:
Nov 07 17:26:14 rsa3072: verify 1.1ms, sign 133ms, keygen 6-15 seconds (!)
Nov 07 17:26:34 wow
Nov 07 17:27:00 ed25519: verify 2.6ms, sign 0.85ms, keygen 0.84ms
Nov 07 17:28:04 also, sizes in bytes:
Nov 07 17:29:03 yeah okay, i mean, 6-15 seconds was unexpectedly long
Nov 07 17:29:15 one point for zmatt
Nov 07 17:29:27 rsa3072: private key 3072 (wtf? why?), public key 384, signature 384
Nov 07 17:29:49 ed25519: private key 64, public key 32, signature 64
Nov 07 17:30:37 okayyy zmoney
Nov 07 17:30:43 no it's interesting
Nov 07 17:30:58 that's actually pretty significant eh
Nov 07 17:31:08 public key is used for signing, private key for verifying right
Nov 07 17:31:19 same as for encrypting/decrypting
Nov 07 17:31:23 that enormous private key size for rsa3072 must be specific to this implementation, I'm pretty sure it doesn't need to be that huge, but it might be something for performance
Nov 07 17:31:29 yes
Nov 07 17:32:07 is a signature just like an encrypted checksum or encrypted hash or something
Nov 07 17:32:10 or is it just a hash
Nov 07 17:32:18 it's a signature
Nov 07 17:32:25 i'm no crypto expert and now i'm on a tangent rant again
Nov 07 17:32:30 (the water was really good)
Nov 07 17:32:34 hashing is involved, but obviously a mere hash isn't a signature
Nov 07 17:32:56 one of my friends does this stuff and he's always talking about prime numbers and weird curves
Nov 07 17:33:01 /shrug
Nov 07 17:33:47 yeah, rsa is based on exponentiation modulo the product of two large primes, and its security depends on the difficulty of factoring such a product back into its two primes
Nov 07 17:34:03 while ed25519 is an Elliptic Curve based signature scheme
Nov 07 17:34:28 (with curve25519 being the name of the specific curve it uses)
Nov 07 19:55:47 Aw!
Nov 07 19:56:35 Getting jQuery these days is a mother on those BBBs.
Nov 07 19:56:50 They have 200 + dep.
Nov 07 19:57:54 I blame bootstrap. Bootstrap demands jQuery and some other thing.
Nov 07 19:58:23 there is a vue.js version of bootstrap
Nov 07 19:58:44 Aw!
Nov 07 19:59:21 I just installed the entire package of bootstrap. I plan on making small miracles once I can get the nginx server running.
Nov 07 20:00:13 The server is easy-peasy. But, yes but, I need to have an older version of nginx for arm. That means, I need to update my arm ideas onto a Debian distro on a 64 bit machine.
Nov 07 20:00:38 Humperlstilzchen: Thank you for the info.
Nov 07 20:02:18 The nginx server now, b/c of whatever, only supports specific chips on Debian Distros.
Nov 07 20:02:45 i.e. Stretch.
Nov 07 22:24:42 i'm not having the same experience
Nov 07 22:48:45 set_: sorry but that sounds like nonsense
Nov 07 22:48:53 nginx does not give a shit what chip you're using
Nov 07 22:50:15 and the nginx version you get is purely dependent on which debian release you use, not which architecture you use
Nov 07 22:52:02 (debian stretch ships nginx 1.10.3, debian buster ships nginx 1.14.0, also available via stretch-backports)
**** BEGIN LOGGING AT Wed Nov 07 23:30:56 2018
Nov 07 23:31:14 Yep. I will erase my other server (if I can find it).
Nov 07 23:31:53 I do not think I am using port 80 for any server now that I think about it.
Nov 07 23:32:17 well the beaglebone images ship with a webserver
Nov 07 23:32:28 Oh.
Nov 07 23:32:30 so unless you disabled that, it's still running
Nov 07 23:32:50 Well...it is most likely that one or I can change ports for the nginx server to run.
Nov 07 23:33:12 zmatt: Where would I find that server on the BBB?
Nov 07 23:33:44 can you pastebin the output of: ls /etc/systemd/system/multi-user.target.wants
Nov 07 23:34:30 Sure but I just checked another dir. in the /home dir. It says I have nginx running at v. 1.10.3.
Nov 07 23:34:42 ?
Nov 07 23:34:59 I think I may have something running in it. Let me check.
Nov 07 23:35:10 I will test ls /etc/...
Nov 07 23:35:59 and what said you have nginx running? because what you just said doesn't really make sense
Nov 07 23:36:45 and you can find which processes are listening on port 80 with:
Nov 07 23:36:53 sudo ss --tcp -l -p '( sport = :80 )'
Nov 07 23:36:53 https://pastebin.com/Bszz1xgz is the output of ls /etc/...
Nov 07 23:36:56 Okay.
Nov 07 23:37:00 I will check that idea.
Nov 07 23:37:06 there we go, apache2.service
Nov 07 23:37:18 sudo systemctl stop apache2
Nov 07 23:37:19 sudo systemctl disable apache2
Nov 07 23:37:33 Okay. What is wrong w/ apache2?
Nov 07 23:37:42 too old?
Nov 07 23:38:03 it's conflicting with nginx right now since both are trying to listen on port 80
Nov 07 23:38:51 Oh. Should I just move the apache2 server to another port/
Nov 07 23:38:52 ?
Nov 07 23:38:56 at the very least stop apache2 first and finish the nginx installation with: sudo apt-get -f install
Nov 07 23:39:02 are you using it?
Nov 07 23:39:02 Aw!
Nov 07 23:39:05 Good idea.
Nov 07 23:39:10 I am not using it right now.
Nov 07 23:39:14 why do you need both nginx and apache?
Nov 07 23:39:18 if not, just disable apache
Nov 07 23:39:21 Okay.
Nov 07 23:40:58 same issue.
Nov 07 23:42:20 I got it.
Nov 07 23:42:25 Nope.
Nov 07 23:43:22 ?
Nov 07 23:43:37 nope what?
Nov 07 23:44:00 It failed w/ exit-code.
Nov 07 23:44:11 pastebin
Nov 07 23:44:14 Off to the man pages.
Nov 07 23:44:19 Okay. Please hold.
Nov 07 23:44:49 Let me reset the daemon real quickly and I will give you an update.
Nov 07 23:45:01 what did you do?
Nov 07 23:45:14 my instructions were to stop apache2 and finish the nginx installation using sudo apt-get -f install
Nov 07 23:45:19 what did that output?
Nov 07 23:45:29 I stopped apache2 and finished the install.
Nov 07 23:45:39 Please hold. I will pastebin the output.
Nov 07 23:47:43 https://pastebin.com/fJsZJi1L is after the sudo apt-get -f install cmd.
Nov 07 23:47:50 Then...
Nov 07 23:48:04 are you very sure you stopped apache2?
Nov 07 23:48:09 Yes, then, I tried to start my nginx.service file. Yes!
Nov 07 23:48:11 as in, sudo systemctl stop apache2
Nov 07 23:48:15 Yes!
Nov 07 23:48:33 I disabled it and stopped it w/ systemctl.
Nov 07 23:48:45 "my nginx.service file" .. what do you mean by that?
Nov 07 23:48:52 the nginx.service file is provided by the package
Nov 07 23:49:09 Right. But it is failing so far. I figured I needed to enable it and then start it.
Nov 07 23:49:24 no, you need to kill whatever webserver is already running and complete the installation
Nov 07 23:49:30 I was going to reset the daemon w/ systemctl but we were not on the same page.
Nov 07 23:49:32 Okay
Nov 07 23:49:34 it's still saying "Address is in use"
Nov 07 23:49:35 Sorry.
Nov 07 23:49:38 Okay.
Nov 07 23:49:44 *Address already in use
Nov 07 23:49:55 I tried that cmd you gave me for stop.
Nov 07 23:49:58 please pastebin the output of: sudo ss --tcp -l -p '( sport = :80 )'
Nov 07 23:50:03 = :80
Nov 07 23:50:08 Okay. Please hold.
Nov 07 23:51:36 https://pastebin.com/AWxvQTkG is what you want. Yea boy!
Nov 07 23:52:27 ok, pastebin output of: ls /etc/systemd/system/sockets.target.wants
Nov 07 23:52:54 Okay. Please hold.
Nov 07 23:53:34 avahi-daemon.socket bonescript.socket cloud9.socket node-red.socket is all.
Nov 07 23:53:46 avahi!
Nov 07 23:53:56 avahi is fine, one of the other three is the culprit
Nov 07 23:54:08 I am getting rid of node-red and cloud9.
Nov 07 23:54:40 for now we need to get that nginx installation finished, otherwise you won't be able to install/remove other packages (apt can be annoying)
Nov 07 23:54:42 I have not once used node-red and I have stopped using cloud9 (although it is visually appealing).
Nov 07 23:54:51 Okay.
Nov 07 23:54:52 so just: sudo systemctl stop bonescript.socket cloud9.socket node-red.socket
Nov 07 23:54:57 Okay.
Nov 07 23:55:00 and then: sudo apt-get -f install
Nov 07 23:55:00 Please hold.
Nov 07 23:55:03 Okay.
Nov 07 23:57:07 https://pastebin.com/Kd6q20jR are the issues.
Nov 07 23:57:14 something about apt.
Nov 07 23:57:37 not sure what it means but it doesn't look like a problem
Nov 07 23:57:44 Okay.
Nov 07 23:57:47 What now?
Nov 07 23:57:52 Try to install it over again?
Nov 07 23:57:59 it should be installed now
Nov 07 23:58:02 Okay.
Nov 07 23:58:35 Gosh Jolly. You are correct!
Nov 07 23:58:51 The nginx.service file is up and kickin' and who would have known it?
Nov 08 00:00:14 to find out which of the socket files was using port 80 you can check: grep Listen /etc/systemd/system/sockets.target.wants/*
Nov 08 00:01:23 Okay. Hold please.
Nov 08 00:01:28 one will have something like ListenStream=80
Nov 08 00:01:49 you'll need to disable that one to ensure nginx won't fail to start if you reboot
Nov 08 00:02:17 no reply.
Nov 08 00:02:21 It was a blank reading.
Nov 08 00:02:34 eh?
Nov 08 00:02:38 Serious.
Nov 08 00:02:46 sure you didn't make a typo?
Nov 08 00:02:53 Let me make sure.
Nov 08 00:03:19 Aw! Typo! l instead of L.
Nov 08 00:03:21 Sheesh.
Nov 08 00:03:38 bonescript.
Nov 08 00:03:56 I can probably change that idea if needed.
Nov 08 00:04:10 bonescript is creepy anyway, letting anyone on the network run code on your beaglebone
Nov 08 00:04:11 I could set bonescript to port xx instead of 80.
Nov 08 00:04:18 Okay. No issue.
Nov 08 00:04:18 are you using it?
Nov 08 00:04:25 otherwise just disable it
Nov 08 00:04:27 At times but not often.
Nov 08 00:04:29 Okay.
Nov 08 00:04:53 or you can move nginx to another port number, or maybe bonescript
Nov 08 00:05:17 too late. Bonescript is gone.
Nov 08 00:05:28 well...the .socket file.
Nov 08 00:05:53 well even if you've disabled it you could always re-enable it
Nov 08 00:05:58 Right!
Nov 08 00:06:24 but these are all choices that are up to you. I wouldn't want bonescript enabled, but I'm not you
Nov 08 00:06:25 I can configure things generally at times but I would not have known to look, for some reason, in the .socket files.
Nov 08 00:06:51 I can use it online if necessary later but I do not use it at all these days.
Nov 08 00:06:52 this is why ss is useful, it shows who's using a port
Nov 08 00:07:00 in this case it showed systemd, which indicates a .socket file
Nov 08 00:07:13 ss heh? I will remember that one.
Nov 08 00:07:27 so, ss --help will show some useful info?
Nov 08 00:07:49 Try It And See™
Nov 08 00:08:11 I just did. It works like a charm.
Nov 08 00:08:51 I have been reading about setting up servers and putting my "own" web page online via that server.
Nov 08 00:12:31 I keep getting something like static IP instead of Dynamic DNS. I am up poop's creek now but I am swimming out of it slowly. Less slushy that way.
Nov 08 00:18:34 Is anyone getting "not secure" icons on their web pages when serving them w/ uWSGI?
Nov 08 00:18:40 Sorry.
Nov 08 00:18:43 wrong room.
Nov 08 00:19:21 nothing uWSGI-specific, that's just all http (non-https) pages in browsers nowadays
Nov 08 00:19:29 Right...
Nov 08 00:19:45 Do I need something "spectacular" to get https to work on my site?
Nov 08 00:19:49 Or does it cost money?
Nov 08 00:20:15 Just some general questions.
Nov 08 00:20:22 No issue.
Nov 08 00:21:49 as long as it's an internet-facing webserver (not an internal one) it's free and pretty easy
Nov 08 00:21:55 (using letsencrypt)
Nov 08 00:22:33 See. I bought a website from google. I was going to serve what I produce as that web address on my server.
Nov 08 00:28:18 do be cautious with making any service running on a beaglebone publicly accessible from the internet, since doing so will obviously mean it'll have to suffer through automated attack attempts
Nov 08 00:28:33 Oh.
Nov 08 00:29:09 using a weird port number instead of 80 helps a lot, but isn't always an option
Nov 08 00:29:10 Yea...that would suck.
Nov 08 00:29:36 I have been reading up on port numbers. There are many.
Nov 08 00:30:23 port 22 (ssh) also gets a ton of shit. on our webserver we're seeing thousands of attempts to log in as root per day
Nov 08 00:30:35 Yikes!
Nov 08 00:30:46 So, people still mess w/ y'all, heh?
Nov 08 00:31:27 they're just bots trying common username/password combinations on every ssh server they can find
Nov 08 00:31:41 Odd days. That seems a bit odd to me.
Nov 08 00:31:47 What if they get a good combo?
Nov 08 00:31:47 why?
Nov 08 00:31:52 Then what?
Nov 08 00:32:11 Do they then use it to see info. that is not normally accessible to them?
Nov 08 00:32:28 harvest valuable data or use it as attack platform
Nov 08 00:32:33 Oh.
Nov 08 00:32:36 Like blackmail?
Nov 08 00:32:48 Or to steal?
Nov 08 00:33:24 It is like that playing cards and gambling, Python script.
Nov 08 00:33:35 it just keeps guessing until you win or lose.
Nov 08 00:33:44 ?
Nov 08 00:33:45 ...
Nov 08 00:33:56 I would have to find it. Please hold. Off to look.
Nov 08 00:34:05 do I care?
Nov 08 00:35:43 No.
Nov 08 00:35:46 Do not worry.
Nov 08 00:36:11 I was reviewing the old software. I do not think it is relevant these days.
Nov 08 00:36:31 anyway, if you do want to run a public webserver and want to https-secure it, it's pretty easy
Nov 08 00:36:35 from "Fluent Python."
Nov 08 00:36:41 Oh?
Nov 08 00:37:00 I thought it was but I have been making mistakes so far.
Nov 08 00:37:06 but it first needs to be reachable on the internet via http
Nov 08 00:37:24 Oh.
Nov 08 00:38:13 For instance. I started a http site for fun. I could add whatever content was at my finger tips but I could not set up the domain name I purchased.
Nov 08 00:39:22 all it states is, "Hey You!"
Nov 08 00:39:34 I have other sites I got partially from w3schools.com.
Nov 08 00:39:42 They have free templates, too.
Nov 08 00:42:17 https://pastebin.com/Hc548Bhy is it for now. It shows http and "not secure" for whatever reason (certs. and things).
Nov 08 00:42:39 I have other sites, like I said, that I will incorporate into my own site one day.
Nov 08 00:42:45 the content you're serving is irrelevant
Nov 08 00:42:54 Right.
Nov 08 00:43:15 It is the truth.
Nov 08 00:43:17 For now.
Nov 08 00:44:37 How can I set up the domain in my own server on the BBB? I will most likely have to get an encryption book, too. This sounds frustrating at first.
Nov 08 00:44:40 I think it is worth it.
Nov 08 00:45:16 not really a BBB-specific question, and you don't need an encryption book
Nov 08 00:45:36 Oh...no issue.
Nov 08 00:45:43 I will ask on another outlet.
Nov 08 00:46:13 I mean...do you think that serving a domain name on the BBB is too risky?
Nov 08 00:46:14 to run a public webserver you need a public ip with port 80 (for http) and 443 (for https) mapped to whatever device is running your webserver, and you need a domain name that points to that IP
Nov 08 00:46:28 Phew!
Nov 08 00:46:38 Hahahha. That was done all in one sentence. Sheesh.
Nov 08 00:47:05 Not so easy.
Nov 08 00:47:07 well, why do you want to run a public webserver on your beaglebone?
Nov 08 00:47:15 that's the main question I'd have
Nov 08 00:47:29 For fun. I have these two sites I keep purchasing to keep them from people in my town.
Nov 08 00:48:10 I used to get harassed by people for owning them. Then, I stopped the harassment by privatizing them.
Nov 08 00:48:26 I have one left that I have not privatized and I want to see who wants it.
Nov 08 00:48:32 you have an interesting definition of fun
Nov 08 00:48:39 I know. I am quirky.
Nov 08 00:48:42 but what does all this have to do with the beaglebone?
Nov 08 00:48:52 I want to use it w/ the BBB!
Nov 08 00:49:01 I saw something about a cluster a while back.
Nov 08 00:49:18 The book is outdated but I could probably update the book.
Nov 08 00:49:45 well, good luck I guess
Nov 08 00:49:47 I thought running servers from the BBB was easy as pie.
Nov 08 00:49:51 Thank you zmatt. I will need it.
Nov 08 00:49:54 it is
Nov 08 00:50:07 From what you know.
Nov 08 00:50:18 but running a webserver on a beaglebone isn't the same thing as having a public website
Nov 08 00:50:32 I know.
Nov 08 00:50:53 I am tired of these people using me to run web pages online for their servers.
Nov 08 00:51:00 the difference between the two doesn't really involve anything on the beaglebone though, it's mostly administrivia
Nov 08 00:51:02 I can have my own server.
Nov 08 00:51:09 Oh.
Nov 08 00:51:36 You are right. Admin. stuff is a big issue in my world. Should I or should I not?
Nov 08 00:52:02 Anyway...I will use your ideas w/ stride.
Nov 08 00:52:35 it requires port mapping in your router, a registered domain name which you can point to your ip, and if your ip isn't stable you'll need some way to ensure it gets automatically updated (dynamic dns)
Nov 08 00:52:48 Right!
Nov 08 00:52:53 All of which I have read.
Nov 08 00:53:28 Those ideas are exactly what I have been reading about but I have not found the perfect combo. of ideas to suit my needs w/ the BBB or other server.
Nov 08 00:53:45 the BBB is not important in any of the stuff above
Nov 08 00:54:05 zmatt: Do you think I could use the BBB w/ serving?
Nov 08 00:54:09 other than being the piece of hardware on which your server happens to run
Nov 08 00:54:14 Right!
Nov 08 00:54:23 sure, as long as performance isn't important and you don't expect much traffic
Nov 08 00:54:47 Okay...so. My traffic is few and far b/t.
Nov 08 00:55:23 I rarely see any ideas from high traffic. It is mostly the other type of traffic. I think they call it unique visitors or something like that.
Nov 08 00:57:15 I got my router manual out and a nginx book. I am reading the uWSGI docs. online.
Nov 08 00:57:36 I am trying to configure things, still.
Nov 08 01:28:14 zmatt: I have a lot of attacks to ssh.. Not many brute force, but change of username exploits
Nov 08 01:28:40 "change of username exploits" ?
Nov 08 01:31:53 (admin,ssh-connection) -> (administrator,ssh-connection). But without success (fixed in openssh long ago I guess?).. the botnets need to upgrade.
Nov 08 01:34:17 I have no idea what you mean
Nov 08 01:51:06 Okay!
Nov 08 01:51:24 I got the nginx server to show on my blah, blah, blah webpage.
Nov 08 01:51:25 Boy!
Nov 08 01:54:14 Da' Bone!
Nov 08 02:25:08 CoffeeBreakfast_: are you seeing a lot of annoying action in your logs?
Nov 08 02:25:25 welcome to the internet. there are crawlers iterating through _every_ ip address.
Nov 08 02:26:31 https://imgur.com/a/WW3PxkA
Nov 08 02:26:52 ayjay_t: not annoying, but odd... --> https://security.stackexchange.com/questions/121311/which-ssh-exploit-works-by-changing-the-user-name-in-the-middle-of-the-process
Nov 08 02:27:36 yeah who knows
Nov 08 02:27:46 not everyone getting their cybersecurity paycheck knows what they're doing
Nov 08 02:27:47 I have a lot of that, more than "PAM: Authentication failure..."
Nov 08 02:28:00 is that sshd-->PAM?
Nov 08 02:28:10 yes
Nov 08 02:28:18 yeah i mean, maybe change ports if you don't like it
Nov 08 02:28:23 it's your server
Nov 08 02:28:33 if you want to listen for ssh on port 1, eff it
Nov 08 02:28:39 Like, botnets don't know the openssh protocol? or trying an odd exploit?
Nov 08 02:28:47 yeah i bet trying an old exploid
Nov 08 02:28:48 *exploit
Nov 08 02:28:49 exploit*
Nov 08 02:28:52 lol
Nov 08 02:28:58 like an ip camera running a 1.8 kernel or something on a mediatek rofl
Nov 08 02:29:00 looks like it's trying different logins, and used to be able to do that without having to reconnect?
Nov 08 02:29:40 each of these pairs looks like obvious neighbours in a list of usernames to try
Nov 08 02:29:51 yeah who knows eh?
Nov 08 02:29:53 it could be that too
Nov 08 02:30:43 i need to stop giving myself so much reading to do
Nov 08 02:30:52 i don't know how this happened, i have another like 20 tabs to read
Nov 08 02:31:19 * ayjay_t goes to the dive bar across the street to read
Nov 08 02:31:21 the thing is, more change of usernames (a lot more) than password tries?
Nov 08 02:33:18 it's likely to iterate over usernames in the inner loop and passwords in the outer loop
Nov 08 02:34:33 I had admin:admin set up, just for fun, and nobody appears (no, not the user nobody)
Nov 08 02:35:25 still weird that any attacker is trying it like this. the check that causes this disconnect is not remotely new, the commit dates from 2001
Nov 08 02:38:20 but yeah, looking at the relevant part of the ssh protocol doc referenced, the error simply means two login attempts were done on the same connection with different usernames, which is forbidden and results in disconnect. there's nothing more to it afaict. so it's just dumb attackers that fail to enforce the constraint of max 1 username per connection
**** ENDING LOGGING AT Thu Nov 08 02:59:59 2018