--- Log opened Sun Apr 15 00:00:45 2018 00:35 < Guddu> Can i ask a virtual box GUEST to HOST acccess question here? 00:35 < Barones> Hi, is there any tool that gets a trace route output and plot the hops geographically? 00:37 < compdoc> you can ask, maybe someone will answer 00:38 < compdoc> isnt there a VB channel? 00:56 < {HD}> tds: I think some of my issue is just what namecheap calls their options. I can set a 'custom nameserver' and I can add a 'private dns' so, it is odd trying to follow along with guides that call it glue records or hosts or whatever. 00:58 < tds> yeah, looking over namecheap's docs, it looks like adding a "personal dns server" adds the glue record for you 00:58 < {HD}> tds: That is what I figured so that is what I did. I should read those docs. After you add a 'personal dns' They don't show up in a list anywhere for me to see/edit. 00:58 < {HD}> ...that I can see at least 01:04 < {HD}> Well. I added ns1 and ns2 to my personal dns. Then I added those to my custom dns and I added a records on vestaCP for ns1 and ns2 in addition to NS records 01:05 < {HD}> Hopefully when namecheap dns updates it will magically work. 01:05 < SporkWitch> it can take a bit for NS entries to propagate 01:06 < SporkWitch> should be fine in a day or two 01:06 < tds> Yeah, the TTL will typically be relatively high (normally ~48 hours iirc) 01:06 < {HD}> well checking 'whatsmydns.com' it seems like the correct ip is showing up but, it is not displaying my page like it should be. 01:06 < tds> if you want to check it now, you can use dig +trace to follow up from the root 01:08 < {HD}> tds: I did a 'dig +trace 01:09 < {HD}> ' but the results were um generic 01:09 < {HD}> nothing looks specific to my server 01:10 < tds> just to confirm, did you do that passing it your domain? 01:10 < tds> eg dig +trace example.com 01:11 < {HD}> Lol um... 
01:11 < {HD}> Brb 01:11 < SporkWitch> {HD}: the discrepancy is the difference between querying a server that had previously cached it and one that had to do a fresh lookup 01:27 < remote> what's the standard that allows wifi access points to prompt clients to add a specific root CA to their OS or browser? 01:28 < SporkWitch> RFC911 - Begging for malicious use 01:28 < SporkWitch> "hi, i'm a MITM by design, btw, trust anything i send you" 01:29 < SporkWitch> (more seriously, i don't know off-hand, but you're talking about a "captive portal" so if you structure your queries around that while searching, you'll probably find it) 01:44 < remote> thanks 01:45 < remote> SporkWitch: there are many legitimate use-cases for MITM'ing HTTPS 01:47 < SporkWitch> remote: i would argue that pretty much all of them have a better method for diseminating trusted CA root certs. Doing it on a captive portal implies people that are not your employees using it, and an open hotspot wanting me to trust its CA screams red flags all over the place. You want to know that my bank is X? Fine, but at least i know the contents of the traffic aren't compromised. 01:48 < remote> yeah you're right 01:48 < remote> I want to use it locally for tests but you're right, it's WIFI in first place afterall 01:50 < SporkWitch> wifi isn't the issue; WPA2-PSK will cover anyone not on the network, TLS covers the important bits on the network. If you need more, there's RADIUS (i'd have to double-check, but i'm reasonably sure RADIUS doesn't just have per-user auth, but also separate session keys so other wifi clients can't snoop your traffic) 02:06 < {HD}> it works! I have my dns working! 02:06 < {HD}> Thanks people! 02:10 < tds> {HD} good to hear :) 02:11 < {HD}> it is not perfect yet. I cannot get to mail.*.com but https://wwww.*.com works just fine. 02:20 < {HD}> well, there is an a record for mail.*.com but there is nothing there. I found it at *.com/webmail instead. 
Interestingly wwww.*.com is showing up as https with my letsencrypt but www.*.com/webmail is not secure... 02:20 < {HD}> What gives? 02:26 < SporkWitch> {HD}: did you use a wildcard for the CN, or list multiple? did you remember to list both? 02:26 < SporkWitch> {HD}: also note that *.foo.bar != foo.bar 02:27 < {HD}> SporkWitch: Well, most of the dns entries were setup by default by vestaCP. I also used the create lets encrypt button when adding domain to vestaCP. So, I don't know how it is setup but, I guess I can try to check. 02:29 < SporkWitch> {HD}: if you're using some automated thing that you don't really control, this isn't the place to be asking for help; bug the vendor 02:29 < SporkWitch> {HD}: anything we offer is predicated on you actually having real control 02:30 < {HD}> well, I have control but the initial setup was certainly done with default optimal options. I am reading all the settings now. 02:30 < SporkWitch> if i had to guess, wwww and www set up different certs, so you'd need the services listening to use the correct cert based on the requested domain 02:31 < SporkWitch> in short: this is why people condemn things like webmin and its ilk, as they do things in non-optimal ways, and often mangle config files to such a degree that wiping and starting over is often easier than repairing the damage 02:32 < Jorja> Is there a way to make a Windows 10 desktop into a hotspot? 02:32 < tds> ^ yes, vestacp is a similar kind of thing to cpanel/webmin/whatever, and generally I'd also say to just do it yourself properly, that way you get a working system and you understand how it works 02:33 < {HD}> Well, as I learn with setting things up I will start to ween off of cheater-tools and go more granular. 02:33 < SporkWitch> {HD}: again, because of how they mangle things, you're actually doing more harm than good if you want to learn. 
it's one thing to use them when you don't know and you just need it to work, but taking what they did and then trying to work FROM that is pure hell; no one has the patience to deal with that, no offense 02:37 < {HD}> Well, I guess I will do some research on what I would want to use. I am used to LAMP but I think I want to switch to ngenx. Lets encrypt seems easy enough to setup but, I don't have a clue about dns or email... 02:39 < javi404> Happy Monday 02:39 < Jorja> NETSH WLAN show drivers 02:39 < Jorja> Is there a way to make a Windows 10 desktop into a hotspot? 02:39 < SporkWitch> {HD}: when using actual stuff and not the cpanel type stuff, many will be happy to help. LEMP is trivial to set up, as is DNS. Mail can be tricky, but once you understand it, it's not bad. 02:39 < SporkWitch> Jorja: don't spam, and that's a google question 02:40 < Jorja> google is no help 02:40 < SporkWitch> you're a poor liar 02:41 < Jorja> I am not lying 02:41 < SporkWitch> https://lmgtfy.com/?q=windows+10+as+hotspot 02:41 < SporkWitch> yes, you are 02:53 < mast> Anyone here work with Arlo camera security hardware? 02:55 < mervin> ok 03:09 < SporkWitch> mast: If you have a question, just ask! For example: "I have a problem with ___; I'm running Debian version ___. When I try to do ___ I get the following output ___. I expected it to do ___." Don't ask if you can ask, if anyone uses it, or pick one person to ask. We're all volunteers; make it easy for us to help you. If you don't get an answer try a few hours later or on debian-user@lists.debian.o 03:09 < SporkWitch> erm... less the debian part lol 03:09 < mast> I think I understand what you mean 03:16 < comet23> are proxychains connections really anonymous? 
03:16 < SporkWitch> define "really anonymous" 03:17 < comet23> like unable to be traced 03:17 < SporkWitch> define "traced" 03:17 < comet23> the source that originated the request 03:17 < SporkWitch> if you want return traffic, of course it can be traced, it must be traced 03:17 < SporkWitch> the question is how many systems do you need to be logging traffic through to do that 03:32 < azizLIGHT> recommendationc s0for a ping utulilty which graphs, windows 7 03:32 < c|oneman> our mom 03:33 < c|oneman> er, ur mom 03:33 < SporkWitch> zenmap 03:33 < azizLIGHT> we're long lost brothers ? 03:34 < azizLIGHT> zenmap seems like overkill. just want to graph the ping over time to a LAN device 03:35 < c|oneman> I played with this for a while but it might be underkill http://denilson.sa.nom.br/prettyping/ 03:35 < c|oneman> https://www.pingplotter.com 03:38 < azizLIGHT> prettyping seems ok, but is it for windows? 03:38 < azizLIGHT> seems like *nix 03:38 < SporkWitch> that's a google question; most good tools are linux, though many have windows versions 03:44 < c|oneman> I've been wanting a decent ping monitor myself because I find PRTG annoying 03:44 < c|oneman> do you have an Asus router? 03:45 < c|oneman> you could potentially setup entware and run some linux tools on it 03:46 < SporkWitch> ♥ asus routers; that is some damned impressive stock SOHO firmware 03:59 < Jorja> Which router would be better https://www.walmart.com/ip/Netgear-N300-Wireless-Router-WNR2000-802-11b-g-n-up-to-300Mbps-10-100-Mbps-Ethernet-Port-x4/10928683 or https://www.walmart.com/ip/NETGEAR-RangeMax-WNR3500L-router-802-11b-g-n-draft-2-0-desktop/14663200 04:02 < comet23> anyone here use freenet for file sharing? 04:03 < mast> https://www.ebay.ca/itm/Digi-PortServer-16-50000260-02-D-Ethernet-Terminal-Server-No-AC-Adapter/232422867837?hash=item361d7b837d:g:CM4AAOSwDd9ZdlXX 04:03 < mast> I could use something like this to remote into a collection of cisco switches/routers? 
04:03 < mast> I have C2960s and 2801 routers 04:04 < mast> I have a feeling I already know the answer, just want to make sure 04:16 < azizLIGHT> welp i missed if someone said anyhting 04:17 < Kag3rou> Anyone know the best possible security to use for an RDP Server? 04:18 < fryguy> probably ipsec 04:19 < compdoc> an ipsec or openvpn vpn 04:21 < Kag3rou> Any links I can use to look further into both of those? 04:22 < electricbear> Kag3rou, give them some context 04:23 < fryguy> https://en.wikipedia.org/wiki/IPsec 04:28 < dogbert_2> LOL...compiling DAQ-2.0.6/Snort-2.9.11.x on a Libre Computer SBC (Le Potato) aml-s905x-cc 1gb (Quad Core 1.6Ghz ARM A53 processor w/1GB of DDR3 ram)... 04:28 < dogbert_2> Armbian OS 04:39 < azizLIGHT> c|oneman: prettypings so nice :) 04:41 < c|oneman> you found a way to run it on windows? 04:43 < azizLIGHT> nah im running it on my linux box. gonna add it to my other boxes too 04:43 < c|oneman> cool 04:43 < c|oneman> I use it at work on my mac 04:46 < azizLIGHT> why would my router start doing this all of a suden https://i.imgur.com/WEqfbsQ.png 04:46 < c|oneman> could be a switching/cabling issue 04:47 < c|oneman> does it do that from different computers? 04:47 < c|oneman> or say... from the internet? 04:47 < azizLIGHT> well, it was doing it when tested from a windows laptop, and also linux box 04:48 < azizLIGHT> all within LAN. just pinging the gateway 04:48 < azizLIGHT> the one thing i tried to do was put 1.1.1.1 or 8.8.8.8 or 9.9.9.9 in the dns for the router and ever since then i think its been fucking up 04:49 < azizLIGHT> even after i did a factory reset 04:49 < azizLIGHT> like 1-2 days ago 04:57 < sergiman94> hey, does anyone know how to make my wifi more eficient, i mean, faster ?? 
04:59 < azizLIGHT> cantenna aimed at your wifi 04:59 < azizLIGHT> or just go wired 04:59 < azizLIGHT> go 5ghz wifi 05:20 < Jorja> Which router would be better https://www.walmart.com/ip/Netgear-N300-Wireless-Router-WNR2000-802-11b-g-n-up-to-300Mbps-10-100-Mbps-Ethernet-Port-x4/10928683 or https://www.walmart.com/ip/NETGEAR-RangeMax-WNR3500L-router-802-11b-g-n-draft-2-0-desktop/14663200 05:22 < comet23> lol 05:22 < comet23> walmart?! 05:22 < comet23> hahaha 05:28 < {HD}> I setup this server less then 5 hours ago and I already have a fail2ban added on ssh...wtf... just bots I assume? 05:30 < Jorja> they are the fast I can get a router without having to wait six weeks 05:33 < Mr_Roboto1> {HD}: I had one server with 25K failed logins within 24 hours on public IP space 05:37 < Mr_Roboto1> I had previously set a machine up with a patched copy of SSH to show the passwords in a list; it was fascinating really, there were multiple hosts that had the same exact list they were probing for 05:40 < {HD}> Mr_Roboto1: wow, that is scary. 05:41 < Mr_Roboto1> yeah strong passwords+fail2ban or better still key based auth with password disabled 05:42 < {HD}> yep, I have key only auto 05:42 < {HD}> auth* 05:45 < Mr_Roboto1> pretty much may as well count on getting probed 05:46 < Mr_Roboto1> When I did hosting and the customer had monitoring service you'd find that Nagios alerts for SSH were likely people probing. I'd also go through netflow and see who had established the most SSH connections and start null routing based on that............Or checking local servers for compromise. 05:57 < Jorja> Which router would be better https://www.walmart.com/ip/Netgear-N300-Wireless-Router-WNR2000-802-11b-g-n-up-to-300Mbps-10-100-Mbps-Ethernet-Port-x4/10928683 or https://www.walmart.com/ip/NETGEAR-RangeMax-WNR3500L-router-802-11b-g-n-draft-2-0-desktop/14663200 05:58 < phirephly> wow. They still sell draft n wifi gear? 
05:58 < dogbert_2> get something which supports 802.11ac 05:58 < dogbert_2> which by definition should support a/b/g/n 05:59 < phirephly> or at least spec N and gigE, I've never seen an 802.11N plus 100bTX before 06:01 < dogbert_2> spend 30-40 more and get a Netgear AC 1750 or D-Link AC 1750 06:07 < korean-walmart_> comet23, what you got against walmart?? 06:09 < Jorja> why 802.11 06:11 < phirephly> Jorja, 802.11 covers all of wifi, what are you asking? 06:12 < Jorja> I am just looking for a router that works 06:12 < fnDross> wifi that can contact voyager 06:14 < phirephly> Jorja, So are you asking why have wifi on a router? You're looking at $50 consumer routers, they all generally have wifi 06:14 < vvande> I've got a WNR3500L v2 and it did the trick for a long time. In fact I just plugged it in again to use as an AP for a neighbor down the street to access. 06:16 < Jorja> No Nevermind 06:16 < Jorja> I am too stupid to know what I am asking 06:16 < vvande> it's running Shibby AIO though - I never looked at whatever was on it when I bought it. 06:27 < jennam> Hi, just a general question, had a quick look on wikipedia, it's been a while since I've had to do a crossover cable connection, and I right in thinking it has one end the same as T568A and the other is B spec? 06:28 < phirephly> jennam, Yep. But the 1G spec requires devices to handle auto cross over, so needing one is pretty rare 06:29 < jennam> Yeah I thought it was rare, this is for HDMI over Cat6 06:30 < jennam> the reason I ask is I keep coming across cables wired B spec on both ends 06:30 < jennam> but thanks 06:30 < phirephly> yeah, practically everyone standardized on T568B for both ends. 06:31 < jennam> Oh okay, interesting 06:34 < Jorja> Can one connect a tablet to a computer using bluetooth then watch videos on tablet that are steaming on the computer 07:19 < VoidShift> Is there a way to switch ssh from desktop 1, to X during connection? 07:19 < VoidShift> Like an easy way to switch back and forth? 
07:20 < VoidShift> Or would i need 2 seperate tunnels? 07:34 < voidstar> VoidShift, forwarding an x window over ssh? 07:38 < VoidShift> Yes 07:39 < voidstar> in your situation is it infeasible to run 2 ssh sessions? 07:40 < VoidShift> So when at home on my pi, I can just use my vnc thru ssh tunnel as remote mouse and keyboard and see it in live time. I suppose I could run 2. Was just wondering if there might be a sort of switch command 07:41 < VoidShift> Never tried running 2. Didn't even know for sure that was possible 08:04 < Jorja> Can one connect a tablet to a computer using bluetooth then watch videos on tablet that are steaming on the computer 08:04 < Guest94038> VLC can do it over network 08:04 < Guest94038> dont know about over bluetooth 08:05 < jennam> you can set up vlc on the computer as a streaming server 08:05 < jennam> and connect using either vlc or another media player on the tablet 08:09 < hornydong> ALL HAIL HITLER! WE BOMBED SYRIA! 08:09 < jennam> must be one of those over enthusiastic 'hunting hitler' documentary fans 08:09 < jennam> sorry but he's dead 08:09 < hornydong> jennam: wtf? 08:09 < TV`sFrank> Nah. Just another whackjob yank. 08:09 < hornydong> no dude i am the niggiest of all niggers 08:10 < TV`sFrank> Winner 08:10 < hornydong> king fuck-dong thats my name 08:10 < jennam> well I wouldnt be hailing hitler he only liked the aryans 08:10 < TV`sFrank> Yep. Bored criminally psychotic yank. 
08:11 < hornydong> not criminal 08:11 < hornydong> saying hail HITLER is not criminal 08:11 < hornydong> i will say it again 08:11 < TV`sFrank> Have a great day/night crimmo whackjob yank 08:11 < hornydong> HITLER HITLER HITLER HITLER HITLER 08:12 < asphyxia> what is going on over here 08:12 < hornydong> HITLER HITLER HITLER HITLER HITLER 08:12 < asphyxia> this channel sure is noisy 08:12 < TV`sFrank> lol why is it SO many halfwit yanks are so desperate for attention 08:12 < hornydong> asphyxia: nutjob tries to tell me i am criminal 08:12 < hornydong> for hailing hitler 08:12 < hornydong> HITLER HITLER HITLER 08:12 < jennam> i dont think thats what they meant when they said that 08:12 < jennam> but I suppose we cant expect you to understand that 08:12 < asphyxia> well technically irc channels are a privelege not a right 08:12 < asphyxia> hornydong: so maybe tone it down or you might get kicked 08:13 < hornydong> i understand your racist hate for all Hitlerists 08:13 < hornydong> asphyxia: the jew ops can kick me i will rejoin 08:13 < hornydong> they can ban me and i will evade 08:13 < hornydong> they cannot silence the truth 08:13 < jennam> what truth 08:13 < jennam> he's dead dude 08:13 < z0null> wut truth? 08:13 < hornydong> the ghost of Adolf Hitler is out there, trapped in a pocket watch 08:13 < z0null> troll 08:13 < asphyxia> jennam: XD 08:14 < jennam> nah i dropped the watch in the bath 08:14 < asphyxia> yuck it's a troll 08:14 < asphyxia> kill it before it breeds 08:14 < hornydong> trolls are evil 08:14 < hornydong> i am a spammer 08:14 < hornydong> there is a difference 08:14 < TV`sFrank> Meh. This halfwit queef just wants attention. /ignore it and it will go back to bed crying for it's daddy. 08:14 < hornydong> being a nigger i dont have the proper intelligence to troll so i spam instead 08:14 < asphyxia> hornydong: you're fucked 08:14 < TV`sFrank> Don't feed it. 
08:15 < hornydong> SMOKE ALL THE WEEEEEEED 08:15 < hornydong> I SUPPORT THE RIGHT 08:15 < hornydong> TO HUFF SPRAY PAINT 08:15 < jennam> cool, you should take that seriously on board 08:15 < jennam> practise what you preach 08:15 < hornydong> wut 08:16 < hornydong> how much spray paint u think i huffedm 08:16 < jennam> I'd like to say a lot, it'd explain your ranting 08:16 < hornydong> a MILLION CANS OF SPRAY PAINT AND A BILLION BOTTLES OF GLUE 08:16 < jennam> but I fear it's none yet 08:16 < hornydong> oh jeez 08:16 < hornydong> i shit my pants again 08:17 < hornydong> sorry aaro no DCC 08:19 < voidstar> VoidShift, you can have as many as you can stand to manage 08:23 < Jorja> Can one connect a tablet to a computer using bluetooth then watch videos on tablet that are steaming on the computer 08:23 < VoidShift> voidstar: from one void to another, thank you lol. But just for the sake of knowledge... if I DIDN'T want to run multiple tunnels...would there be a way to switch between :1 and x? 08:24 < voidstar> not that I know of 08:24 < VoidShift> Alright 08:25 < voidstar> you could run xterm or something similar over your vnc connection 08:26 < VoidShift> I'm not familiar with xterm 08:26 < voidstar> you're running raspian or noobs? 08:26 < VoidShift> But I tunnel my vnc through the ssh. 08:26 < VoidShift> Kali-pi 08:27 < VoidShift> (Running kali-pi) 08:29 < voidstar> oh, I think I misinterpreted. why would you need to switch? 08:29 < detha> VoidShift: ssh -X will give you X forwarding, so any X program you start in the ssh session will appear on your local X server. With -R5900... added you get a vnc tunnel 08:29 < detha> sorry, -L5900 08:31 < VoidShift> voidstar: was just thinking it'd be handy in the scenario of my pi being compromised. 
By switching to X, I can see exactly what they're found, and even take control 08:31 < VoidShift> *what they're doing 08:31 < VoidShift> But I can just do the same with 2 tunnels, so that works 08:31 < voidstar> if someone was savvy enough to compromise you, surely you wouldn't find them in an x session 08:33 < VoidShift> I mean, if the pi itself was taken, once plugged in and connected, I could ssh to X and watch what they're doing. And wym I wouldn't find them in x session? 08:34 < VoidShift> Where would the savvy go? 08:34 < hornydong> nigger sex 08:34 < detha> X doesn't work like that. And a standard VNC server gives you a separate session anyway. If you want to see what it happening on the main screen you need x11vnc. 08:35 < hornydong> no you need nigger sex 08:35 < voidstar> in case of theft, and the pi is phoning home then ^ 08:36 < VoidShift> detha: that's because say tigervnc, it configured to start at session :1. But I can change that to X in the files can't i? 08:37 < hornydong> Sigyn is a nigger lol 08:37 < detha> not that I know of 08:37 < hornydong> detha: do you huff paint? 08:38 < VoidShift> Hmm ok. Thanks 08:38 < detha> x11vnc is made specifically to have VNC access to :0 08:38 < VoidShift> Yea, I had x11 first. But tiger had less issues with the kali-pi build, so they replaced x11 with tiger 08:40 < VoidShift> voidstar: if a person could compromise by other means, like through network vuln. Where would they be if not on the default session? Jw 08:41 < VoidShift> detha: apologies. The x11 vs tiger comment was for u 08:41 < hornydong> i have a horny penis 08:41 < hornydong> its hungry for niggger vagina 08:42 < detha> VoidShift: on a reverse shell, probably 08:42 < c_cinap> cause it smells like swamp gaas? 08:42 < voidstar> they'd pop a shell, or direct ssh, or 08:42 < voidstar> any other arbitrary remote code execution 08:43 < VoidShift> Ok, thanks both 08:43 < detha> the only thing one would see on a remote X11 is physical compromise, i.e. 
someone plugged a keyboard+monitor into the pi 08:44 < VoidShift> Ah, makes sense now 08:45 < VoidShift> What steps could I take to better protect my ssh tunnel from being compromised? 08:46 < voidstar> if this is a service open to the internet, don't use known insecure ciphers and large key sizes 08:46 < voidstar> if it's an internal service, lock down your network 08:47 < voidstar> but lock down your home network regardless 08:47 < detha> disable password auth, disable weak ciphers. limit ranges that can connect to the service. 08:52 < VoidShift> I'm new to this stuff. Think I've heard of not using passwords, to use rsa keys (I think?) Instead 08:53 < voidstar> yep 08:53 < VoidShift> What's a good cipher? 08:53 < VoidShift> Or is that rsa 08:54 < VoidShift> And how do i limit ranges? 08:55 < Quatermass> OB 08:55 < voidstar> he meant limit ranges of ips that are able to connect to your service. 08:56 < voidstar> see https://support.asperasoft.com/hc/en-us/articles/221494788-Best-practices-for-SSH-configuration for a sample config 08:56 < VoidShift> voidstar: I know, just never done that and don't know how 08:56 < voidstar> iptables 08:56 < VoidShift> Thanks again for helping. Will read 08:57 < eraserpencil> Is this the place to ask about dns SERVFAILs? 09:01 < detha> one can ask here. for a solution, whoever operates the DNS server may be a better bet. 09:02 < vvande> there's also #dns 09:02 < VoidShift> voidstar: nice article. However it says to allow password connect. So Imma just correct that part myself to no. But very helpful 09:03 < eraserpencil> ahh okay i'll give #dns a try 09:03 < eraserpencil> thanks alot 09:03 < voidstar> for aspera's purposes, leaving password on till a key is generated is to prevent lock out 09:03 < VoidShift> Oh ok 09:04 < voidstar> it's never fun to get locked out of ssh 09:07 < vvande> I usually make one or two IPs not affected by number of attempts etc. 09:21 < voidstar> does x forwarding work on linux subsystem on windows? 
09:48 < azonenberg> voidstar: pretty sure Xming can, if nothing else works 09:56 < xingu> voidstar: opentext exceed is probably the benchmark display server for windows (unless you have an allergy to spending money); x11 forwarding per se isn't a big ask, anything that can link a named pipe to a tcp socket will suffice (so, sshd for instance) 09:57 < voidstar> ah, I wasn't clear: I'm looking to forward an x window to windows via wsl 09:58 < voidstar> oh, I see 09:59 < voidstar> opentext exceed seems a bit excessive for personal use 09:59 < xingu> it has a wall of history behind it; the free solutions will work, until they don't 10:00 < xingu> mapping x11 and xcb to windows gdi primitives is at least 20% art. 10:01 < voidstar> heh 10:02 < xingu> a small suggestion would be to target launching a vnc server as the root display from a display manager 10:03 < xingu> then connect to it via loopback tcp from the windows side as a regular vnc session 10:04 < xingu> I did that a long long time ago in a galaxy far far away to bring various legacy remote sysvr4 (and their various proprietary windget sets) things into the windows world 10:05 < voidstar> ah, I'll take that into consideration. I really only need one window from a vm 10:06 < xingu> yup; but to get there from here you need to deserialise then render x11 events into a hopefully double-buffered framebuffer of some description 10:06 < xingu> which almost perfectly describes what vncserver actually is. 10:08 < xingu> apparently tightvncserver should run under wsl 10:10 < Sircle_> Hi 10:10 < xingu> I've been at this for long enough that I've had to deal with fun topics like (undocumented) endianness issues between client pixmap format and server framebuffer :) 10:10 < jelly> exceed still exists?! 10:10 < Sircle_> How to block all outgoing 22 connections but not from a single user. e.g -m owner thing? 
-A OUTPUT -p tcp -m tcp --dport 22 -j REJECT 10:11 < xingu> jelly: it just keeps coming and coming 10:12 < jelly> I remember using a dos version 10:13 < xingu> jelly: I remember using an os/2 version ;) 10:15 < jelly> Sircle_, first allow one user, then block everything (else)? 10:15 < Sircle_> ok 10:18 < jelly> oh, iptables-extensions(8) says it also has negation 10:18 < xingu> jelly: exceed running on mga came close to destroying the market for flat 2daccel low end graphical workstations. 10:25 < Sircle_> jelly, is this correct syntax to allow 1002 id user iptables -I OUTPUT m owner --owner-gid 1001 -p tcp --dport 22 -j ALLOW 10:26 < Sircle_> jelly, is this correct syntax to allow 1002 id user iptables -I OUTPUT m owner --owner-uid 1001 -p tcp --dport 22 -j ALLOW 10:26 < Sircle_> sory 10:27 < Sircle_> jelly, is this correct syntax to allow 1002 id user iptables -I OUTPUT m owner --owner-uid 1001 -p tcp --dport 22 -j ACCEPT 10:35 < Sircle> unknown option "--owner-uid" > sudo iptables -I OUTPUT -m owner --owner-uid 1001 -p tcp --dport 22 -j ACCEPT whats wrong 10:39 < Apachez> check the manual for the module owner 10:44 < Sircle> Apachez, some how the following is now allowing the destination ip to be sshed. What can be the reason 10:44 < Sircle> -A OUTPUT -s 168.235.95.234/32 -p tcp -m tcp --dport 22 -j ACCEPT 10:44 < Sircle> -A OUTPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable 10:45 < Sircle> I guess - should be -d 10:50 < Sircle> solved 10:53 < Apachez> you are doing it wrong 10:53 < Apachez> oh nevermind 11:38 < azizLIGHT> whats the cheapest/easiest way to incorporate a 2nd internet connection and use it as failover automatically, and switch back to main internet when its back up 11:41 < JPT> Probably a custom configured router - maybe take a look at openwrt. 11:42 < JPT> Existing TCP connections or sessions bound to your ip address may still get interrupted, so keep that in mind. 
11:43 < Apachez> rackdiag is really cool :) https://bit.ly/2JO22PW 11:47 < _BIGSHOT_> i am behind Double NAT, and I want to access my local plex media server from outside my network - is it possible using ngrok? 11:47 < Apachez> -Quatermass- wanna hug? 11:54 < azizLIGHT> JPT: is there anything for dumbos, just plug and play. stick 2 ethernet cords in and get failover automaticaly 11:55 < azizLIGHT> is there a difference between arris 1862 and technicolor tc8715d cable modems? thge interfaces on google images look very similar 11:55 < JPT> I don't know. I haven't seen a solution for cases like this yet. 13:22 < wiresharked> So is there any difference between advanced energy efficient ethernet and the regular low-power ethernet? 13:27 < djph> less power consumption with EEE (ports shut off when not in use, etc) 13:28 < wiresharked> djph: But I also saw "advanced EEE" in my ethernet adapter settings 13:28 < djph> TBH, it's probably only going to make a difference if you have lots of switches with not much capacity used 13:29 < wiresharked> djph: I'm not talking about switches though. I'm referring to my desktop computer 13:29 < detha> Also, the savings in burning electrical power are negated by the admins burning up energy walking to that switch /again/ because some port decided to turn itself off, and won't come back on unless someone physically unplugs/plugs it 13:30 < djph> I think the NIC is the least of your worries for power consumption in a PC 13:31 < djph> especially now with MSFT sending all your keystrokes to the mothership 13:33 < wiresharked> djph: That's why I don't use energy efficient ethernet 13:33 < wiresharked> And my computer has a wifi adapter as well 16:03 < DJDan> is there a better way to reverse lookup IP addresses on a network interface besides doing "avahi-resolve-address [ip]" for each. Want to find out the local dns name (eg; blah.local) 16:07 < Carll> DJDan: doesn't your /etc/hosts file list them? 
16:08 < DJDan> Carll: no, im trying to get the ones that other computers on the network broadcast not my own 16:09 < mawk> DJDan: host 16:09 < mawk> if it's the local dns name you need avahi tho 16:09 < mawk> the local name isn't a dns name, it's mDNS 16:09 < mawk> it's what avahi is for 16:10 < DJDan> wanted a better method then manually finding what ips on network then avahi-browse them all 16:10 < DJDan> local not internet.. host seems to do internet 16:10 < DJDan> the mdns can only be done with avahi? 16:10 < DJDan> i did try with nmap but couldnt work it out 16:10 < mawk> host uses whatever DNS server you set up 16:11 < DJDan> so then how do i use host 16:11 < mawk> mDNS is done by avahi yes 16:11 < mawk> .local is mDNS 16:11 < DJDan> i want the local dns name 16:11 < DJDan> eg; blah.local 16:11 < mawk> but there should be a way to use avahi to list every mDNS name known at the moment 16:12 < mawk> or you can use your ARP table for computers you've spoken to 16:12 < mawk> because mDNS is done on the local link in the same manner as ARP 16:13 < Carll> I'm not familiar but you could try; avahi-resolve-address -a 16:14 < DJDan> oh i see.... and can nmap do that too 16:14 < DJDan> but arp table can have old values 16:14 < DJDan> if theres a list all in avahi-browse that would be good.. cause currently im doing it 1 by 1 16:15 < mawk> there's a package name avahi-discover 16:15 < mawk> it could maybe help you 16:16 < mawk> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 20: ordinal not in range(128) 16:16 < mawk> lol 16:16 < mawk> just found a bug in it 16:16 < mawk> the fix is simple 16:16 < Carll> avahi-browse --all 16:16 < Carll> https://linux.die.net/man/1/avahi-browse 16:17 < DJDan> is there a way with nmap 16:17 < DJDan> cant seem to find avahi-discover .. but doesnt help that im using LEDE ash either... 16:17 < mawk> yeah avahi-browse for command line too 16:17 < jotef> Hi there. 
I have a subdomain (mail.example.org) that is managed by a different nameserver than the root domain (example.org) by setting up a corresponding NS record in example.org. With this setup, would it be possible that all mail that is being sent to example.org could be handled transparently by mail.example.org? 16:20 < DJDan> Carll: oh thats what i had before, but that shows the services too... i guess just looping through with avahi-browse is better then 16:20 < Peng_> jotef: Sure, set example.org's MX record(s) 16:22 < DJDan> how would i do avahi-browse -a -r and then only show the IP and Hostname if its not duplicated 16:23 < mawk> first, add -t for the process to terminate 16:24 < mawk> and -p for a parsable output 16:24 < mawk> so avahi-browse -arpt 16:24 < mawk> now you just want ip address and hostname, not duplicated ? 16:24 < DJDan> yep 16:24 < mawk> IPv4 and IPv6 ? 16:24 < DJDan> ipv4 16:27 < mawk> IFS=$'\n'; for line in $(avahi-browse -arpt); do IFS=';'; a=($line); IFS=$' \t\n'; if [[ ${a[2]} == IPv4 && ${a[7]} != '' ]]; then echo "${a[7]}" "${a[6]}"; fi; done 16:27 < mawk> that's with duplicates 16:27 < mawk> now let's add a uniq or something like that 16:27 < DJDan> lede/linux seems to work with avahi-browse but osx and some others like dnsd which seems limited 16:28 < mawk> { IFS=$'\n'; for line in $(avahi-browse -arpt); do IFS=';'; a=($line); IFS=$' \t\n'; if [[ ${a[2]} == IPv4 && ${a[7]} != '' ]]; then echo "${a[6]}" "${a[7]}"; fi; done; } | uniq -f2 16:28 < mawk> here it is 16:31 < DJDan> that only seem to report just the 1.. not others 16:31 < mawk> then the others are duplicates 16:31 < mawk> or the IP is lacking 16:31 < mawk> check the avahi-browse -arpt log 16:32 < DJDan> Too many arguments 16:32 < mawk> no, I mean: check avahi-browse -arpt 16:33 < jotef> Peng_: I am not able to set MX records as I already have a NS record that says that mail.example.org should be handled by a different nameserver. 
16:33 < DJDan> I'm using lede linux, which is based on ash/busybox (and i have bash installed too)... so avahi-browse might be limited hmm
16:34 < Peng_> jotef: Why wouldn't you be able to set an MX record
16:34 < tds> jotef - you said "corresponding NS record", what name is the ns record set on?
16:35 < tds> If it's on mail.example.com you need to add the MX record in the parent zone, otherwise you can just add an MX record in your zone
16:35 < DJDan> mawk: ok the first command with duplicates worked fine... the second cut them off
16:36 < mawk> alright
16:37 < jotef> the name of the NS entry is "mail" and the value is an external nameserver under a different domain.
16:38 < DJDan> what is uniq -f2 meant to do
16:38 < DJDan> cause that just shows the first entry only
16:40 < DJDan> mawk: ./ip-ipstonetworkname-better | sed '$!N; /^\(.*\)\n\1$/!P; D' .. i think that works
16:40 < mawk> uniq -f2 removes the duplicated IPs
16:41 < DJDan> oh still kept duplicates
16:42 < DJDan> it seems to just remove everything... and only kept 1 ip and 1 name... but there's at least 3 devices and ips
16:42 < mawk> and without duplicates removed you see them all ?
16:42 < mawk> strange
16:42 < mawk> I may have gotten my uniq command wrong
16:43 < mawk> ah, you need to sort before doing uniq sorry DJDan
16:43 < mawk> { stuff; } | sort -k1,1 | uniq -f2
16:43 < mawk> that should work
16:44 < DJDan> nup only showed one.. hmm
16:46 < DJDan> i think i prob have it in the wrong order
16:46 < DJDan> didn't seem to work.. only shows the top entry.. and not the rest { IFS=$'\n'; for line in $(avahi-browse -arpt); do IFS=';'; a=($line); IFS=$' \t\n'; if [[ ${a[2]} == IPv4 && ${a[7]} != '' ]]; then echo "${a[6]}" "${a[7]}"; fi; done; } | sort -k1,1 | uniq -f2
16:54 < DJDan> something seems wrong with the last part
16:56 < DJDan> mawk: any ideas? also avahi-resolve-address seems to actually resolve more stuff.. (like netbios names or something) whereas avahi-browse -arpt doesn't pick up my windows machines
16:58 < {HD}> I am using DigitalOcean for server1.mydomain.tld and I have a ptr issued for it through DO. Do I need to also add a corresponding record to my server1.mydomain.tld DNS server? Which is itself...?
17:01 < Emperorpenguin> HD: yes
17:01 < mawk> dunno
17:01 < Emperorpenguin> HD: generally your domain registrar
17:01 < mawk> check in the man page maybe
17:02 < DJDan> mawk: so far it seems avahi-resolve-address with manually checking every ip is better than avahi-browse -arpt .... cause that isn't showing my windows netbios names...
17:02 < {HD}> Emperorpenguin: Yes, I have my ns1.mydomain.tld set up to point to my DNS. I am talking about a corresponding PTR record in my DNS...
17:03 < mawk> check the man page DJDan
17:03 < Emperorpenguin> ah no you don't have to do anything
17:03 < Emperorpenguin> domain.tld belongs to you and your DNS server points to the IP
17:03 < Emperorpenguin> the IP belongs to digitalocean, resolves to THEIR dns server and points to your hostname
17:04 < {HD}> Emperorpenguin: Oh, I was hoping I would need to. Because before I had a PTR at DO I did a 'blacklist check' and I wasn't on any. But once I got my PTR updated I am blacklisted @ dnsbl.spfbl.net
17:04 < Emperorpenguin> well I think you should add an A record on your side
17:05 < Emperorpenguin> maybe they check that forward and reverse match
17:05 < {HD}> The error is "ip blocked for misconfiguration of rDNS"
17:05 < DJDan> mawk: i did... https://www.systutorials.com/docs/linux/man/1-avahi-browse/ and https://linux.die.net/man/1/avahi-resolve-address ... not 100% understanding the difference... but so far manually doing every ip with avahi-resolve-address at least shows the windows netbios names too..
17:07 < {HD}> Emperorpenguin: hum...back to the googles. I might just have to apply for 'delist' from that blacklist
17:07 < Emperorpenguin> HD yeah it's what I was saying
17:07 < Emperorpenguin> your reverse and forward don't match
17:07 < Emperorpenguin> anyone can say "this IP is google"
17:07 < Emperorpenguin> but only google can say "this is my IP"
17:07 < Emperorpenguin> so they check that your reverse (this IP is google) matches the forward (this IP is mine)
17:08 < {HD}> Yea I think forward and backwards are pointing to the same ip...
17:17 < Emperorpenguin> HD: forward points to IP, reverse points to domains
17:18 < Emperorpenguin> A points to IP, PTR points to A
17:18 < Emperorpenguin> they are not necessarily on the same server
17:19 < {HD}> So I just need an A record for server1 or "server1.mydomain.tld."
17:22 < DJDan> mawk so you're not sure of the difference... is there a way to do it with dns-sd? that seems to be much more limited than avahi
17:23 < DJDan> mawk:
17:24 < mawk> dunno, I'm not a mDNS expert
17:24 < mawk> you can parse avahi-resolve-address if you want
17:25 < DJDan> yeah I've already passed that for now... was just working out other methods
17:26 < DJDan> avahi-resolve-address seems the best method so far... because i can't get netbios names working on the other
17:26 < Exagone313> you can check what AS controls an IP and thus know if it's owned by e.g. Google
17:26 < DJDan> mawk: there's also a way to use nmap to resolve it.. but i couldn't work it out... i did write a script that did netbios names only with port 139 but that didn't include mdns names
17:27 < DJDan> i assume the only methods of local names.. are really... mdns/avahi and netbios
17:27 < DJDan> dns names
17:28 < DJDan> dns-sd -B _services._dns-sd._udp . shows all services, but it won't tell me the actual IP they came from
17:28 < Apachez> DJDan: resolv.conf
17:28 < DJDan> Apachez: that's not mdns stuff that other machines broadcast
17:30 < Apachez> don't broadcast shit then?
17:32 < DJDan> Apachez: huh.. that doesn't answer the question
17:33 < DJDan> is there a way with dns-sd -B _services._dns-sd._udp . to actually list the real ips
17:39 < DJDan> so dns-sd can't?
17:40 < Apachez> real ip of what?
17:41 < DJDan> the local ip addresses of the broadcasted devices
17:41 < DJDan> it's just showing .local and not the actual 192.168.0.x ip
17:45 < DJDan> is there a way with dns-sd to show the local ip addresses too?
18:34 < cluelessperson> hi all. Does anyone here know how to block routes on a unifi network?
18:34 < cluelessperson> I have several networks I want the USG to provide DHCP for, but no internet, nor routes out
18:48 < redrabbit> I'm trying to set up two APs with the same MAC address, however the 1st AP turns back to the hardware mac when i turn on the 2nd one
18:48 < redrabbit> they are gateways for ESP-now with some esp8266
18:48 < redrabbit> (raw wifi frames)
18:50 < ntd> why would you want two APs to have the same bssid?
18:56 < DJDan> Apachez: do you know how with dns-sd -B _services._dns-sd._udp . to display the actual local 192.168.0.x ips instead of just .local
18:56 < cluelessperson> ntd: pretty sure that you wouldn't
18:57 < cluelessperson> ntd: note, bssid isn't the same as ssid
18:57 < cluelessperson> bssid is basically the mac of the ap.
18:58 < ntd> he said "ap with same mac"
18:59 < Apachez> apple with same mac
19:15 < redrabbit> they are raw frame gateways
19:16 < redrabbit> i need to set the same mac because nodes address packets to that MAC
19:36 < cluelessperson> it's quiet
19:43 < quantum> Question on port mirroring on a switch: If I mirror port 3 to 4, can I still reach the devices connected to them from port 2?
19:44 < Apachez> sure
19:44 < Apachez> port 2 isn't part of receiving the mirror stuff
19:45 < Apachez> actually depending on your vlan config you can still send out junk on the receiving port
19:51 < quantum> Apachez: Thanks. No VLAN here.
19:52 < quantum> I'm putting a small managed switch between the instrument cluster and center display of a Tesla.
19:52 < Epic|> Wut
19:53 < quantum> I want the IS to always talk to the center display, but I also want to intervene with a Pi on port 2.
19:54 < quantum> So I'm torn whether to mirror 3 to 4 (IC to display), or 3 to 2 and have the Pi do the forwarding.
19:54 < quantum> ... I want the IC...
19:59 < Apachez> normally when you mirror stuff you should run the box connected to the port where all is dumped at in promiscuous mode
20:00 < Apachez> so it will accept frames with the wrong dstmac
20:01 < quantum> Ok. I'm not really sure why I need to monitor that traffic anyway.
20:01 < quantum> ... but better to be safe than sorry.
20:02 < dogbert2> heh...when you run out of ethernet ports on your home router :)
20:03 < quantum> I mean between the Tesla Instrument Cluster and the center display (main CPU).
20:04 < quantum> dogbert2: Are you saying that when I cascade a switch I need to mirror all of the higher switch's ports down to the cascaded one?
20:05 < dogbert2> I'm talking about my situation...I only have one port left on my D-Link AC1750...so I need to get an 8 port unmanaged GigE switch to add more ports
20:06 < quantum> Where does mirroring come in?
20:07 < dogbert2> well, mirror/SPAN ports are useful for attaching an IDS or packet capture device
20:07 < quantum> (And, it's time to go to a GS728TP)
20:08 < quantum> (... actually cheaper used than the 16 port because there are more of them)
20:09 < quantum> (... but freakin' noisy so relegate it to the basement)
20:10 < dogbert2> heh...
20:44 < jimm> hi, (eventually I want to fix a program that generates a masquerading firewall from interface definitions, but for now...) I have two internal nets, each on a network interface, that I want to provide a route to the "rest of the net", using iptables rules... how can I do that simply and quickly enough that it's worth replacing it with the more general solution later?
20:44 < jimm> the two nets are 172.18.0.0/16 and 172.19.0.0/16
20:46 < jimm> actually let me test something real quick, be right back
20:47 < tds> jimm: assuming you want nat, an iptables rule like -t nat -A POSTROUTING -s 172.18.0.0/15 -o -j MASQUERADE should do that for you
20:47 < tds> (and you want to make sure forwarding is enabled and you have rules to allow forwarding)
21:15 < jimm> tds, ok, thanks... (I left to check to see if an older kernel would work, it didn't)
21:16 < tds> jimm: if you want some docs on iptables stuff, I quite like the arch wiki pages
21:17 < jimm> thanks for the reminder... right now, I need to see why the thing isn't working... I'll look at the wiki in a bit
21:20 < jimm> how can I delete that rule?
21:21 < jimm> sec, I'll read man iptables
21:30 < Lenders> hi - I'm working on setting up local POE cams - i have a POE switch that is a smart managed switch. i don't want people to be able to go to one of my cams outside my home, unplug it and plug right into it, accessing my internal network. I'm wondering if setting up a vlan for all the ports using cameras would work?
21:30 < purplex88> what's the meaning of network traffic statistics?
21:30 < purplex88> what are statistics here
21:31 < petemc> data
21:31 < L3gacy> Data, or data?
21:31 < purplex88> then i'll call it network traffic data
21:31 < purplex88> lol
21:32 < Kingrat> L3gacy, Lieutenant Commander Data
21:33 < purplex88> are they counters of a certain value?
21:33 < purplex88> say unique ips
21:34 < purplex88> what are statistics really.. how can i say it
21:35 < petemc> purplex88: amount of data sent/received, dropped packets, different modes enabled
21:36 < zhangxaochen> how does this invitation link work? https://wap.yidai.com/landpage/?u=NTExNjAyX3JlZ2ludml0ZQ==
21:36 < zhangxaochen> I find in the