[CentOS-es] Nagios
Hello. Dear all, I have a problem with nagios when running checks against remote hosts. This is the error:

CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

According to the documentation this can be an openssl incompatibility error. I updated to the latest version, openssl-0.9.8b-8.3.el5_0.2, which is installed on both machines; the NRPE services are OK on both servers, and access to the host is fine too. Can anyone give me some information about this? Regards, Fernando Quil Ayala
___ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
Re: [CentOS-es] PROBLEMA DE PRIVILEGIOS DE USUARIOS EN SAMBA PDC
To solve that problem you have to add the user or the group to the local Administrators group; that way the user is an administrator, but only of his own machine. You can do it in Computer Management on your XP, or with the net rpc command from your Linux box. Regards.

Andre Aspée wrote: No, I did not create the user on the machine; I create it on the samba PDC. I found a way around the problem, which is to grant access permissions on the folders the programs ask for, letting authenticated users read and write. Creating the user on the machine is exactly what I don't want; if I did that I would still be working with a workgroup and creating local users.

Mario Ganga wrote: Hi.. Did you create the user on the machine he uses??? Regards, Mario Ganga Castro.

On Jan 30, 2008 4:39 PM, Andre Aspée [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Hello, I have a samba PDC; I register machines and users, and they log in correctly. All clients will be WinXP. I am running tests to check the users' privileges according to the groups I assign them on the samba PDC. On the machine where the user logs in, he does not have the privileges needed to, for example, install programs or change the configuration of the network connections. Worse, when I run some programs (our ERP) they won't run, because the user has no permission to read and write in the software's folder. That is, he logs in, but only as a restricted or guest user. For the user to be able to use the ERP, I have to make him a member of Domain Admins, with the resulting problem that he can install programs and change the machine's configuration as he pleases. I would like to have a kind of domain user who can read and write in the program folders without being a domain administrator, and who cannot modify network settings or install programs.

It occurred to me to map a domain Power Users (Usuarios avanzados) group and give it the SID S-1-5-32-SAmbaSID-547, but when the user is added to this group he stays just as restricted. Any suggestions??? Thanks.

My net groupmap list:
[EMAIL PROTECTED] ~]# net groupmap list
Opers. de servidores (S-1-5-32-549) -> opers_sistema
Duplicadores (S-1-5-32-552) -> duplicadores
Usuarios avanzados (S-1-5-32-547) -> usrs_avanzados
Opers. de impresión (S-1-5-32-550) -> opers_impresion
Administradores (S-1-5-32-544) -> administradores
Admins. del dominio (S-1-5-21-732503632-1872658953-3798343223-512) -> admins_dominio
Opers. de cuentas (S-1-5-32-548) -> opers_cuentas
Invitados del dominio (S-1-5-21-732503632-1872658953-3798343223-514) -> invitados
Usuarios del dominio (S-1-5-21-732503632-1872658953-3798343223-513) -> usuarios_dominio
Operadores de copias (S-1-5-32-551) -> opers_copias
Usuarios (S-1-5-32-545) -> usuarios

My smb.conf:
#=== Global Settings ===
[global]
# --- Network Related Options ---
workgroup = tremac
server string = Samba PDC
netbios name = rapanui
hosts allow = 127. 192.168.10.
# --- Domain Controller Options ---
security = user
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
domain master = yes
domain logons = yes
time server = yes
logon path =
logon script = logon.cmd
add user script = /usr/sbin/useradd %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -c "Cuenta de máquina" -M %u
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
set primary group script = /usr/sbin/usermod -g %g %u
# the posted config had "/usr/sbin/userdel %u %g" here, which deletes the whole account instead of removing it from the group
delete user from group script = /usr/bin/gpasswd -d %u %g
add group script = /usr/sbin/groupadd %g
# --- Browser Control Options ---
local master = yes
;os level = 33
preferred master = yes
#--- Name Resolution ---
wins support = yes
# --- Printing Options ---
load printers = yes
cups options = raw
username map = /etc/samba/smbusers
;printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
;printcap name = lpstat
;
[CentOS] General questions about security
Hi, I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to set up a dedicated production server for our public libraries.

I wonder where to begin. I would say the first thing is to get a series of auditing tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?

The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good reasonable set of rules for a web server, for example?

Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in Red Hat Enterprise Linux 5 Unleashed by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions on this subject.

Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD Any suggestions? Niki
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: NFS problem in the latest kernel (Was: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm)
On Jan 31, 2008 6:21 PM, Akemi Yagi [EMAIL PROTECTED] wrote: This problem does not seem to be associated with specific hardware as implied in the original thread.

I did not intend to imply any such thing, at least not as far as the client is concerned; we've verified this on different hardware from different suppliers. To me, this is an inter-op issue with the new kernel and EMC's Celerra NFS server, and I am currently working it together with EMC tech support. Obviously it may affect other nfs servers as well; we can only test against what we have. BR Bent
[CentOS] cannot rewrite shadow password file
Hi, I run Centos 4. I can't add users using the adduser command, I get this error:

adduser: cannot rewrite shadow password file

I can't change the users' passwords with passwd, I get this error:

passwd: Authentication token manipulation error

What is wrong? Thank you Samuel
Re: [CentOS] swapping on centos 5.1
Jerry Geis wrote: Hi all, I used to use centos 4.5 on an AMD 4800+ with 2GIG ram. Now I use centos 5.1 on AMD 6400+ with 4GIG RAM. The system responsiveness is different between the two. I noticed that centos 5.1 seems to be swapping programs out of memory at times resulting in slowness (perceived by me). I played with the swappiness (/proc/sys/vm/) setting to 10, then 1, then 0. Still resulted in the same perceived slowness. Today I did swapoff -a and now the system obviously does not swap anything out at all. I thought that's what swappiness of 0 would have done. Are others experiencing this also? The perceived slowness makes the older system with less RAM and slower CPU seem faster. Any suggestions on other things to try?

When you reset swappiness, how did you do it? The way that I have had the most luck with is editing /etc/sysctl.conf and adding:

vm.swappiness=10 (or in your case, 0)

and then:

sysctl -p /etc/sysctl.conf

You would need to then make the things already swapped out come back (will happen over time) .. but rebooting is easier and faster. That should work ... but will not prevent all swapping.
Re: [CentOS] swapping on centos 5.1
On 01/02/2008 01:53, Jerry Geis wrote: Hi all, I used to use centos 4.5 on an AMD 4800+ with 2GIG ram. Now I use centos 5.1 on AMD 6400+ with 4GIG RAM. The system responsiveness is different between the two. I noticed that centos 5.1 seems to be swapping programs out of memory at times resulting in slowness (perceived by me). I played with the swappiness (/proc/sys/vm/) setting to 10, then 1, then 0. Still resulted in the same perceived slowness. Today I did swapoff -a and now the system obviously does not swap anything out at all. I thought that's what swappiness of 0 would have done. Are others experiencing this also? The perceived slowness makes the older system with less RAM and slower CPU seem faster. Any suggestions on other things to try? Jerry

Large amounts of swap in use do not necessarily reflect a system that is swapping heavily, and your perceived slowness may have another cause. Take a look at the output of the vmstat 10 command's swap columns for real time, or sar -W for historical information regarding the number of pages being swapped in and out. These numbers will give you a much more accurate picture of how much swapping is occurring on your system. Cheers Luke
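The distinction Luke draws (swap that is merely allocated versus pages actively moving) is easy to check mechanically. The script below is an added example, not from the thread: it reads the si/so columns of vmstat output and reports whether the box is really paging. The vmstat sample is constructed (in the column layout vmstat prints on EL5), and the 50 pages/s threshold is an assumption for illustration; on a live system you would pipe `vmstat 10 6` into it.

```shell
#!/bin/sh
# Added example (not from the list thread): summarise the si/so columns of
# `vmstat 10` to tell real paging activity from swap that is merely in use.
# VMSTAT_SAMPLE is a constructed sample in the EL5 vmstat column layout.
VMSTAT_SAMPLE='procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0 412000  30000  12000 900000    0    0     5     3  100  200  3  1 95  1  0
 0  1 412500  28000  12000 901000  120  300    10    50  300  600  5  2 80 13  0
 2  0 413000  25000  12000 902000  450  800    12    60  350  700  6  3 70 21  0'

# swap_rate: read vmstat output on stdin and print "SI SO", the average
# pages/s swapped in and out over the interval samples. The two header
# lines and the first data line are skipped: vmstat reports that first
# line as an average since boot, which says nothing about right now.
swap_rate() {
    awk 'NR > 3 { si += $7; so += $8; n++ }
         END { if (n == 0) { print "0 0"; exit }
               printf "%d %d\n", si / n, so / n }'
}

# swap_verdict SI SO: say whether sustained paging is happening.
# 50 pages/s is an assumed threshold for illustration, not a kernel constant.
swap_verdict() {
    si=$1; so=$2
    if [ "$si" -gt 50 ] || [ "$so" -gt 50 ]; then
        echo "paging: avg si=$si so=$so pages/s - swap is hurting, not just allocated"
    else
        echo "idle swap: avg si=$si so=$so pages/s - used swap is stale, look elsewhere"
    fi
}

# Run against the constructed sample. Live use:  vmstat 10 6 | swap_rate
set -- $(printf '%s\n' "$VMSTAT_SAMPLE" | swap_rate)
swap_verdict "$1" "$2"
```

A swpd column that stays large while si and so sit near zero is the "stale swap" case Luke describes: pages were pushed out once and nobody has asked for them since, so `swapoff -a` gains nothing but the reassurance of a smaller number.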
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
Bent Terp wrote: On Jan 30, 2008 5:25 PM, Johnny Hughes [EMAIL PROTECTED] wrote: In any event, I can not duplicate the problem with an nfs export on c4 or c5 and connecting with a c5 client, regardless of the kernel using i686. Good point, thanks Johnny! We've verified that here; the problem does not occur when mounting a Linux nfs-share, and does occur when mounting a Celerra nfs-share. I've opened a Service Request @ EMC, and will post here again when relevant. Thank you for helping us - with this issue in particular, and with making CentOS happen in general!

You're welcome. There seems to be something about the new kernel that causes many more client rpc calls and nfs v3 client lookups for some (but not all) operations. I have been able to reproduce (as have others) the issues that seem to cause the problem on i686 and x86_64 regardless of the backend server, however it seems to be more pronounced on x86_64 clients. Whether or not it has a major effect will depend on the volume of individual actions performed per time. The more actions per second, the bigger the impact (it seems). I did not see a major impact on performance on i686 (15 seconds on a 3.5 min operation), though I did see the issues in nfsstat ... however on x86_64 it did seem to cause more time issues. Also, I was doing one controlled operation, so if many of these were happening at the same time it might have a different impact. In any event, I have posted an upstream bug to address this issue: https://bugzilla.redhat.com/show_bug.cgi?id=431092 Hopefully we can get it resolved. Thanks, Johnny Hughes
Re: [CentOS] DVD support on CentOS 5.1
[EMAIL PROTECTED] wrote: Hello out there! Been around the block trying to get DVD support for Totem, but I keep running into dead ends everywhere I go. Looking for CentOS 5.1-compatible xine and xine-lib packages as that seems to be the answer, but the only ones I find (like on DAG) seem to be just dead links or I get a message that the mirrors are unavailable when I try to run the rpm. Can anyone provide a link for rpm's that will provide DVD support on CentOS 5.1 32bit? I installed the Gstream rpm's so at least I have mp3 and mpeg support, I just really want DVD support as well.

The package that you want to install from rpmforge is: gstreamer-ugly-plugins

It should make gstreamer (and totem on centos5) be able to play dvds. I am not sure if it works, as I use mplayer on my personal workstation :D Thanks, Johnny Hughes
Re: [CentOS] General questions about security
Les Bell wrote: Policy. It's a drag, writing policies, but without policies, you're in the Ready! Fire! Aim! school of security. The top tier of policy is the Enterprise Security Policy, which establishes the security function, roles, responsibilities, budget, etc. It also gives the power to enforce penalties for breaches of policies. At the next tier, you have system- and issue-specific policies, such as the Use of corporate email policy, the Inappropriate content in the workplace policy. You may then move down to standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user accounts, resetting passwords, etc.). snip

Thanks for your very detailed response. Though I can't help feeling a bit like having asked for an identity photo... and getting a 10-foot oil painting :oD

Basically, all I'm concerned about security-wise is a modest Apache/PHP/MySQL server running a single public library management software, and interconnecting eleven (small) public libraries, with a total of 60.000 database entries. No (very) big deal. The configuration is supposed to run on a dedicated server, so my question will be more practical:
- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough, or do I really have to fine-tune the thing?
- Basically, what auditing tools besides NMap can you recommend for such a thing?
cheers, Niki
Re: [CentOS] cannot rewrite shadow password file
Samuel Rochas wrote: Hi, My answers: df gives me 41% use of the disk. I can create and copy files on the disk. Both /etc/passwd and /etc/shadow look fine to me. Disk physical error? Might be, how do I check that?

What's the output of lsattr /etc/shadow? Cheers, Ralph
[CentOS] pgadmin and Centos 5?
I've been fighting to get the latest source of pgadmin compiled on Centos 5 64-bit. I obtained gnu-c++ (so it was happy with g++). It then complained about wxWidgets, so I obtained the source for that, compiled and installed, and ./configure for pgadmin saw wxWidgets and was happy with that. Go to make... It complains that some header file is missing. A google search reveals limited answers, but the same couple of searches reveal the wxwidgets modules need to be installed. What are these modules that are needed for pgadmin? I've found plenty of modules when performing a google search of wxwidgets, such as python, etc. Thanks for any help. Scott
Re: [CentOS] cannot rewrite shadow password file
Samuel Rochas wrote: Hi Ralph,

-r-------- 1 root root 1653 ene 30 12:03 /etc/shadow

What's the output of lsattr /etc/shadow?
^^ !! Ralph
Re: [CentOS] loopback network device
On Feb 1, 2008 1:05 PM, Jordi Prats [EMAIL PROTECTED] wrote: Hi all, Is it possible to create an alias of a device? Something like a device loN where all its traffic is sent to ethN, so ethN and loN are equivalent. It's for a bridged setup; I'm not trying to set up another IP on a device.

Some wireless modules create multiple names for the same device, like wifi0, wlan0 and eth0. So technically this must be possible. But I don't know any user space tool to do that. Maybe you are wrong in thinking that having multiple names for the same device will help you! What is your main problem?

Thanks! Jordi
--
Jordi Prats
C E / S / C A
Dept. de Sistemes
Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · [EMAIL PROTECTED]

--
Alain Spineux aspineux gmail com May the sources be with you
Re: [CentOS] cannot rewrite shadow password file
Hi Ralph,

-r-------- 1 root root 1653 ene 30 12:03 /etc/shadow

Samuel

Ralph Angenendt wrote: Samuel Rochas wrote: Hi, My answers: df gives me 41% use of the disk. I can create and copy files on the disk. Both /etc/passwd and /etc/shadow look fine to me. Disk physical error? Might be, how do I check that? What's the output of lsattr /etc/shadow? Cheers, Ralph
Re: [CentOS] pgadmin and Centos 5?
On Feb 1, 2008 1:19 PM, Scott Ehrlich [EMAIL PROTECTED] wrote: I've been fighting to get the latest source of pgadmin compiled on Centos 5 64-bit.

Did you look for a precompiled rpm? Search google for: pgadmin el5 rpm

Regards. PS: Say hello to Dag :-)

I obtained gnu-c++ (so it was happy with g++). It then complained about wxWidgets, so I obtained the source for that, compiled and installed, and ./configure for pgadmin saw wxWidgets and was happy with that. Go to make... It complains that some header file is missing. A google search reveals limited answers, but the same couple of searches reveal the wxwidgets modules need to be installed. What are these modules that are needed for pgadmin? I've found plenty of modules when performing a google search of wxwidgets, such as python, etc. Thanks for any help. Scott

--
Alain Spineux aspineux gmail com May the sources be with you
Re: [CentOS] cannot rewrite shadow password file
Hi, My answers: df gives me 41% use of the disk. I can create and copy files on the disk. Both /etc/passwd and /etc/shadow look fine to me. Disk physical error? Might be, how do I check that? Samuel

Marcelo Roccasalva wrote: On Feb 1, 2008 7:12 AM, Samuel Rochas [EMAIL PROTECTED] wrote: Hi, I run Centos 4. I can't add users using the adduser command, I get this error: adduser: cannot rewrite shadow password file I can't change the users' passwords with passwd, I get this error: passwd: Authentication token manipulation error What is wrong? root filesystem full or read only? disk physical errors?
[CentOS] CentOS 5 loses ip address (newbie question)
Reserved IP in the 192.168.x.x range for CentOS 5 (Samba Server) loses samba clients due to eth0 losing its IP.

eth0      Link encap:Ethernet  HWaddr 00:04:61:72:AB:98
          inet addr:169.254.66.122  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::204:61ff:fe72:ab98/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:60058 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11387965 (10.8 MiB)  TX bytes:45451041 (43.3 MiB)
          Interrupt:193

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2340 (2.2 KiB)  TX bytes:2340 (2.2 KiB)
Re: [CentOS] swapping on centos 5.1
You can also flush the swap with a swapoff -a, wait till it flushes, then swapon -a.

Johnny Hughes wrote: Jerry Geis wrote: Hi all, I used to use centos 4.5 on an AMD 4800+ with 2GIG ram. Now I use centos 5.1 on AMD 6400+ with 4GIG RAM. The system responsiveness is different between the two. I noticed that centos 5.1 seems to be swapping programs out of memory at times resulting in slowness (perceived by me). I played with the swappiness (/proc/sys/vm/) setting to 10, then 1, then 0. Still resulted in the same perceived slowness. Today I did swapoff -a and now the system obviously does not swap anything out at all. I thought that's what swappiness of 0 would have done. Are others experiencing this also? The perceived slowness makes the older system with less RAM and slower CPU seem faster. Any suggestions on other things to try? When you reset swappiness, how did you do it? The way that I have had the most luck with is editing /etc/sysctl.conf and adding: vm.swappiness=10 (or in your case, 0) and then: sysctl -p /etc/sysctl.conf You would need to then make the things already swapped out come back (will happen over time) .. but rebooting is easier and faster. That should work ... but will not prevent all swapping.

--
Registered Microsoft Partner
My Foundation verse: Isa 54:17
Re: [CentOS] General questions about security
Check to see if the town/county has any policies in place for computer systems and networks for public services and follow those guidelines. Otherwise look at surrounding public library systems to see if they have any you can adopt.

For a LAMP setup you're definitely going to want to use selinux to limit what each application can read and write to, and you should use audit too to set auditing on sensitive directories like /etc, /bin, /lib, /sbin, /usr/bin, /usr/lib, /usr/sbin. You will probably want to use smartmon to monitor drive health and something else to monitor resource usage (drive space, memory, cpu, mysql db space) with email/sms alerts.

-Ross

- Original Message -
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: CentOS mailing list centos@centos.org
Sent: Fri Feb 01 06:47:36 2008
Subject: Re: [CentOS] General questions about security

Les Bell wrote: Policy. It's a drag, writing policies, but without policies, you're in the Ready! Fire! Aim! school of security. The top tier of policy is the Enterprise Security Policy, which establishes the security function, roles, responsibilities, budget, etc. It also gives the power to enforce penalties for breaches of policies. At the next tier, you have system- and issue-specific policies, such as the Use of corporate email policy, the Inappropriate content in the workplace policy. You may then move down to standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user accounts, resetting passwords, etc.). snip

Thanks for your very detailed response. Though I can't help feeling a bit like having asked for an identity photo... and getting a 10-foot oil painting :oD Basically, all I'm concerned about security-wise is a modest Apache/PHP/MySQL server running a single public library management software, and interconnecting eleven (small) public libraries, with a total of 60.000 database entries. No (very) big deal.
The configuration is supposed to run on a dedicated server, so my question will be more practical:
- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough, or do I really have to fine-tune the thing?
- Basically, what auditing tools besides NMap can you recommend for such a thing?
cheers, Niki
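Ross's suggestion to put audit watches on the system directories is a few lines of audit.rules, but the details matter: a watch on a directory is recursive, `-p wa` (write and attribute change) is the right mode for catching trojaned binaries and permission changes without logging every execution, and the account database deserves its own key so alerts on it can be filtered. The script below is an added example, not from the thread or from any CentOS package; it writes the rules to a path you supply so it can be run unprivileged. The key names are an assumption; the rules file location on EL5 (/etc/audit/audit.rules) is mentioned for loading only.

```shell
#!/bin/sh
# Added example (not from the list thread): generate auditd watch rules for
# the directories Ross lists. Key names (*_change, identity) are assumptions.
AUDIT_WATCH_DIRS="/etc /bin /sbin /lib /usr/bin /usr/sbin /usr/lib"

# audit_rules: print an audit.rules file on stdout.
#   -w DIR -p wa -k KEY  watches DIR recursively for writes and attribute changes.
#   -p x on the binary directories would log every program execution (noisy);
#   the write/attribute watch catches replaced binaries and chmod/chown instead.
audit_rules() {
    echo "-D"                 # flush any rules already loaded
    echo "-b 8192"            # larger kernel backlog so bursts are not dropped
    for d in $AUDIT_WATCH_DIRS; do
        # key from the path: /usr/bin -> usr_bin_change
        key=$(printf '%s' "$d" | sed 's#^/##; s#/#_#g')
        echo "-w $d -p wa -k ${key}_change"
    done
    # the account database gets its own key so ausearch -k identity is useful
    echo "-w /etc/passwd -p wa -k identity"
    echo "-w /etc/shadow -p wa -k identity"
    echo "-w /etc/sudoers -p wa -k identity"
    # lock the configuration: no further rule changes until reboot, so an
    # intruder with root cannot quietly switch the watches off
    echo "-e 2"
}

# write_audit_rules FILE: write the rule set to FILE; print the watch count.
write_audit_rules() {
    audit_rules > "$1"
    grep -c '^-w ' "$1"
}

# usage: sh audit-rules.sh /tmp/audit.rules  (no argument: print to stdout)
# load for review with: auditctl -R /tmp/audit.rules
# or install as /etc/audit/audit.rules and: service auditd restart
if [ -n "$1" ]; then
    write_audit_rules "$1"
else
    audit_rules
fi
```

Two caveats before using something like this: `-e 2` really is one-way, so test the rule set with `auditctl -R` first and only add the lock once it is final; and a watch on /usr/lib and /etc will produce a burst of records during every `yum update`, which is normal and is exactly what you would want to see if the change had not been yours. Query the results with `ausearch -k identity` or `ausearch -k etc_change`.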
Re: [CentOS] cannot rewrite shadow password file
On Feb 1, 2008 7:12 AM, Samuel Rochas [EMAIL PROTECTED] wrote: Hi, I run Centos 4. I can't add users using the adduser command, I get this error: adduser: cannot rewrite shadow password file I can't change the users' passwords with passwd, I get this error: passwd: Authentication token manipulation error What is wrong?

root filesystem full or read only? disk physical errors?

--
Marcelo
Could it be that this modern life is turning out to have more "modern" than "life" in it? (Mafalda)
Re: [CentOS] General questions about security
On Feb 1, 2008 9:14 AM, Niki Kovacs [EMAIL PROTECTED] wrote: Hi, I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to set up a dedicated production server for our public libraries.

Usually a default linux setup already has good security rules enabled. The problems will come from you: what you will change, how you will reduce the security!

I wonder where to begin. I would say the first thing is to get a series of auditing tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?

nmap is the first step; nessus is overkill if you have to learn it to only protect one server.

The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good reasonable set of rules for a web server, for example?

You will certainly have dynamic content, use PHP, ... You must first worry about the security of your web application! Use the good settings in your php.ini, be careful about checking the validity of your user input ...

Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in Red Hat Enterprise Linux 5 Unleashed by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions on this subject.

You have 3 modes for SELinux: disabled, permissive, enforcing. Set it to permissive, and then try to solve the few errors. When your server is stable (no more changes) and you have no new errors, switch to enforcing.

Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD Any suggestions? Niki

--
Alain Spineux aspineux gmail com May the sources be with you
Re: [CentOS] General questions about security
Niki Kovacs [EMAIL PROTECTED] wrote: Thanks for your very detailed response.

Trust me when I say: that wasn't detailed. Nowhere near it.

- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough

You can go light on all that policy stuff, especially in a small business environment, but you need to give it at least superficial consideration. Until you do, you can't answer those questions, and we certainly can't. Would, say, a web site defacement cause your organization significant embarrassment? Would it cost you your job? Could borrowers' personal information be compromised? Are you storing information like SSN's? At what point does the benefit exceed the costs? The hassle is worth it for defense/government applications involving classified data, obviously. Probably not worth it for a web-surfing home desktop. You're somewhere - where? - in between. Only you can know, and it depends on business considerations. Remember: Ready! Fire! Aim!.

One easy out: the due diligence approach. Find out what other libraries are doing, and do the same or better. The Koha, OpenBiblio and other mailing lists could be a help here.

I'll let others clue you in on various web vulnerabilities - SQL injection, command injection, cross-site scripting, overflows, etc. - as well as tools like Nessus, Nikto, etc. for vuln scanning. However, your top priority here should be proactive patch management and intrusion detection techniques such as log file monitoring/analysis.

Best,
--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Re: [CentOS] General questions about security
On Feb 1, 2008 12:47 PM, Niki Kovacs [EMAIL PROTECTED] wrote: Les Bell wrote: Policy. It's a drag, writing policies, but without policies, you're in the Ready! Fire! Aim! school of security. The top tier of policy is the Enterprise Security Policy, which establishes the security function, roles, responsibilities, budget, etc. It also gives the power to enforce penalties for breaches of policies. At the next tier, you have system- and issue-specific policies, such as the Use of corporate email policy, the Inappropriate content in the workplace policy. You may then move down to standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user accounts, resetting passwords, etc.). snip Thanks for your very detailed response. Though I can't help feeling a bit like having asked for an identity photo... and getting a 10-foot oil painting :oD Basically, all I'm concerned about security-wise is a modest Apache/PHP/MySQL server running a single public library management software, and interconnecting eleven (small) public libraries, with a total of 60.000 database entries. No (very) big deal. The configuration is supposed to run on a dedicated server, so my question will be more practical:

- Is it worth the hassle to bother with SELinux?

Must be your last concern. Use permissive. If you have time, switch to enforcing at release time.

- Is the standard firewall configuration enough, or do I really have to fine-tune the thing?

The problem is not the tools, it is their usage, and their user here. Drugs can heal, but can kill too! Yes this is a good start, but try to understand what you are doing. But the best is to put a cheap router/firewall in front of your server and forward _only_ the required ports. Don't give your server a public IP.

- Basically, what auditing tools besides NMap can you recommend for such a thing?

nmap :-)

cheers, Niki

--
Alain Spineux aspineux gmail com May the sources be with you
[CentOS] pxeos tool in system-config-netboot missing in CentOS
Hello all, Since the pxeos utility is missing per Bug #0002304, http://bugs.centos.org/view.php?id=2304 which is required for me to setup a PXE server; which I'd like to in CentOS; Question: ... I am unable to find source for this; seems like the bug means that this was an oversight; perhaps the source is available somewhere and I can simply compile? If anyone is familiar where I can find this (a link/URL), a pointer would be greatly appreciated. -- best, Vince
Re: [CentOS] Help with authenticating against Active Directory.
On Jan 31, 2008 9:29 PM, Jeff Larsen [EMAIL PROTECTED] wrote:

Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid. On the CentOS side use nss_ldap. This is a true single sign-on configuration with no /etc/passwd monkey business. We use it for database application auth and limited shell access. It just works, failures are rare.

So is it possible to use nss_ldap with MS-AD if the Services for Unix are not installed? Or do you still have to resort to /etc/password monkey business? (I'm all for eliminating the monkey business, but I don't think my AD is going to get SFU.)

Mike
Re: [CentOS] CentOS 5 loses ip address (newbie question)
frankly3d-centos wrote:

Reserved ip in 192.168.x.x range for CentOS 5 (Samba Server) loses samba clients due to eth0 losing its ip.

Sounds like you're using DHCP. If you've reserved an IP then set it statically on the server, as the dhcp client doesn't appear to be able to renew the lease when it expires. You can check the logs on the server to see if you can see why it cannot renew the lease if you want as well.

nate
Re: [CentOS] cannot rewrite shadow password file
Samuel Rochas wrote:

Dear Ralph,

Sorry... - /etc/shadow

Okay, so that's not it, either.

Ralph
Re: [CentOS] cannot rewrite shadow password file
On Fri, 1 Feb 2008 16:52:21 +0100, Ralph Angenendt wrote:

Samuel Rochas wrote:

Dear Ralph,

Sorry... - /etc/shadow

Okay, so that's not it, either.

Ralph

What's the output of:

getenforce
ls -Z /etc/shadow

Might be an SELinux issue. If so, you can do a restorecon /etc/shadow

Regards,
Michel

--
Het.Grote.Net WebMail, powered by OpenWebMail
Re: [CentOS] Help with authenticating against Active Directory.
On Feb 1, 2008 9:38 AM, Michael Semcheski [EMAIL PROTECTED] wrote:

So is it possible to use nss_ldap with MS-AD if the Services for Unix are not installed? Or do you still have to resort to /etc/password monkey business? (I'm all for eliminating the monkey business, but I don't think my AD is going to get SFU.)

You can use nss_ldap with 2003R2 DC when the additional software component (built-in to R2, see my other post) is installed. You can not use nss_ldap with pre-R2 DC without SFU. SFU modifies the AD schema to create new fields for UNIX attributes, most important of which is a password field compatible with UNIX crypt. In the case of R2, your schema will be modified in a similar fashion.

WARNING: If you have multiple DCs, R2 and SFU are not compatible out of the box. They use different AD schema modifications. We had to track down hotfixes and DLLs to get our mixed environment working. It was not fun, but we eventually got it all squared away.

--
Jeff
Re: [CentOS] Help with authenticating against Active Directory.
On Feb 1, 2008 9:38 AM, [EMAIL PROTECTED] wrote:

On Thu, 31 Jan 2008 20:29:07 -0600 Jeff Larsen [EMAIL PROTECTED] wrote:

Don't use Samba. Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.

1. I have the same problem, but the admin does not want to install Microsoft Services For UNIX.

That's unfortunate. It's really quite non-invasive.

2. You mention 2003R2, does something need to be installed, deployed? I don't see the Unix attributes.

- Add/Remove Programs
- - Add/Remove Windows Components
- - - Active Directory Services
- - - - Identity Management for UNIX
Re: [CentOS] Help with authenticating against Active Directory.
On Thu, 31 Jan 2008 20:29:07 -0600 Jeff Larsen [EMAIL PROTECTED] wrote:

Don't use Samba. Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.

1. I have the same problem, but the admin does not want to install Microsoft Services For UNIX.

2. You mention 2003R2, does something need to be installed, deployed? I don't see the Unix attributes.

--
Thanks
http://www.911networks.com
When the network has to work
Re: [CentOS] pgadmin and Centos 5?
Scott Ehrlich wrote:

I've been fighting to get the latest source of pgadmin compiled on Centos 5 64-bit. I obtained gnu-c++ (so it was happy with g++). It then complained about wxWidgets, so I obtained the source for that, compiled and installed, and ./configure for pgadmin saw wxWidgets and was happy with that. Go to make... It complains that some header file is missing. A google search reveals limited answers, but the same couple of searches reveal the wxwidgets

Something I've wondered for a while, is there any site out there that allows you to search by filename to find what package a file belongs to for a particular distribution? One of the many things I've loved about Debian for years is their packages.debian.org site which among other things allows exactly that. It's so handy.

Unless yum or some other tool provides this information (I'm not aware of any tool that can provide this), I still refer to packages.debian.org when I'm trying to find what package I need for a particular file; despite it being Debian, at least I can get an idea what the source of the file is and can try to track down an equivalent for CentOS/RHEL/Fedora.

And to be clear, I'm not talking about the rpm -q -f file command, I'm talking about finding package names for files that are NOT installed on your system(s). I suppose I could do rpm -q -l -p package for each and every RPM, and maintain that list, but that'd also assume that I have every RPM, which I may not (base distro RPMs aside).

nate
Re: [CentOS] Help with authenticating against Active Directory.
On Feb 1, 2008 10:20 AM, [EMAIL PROTECTED] wrote:

On Fri, 1 Feb 2008 09:49:47 -0600 Jeff Larsen [EMAIL PROTECTED] wrote:

1. I have the same problem, but the admin does not want to install Microsoft Services For UNIX.

That's unfortunate. It's really quite non-invasive.

The admin does not want to do any change to deal with only 1 user [me].

2. You mention 2003R2, does something need to be installed, deployed? I don't see the Unix attributes.

- Add/Remove Programs
- - Add/Remove Windows Components
- - - Active Directory Services
- - - - Identity Management for UNIX

The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?

I'm not sure what problem you are trying to solve with that. Samba might be an option for you if your domain admin will let you join a linux machine to the domain. But I am not a Samba expert, so you'll have to seek advice from someone else. My advocating for nss_ldap is for the purpose of full-scale single sign-on.

--
Jeff
Re: [CentOS] cannot rewrite shadow password file
Dear Michel,

What's the output of:

getenforce

Enforcing

ls -Z /etc/shadow

-r root root system_u:object_r:shadow_t /etc/shadow

After running those commands, I can run passwd without errors (passwd: all authentication tokens updated successfully), but the password won't be changed.

Might be an SELinux issue. If so, you can do a restorecon /etc/shadow

Did it, still can't update the password.

Regards
Samuel
Re: [CentOS] cannot rewrite shadow password file
Hi,

Before I had this problem, I've changed the root password twice, and something went wrong, since I was not able to login as root anymore :(

I've started the box with the GRUB option init=/bin/bash, mounted the disk rw and executed the passwd command successfully. I've restarted and could log into the box as root. But then, trying to issue the passwd command again did not work.

I am not sure if and how those actions can be related to my problem?!?

Regards
Samuel
Re: [CentOS] Help with authenticating against Active Directory.
[EMAIL PROTECTED] wrote:

The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?

If you're the only one using this linux system, well, I guess I can see his POV. OTOH, if this Linux system is providing a business function, who's in charge of this administrator? Sounds to me like he needs a slapdown.
Re: [CentOS] Help with authenticating against Active Directory.
On Fri, 1 Feb 2008 09:49:47 -0600 Jeff Larsen [EMAIL PROTECTED] wrote:

1. I have the same problem, but the admin does not want to install Microsoft Services For UNIX.

That's unfortunate. It's really quite non-invasive.

The admin does not want to do any change to deal with only 1 user [me].

2. You mention 2003R2, does something need to be installed, deployed? I don't see the Unix attributes.

- Add/Remove Programs
- - Add/Remove Windows Components
- - - Active Directory Services
- - - - Identity Management for UNIX

The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?

--
Thanks
http://www.911networks.com
When the network has to work
Re: [CentOS] pgadmin and Centos 5?
On Fri, Feb 01, 2008 at 08:42:50AM -0800, nate enlightened us:

Scott Ehrlich wrote:

I've been fighting to get the latest source of pgadmin compiled on Centos 5 64-bit. I obtained gnu-c++ (so it was happy with g++). It then complained about wxWidgets, so I obtained the source for that, compiled and installed, and ./configure for pgadmin saw wxWidgets and was happy with that. Go to make... It complains that some header file is missing. A google search reveals limited answers, but the same couple of searches reveal the wxwidgets

Something I've wondered for a while, is there any site out there that allows you to search by filename to find what package a file belongs to for a particular distribution? One of the many things I've loved about Debian for years is their packages.debian.org site which among other things allows exactly that. It's so handy.

Unless yum or some other tool provides this information (I'm not aware of any tool that can provide this), I still refer to packages.debian.org when I'm trying to find what package I need for a particular file; despite it being Debian, at least I can get an idea what the source of the file is and can try to track down an equivalent for CentOS/RHEL/Fedora.

And to be clear, I'm not talking about the rpm -q -f file command, I'm talking about finding package names for files that are NOT installed on your system(s). I suppose I could do rpm -q -l -p package for each and every RPM, and maintain that list, but that'd also assume that I have every RPM, which I may not (base distro RPMs aside).

nate

Is 'yum provides foo' not good enough?

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
Re: [CentOS] Unknown rootkit causes compromised servers
Les Mikesell wrote:

Craig White wrote:

We will work also with the Red Hat Security team and see if we can isolate any issues that might be FIXABLE.

Doesn't this almost beg for upstream to make denyhosts a base install and automatically on, just as sshd is automatically on?

I've always wondered why a program like sshd didn't rate-limit connection attempts from day one. It's not exactly a new concept, especially for a security-oriented program.

I actually think RedHat has moved backwards in this area. I'm seeing dictionary attacks on ssh, vsftp, dovecot, samba, virtually every service which might be available out to the web. Gaining access in any of these areas is the first step to a compromised system. ssh and vsftp seem to be the most often attacked... I have had ssh set to deny all and allow only known IP addresses of known users who need the service... still not perfect by any means, as somewhere along the line someone is going to need access while their connection is dynamic... just hadn't hit that one yet.

I have to wonder about vsftp... Yes it's fast, but I wonder if some of this speed comes from not doing checks that really need to be done, like keeping up with multiple failed logins. Seems like wu and pro both had settings for this within their config files?

But, even if we take the UNIX ideal for doing things, the modular approach... I am very surprised that RHEL doesn't appear to have any system within the provided packages which can be set to deal with the various servers in some straightforward manner. Yes, there are programs out there. I'm running one of them. But why are we left with this one shortcoming by upstream? Sorry, this just seems to be really odd to me. Dealing with each external system is dealing with yet one more system to follow. Each time, there may be a new issue introduced with regards to a conflict on a server... the whole reason for following upstream as much as possible. Each one also introduces the need to follow another mailing list. It's just not very efficient nor as safe, when compared to yum or up2date updates.

As for changes to passwords. Sure, changing the root password is a great idea. But then, what about all the users? It's absurd to consider making all the users on a hosting server change their passwords once a month, once a year or even once every ten years. They can barely keep up with the one they have and many don't. Most don't know how to configure their email client. Entry into a system from any service opens up a lot of potentials.

I really don't get why there is not a system in place to deal with this just as we have selinux, suexec, etc.

John Hinton
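The rate-limiting John is asking for is, at bottom, counting failed logins per source inside a time window and blocking the sources that cross a threshold; that is what denyhosts does with /var/log/secure and /etc/hosts.deny. The script below is an added example written for this thread, not code from the list or from the denyhosts project. It parses the "Failed password" lines OpenSSH writes, applies a sliding window per source address and renders tcp_wrappers deny lines for the sources that hit the threshold. The log lines, host name and addresses are constructed for the demonstration (192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).

```python
"""Detect SSH password-guessing bursts in sshd log lines.

Added example for this thread, not code from the list or from the denyhosts
project: it shows the per-source counting that denyhosts/fail2ban style tools
do before blocking a source. The log lines below are constructed for the
demonstration; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation
ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" line OpenSSH writes to /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammers five accounts in eight seconds, one
# user mistypes once before logging in, one source fails twice two hours apart.
SAMPLE_LOG = """\
Feb  1 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb  1 10:00:03 web1 sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 40002 ssh2
Feb  1 10:00:04 web1 sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb  1 10:00:06 web1 sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Feb  1 10:00:08 web1 sshd[2005]: Failed password for root from 192.0.2.10 port 40005 ssh2
Feb  1 10:01:30 web1 sshd[2006]: Failed password for nate from 198.51.100.7 port 51000 ssh2
Feb  1 10:01:45 web1 sshd[2007]: Accepted password for nate from 198.51.100.7 port 51000 ssh2
Feb  1 11:30:00 web1 sshd[2008]: Failed password for root from 198.51.100.9 port 52000 ssh2
Feb  1 13:30:00 web1 sshd[2009]: Failed password for root from 198.51.100.9 port 52001 ssh2
"""


def parse_failures(text, year=2008):
    """Return [(timestamp, ip, user)] for every failed-password line in text.

    syslog timestamps carry no year, so the caller supplies it.
    """
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: failures_in_window} for sources that reach the threshold.

    Sliding window per source: keep only the timestamps within `window` of
    the newest failure, so spread-out failures (a forgetful user) are not
    counted together with a burst.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, ip, _user in parse_failures(text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            flagged[ip] = len(recent[ip])
    return flagged


def hosts_deny_lines(flagged, daemon="sshd"):
    """Render tcp_wrappers lines of the kind denyhosts appends to /etc/hosts.deny."""
    return [f"{daemon}: {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    for line in hosts_deny_lines(find_bruteforce_sources(SAMPLE_LOG)):
        print(line)
```

Run against the sample, only 192.0.2.10 is flagged: the two failures from 198.51.100.9 are two hours apart and fall out of the ten-minute window, and a single mistyped password is never enough on its own. Threshold and window are the two knobs any such tool exposes; too small a window misses slow guessing, too large a threshold lets a short dictionary run through.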
[CentOS] centos 4.6 and openssl
Hi,

I was compiling a new version of bind on my centos 4.6 server and I discovered that the openssl version (openssl-0.9.7a-43.17.el4_6.1) has several exploits associated with it. I was wondering aside from removing the RPM and compiling a new version of openssl how can I upgrade my current openssl-0.9.7a-43.17.el4_6.1 to a newer version that is affected by the exploits. I know I can yum update openssl as that is the last version for openssl for version 4.

What can I do upgrade openssl?
Is it possible to update the server from 4.6 to 5?, is this something that I want to do or is there a better way?

TIA, Paul
[CentOS] dhcp squid
Everyone,

I have set up squid as a proxy http server in order to filter web access for an office that wants to block certain web sites. Is there a way to use the dhcpd server to assign the squid server and port number 3128 to each Linux desktop when they boot using the existing dhcpd server. Or do I need to change each user's network preference setup in firefox. The dhcpd server and squid are on the same server.

I have looked at the man pages for dhcpd, dhcpd.conf, dhcp-options, dhclient, and dhclient.conf. I found an option:

option www-server ###.###.###.###

However there was no reference to stipulate a port number like 3128 that is used by squid. Other searching on the web has uncovered the use of:

option custom-proxy-server http://192.168.1.1/wpad.pac;

but I am uncertain as to how to configure the wpad.pac file.

Any answers or suggestions on reading material would be appreciated.

Thanks,
Greg Ennis
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
On Feb 1, 2008 10:54 AM, Johnny Hughes [EMAIL PROTECTED] wrote:

Bent Terp wrote:

Good point, thanks Johnny! We've verified that here; problem does not occur when mounting a Linux nfs-share, and does occur when mounting a Celerra nfs-share.

Turns out that nfsstat wasn't telling us the whole truth. We set up an rsync that only did the directory listing, and the .4 = .6 kernel upgrade (and I use the term loosely...) resulted in that rsync command taking 21 secs instead of 4.5 against a Linux nfs backend; and 20 secs instead of 10 against the celerra.

I've opened a Service Request @ EMC, and will post here again when relevant. Issue remains open, although I'm slightly embarrassed about it now, given that linux backends are also affected.

When we built a .6 kernel without the 5 nfs patches, nfsstat output reverted, but I don't know about the actual performance, yet. Probably we can rerun those tests monday.

BR Bent
Re: [CentOS] pgadmin and Centos 5?
Matt Hyclak wrote:

Is 'yum provides foo' not good enough?

Not really, no. Say you're building a package like the OP was, and you figure out you need the library libkabc_dir.so.1; now if you're really into the development side of things you may be able to take a stab at what that library may be included with, for me, I have no idea. Some things are obvious, the above is not. Searching for this file on packages.debian.org tells me it's in the package kdelibs4c2a. The name has a k in it, but to me it doesn't really give a solid indicator that it might be from kde, in this case it happens to be though.

nate
Re: [CentOS] dhcp squid
Gregory P. Ennis wrote:

Everyone,

I have set up squid as a proxy http server in order to filter web access for an office that wants to block certain web sites. Is there a way to use the dhcpd server to assign the squid server and port number 3128 to each Linux desktop when they boot using the existing dhcpd server. Or do I need to change each user's network preference setup in firefox. The dhcpd server and squid are on the same server.

Have you considered setting up squid as a transparent proxy so all HTTP requests go through it instead of configuring the clients to use the proxy? It'd be more secure anyways considering not everything has configuration to use a proxy.

nate
Re: [CentOS] pgadmin and Centos 5?
Matt Hyclak wrote:

On Fri, Feb 01, 2008 at 10:16:47AM -0800, nate enlightened us:

Matt Hyclak wrote:

Is 'yum provides foo' not good enough?

[EMAIL PROTECTED] ~]$ yum provides libkabc_dir.so.1
Loading priorities plugin
Searching Packages:
Setting up repositories
Reading repository metadata in from local files
kdelibs.i386 6:3.3.1-9.el4 base
Matched from:
libkabc_dir.so.1

ahh ok, thanks! I assumed that was only checking the RPM provides field. cool

nate
RE: [CentOS] centos 4.6 and openssl
Thanks Alex. I'm assuming that if another security exploit is found the openssl version number would change on the repo, correct? If not, how would yum know to update?

Thanks, Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex White
Sent: Friday, February 01, 2008 1:13 PM
To: CentOS mailing list
Subject: Re: [CentOS] centos 4.6 and openssl

On Fri, 1 Feb 2008 12:49:10 -0500 Paul A [EMAIL PROTECTED] took out a #2 pencil and scribbled:

Hi,

I was compiling a new version of bind on my centos 4.6 server and I discovered that the openssl version (openssl-0.9.7a-43.17.el4_6.1) has several exploits associated with it. I was wondering aside from removing the RPM and compiling a new version of openssl how can I upgrade my current openssl-0.9.7a-43.17.el4_6.1 to a newer version that is affected by the exploits. I know I can yum update openssl as that is the last version for openssl for version 4.

What can I do upgrade openssl?
Is it possible to update the server from 4.6 to 5?, is this something that I want to do or is there a better way?

TIA, Paul

Security fixes are backported, so the version number is not a good indicator of security vulnerabilities. You may wish to look at the change log associated with the rpm.

rpm -q --changelog openssl

HTH

--
[EMAIL PROTECTED]
Life is a prison, death is a release
Re: [CentOS] centos 4.6 and openssl
On Fri, 1 Feb 2008 13:40:32 -0500 Paul A [EMAIL PROTECTED] took out a #2 pencil and scribbled:

Thanks Alex. I'm assuming that if another security exploit is found the openssl version number would change on the repo, correct? If not, how would yum know to update?

Thanks, Paul

Typically if such a thing is to happen you'll see a release bump, similar to 0.9.8b-8.3.2 to 0.9.8b-8.3.3

HTH

--
[EMAIL PROTECTED]
Life is a prison, death is a release
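Alex's two points, that fixes are backported under the same upstream version and that what moves is the release tag, mean the useful check is "does the changelog of the release I have name the advisory?" rather than "is my version number new enough?". The script below is an added example written for this thread, not code from the list or from the rpm project. It parses text in the format `rpm -q --changelog` prints, collects the CVE identifiers named under each version-release, and compares version-release strings with a simplified rpmvercmp so that a release bump such as 8.3.2 to 8.3.3 sorts correctly. The changelog text, packager name and the CVE-0000-* identifiers are constructed placeholders, not real advisories; epochs and tilde ordering are not handled.

```python
"""Read backported security fixes out of an RPM changelog.

Added example for this thread, not code from the list or from the rpm
project: on RHEL/CentOS the upstream version string stays put and fixes
arrive as release bumps plus changelog entries, so the question to ask is
whether the installed release's changelog names the fix. The changelog text
below is constructed in the format printed by `rpm -q --changelog`; the
CVE-0000-* identifiers are placeholders, not real advisories.
"""
import re

# "* Thu Jan 17 2008 Name <mail> [- ]version-release"
CHANGELOG_HEADER = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<who>.*?)(?: - | )(?P<evr>\S+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

SAMPLE_CHANGELOG = """\
* Thu Jan 17 2008 Example Packager <packager@example.invalid> 0.9.7a-43.17.el4_6.1
- fix CVE-0000-0002 (placeholder) - buffer overflow in an example routine

* Mon Oct 01 2007 Example Packager <packager@example.invalid> - 0.9.7a-43.17
- fix CVE-0000-0001 (placeholder) - denial of service in an example parser
- refresh patch set

* Fri Mar 02 2007 Example Packager <packager@example.invalid> 0.9.7a-43.16
- rebuild
"""


def parse_changelog(text):
    """Return entries [{'evr', 'date', 'who', 'lines', 'cves'}], newest first."""
    entries = []
    for line in text.splitlines():
        m = CHANGELOG_HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "lines": [], "cves": []})
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
            entries[-1]["cves"].extend(CVE_RE.findall(line))
    return entries


def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segments(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, alphabetic
    ones as strings, and a numeric segment sorts after an alphabetic one."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(a, b):
    """Compare two version-release strings (no epoch); returns -1, 0 or 1."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)


def fix_release_for(text, cve):
    """Return the oldest version-release whose entry names the CVE, or None."""
    fixes = [e["evr"] for e in parse_changelog(text) if cve in e["cves"]]
    return fixes[-1] if fixes else None


def is_fixed(installed_evr, text, cve):
    """True if the installed version-release is at or past the one that names the CVE."""
    fix = fix_release_for(text, cve)
    return fix is not None and compare_evr(installed_evr, fix) >= 0


if __name__ == "__main__":
    installed = "0.9.7a-43.17.el4_6.1"   # constructed, matches the sample
    for entry in parse_changelog(SAMPLE_CHANGELOG):
        print(entry["evr"], entry["cves"])
    print("CVE-0000-0001 fixed in installed release:",
          is_fixed(installed, SAMPLE_CHANGELOG, "CVE-0000-0001"))
```

On a real box the input is the output of `rpm -q --changelog openssl` and the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl`; the CVE you are asking about comes from the advisory, never from the version string. The same comparison also answers Paul's question about yum: 0.9.8b-8.3.3 sorts after 0.9.8b-8.3.2 on the release part alone, which is all yum needs to see an update.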
Re: [CentOS] dhcp squid
On Fri, 2008-02-01 at 10:21 -0800, nate wrote:

Gregory P. Ennis wrote:

Everyone,

I have set up squid as a proxy http server in order to filter web access for an office that wants to block certain web sites. Is there a way to use the dhcpd server to assign the squid server and port number 3128 to each Linux desktop when they boot using the existing dhcpd server. Or do I need to change each user's network preference setup in firefox. The dhcpd server and squid are on the same server.

Have you considered setting up squid as a transparent proxy so all HTTP requests go through it instead of configuring the clients to use the proxy? It'd be more secure anyways considering not everything has configuration to use a proxy.

nate

Nate,

Thanks for the suggestion... that was a much easier approach. There were some previous posts in November of last year that had some good references. I have everything working as I had hoped.

I would still be interested to know if the dhcp servers could be used for this kind of thing.

Greg
Re: [CentOS] General questions about security
Ross S. W. Walker wrote:

Check to see if the town/county has any policies in place for computer systems and networks for public services and follow those guidelines. Otherwise look at surrounding public library systems to see if they have any you can adopt.

The surrounding places here (town halls, police stations) mostly run Windows (98, Me, 2000, XP). So I'd better follow my nose than their security standards :oD

Cheers,
Niki
[CentOS] NTP server
I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. Other C5 workstations can successfully sync to it via ntpdate.

What else could cause the XP machine to not be able to time sync with the C5 server?

Thanks.

Scott
[CentOS] Re: dhcp squid
on 2/1/2008 11:17 AM Gregory P. Ennis spake the following:

On Fri, 2008-02-01 at 10:21 -0800, nate wrote:

Gregory P. Ennis wrote:

Everyone,

I have set up squid as a proxy http server in order to filter web access for an office that wants to block certain web sites. Is there a way to use the dhcpd server to assign the squid server and port number 3128 to each Linux desktop when they boot using the existing dhcpd server. Or do I need to change each user's network preference setup in firefox. The dhcpd server and squid are on the same server.

Have you considered setting up squid as a transparent proxy so all HTTP requests go through it instead of configuring the clients to use the proxy? It'd be more secure anyways considering not everything has configuration to use a proxy.

nate

Nate,

Thanks for the suggestion... that was a much easier approach. There were some previous posts in November of last year that had some good references. I have everything working as I had hoped.

I would still be interested to know if the dhcp servers could be used for this kind of thing.

Greg

I know that windows machines won't pick up any option like this from DHCP. You have to use the proxy.pac which I could never get working quite right from anything but a microsoft proxy server. A transparent filter works better anyway, as your users will have a harder time bypassing it.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
RE: [CentOS] NTP server
-----Original Message-----
From: Scott Ehrlich [mailto:[EMAIL PROTECTED]
Sent: Friday, February 01, 2008 11:37 AM
To: centos@centos.org
Subject: [CentOS] NTP server

I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. Other C5 workstations can successfully sync to it via ntpdate.

What else could cause the XP machine to not be able to time sync with the C5 server?

~~

Try this; create a DNS entry called ntp.yourinternaldomain.com, then plug that name into XP's internet time. I had a similar problem and changing the IP address to FQDN fixed it. Perhaps it will work for you.

Good luck,

~James
Re: [CentOS] cannot rewrite shadow password file
On Fri, 2008-02-01 at 17:29 +0100, Samuel Rochas wrote:

Dear Michel,

What's the output of:

getenforce

Enforcing

ls -Z /etc/shadow

-r root root system_u:object_r:shadow_t /etc/shadow

After running those commands, I can run passwd without errors (passwd: all authentication tokens updated successfully), but the password won't be changed.

Might be an SELinux issue. If so, you can do a restorecon /etc/shadow

Did it, still can't update the password.

To completely rule out SELinux.. Do setenforce 0, try to change password.

Please make sure that ALL fields are accounted for in the shadow file and there are no line breaks!

As a final solution you can try to remove the password of root completely (in runlevel 1), reboot, login as root and change the password again.

Regards,
Michel van Deventer

Regards
Samuel
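Michel's second suggestion, checking that every record in /etc/shadow has all of its fields and that no stray line breaks have crept in, is easy to do mechanically: each record is nine colon-separated fields (name, hash, last change, min, max, warn, inactive, expire, reserved), the six day-count fields are empty or numeric, and the reserved field is empty. The checker below is an added example written for this thread, not code from the list or from shadow-utils. It reports the line number and nature of each structural defect, and also flags an empty password field, which is a security problem rather than a format one. The sample file is constructed with three deliberate defects, and the hashes in it are placeholders, not real credentials.

```python
"""Structural check of an /etc/shadow file.

Added example for this thread, not code from the list or from shadow-utils:
passwd rewrites the whole file, so a record with the wrong field count or a
stray blank line is worth finding before chasing SELinux. The sample below is
constructed; the password hashes are placeholders, not real credentials.
"""
import re

SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved
DAY_FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Constructed sample with three deliberate defects: a blank line (line 4), a
# record with only eight fields (line 5) and an account with an empty
# password field (line 7).
SAMPLE_SHADOW = """\
root:$1$placeholder$notarealhash000000000:13910:0:99999:7:::
bin:*:13910:0:99999:7:::
daemon:*:13910:0:99999:7:::

samuel:$1$placeholder$notarealhash111111111:13910:0:99999:7::
apache:!!:13910:0:99999:7:::
guest::13910:0:99999:7:::
"""


def check_shadow(text):
    """Return [(line_no, problem)] in file order; an empty list means the file is well-formed."""
    problems = []
    names = set()
    for no, line in enumerate(text.splitlines(), start=1):
        if line == "":
            problems.append((no, "empty line"))
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            problems.append((no, f"expected {SHADOW_FIELDS} fields, found {len(fields)}"))
            continue
        name, pw, *days, reserved = fields
        if not NAME_RE.match(name):
            problems.append((no, f"invalid user name {name!r}"))
        if name in names:
            problems.append((no, f"duplicate entry for {name!r}"))
        names.add(name)
        if pw == "":
            # An empty hash field means no password is required for the account.
            problems.append((no, f"empty password field for {name!r} (no password required)"))
        for label, value in zip(DAY_FIELDS, days):
            if value != "" and not value.isdigit():
                problems.append((no, f"field {label} is not a number: {value!r}"))
        if reserved != "":
            problems.append((no, f"reserved field is not empty: {reserved!r}"))
    return problems


def has_root_entry(text):
    """True if a well-formed root record is present (passwd needs one to update root)."""
    return any(line.split(":")[0] == "root" and line.count(":") == SHADOW_FIELDS - 1
               for line in text.splitlines())


if __name__ == "__main__":
    import sys
    # With a path argument the real file is checked (needs root); otherwise the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for no, msg in check_shadow(data) or [(0, "no structural problems found")]:
        print(f"line {no}: {msg}")
```

Run as root with `/etc/shadow` as the argument it prints one line per defect; on a healthy file it prints nothing but the "no structural problems" line, which is the point at which the SELinux and runlevel-1 steps in Michel's reply become the next thing to try.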
RE: [CentOS] NTP server
On Fri, 2008-02-01 at 11:43 -0800, James D. Parra wrote:

-----Original Message-----
From: Scott Ehrlich [mailto:[EMAIL PROTECTED]
Sent: Friday, February 01, 2008 11:37 AM
To: centos@centos.org
Subject: [CentOS] NTP server

I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. Other C5 workstations can successfully sync to it via ntpdate.

What else could cause the XP machine to not be able to time sync with the C5 server?

~~

Try this; create a DNS entry called ntp.yourinternaldomain.com, then plug that name into XP's internet time. I had a similar problem and changing the IP address to FQDN fixed it. Perhaps it will work for you.

Good luck,

~James

Try running these from the command line:

net time /setsntp:10.0.0.87 (your NTP ip here)
net time /querysntp
net stop w32time
net start w32time

-Jason
Re: [CentOS] General questions about security
CI Security has some good hardening guidelines for Linux based servers. Any public facing server should be hardened before deploying it online.

www.cisecurity.org

Paul

-------------- Original message --------------
From: Niki Kovacs [EMAIL PROTECTED]

Hi,

I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to setup a dedicated production server for our public libraries. I wonder where to begin.

I would say first thing is get a series of auditing tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?

The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good reasonable set of rules for a web server, for example?

Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in Red Hat Enterprise Linux 5 Unleashed by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions about this subject.

Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD

Any suggestions?

Niki
Re: [CentOS] pgadmin and Centos 5?
On Fri, 2008-02-01 at 08:42 -0800, nate wrote:

Scott Ehrlich wrote:

I've been fighting to get the latest source of pgadmin compiled on Centos 5 64-bit. I obtained gnu-c++ (so it was happy with g++). It then complained about wxWidgets, so I obtained the source for that, compiled and installed, and ./configure for pgadmin saw wxWidgets and was happy with that. Go to make... It complains that some header file is missing. A google search reveals limited answers, but the same couple of searches reveal the wxwidgets

Something I've wondered for a while, is there any site out there that allows you to search by filename to find what package a file belongs to for a particular distribution? One of the many things I've loved about Debian for years is their packages.debian.org site which among other things allows exactly that. It's so handy.

Unless yum or some other tool provides this information (I'm not aware of any tool that can provide this), I still refer to packages.debian.org when I'm trying to find what package I need for a particular file; despite it being Debian, at least I can get an idea what the source of the file is and can try to track down an equivalent for CentOS/RHEL/Fedora.

And to be clear, I'm not talking about the rpm -q -f file command, I'm talking about finding package names for files that are NOT installed on your system(s). I suppose I could do rpm -q -l -p package for each and every RPM, and maintain that list, but that'd also assume that I have every RPM, which I may not (base distro RPMs aside).

nate

http://rpmfind.net/

HTH,
Calin

=
In theory, there is no difference between theory and practice. In practice, there is.
[CentOS] Megraid SAS virtual disc question
Hi, Is there something OS related (CentOS 5.1) I would need to do for a CLI created array to become visible to the OS after the array is created and initialized? I don't want to reboot... Thanks! jlc
[CentOS] Re: NTP server
on 2/1/2008 12:03 PM Dennis McLeod spake the following: XP command line: net time \\servername returns what? Perhaps the response will give a clue. To set it: net time \\servername /set /yes Net time is only used to set time from a domain controller, not an ntp server. They use two completely different protocols. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] CentOS 5 loses ip address (newbie question)
On Feb 1, 2008 6:08 AM, frankly3d-centos [EMAIL PROTECTED] wrote: Reserved ip in 192.168.x.x range for CentOS 5 (Samba Server) loses samba clients due to eth0 losing its ip.
eth0      Link encap:Ethernet  HWaddr 00:04:61:72:AB:98
          inet addr:169.254.66.122  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::204:61ff:fe72:ab98/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:60058 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11387965 (10.8 MiB)  TX bytes:45451041 (43.3 MiB)
          Interrupt:193
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2340 (2.2 KiB)  TX bytes:2340 (2.2 KiB)
What is your system setup? Is it a LAN on the inside of a router? Do the systems exist inside and outside the router? Need more information for this to be useful. mhr
RE: [CentOS] NTP server
XP command line: net time \\servername returns what? Perhaps the response will give a clue. To set it: net time \\servername /set /yes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Ehrlich Sent: Friday, February 01, 2008 11:37 AM To: centos@centos.org Subject: [CentOS] NTP server I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. Other C5 workstations can successfully sync to it via ntpdate. What else could cause the XP machine to not be able to time sync with the C5 server? Thanks. Scott
Re: [CentOS] pgadmin and Centos 5?
kalinix wrote: http://rpmfind.net/ yep, you're right too. I've used rpmfind off and on over the past few years (never directly, usually via google searches). For some reason it never occurred to me to query it directly, duh. I guess I was expecting more of a site being managed by the distribution itself. thanks nate
Re: [CentOS] DVD support on CentOS 5.1
On Feb 1, 2008 2:17 AM, Ross Cavanagh [EMAIL PROTECTED] wrote: The package that you want to install from rpmforge is: gstreamer-ugly-plugins It should make gstreamer (and totem on centos5) be able to play dvds. I am not sure if it works, as I use mplayer on my personal workstation :D Thanks, Johnny Hughes Also, you may require libdvd, this is available from the rpmforge repo. -Ross- Actually, you need several libdvd libraries - libdvdplay, libdvdcss, libdvdnav, libdvdread and maybe something else (I still can't get Totem to play my DVDs - I use mplayer, too, and xine when it works ~40% of the time). mhr
Re: [CentOS] NTP server
Scott Ehrlich wrote: I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. The following would stop this: 1) DNS with a fully qualified name. 2) CentOS-5 server does not have port 123 open on its firewall; iptables -nxvL | grep 123 should give you an answer to that. 3) CentOS-5 server is not serving NTP to your network; netstat -nalp | grep :123 should have something other than udp 0 0 127.0.0.1:123 0.0.0.0:* This is configured in the /etc/ntp.conf file. -- -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice [EMAIL PROTECTED]
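The two server-side checks in this reply, written up as a small script. This is an added example and not from the post: it encodes the same logic as functions over `netstat -nalp` and `iptables -nxvL` output, runs it here on constructed samples embedded below (the addresses, counters and the ntpd pid are made up), and only runs the real commands when invoked with `--live` as root.

```shell
#!/bin/sh
# Added example, not from the list post: the two server-side NTP checks
# from the reply as functions over command output, exercised on
# constructed samples so it runs without root or a live ntpd.

# Constructed `netstat -nalp | grep :123` output. First sample: ntpd bound
# to loopback only (the broken case). Second: also bound on the LAN address.
NETSTAT_LOOPBACK_ONLY='udp        0      0 127.0.0.1:123           0.0.0.0:*                           2314/ntpd'
NETSTAT_LAN='udp        0      0 192.168.1.10:123        0.0.0.0:*                           2314/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2314/ntpd'

# Constructed `iptables -nxvL` output. First sample: the stock CentOS 5
# chain with no NTP rule (note the REJECT counters happen to contain 123,
# which a bare `grep 123` would report as a hit). Second: an ACCEPT for
# udp/123 ahead of the final REJECT.
FW_CLOSED='Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     123     9840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'
FW_OPEN='Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      52     3952 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
     123     9840 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# ntp_serving_lan: stdin = netstat -nalp lines. Succeeds if some UDP socket
# on port 123 is bound to something other than 127.0.0.1 (0.0.0.0 or ::
# means every address and counts as serving).
ntp_serving_lan() {
    awk '$1 ~ /^udp/ && $4 ~ /:123$/ && $4 !~ /^127\./ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# fw_allows_ntp: stdin = iptables -nxvL lines. Succeeds only on an ACCEPT
# rule for protocol udp whose match includes "udp dpt:123"; counters and
# unrelated rules that merely contain the digits 123 are ignored.
fw_allows_ntp() {
    awk '$3 == "ACCEPT" && $4 == "udp" && /udp dpt:123( |$)/ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# report LABEL CHECK: run CHECK on stdin and print a one-line verdict.
report() {
    label=$1; shift
    if "$@"; then echo "$label: ok"; else echo "$label: FAIL"; fi
}

if [ "${1:-}" = "--live" ]; then
    # The real checks from the reply (root needed for -p and for iptables).
    netstat -nalp | report "ntpd bound beyond loopback" ntp_serving_lan
    iptables -nxvL | report "firewall accepts udp/123" fw_allows_ntp
else
    printf '%s\n' "$NETSTAT_LOOPBACK_ONLY" | report "sample: loopback only" ntp_serving_lan
    printf '%s\n' "$NETSTAT_LAN"           | report "sample: LAN bound" ntp_serving_lan
    printf '%s\n' "$FW_CLOSED"             | report "sample: no NTP rule" fw_allows_ntp
    printf '%s\n' "$FW_OPEN"               | report "sample: udp/123 accepted" fw_allows_ntp
fi
```

Two caveats. The socket check only proves ntpd has a LAN-facing socket; whether it answers is decided by the `restrict` lines in /etc/ntp.conf. The stock CentOS 5 `restrict default kod nomodify notrap nopeer noquery` still serves time (noquery only blocks ntpq/ntpdc), but a `restrict default ignore` with no matching `restrict 192.168.x.0 mask 255.255.255.0` line drops client requests silently. And the firewall check looks at the INPUT path only; if the box forwards for the LAN, check the FORWARD chain the same way.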
[CentOS] dmcrypt on install with centos 5.1?
I'm new to the list and CentOS and wonder if there is any option to do full disk encryption with dmcrypt and LUKS during the install stage of CentOS 5.1? I use Debian Etch at the moment and Debian is able to do this. If not possible, are there any good guides that anyone knows about that explain how to dmcrypt everything but /boot on CentOS manually? --andrew -- GnuPG Key ID: ECB18ABA Fingerprint: FDF3 91FC F5BC 1164 E217 315E 337E 219B ECB1 8ABA
Re: [CentOS] Re: NTP server
On Fri, 2008-02-01 at 13:29 -0800, John R Pierce wrote: Scott Silva wrote: on 2/1/2008 12:03 PM Dennis McLeod spake the following: XP command line: net time \\servername returns what? Perhaps the response will give a clue. To set it: net time \\servername /set /yes Net time is only used to set time from a domain controller, not an ntp server. They use two completely different protocols. however, NET TIME /SETSNTP:ip-of-ntp-server WILL set the windows 'internet time' server IP. NET TIME /QUERYSNTP will show the current 'internet time' server(s). note that the default Windows NTP client is really braindead, it just 'sets' the system clock once a day, its not a proper NTP implementation. for most users, this is fine, but realize oddities can happen like the clock being set back a few seconds such that a given time happens twice. Very true. You can modify the time interval by editing your registry. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient] "SpecialPollInterval"=dword:00001c20 This will set it to update every two hours. The dword can be modified to set it for 1 hour or whatever. -jason
[CentOS] Re: NTP server
on 2/1/2008 1:29 PM John R Pierce spake the following: Scott Silva wrote: on 2/1/2008 12:03 PM Dennis McLeod spake the following: XP command line: net time \\servername returns what? Perhaps the response will give a clue. To set it: net time \\servername /set /yes Net time is only used to set time from a domain controller, not an ntp server. They use two completely different protocols. however, NET TIME /SETSNTP:ip-of-ntp-server WILL set the windows 'internet time' server IP. NET TIME /QUERYSNTP will show the current 'internet time' server(s). note that the default Windows NTP client is really braindead, it just 'sets' the system clock once a day, its not a proper NTP implementation. for most users, this is fine, but realize oddities can happen like the clock being set back a few seconds such that a given time happens twice. I stand partially corrected, as the originally posted command line of net time \\servername /set /yes would not query a ntp server. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] Megraid SAS virtual disc question
nate wrote: Joseph L. Casale wrote: Hi, Is there something OS related (CentOS 5.1) I would need to do for a CLI created array to become visible to the OS after the array is created and initialized? I don't want to reboot... If you're not currently using the array, you may be able to unload the module and reload it. If the devices from that array show up as SCSI devices you may be able to interface with the /proc/scsi/scsi interface to add the new volume: cat /proc/scsi/scsi and use echo "scsi add-single-device X X X X" > /proc/scsi/scsi if I'm not mistaken, that's deprecated in kernel 2.6, the proc interface is no longer supposed to be used for that sort of thing, there's a new /sys mechanism. IIRC that worked in RHEL3, but not in RHEL4, at least not with various system provided FC drivers I tried it with.
Re: [CentOS] Re: NTP server
Scott Silva wrote: on 2/1/2008 12:03 PM Dennis McLeod spake the following: XP command line: net time \\servername returns what? Perhaps the response will give a clue. To set it: net time \\servername /set /yes Net time is only used to set time from a domain controller, not an ntp server. They use two completely different protocols. however, NET TIME /SETSNTP:ip-of-ntp-server WILL set the windows 'internet time' server IP. NET TIME /QUERYSNTP will show the current 'internet time' server(s). note that the default Windows NTP client is really braindead, it just 'sets' the system clock once a day, its not a proper NTP implementation. for most users, this is fine, but realize oddities can happen like the clock being set back a few seconds such that a given time happens twice.
Re: [CentOS] Megraid SAS virtual disc question
Joseph L. Casale wrote: Hi, Is there something OS related (CentOS 5.1) I would need to do for a CLI created array to become visible to the OS after the array is created and initialized? I don't want to reboot... If you're not currently using the array, you may be able to unload the module and reload it. If the devices from that array show up as SCSI devices you may be able to interface with the /proc/scsi/scsi interface to add the new volume: cat /proc/scsi/scsi and use echo "scsi add-single-device X X X X" > /proc/scsi/scsi e.g. /proc/scsi/scsi on one of my systems:
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 24
  Vendor: 3PARdata Model: VV               Rev:
  Type:   Direct-Access                    ANSI SCSI revision: 05
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: 3PARdata Model: VV               Rev:
  Type:   Unknown                          ANSI SCSI revision: 05
Host: scsi1 Channel: 00 Id: 00 Lun: 24
  Vendor: 3PARdata Model: VV               Rev:
  Type:   Direct-Access                    ANSI SCSI revision: 05
Host: scsi0 Channel: 00 Id: 00 Lun: 25
  Vendor: 3PARdata Model: VV               Rev:
  Type:   Direct-Access                    ANSI SCSI revision: 05
Host: scsi1 Channel: 00 Id: 00 Lun: 25
  Vendor: 3PARdata Model: VV               Rev:
  Type:   Direct-Access                    ANSI SCSI revision: 05
Assuming I only had 1 controller, scsi0, and I created a new volume to export to the system, it's likely that volume would have a different LUN. I would do: echo "scsi add-single-device 0 0 0 1" > /proc/scsi/scsi assuming the array used LUN 1 to export to the system. Then if you cat /proc/scsi/scsi again the device will show up and will be accessible. If nothing shows up then that device doesn't exist. Not knowing how megaraid exports a virtual disk I'm not sure what LUN it might assign, or maybe it presents it as a new ID number instead of a new LUN. nate
RE: [CentOS] Megraid SAS virtual disc question
Joseph L. Casale wrote: Host: scsi2 Channel: 02 Id: 00 Lun: 00 Vendor: LSI Model: MegaRAID ELP Rev: 1.12 Type: Direct-Access ANSI SCSI revision: 05 So I can see echo "scsi add-single-device 2 2 0 0" > /proc/scsi/scsi would have been what I needed, correct? I would try these combinations: 2 2 0 1 2 2 1 0 2 2 1 1 In the future once I start using this system I won't be able to reboot it, so I will get a handle on how this controller adds virtual discs. Shame there isn't a way to simply rescan the bus without knowing what you are expecting:) There was, and might still be, I recall a command in RHEL 3 I think it was but I don't see it in newer versions. Looking at one of my Debian Sarge systems running on a 2.4 kernel there is a scsiadd -s command to scan for new devices but I don't see a scsiadd command on my newer systems. nate
Re: [CentOS] Megraid SAS virtual disc question
John R Pierce wrote: if I'm not mistaken, that's deprecated in kernel 2.6, the proc interface is no longer supposed to be used for that sort of thing, there's a new /sys mechanism. IIRC that worked in RHEL3, but not in RHEL4, at least not with various system provided FC drivers I tried it with. Good to know, I use that interface all the time in RHEL4/5 CentOS 4/5, haven't heard of the new interface yet. thanks nate
RE: [CentOS] Megraid SAS virtual disc question
Not knowing how megaraid exports a virtual disk I'm not sure what LUN it might assign, or maybe it presents it as a new ID number instead of a new LUN. nate Thanks for all that info! In this situation, I could unload and reload the driver but in future I won't be able to. Looking at that file gives me the following:
[EMAIL PROTECTED] ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: ATA      Model: ST3160812AS      Rev: 3.AA
  Type:   Direct-Access                    ANSI SCSI revision: 05
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: ATA      Model: ST3160812AS      Rev: 3.AA
  Type:   Direct-Access                    ANSI SCSI revision: 05
Host: scsi2 Channel: 02 Id: 00 Lun: 00
  Vendor: LSI      Model: MegaRAID ELP     Rev: 1.12
  Type:   Direct-Access                    ANSI SCSI revision: 05
So I can see echo "scsi add-single-device 2 2 0 0" > /proc/scsi/scsi would have been what I needed, correct? In the future once I start using this system I won't be able to reboot it, so I will get a handle on how this controller adds virtual discs. Shame there isn't a way to simply rescan the bus without knowing what you are expecting:) Thanks! jlc
Re: [CentOS] Megraid SAS virtual disc question
ah for 2.6 systems (rhel5, etc)...
# echo "- - -" > /sys/class/scsi_host/hostH/scan
scans for all devices on channel hostH
# echo "1" > /sys/class/scsi_host/hostH/device/H:B:T:L/delete
deletes device H:B:T:L from channel hostH
# echo "B T L" > /sys/class/scsi_host/hostH/scan
adds device B T L to hostH
... this is for scsi or fiberchannel, AFAIK. some more stuff about this here - http://www.linuxjournal.com/article/7321
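The sysfs rescan from this reply as a script that walks every SCSI host instead of guessing the H:B:T:L of the new MegaRAID virtual disk. This is an added example, not code from the post. The optional base-directory arguments are an assumption of this script so the functions can be exercised on a scratch directory; on a real box leave them off and run it as root with `--live`.

```shell
#!/bin/sh
# Added example, not from the list post: rescan every SCSI host through the
# 2.6 sysfs interface described above, then list the device table so the
# new virtual disk can be spotted without knowing its H:B:T:L in advance.
# The optional base arguments are hypothetical, for testing on a scratch
# directory; the defaults are the real sysfs paths.

# rescan_scsi_hosts [base]: write the wildcard triple "- - -" (every
# channel, target and LUN) to base/host*/scan. Prints each host scanned and
# fails if no writable scan file was found (not root, or no SCSI hosts).
rescan_scsi_hosts() {
    base=${1:-/sys/class/scsi_host}
    n=0
    for scan in "$base"/host*/scan; do
        [ -w "$scan" ] || continue
        echo "- - -" > "$scan"
        echo "rescanned $(basename "$(dirname "$scan")")"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# list_scsi_devices [base]: one line per device, "H:C:T:L vendor model",
# read from base/H:C:T:L/{vendor,model}. This is the sysfs counterpart of
# `cat /proc/scsi/scsi`; host* and target* entries are skipped by the glob.
list_scsi_devices() {
    base=${1:-/sys/bus/scsi/devices}
    for dev in "$base"/[0-9]*:[0-9]*:[0-9]*:[0-9]*; do
        [ -r "$dev/model" ] || continue
        printf '%s %s %s\n' "$(basename "$dev")" "$(cat "$dev/vendor")" "$(cat "$dev/model")"
    done
}

# Live use (as root): snapshot the table, rescan, print what is new.
if [ "${1:-}" = "--live" ]; then
    before=$(mktemp)
    list_scsi_devices > "$before"
    rescan_scsi_hosts
    echo "devices added by the rescan:"
    list_scsi_devices | grep -vxF -f "$before"
    rm -f "$before"
fi
```

The `scan` node is provided by the SCSI mid-layer, so it works for megaraid_sas the same way as for the FC HBAs the reply mentions. It only adds devices: a virtual disk you deleted on the controller stays in the table until you write `1` to its `delete` node as shown above, and a device node left behind that way can still be opened by LVM or mdadm scans, so clean it up before reusing the slot.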
RE: [CentOS] NTP server
On Fri, 2008-02-01 at 13:49 -0700, Jason Ross wrote: On Fri, 2008-02-01 at 11:43 -0800, James D. Parra wrote: -Original Message- From: Scott Ehrlich [mailto:[EMAIL PROTECTED] Sent: Friday, February 01, 2008 11:37 AM To: centos@centos.org Subject: [CentOS] NTP server I have a Centos 5 64-bit server that has ntp service enabled. Windows XP with SP2 cannot properly sync to it for time, but can communicate with it via samba, ssh, and anything else. I also disabled the Windows Firewall. The C5 system does not have any firewall enabled. Other C5 workstations can successfully sync to it via ntpdate. What else could cause the XP machine to not be able to time sync with the C5 server? ~~ Try this; create a DNS entry called ntp.yourinternaldomain.com, then plug that name into XP's internet time. I had a similar problem and changing the IP address to FQDN fixed it. Perhaps it will work for you. Good luck, ~James Try running these from the command line net time /setsntp:10.0.0.87 your NTP ip here net time /querysntp net stop w32time net start w32time I think that you have to have administrative privileges or group policy permissions to be able to do those commands in Windows. Craig
Re: [CentOS] General questions about security
Yes, but be aware of any requirements that if revealed afterwards can put a project in jeopardy both in terms of budget and schedule. There may be policies governing encryption or firewall setup or monitoring that are general and need to be covered in all environments. Or another type of requirement that might exist is to have low-vision access for the vision impaired for all public terminals. Not security related but can definitely pose a problem if it isn't covered in the build spec. -Ross - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: CentOS mailing list centos@centos.org Sent: Fri Feb 01 14:24:29 2008 Subject: Re: [CentOS] General questions about security Ross S. W. Walker a écrit : Check to see if the town/county has any policies in place for computer systems and networks for public services and follow those guidelines. Otherwise look at surrounding public library systems to see if they have any you can adopt. The surrounding places here (town halls, police stations) mostly run Windows (98, Me, 2000, XP). So I'd better follow my nose than their security standards :oD Cheers, Niki
Re: [CentOS] One approach to dealing with SSH brute force attacks.
Les Bell wrote: mouss [EMAIL PROTECTED] wrote: If you consider this security through obscurity, then why not publish the list of your users on a public web page? after all, you should use strong passwords, so why hide usernames? Usernames are comparatively hard to guess, and chosen from a large space - although email addresses often provide a huge clue. By contrast, there are only 64K port numbers (and only 1K privileged ports, all of which will be scanned by default with nmap) - and to make it worse, the attacker only has to telnet or nc to a port and sshd will obligingly send back its version number and protocol version info as plaintext. So, the added obscurity is effectively zero. zero? No. On all the boxes where I changed the port, I noticed 0 login attempts (in ssh logs). before that, the boxes were under continuous attacks (the last box that was installed was probed one second after it was connected! after the port change, nothing in ssh logs). call this zero if you want. I do understand that changing the port does not bring real security. but it avoids silly malware probes. An attacker needs to find the port among say 30K possible ports. if he uses one host, he will trigger alarms before he gets a chance to see the banner. that gets us rid of such attempts, and more time to focus on real miscreants with more power. I sort of half-buy the log volume/noise argument, but rate-limiting and good analysis tools deal with this as well. not so long ago, there was a bug in fail2ban. It used loose parsing to get the IP to block. but an attacker could put the IP in the login name, which would result in blocking arbitrary IPs. of course, the problem was in the parsing and the solution is to fix the parsing. but if you get fewer probes, you are less vulnerable to such attacks. And it does nothing for the stress level, since the serious adversary will see through your non-standard port number in seconds.
sure, but he needs to use multiple hosts, as otherwise he will be detected. I've not yet seen a distributed dictionary attack (I mean: using N machines against a single target). I guess there are enough windows targets that they leave them in peace for now ;-p
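The log-parsing weakness mouss refers to, shown on constructed sshd lines. This is an added example, not code from the thread or from fail2ban: the login name is attacker-chosen text that sshd copies into the log entry, so a parser that takes the first "from <ip>" it finds can be steered into banning any address, while one anchored on the fixed tail sshd itself appends cannot. The log lines, hostname, pids and addresses below are made up.

```shell
#!/bin/sh
# Added example, not from the list thread: a loose and a strict extraction
# of the client address from "Failed password" lines, run on constructed
# log entries. 203.0.113.5 is the real client; 198.51.100.7 is the address
# the attacker embedded in the login name, which was literally
# "admin from 198.51.100.7 port 22 ssh2".
LINE_NORMAL='Feb  1 20:15:02 srv sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2'
LINE_INJECT='Feb  1 20:15:03 srv sshd[4243]: Failed password for invalid user admin from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 51235 ssh2'

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# loose_source_ip LINE: the fragile approach, first "from <ip>" on the line.
# Whatever the client put in the user name wins.
loose_source_ip() {
    printf '%s\n' "$1" | grep -oE "from $IPV4" | head -n 1 | cut -d' ' -f2
}

# strict_source_ip LINE: anchor on the tail sshd appends after the
# user-controlled part, " from <ip> port <n> ssh2" at end of line. The
# greedy .* makes the match the last such group, which sshd, not the
# client, wrote.
strict_source_ip() {
    printf '%s\n' "$1" | sed -nE "s/.* from ($IPV4) port [0-9]+ ssh2\$/\1/p"
}

# ban_decision LINE: the address a ban rule would act on with the strict
# parser, beside what the loose parser would have handed it.
ban_decision() {
    echo "strict=$(strict_source_ip "$1") loose=$(loose_source_ip "$1")"
}

ban_decision "$LINE_NORMAL"   # strict=203.0.113.5 loose=203.0.113.5
ban_decision "$LINE_INJECT"   # strict=203.0.113.5 loose=198.51.100.7
```

The pattern only covers the "Failed password ... from <ip> port <n> ssh2" shape; other sshd messages end differently, so each message type needs its own pattern anchored on the part of the line the client cannot influence, rather than one generic "from <ip>" rule shared across all of them.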
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
Bent Terp wrote: Issue remains open, although I'm slightly embarrassed about it now, given that linux backends are also affected. When we built a .6 kernel without the 5 nfs patches, nfsstat output reverted, but I don't know about the actual performance, yet. Probably we can rerun those tests monday. If possible try to add your findings to https://bugzilla.redhat.com/show_bug.cgi?id=431092 so upstream can fix that bug. Thank you, Ralph
[CentOS] RAID Hot Spare
I've googled this question without a great deal of information. Monday I'm rebuilding a Linux server at work. Instead of purchasing 3 drives for this system I purchased 4 with intent to create a hot spare. Here is my usual setup which I'll do again but with a hot spare for each partition. Create /dev/md0 mount point /boot RAID1 3 drives with 1 hot spare Create two more raid setups /dev/md1 mount point / RAID5 3 drives with 1 hot spare /dev/md2 mount point /home RAID5 3 drives with 1 hot spare Now do I create partitions of equal size for each set then if I remember correctly when creating the RAID there is a check box for hot spare. Do I just marry the 3 equal partitions, click the check box and assume the system will find the partition of equal size and use it when needed? Makes no sense to me. Of course will be creating RAID0 swap but leaving that out of the question for obvious reasons.
[CentOS] Monitor power save question
I decided to try the x86_64 version of CentOS 5 on my new desktop since it has an Athlon 64 X2 CPU. The one really perplexing oddity is that the monitor no longer goes to power save mode (standby) if the system is idle long enough (e.g., overnight). The power management option is set to put the display to sleep after thirty minutes. The display gets blanked but it never goes to standby. The weird thing is that the display behaved as expected when I still had the 32 bit version of CentOS installed so the hardware supports powering down the monitor. I don't see anything incriminating in dmesg, /var/log/messages or /var/log/Xorg.0.log. I'll switch the system to boot to runlevel 3 so I can see if X is spewing something to the first alternate console that isn't getting written to the log file. Anyone have any other suggestions as to diagnosing or fixing the problem? Thanks, Dave -- Politics, n. Strife of interests masquerading as a contest of principles. -- Ambrose Bierce
Re: [CentOS] RAID Hot Spare
Dean Maluski wrote: I've googled this question without a great deal of information. Of course will be creating RAID0 swap but leaving that out of the question for obvious reasons. You really should use anything but RAID 0 for swap. If you need to swap and that device is dead then your system is hosed. At one point I read that you can get RAID0-like performance by having multiple swap partitions on multiple devices and mounting them with the same priority (mount option pri=(some number)). It (was/is) supposed to stripe the swap partitions. Not sure if that ever worked, though I have configured systems over the years to use matching swap priorities, never really looked to see if it was doing what I expected though. Yeah, from swapon(2): [..] If two or more areas have the same priority, and it is the highest priority available, pages are allocated on a round-robin basis between them. nate
Re: [CentOS] centos 4.6 and openssl
Paul A wrote: I was compiling a new version of bind on my centos 4.6 server and I discovered that the openssl version (openssl-0.9.7a-43.17.el4_6.1) has several exploits associated with it. I want proof of that. Ralph
Re: [CentOS] Re: dhcp squid
On Fri, 2008-02-01 at 11:36 -0800, Scott Silva wrote: on 2/1/2008 11:17 AM Gregory P. Ennis spake the following: On Fri, 2008-02-01 at 10:21 -0800, nate wrote: Gregory P. Ennis wrote: Everyone, I have set up squid as a proxy http server in order to filter web access for an office that wants to block certain web sites. Is there a way to use the dhcpd server to assign the squid server and port number 3128 to each Linux desktop when they boot using the existing dhcpd server. Or do I need to change each user's network preference setup in firefox. The dhcpd server and squid are on the same server. Have you considered setting up squid as a transparent proxy so all HTTP requests go through it instead of configuring the clients to use the proxy? It'd be more secure anyways considering not everything has configuration to use a proxy. nate Nate, Thanks for the suggestion... that was a much easier approach. There were some previous posts in November of last year that had some good references. I have everything working as I had hoped. I would still be interested to know if the dhcp servers could be used for this kind of thing. Greg I know that windows machines won't pick up any option like this from DHCP. You have to use the proxy.pac which I could never get working quite right from anything but a microsoft proxy server. A transparent filter works better anyway, as your users will have a harder time bypassing it. Scott, Thanks for the advice... the transparent filter works perfectly, and better than I planned. I could not find a starting place with the proxy.pac file for Linux either. Greg
Re: [CentOS] CentOS 5 loses ip address (newbie question)
On Fri, 2008-02-01 at 13:20 -0800, MHR wrote: On Feb 1, 2008 6:08 AM, frankly3d-centos [EMAIL PROTECTED] wrote: Reserved ip in 192.168.x.x range for CenOS 5 (Samba Server) loses samba clients due to eth0 losing it's ip. eth0 Link encap:Ethernet HWaddr 00:04:61:72:AB:98 inet addr:169.254.66.122 Bcast:169.254.255.255 Mask:255.255.0.0 inet6 addr: fe80::204:61ff:fe72:ab98/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1 RX packets:60058 errors:0 dropped:0 overruns:0 snip What is your system setup? Is it a LAN on the inside of a router? Do the systems exist inside and outside the router? If you control the DHCP server, you should be able to set the reserved range. Also, you should be able to extend the lease/renewal times to a *very* long interval. If you don't ... I'm lucky, IPCop is my friend. Regardless, if it's losing the IP and not getting re-assigned another (or same) one, something else must be wrong somewhere. Keeping in mind that I'm really ignorant about this stuff, if it were my unit I would be looking to see if I had conflicting setups somewhere. Like maybe booting into a static private IP address default configuration and yet having a DHCP client active. I don't know if that's possible or rational, but like I said, I don't know much. Did you use system-config-network for initial setup? If so, I would think subsequent diddling would be the screw-up. If not, initial diddling probably the culprit. Need more information for this to be useful. AMEN brother! (No religious injection intended here: simply an exclamatory reaffirmation shamelessly stolen from revival meetings I've seen on the boob-tube - as opposed to you-tube). mhr snip sig stuff -- Bill
Re: [CentOS] Monitor power save question
David G. Miller wrote: I don't see anything incriminating in dmesg, /var/log/messages or /var/log/Xorg.0.log. I'll switch the system to boot to runlevel 3 so I can see if X is spewing something to the first alternate console that isn't getting written to the log file. Anyone have other any suggestions as to diagnosing of fixing the problem? Are there any DPMS options set in your xorg.conf ? What is your video card/monitor and what driver are you using in X ? Another thing to check is see if DPMS is enabled as an extension by your setup: xdpyinfo | grep DPMS should return DPMS I have to explicitly set my monitor power saving to off on my laptop otherwise the screen has a high likelihood of not coming back on after turning off. Toshiba says it's a known behavioral issue with multi core laptops. Happened under XP as well. Yay for screen burn in. nate
[CentOS] Re: RAID Hot Spare
on 2/1/2008 4:33 PM Dean Maluski spake the following: On Fri, 2008-02-01 at 16:11 -0800, nate wrote: Dean Maluski wrote: I've googled this question without a great deal of information. Of course will be creating RAID0 swap but leaving that out of the question for obvious reasons. You really should use anything but RAID 0 for swap. If you need to swap and that device is dead then your system is hosed. At one point I read that you can get RAID0-like performance by having multiple swap partitions on multiple devices and mounting them with the same priority (mount option pri=(some number)). It (was/is) supposed to stripe the swap partitions. Not sure if that ever worked, though I have configured systems over the years to use matching swap priorities, never really looked to see if it was doing what I expected though. Yeah, from swapon(2): [..] If two or more areas have the same priority, and it is the highest priority available, pages are allocated on a round-robin basis between them. nate OK, not really an answer to my hot spare question. What I read sounds similar to what you state that if you create multiple swap partitions the system will create a raid0 of it. So what is the recommendation? create 1 swap partition on one drive? And for your hot spare question, you create the raid arrays the normal way, with raid type, number of drives set to 3, set the number of spares to 1, and have the 4 partitions on the command line. mdadm --create /dev/md1 --level=5 --raid-devices=3 --spare-devices=1 /dev/part1 /dev/part2 /dev/part3 /dev/part4 It is all in the man page if you want other options. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
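Once the arrays exist, the check a practitioner wants is that each md device really has its spare registered and that nothing is running degraded. This is an added example, not from the post: two small parsers over /proc/mdstat, exercised here on a constructed mdstat text that mirrors the three-array layout in the question (the device names and block counts are made up); with `--live` they read the real /proc/mdstat.

```shell
#!/bin/sh
# Added example, not from the list post: confirm from /proc/mdstat that
# each array has a hot spare registered and that none is degraded. The
# functions read mdstat-format text on stdin so they can run here on a
# constructed sample.

# Constructed /proc/mdstat for the layout in the question: md0 raid1,
# md1 and md2 raid5, three active members each plus one spare marked (S).
# md2 is shown after a disk failure: the spare has been pulled in, the
# failed member is marked (F) and the array is resyncing, so its member
# map has a hole ([UU_]).
MDSTAT_SAMPLE='Personalities : [raid1] [raid5]
md0 : active raid1 sdd1[3](S) sdc1[2] sdb1[1] sda1[0]
      104320 blocks [3/3] [UUU]

md1 : active raid5 sdd2[3](S) sdc2[2] sdb2[1] sda2[0]
      8385664 blocks level 5, 64k chunk, algorithm 2 [3/3] [UUU]

md2 : active raid5 sdd3[3] sdc3[2](F) sdb3[1] sda3[0]
      146809216 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]
      [==>..................]  recovery = 12.5% (18351152/146809216) finish=40.1min speed=53300K/sec

unused devices: <none>'

# md_spares: stdin = mdstat text. Prints "mdN device" for every member
# flagged (S). An array that is supposed to have a hot spare but does not
# show up here has nothing to fail over to.
md_spares() {
    awk '/^md[0-9]+ : / { md = $1
            for (i = 5; i <= NF; i++)
                if ($i ~ /\(S\)$/) { sub(/\[.*$/, "", $i); print md, $i } }'
}

# md_degraded: stdin = mdstat text. Prints "mdN [map]" for arrays whose
# member map contains a missing (_) slot: a failed disk, or a resync onto
# the spare still in progress.
md_degraded() {
    awk '/^md[0-9]+ : / { md = $1 }
         /\[[U_]+\]/ { match($0, /\[[U_]+\]/); map = substr($0, RSTART, RLENGTH)
                       if (map ~ /_/) print md, map }'
}

if [ "${1:-}" = "--live" ]; then
    echo "spares:";   md_spares   < /proc/mdstat
    echo "degraded:"; md_degraded < /proc/mdstat
else
    echo "spares:";   printf '%s\n' "$MDSTAT_SAMPLE" | md_spares
    echo "degraded:"; printf '%s\n' "$MDSTAT_SAMPLE" | md_degraded
fi
```

On the sample this reports md0 and md1 as still holding their spares and md2 as degraded, which is the state you want to be paged about rather than discover later; CentOS 5 ships the mdmonitor service for that, driven by a `MAILADDR` line in /etc/mdadm.conf.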
Re: [CentOS] CentOS 5 loses ip address (newbie question)
frankly3d-centos wrote: Reserved ip in 192.168.x.x range for CenOS 5 (Samba Server) loses samba clients due to eth0 losing it's ip. eth0 Link encap:Ethernet HWaddr 00:04:61:72:AB:98 inet addr:169.254.66.122 Bcast:169.254.255.255 Mask:255.255.0.0 whack, 169.254.x.x is the 'auto-IP' range of self assigned IPs used if a system can't reach the DHCP server. I wasn't aware Linux did this, I've only seen it on MS Windows.
Re: [CentOS] Two Instances of Apache; Primary IP / Secondary IP
> Al Sparks wrote:
> do you mean making apache use a specific IP when it proxies the request? (you really lost me, so I may be misunderstanding). why do you need that at all? whatever IP is used should not matter since the backend will reply over the socket that was opened by the proxy (be it a production proxy or the test proxy).
>
>> Both IP addresses are actually assigned to the same physical interface (eth1 and eth1:1). The proxy instance is accepting connections from clients using the eth1:1 secondary interface, but the same PHYSICAL interface as eth1. When it turns around and connects to the back-end service, it seems to be using eth1 even though it's listening on eth1:1. Since it's not listening to eth1, the packets are going to the bit-bucket. At least that's my theory.
>
> unless you did something special, apache listens on all the IPs of the system. check whether you have any restrictive Listen statement. (Note that services do not listen on interfaces, but on IP addresses) otherwise, the IP is selected by the kernel depending on the destination. so if you use something like ProxyPass / http://10.1.2.3:8080/ in one proxy and ProxyPass / http://10.4.5.6:8080/ each will use the selected IP.
>
>> Is there something I can do with routing tables that can help?
>
> That would require advanced routing. standard routing is based on destination and the source IP is selected by the kernel after the route has been computed (this allows setting the right IP should you have multiple network interfaces...). but you should not need this.

In the end, I may just have to either use a separate server or a second physical interface, probably in another VLAN, to make this work. And my idea seemed like such a good one.

=== Al
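Two things in that exchange are easy to verify on the box rather than theorise about: which source address the kernel picks for a given back-end destination, and whether the back-end instance has a restrictive Listen that would make it deaf on one of the host's addresses. The following Python script is an added illustration (not code from the thread, from Apache or from either poster). It connects a UDP socket, which performs the route lookup without sending a packet, and reads the chosen source address back with getsockname(); it then parses Listen directives from two constructed httpd.conf fragments. The 192.0.2.x addresses and the conf text are placeholders.

```python
"""Check kernel source-address selection and Apache Listen coverage.

Added example, not from the thread. UDP connect() runs the route lookup
without transmitting anything, so getsockname() afterwards reports the
source address the kernel would use for that destination. The Listen
parser answers "will a connection to ip:port reach this instance?".
"""
import socket

# Constructed fragments of two possible back-end httpd.conf files.
WILDCARD_CONF = """\
# back-end instance bound to every address on the host
Listen 8080
ServerName backend.example.test
"""

RESTRICTIVE_CONF = """\
# back-end instance bound to the primary address only
Listen 192.0.2.10:8080
ServerName backend.example.test
"""

def source_ip_for(dest: str, port: int = 8080):
    """Local address the kernel would use to reach dest, or None when
    there is no route at all (as in an offline sandbox)."""
    family = socket.AF_INET6 if ":" in dest else socket.AF_INET
    try:
        s = socket.socket(family, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.connect((dest, port))  # route lookup only; nothing is sent
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()

def listen_sockets(conf_text: str) -> list:
    """(ip, port) pairs from Listen directives; '0.0.0.0' means every IPv4 address."""
    socks = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "listen":
            continue
        arg = parts[1]
        if arg.startswith("["):            # Listen [2001:db8::1]:8080
            ip, port = arg[1:].split("]:", 1)
        elif ":" in arg:                   # Listen 192.0.2.10:8080
            ip, port = arg.rsplit(":", 1)
        else:                              # Listen 8080
            ip, port = "0.0.0.0", arg
        socks.append((ip, int(port)))
    return socks

def accepts_on(conf_text: str, ip: str, port: int) -> bool:
    """True if a connection arriving at ip:port will be accepted by this instance."""
    return any(lport == port and lip in ("0.0.0.0", "::", ip)
               for lip, lport in listen_sockets(conf_text))

if __name__ == "__main__":
    print("source address towards 192.0.2.10:", source_ip_for("192.0.2.10"))
    for name, conf in (("wildcard", WILDCARD_CONF), ("restrictive", RESTRICTIVE_CONF)):
        print(name, listen_sockets(conf), "reachable on 192.0.2.11:8080 ->",
              accepts_on(conf, "192.0.2.11", 8080))
```

The source address matters beyond this thread's question: if the back end, or a firewall in front of it, allows only the proxy's expected address, a proxy instance that silently sources from the primary IP will be dropped by that rule rather than by Apache, so the probe above is the first thing to run before changing the routing.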
[CentOS] Re: RAID Hot Spare
on 2/1/2008 4:33 PM Dean Maluski spake the following:
> On Fri, 2008-02-01 at 16:11 -0800, nate wrote:
>> Dean Maluski wrote:
>>> I've googled this question without a great deal of information. Of course will be creating RAID0 swap but leaving that out of the question for obvious reasons.
>>
>> You really should use anything but RAID 0 for swap. If you need to swap and that device is dead then your system is hosed. At one point I read that you can get RAID0-like performance by having multiple swap partitions on multiple devices and mounting them with the same priority (mount option pri=(some number)). It (was/is) supposed to stripe the swap partitions. Not sure if that ever worked, though I have configured systems over the years to use matching swap priorities, never really looked to see if it was doing what I expected though.
>>
>> Yeah, from swapon(2):
>> [..] If two or more areas have the same priority, and it is the highest priority available, pages are allocated on a round-robin basis between them.
>>
>> nate
>
> OK, not really an answer to my hot spare question. What I read sounds similar to what you state that if you create multiple swap partitions the system will create a raid0 of it. So what is the recommendation? create 1 swap partition on one drive?

It depends. If you are going to create LVM over the large raid5 partition you could put the swap there. Or you could create a raid 1 the same way you create the /boot partition. If the system is properly sized, swap is less of a performance issue anyway.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] RAID Hot Spare
On Fri, 2008-02-01 at 16:11 -0800, nate wrote:
> Dean Maluski wrote:
>> I've googled this question without a great deal of information. Of course will be creating RAID0 swap but leaving that out of the question for obvious reasons.
>
> You really should use anything but RAID 0 for swap. If you need to swap and that device is dead then your system is hosed. At one point I read that you can get RAID0-like performance by having multiple swap partitions on multiple devices and mounting them with the same priority (mount option pri=(some number)). It (was/is) supposed to stripe the swap partitions. Not sure if that ever worked, though I have configured systems over the years to use matching swap priorities, never really looked to see if it was doing what I expected though.
>
> Yeah, from swapon(2):
> [..] If two or more areas have the same priority, and it is the highest priority available, pages are allocated on a round-robin basis between them.
>
> nate

OK, not really an answer to my hot spare question. What I read sounds similar to what you state that if you create multiple swap partitions the system will create a raid0 of it. So what is the recommendation? create 1 swap partition on one drive?
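The swapon(2) rule quoted in this thread (round-robin between areas sharing the highest priority) is easy to check against what a host actually has, which is the point nate says he never got round to. As an added illustration, not code from the thread or from any of the posters, the Python below parses the /proc/swaps table, groups areas by priority and names the ones the kernel will stripe across. The /proc/swaps text is a constructed sample; the device names in it are placeholders.

```python
"""Which swap areas will the kernel stripe (round-robin) across?

Added example, not from the thread. Per swapon(2), pages are allocated
round-robin only between areas that share the highest priority; lower
tiers are used once the higher ones fill. This groups /proc/swaps entries
by priority so the intended layout can be compared with the live one.
"""

# Constructed sample in the /proc/swaps layout. sda2 and sdb2 were given
# the same explicit priority; sdc2 and the swap file kept the kernel's
# automatic (negative, decreasing) defaults.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                               partition\t2097148\t0\t10
/dev/sdb2                               partition\t2097148\t0\t10
/dev/sdc2                               partition\t2097148\t0\t-1
/swapfile                               file\t524284\t0\t-2
"""

def parse_proc_swaps(text: str) -> list:
    """Return (filename, type, size_kb, used_kb, priority) per swap area."""
    areas = []
    for line in text.splitlines()[1:]:  # first row is the column header
        if not line.strip():
            continue
        name, kind, size, used, prio = line.split()
        areas.append((name, kind, int(size), int(used), int(prio)))
    return areas

def swap_tiers(areas: list) -> list:
    """[(priority, [filenames]), ...] ordered from highest priority down."""
    tiers = {}
    for name, _kind, _size, _used, prio in areas:
        tiers.setdefault(prio, []).append(name)
    return [(prio, tiers[prio]) for prio in sorted(tiers, reverse=True)]

def striped_areas(areas: list) -> list:
    """Filenames actually striped: the top tier, and only if it has more than one member."""
    tiers = swap_tiers(areas)
    if not tiers:
        return []
    top = tiers[0][1]
    return top if len(top) > 1 else []

def single_points_of_failure(areas: list) -> list:
    """Striped areas: losing any one of these devices loses pages from the
    whole tier, which is the RAID0-style risk nate warns about."""
    return striped_areas(areas)

if __name__ == "__main__":
    import os
    text = open("/proc/swaps").read() if os.path.exists("/proc/swaps") else SAMPLE_PROC_SWAPS
    areas = parse_proc_swaps(text)
    for prio, names in swap_tiers(areas):
        print(f"priority {prio:>4}: {', '.join(names)}")
    print("striped:", striped_areas(areas) or "none")
```

Striping only happens when the areas are given the same explicit priority (swapon -p N, or pri=N in /etc/fstab); with the kernel's automatic defaults each area added later gets a lower negative priority, so nothing is striped and one failed swap device costs only the pages that happened to live on it.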
Re: [CentOS] CentOS 5 loses ip address (newbie question)
On Fri, 2008-02-01 at 16:53 -0800, John R Pierce wrote:
> frankly3d-centos wrote:
>> Reserved ip in 192.168.x.x range for CentOS 5 (Samba Server) loses samba clients due to eth0 losing its ip.
>>
>> eth0 Link encap:Ethernet HWaddr 00:04:61:72:AB:98
>>      inet addr:169.254.66.122 Bcast:169.254.255.255 Mask:255.255.0.0
>
> whack, 169.254.x.x is the 'auto-IP' range of self assigned IPs used if a system can't reach the DHCP server. I wasn't aware Linux did this, I've only seen it on MS Windows.

It threw me for a loop first time I ever saw it. Especially when (for a brief moment IIRC) that *and* my IP was assigned to the same device.

I guess that means the OP should check the logs for the DISCOVER... messages to see what is going on. He'll probably see the OFFERED rejected somewhere?

snip sig stuff

--
Bill
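Bill's suggestion, checking the client log for the DISCOVER/OFFER exchange, can be scripted so it runs on every Samba server rather than only when someone notices the clients vanished. The Python below is an added illustration, not code from the thread or from dhclient: it flags interfaces that have fallen back to a 169.254/16 link-local address and walks ISC dhclient log lines to decide whether the lease negotiation completed. The ifconfig text, the MACs (from the documentation range) and the log lines are constructed samples in the usual formats, not captured from a real host.

```python
"""Tell a failed DHCP lease from a successful one.

Added example, not part of the thread. link_local_interfaces() finds
interfaces holding a self-assigned 169.254/16 address; dhcp_outcome()
reads ISC dhclient log lines and reports whether the
DISCOVER/OFFER/REQUEST/ACK exchange finished. All sample data below is
constructed.
"""
import ipaddress
import re

IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:169.254.66.122  Bcast:169.254.255.255  Mask:255.255.0.0
eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
"""

GOOD_LOG = """\
Feb  1 16:40:01 host dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 4
Feb  1 16:40:01 host dhclient: DHCPOFFER from 192.168.1.1
Feb  1 16:40:01 host dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
Feb  1 16:40:01 host dhclient: DHCPACK from 192.168.1.1
Feb  1 16:40:01 host dhclient: bound to 192.168.1.20 -- renewal in 43200 seconds.
"""

BAD_LOG = """\
Feb  1 16:40:01 host dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
Feb  1 16:40:05 host dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9
Feb  1 16:40:14 host dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13
Feb  1 16:40:27 host dhclient: No DHCPOFFERS received.
"""

_IFACE = re.compile(r"^(\S+)\s+Link encap")
_INET = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)")

def link_local_interfaces(ifconfig_text: str) -> dict:
    """{iface: addr} for every interface whose IPv4 address is in 169.254/16."""
    found, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = _IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET.search(line)
        if m and iface and ipaddress.ip_address(m.group(1)).is_link_local:
            found[iface] = m.group(1)
    return found

_MSG = re.compile(r"dhclient(?:\[\d+\])?: "
                  r"(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK|No DHCPOFFERS received)")
_FROM = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

def dhcp_outcome(log_text: str) -> tuple:
    """(state, discover_count, server) with state one of
    'bound' (ACK seen), 'no-offer' (client gave up) or 'incomplete'."""
    state, discovers, server = "incomplete", 0, None
    for line in log_text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg == "DHCPDISCOVER":
            discovers += 1
        elif msg in ("DHCPOFFER", "DHCPACK"):
            f = _FROM.search(line)
            server = f.group(1) if f else server
            if msg == "DHCPACK":
                state = "bound"
        elif msg == "DHCPNAK":
            state = "incomplete"
        elif msg == "No DHCPOFFERS received":
            state = "no-offer"
    return state, discovers, server

if __name__ == "__main__":
    print("link-local interfaces:", link_local_interfaces(IFCONFIG_SAMPLE))
    print("eth1 lease:", dhcp_outcome(GOOD_LOG))
    print("eth0 lease:", dhcp_outcome(BAD_LOG))
```

For a server that should never move, the stronger fix is a static address, but the check is still worth keeping: a host that suddenly lands on 169.254/16 after repeated unanswered DISCOVERs tells you the DHCP service on that segment is down or unreachable, and the server names in the OFFER/ACK lines tell you which server answered, which is how an unexpected DHCP server on the segment shows up in the logs.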
[CentOS] Re: Monitor power save question
nate wrote:
> David G. Miller wrote:
>> I don't see anything incriminating in dmesg, /var/log/messages or /var/log/Xorg.0.log. I'll switch the system to boot to runlevel 3 so I can see if X is spewing something to the first alternate console that isn't getting written to the log file. Anyone have any other suggestions as to diagnosing or fixing the problem?
>
> Are there any DPMS options set in your xorg.conf ? What is your video card/monitor and what driver are you using in X ?

Another thing to check is see if DPMS is enabled as an extension by your setup:

xdpyinfo |grep DPMS

should return DPMS

And, see what xset q has to say about whether DPMS is currently enabled or not.

I've noticed that mplayer disables DPMS on entry, but neglects to re-enable it on termination.

--
Bob Nichols     NOSPAM is really part of my email address. Do NOT delete it.
[CentOS] CentOS 5 (Final): where is Xemacs?
CentOS 5 (Final): where is Xemacs? RH 5 doesn't have Xemacs? Why not?
Re: [CentOS] dmcrypt on install with centos 5.1?
On Fri, 2008-02-01 at 22:39 +0100, Andrew Henry wrote:
> I'm new to the list and CentOS and wonder if there is any option to do full disk encryption with dmcrypt and LUKS during the install stage of CentOS 5.1? I use Debian Etch at the moment and Debian is able to do this. If not possible, are there any good guides that anyone knows about that explain how to dmcrypt everything but /boot on CentOS manually?
>
> --andrew

http://www.msquared.id.au/articles/cryptroot/

Hope that helps.

--Tim
Re: [CentOS] CentOS 5 (Final): where is Xemacs?
Kenneth Wolcott wrote:
> RH 5 doesn't have Xemacs? Why not?

Because Linux is a perfectly good operating system already without layering Emacs on top of it.
Re: [CentOS] CentOS 5 (Final): where is Xemacs?
On Feb 1, 2008 8:11 PM, Kenneth Wolcott [EMAIL PROTECTED] wrote:
> CentOS 5 (Final): where is Xemacs? RH 5 doesn't have Xemacs? Why not?

RH-5 does not have Xemacs because a choice had to be made on using Emacs or Xemacs. Trying to support both was resource intensive and I think fewer people were installing Xemacs versus Emacs according to RHN stats.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice