Re: [CentOS-es] how to update a CentOS web server conveniently
Hello everyone! I'll take advantage of this thread to ask whether anyone knows if CentOS is going to use Spacewalk to build a kind of Red Hat Network for CentOS servers, where we could create an account, group our servers and manage the updates from there.

Regards
Dario

On 21 July 2008 10:48, Ing. Ernesto Pérez Estévez [EMAIL PROTECTED] wrote:

> > In general you should look at how the update affects your server; an example of this is Oracle database servers, where an update can be catastrophic, even more so when libraries and/or the kernel are involved. In general, on mission-critical production servers updates are not applied unless they are of a high degree of criticality or are security fixes, and even then it needs thinking about.
>
> Updates are always beneficial, production or not; they should always be applied. What I do personally is wait a few hours for others to have banged their heads first.. then we update on our laptops, and the following weekend we update one server (the least used) to see how it reacts, and if nothing happens we update all of them.
>
> Leaving a production server without updates means you may run into problems in the future, and that you are not using the most useful thing about CentOS, which is guaranteed updates for 7 years, and safe updates. As a comment, apart from a problem I had with sendmail about 5 years ago, I have never had major problems with CentOS/RHEL updates.
>
> --
> Regards!
> epe
> Ing. Ernesto Pérez Estévez
> http://www.NuestroServer.com/
> USA: +1 305 359 4495 / Spain: +34 91 761 7884
> Ecuador: +593 2 341 2402 / + 593 9 9246504
> Mexico: +52 55 1163 8640 / Italy: +39 06 916504876

___
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es
Re: [CentOS-es] CentOS log analysis
Well... I can tell you that I finally managed to solve the problem... I'm leaving here roughly how my squid.conf lines ended up for authenticating against LDAP, in case it helps someone later on..

    # basic auth against LDAP: look the user up under ou=users by uid
    auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=users,dc=imcanelones,dc=gub,dc=uy -h 10.1.1.25 -f (uid=%s)
    # group lookup; %LOGIN hands the helper the authenticated user name.
    # The filter needs the leading "&" (AND) to require both cn and memberUid.
    external_acl_type ldap_group children=7 %LOGIN /usr/lib/squid/squid_ldap_group -b ou=Groups,dc=imcanelones,dc=gub,dc=uy -h 10.1.1.25 -f (&(cn=%g)(memberUid=%u))
    acl password proxy_auth REQUIRED
    acl password_group external ldap_group Internet
    # note: this allow sits above the Safe_ports/CONNECT denies, so members of
    # "Internet" may reach any port; move it below them to keep those limits
    http_access allow password_group
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all

Many thanks to everyone
Regards
Carlitos

Enrique Rosario wrote:
> Greetings. Can you recommend a tool for analysing CentOS logs, in the style of Sarg for squid, but one that works for me with the postfix, squid and httpd logs. I have seen some, such as surftrack, which is very complete but extremely complicated to install. Webalizer is more statistical and doesn't give me what I want with squid. I don't know whether awstats might do.
Re: [CentOS-es] Iptables problems - forwarding to an internal machine
On Wed, 2008-07-23 at 10:08 -0400, Andre Aspée wrote:
> Hello,
> Yesterday I installed firestarter and managed to forward the terminal server service to a machine on my LAN, but that created another problem for me. It turns out I have squid and the firewall on the same machine, so with my iptables rules I redirected all the LAN clients' requests to port 8080; that way I made them go through squid and was able to filter content. Well, with firestarter I can't get this step to work: I can forward what comes from outside (internet) to an internal machine, but I can't redirect from my LAN to the squid that is on the same firewall machine. If you can help me, either by correcting my firewall script so I can forward to machines on my LAN, or by telling me whether with firestarter I can make all LAN clients go through squid before going out to the internet.
> Regards

It has been many years since I last wrote scripts to manage my iptables rules, because I started using Shorewall http://www.shorewall.net/ It is easy to install and use. You will be able to do practically everything you need at the iptables level.

Good luck, and tell us how it goes
--
Hardy Beltran Monasterios
Consultor e Instructor GNU/Linux
LPI Certified (LPIC-1) / RedHat Certified (RHCE)
http://www.hardy.com.bo
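The redirect Andre had in his hand-written script (LAN clients to port 80 sent into the Squid on the firewall box) is, in iptables terms, a nat PREROUTING REDIRECT. The following is an added example, not code from the thread, Firestarter or Shorewall: it builds those rules and, by default, only prints them. The interface name eth1, the LAN range 192.168.1.0/24 and the firewall address 192.168.1.1 are assumptions; port 8080 is the one from the thread, and Squid must be started with `http_port 8080 transparent` for intercepted connections to work.

```python
"""Send LAN web traffic through a Squid running on the firewall host.

Added example, not from the thread.  Assumed names: LAN interface eth1,
LAN network 192.168.1.0/24, firewall LAN address 192.168.1.1, Squid on
port 8080 configured with "http_port 8080 transparent".  Commands are only
printed unless apply_rules(..., dry_run=False) is used as root.
"""
import subprocess

LAN_IF = "eth1"              # assumption: interface facing the LAN
LAN_NET = "192.168.1.0/24"   # assumption: LAN address range
FW_ADDR = "192.168.1.1"      # assumption: the firewall's own LAN address
SQUID_PORT = 8080            # the port Squid listens on in the thread


def redirect_rules(lan_if=LAN_IF, lan_net=LAN_NET, fw_addr=FW_ADDR,
                   squid_port=SQUID_PORT):
    """iptables commands (argv lists) that redirect LAN TCP/80 to local Squid.

    Only the nat PREROUTING chain is used.  Packets the firewall generates
    itself, including Squid's own outbound fetches, traverse OUTPUT rather
    than PREROUTING, so they are never looped back into the proxy.
    """
    nat = ["iptables", "-t", "nat"]
    return [
        # Leave traffic addressed to the firewall itself alone (its own web
        # pages, the proxy port, ssh); otherwise those would be proxied too.
        nat + ["-A", "PREROUTING", "-i", lan_if, "-s", lan_net,
               "-d", fw_addr, "-j", "RETURN"],
        # Everything else from the LAN to port 80 is handed to Squid.
        nat + ["-A", "PREROUTING", "-i", lan_if, "-s", lan_net,
               "-p", "tcp", "--dport", "80",
               "-j", "REDIRECT", "--to-ports", str(squid_port)],
        # The redirected connections still have to pass the filter table.
        ["iptables", "-A", "INPUT", "-i", lan_if, "-s", lan_net,
         "-p", "tcp", "--dport", str(squid_port), "-j", "ACCEPT"],
    ]


def apply_rules(rules, dry_run=True):
    """Print every command; run them only when dry_run is False (needs root)."""
    for argv in rules:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return len(rules)


if __name__ == "__main__":
    apply_rules(redirect_rules())
```

Two caveats: only port 80 is intercepted, so HTTPS and anything on other ports still leaves the LAN unfiltered, and rules added by hand are lost when Firestarter regenerates its chains, so they belong in its custom-rule hook (/etc/firestarter/user-pre, if your version provides it). Shorewall, which Hardy suggests, expresses the same thing as a single REDIRECT line in its rules file (`REDIRECT loc 8080 tcp 80`, as in its Squid documentation).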
Re: [CentOS-es] squid cache manager
Hello:

On Wed, Jul 23, 2008 at 5:12 PM, Carlos Moreira [EMAIL PROTECTED] wrote:
> folks.. continuing with squid.. now that it works :D, good news on the LDAP authentication!
>
>     acl administrador src 10.1.1.59   (which is the IP of my machine, from which I want to see the cache manager)
>     http_access allow manager localhost
>     http_access allow manager administrador
>     #http_access deny manager   (I had this one uncommented, but I commented it out.. at least until I can fix the problem)

Check /var/log/httpd/error_log (or equivalent) and see whether any error shows up there; /var/log/squid/*log too, while you are at it. That is, try to access it and look in the logs for any error or message, and post it if you don't understand what it is about.

Regards
Osvaldo
[CentOS-es] Problems with the sendmail mail server
Friends,

I have a mail server with the following characteristics:

- Core 2 Duo 2.0
- 2 GB of RAM
- 120 GB hard disk
- CentOS 5.0
- kernel 2.6.18-53.1.19.el5
- sendmail-8.13.8-2.el5
- mailscanner-4.69.9-3, spamassassin-3.1.7-4.el5, clamav, razor, etc.
- relay-domains: only my domain
- local-host-names: only my domain
- access: only the necessary IPs and a proxy on another server (several machines with their respective mail accounts)

The problem is the following: my mail server tries to send thousands of emails to yahoo and aol accounts, from accounts that do not exist on my mail server. In /var/spool/mqueue there are thousands of queued messages. Because of this, yahoo and aol have already blocked me. I am not an open relay according to a page I found somewhere, and I am not listed as spam on several blacklists I have checked.

This is an example from /var/log/maillog:

    Jul 23 22:19:40 mail sendmail[18539]: m6O39UFH018496: to=[EMAIL PROTECTED],[EMAIL PROTECTED] o.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:10:10, xdelay=00:10:05, mailer=esmtp, pri=211541, relay=f.mx.mail.yahoo.com. [68.142.202.247], dsn=4.0.0, stat=Deferred: Connection timed out with f.mx.mail.yahoo.com.
    Jul 23 22:19:45 mail sendmail[20094]: m6O3DDsm020059: to=[EMAIL PROTECTED],lffwym@yahoo.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:06:32, xdelay=00:06:14, mailer=esmtp, pri=211592, relay=c.mx.mail.yahoo.com. [216.39.53.3], dsn=4.0.0, stat=Deferred: 451 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8) myipaddress
    Jul 23 22:20:33 mail sendmail[18036]: m6O38NEi017993: to=[EMAIL PROTECTED],leviticusvi@yahoo.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:12:10, xdelay=00:12:05, mailer=esmtp, pri=211597, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.0.0, stat=Deferred: 451 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8) myipaddress

mailq:

    m6O3BaPp019464       47 Wed Jul 23 22:11 [EMAIL PROTECTED]   --- account does not exist (edited by me)
                     (readqf: cannot open ./dfm6O3BaPp019464: No such file or dire)
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
    m6O3APZr018808       47 Wed Jul 23 22:10 [EMAIL PROTECTED]   --- account does not exist (edited by me)
                     (readqf: cannot open ./dfm6O3APZr018808: No such file or dire)
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
    m6O3BgN9019503       47 Wed Jul 23 22:11 [EMAIL PROTECTED]   --- account does not exist (edited by me)
                     (readqf: cannot open ./dfm6O3BgN9019503: No such file or dire)
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]
                                             [EMAIL PROTECTED]

I appreciate your attention and your help
Regards
Nino
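The log excerpt above shows only sendmail's `to=` lines, which say where the queued mail is going. Each queue ID also has a `from=` line, and its `relay=` field says where the message entered: `relay=user@localhost` means it was injected locally by that Unix user (typically a web script running as apache), while a host name or bracketed address means it arrived over SMTP from that peer. The script below is an added example, not from the thread: it pairs the two lines per queue ID and reports entry points and envelope senders in our domain that are not real accounts. The log lines it parses are constructed for the example, with `mail.example` standing in for the poster's domain and `nino` as the only real account.

```python
"""Find where forged-sender mail enters a sendmail queue (added example).

The matching from= line of each queue ID says where a message came in:
relay=user@localhost means local injection by that Unix user (for example a
web script running as apache); an address in brackets means it arrived over
SMTP from that host.  The log lines below are constructed for illustration;
domain and host names are placeholders.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")

SAMPLE_LOG = """\
Jul 23 22:09:30 mail sendmail[18496]: m6O39UFH018496: from=<zxq17@mail.example>, size=2314, class=0, nrcpts=4, msgid=<200807240309.m6O39UFH018496@mail.example>, relay=apache@localhost
Jul 23 22:19:40 mail sendmail[18539]: m6O39UFH018496: to=<a@yahoo.com>,<b@yahoo.com>,<c@yahoo.com>,<d@yahoo.com>, delay=00:10:10, xdelay=00:10:05, mailer=esmtp, pri=211541, relay=f.mx.mail.yahoo.com. [68.142.202.247], dsn=4.0.0, stat=Deferred: Connection timed out with f.mx.mail.yahoo.com.
Jul 23 22:10:05 mail sendmail[20059]: m6O3DDsm020059: from=<kpl9@mail.example>, size=2290, class=0, nrcpts=4, msgid=<200807240310.m6O3DDsm020059@mail.example>, relay=apache@localhost
Jul 23 22:19:45 mail sendmail[20094]: m6O3DDsm020059: to=<e@yahoo.com>,<f@yahoo.com>,<g@yahoo.com>,<h@yahoo.com>, delay=00:06:32, xdelay=00:06:14, mailer=esmtp, pri=211592, relay=c.mx.mail.yahoo.com. [216.39.53.3], dsn=4.0.0, stat=Deferred: 451 VS1-IP Excessive unknown recipients - possible Open Relay
Jul 23 22:12:00 mail sendmail[20301]: m6O3C0AB020301: from=<nino@mail.example>, size=870, class=0, nrcpts=1, msgid=<200807240312.m6O3C0AB020301@mail.example>, relay=[10.1.1.25]
Jul 23 22:12:02 mail sendmail[20305]: m6O3C0AB020301: to=<friend@aol.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30870, relay=mx.aol.example. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
""".splitlines()


def parse_fields(rest):
    """Split 'k=v, k=v, ...'; recipient lists use ',' without a space and stay intact."""
    fields = {}
    for part in rest.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def parse_maillog(lines):
    """Return {queue_id: {from, origin, nrcpts, deferred}} from sendmail log lines."""
    msgs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = parse_fields(m.group("rest"))
        rec = msgs.setdefault(m.group("qid"), {"from": None, "origin": None,
                                               "nrcpts": 0, "deferred": False})
        if "from" in f:                       # envelope sender and entry point
            rec["from"] = f["from"].strip("<>")
            rec["origin"] = f.get("relay", "unknown")
            rec["nrcpts"] = int(f.get("nrcpts", "0"))
        elif "to" in f:                       # a delivery attempt
            rec["deferred"] |= f.get("stat", "").startswith("Deferred")
    return msgs


def triage(lines, local_users, our_domain):
    """Count entry points and flag senders in our domain that are not real accounts."""
    msgs = parse_maillog(lines)
    by_origin = Counter(r["origin"] for r in msgs.values() if r["origin"])
    forged = sorted(
        qid for qid, r in msgs.items()
        if r["from"] and r["from"].endswith("@" + our_domain)
        and r["from"].split("@", 1)[0] not in local_users)
    deferred = sum(1 for r in msgs.values() if r["deferred"])
    return {"by_origin": by_origin, "forged": forged, "deferred": deferred}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, local_users={"nino"}, our_domain="mail.example")
    for origin, n in result["by_origin"].most_common():
        print(f"{n:5d} messages entered via {origin}")
    print("forged local senders:", ", ".join(result["forged"]))
    print("deferred:", result["deferred"])
```

Run it against the real /var/log/maillog with the server's own account list. If the forged messages entered as `apache@localhost` (or another local user), the source is a process on the box, usually an exploitable web form, and the mail queue only shows the symptom; if they entered over SMTP from an allowed address, that host, or a mail account whose password is being used for SMTP AUTH, is the thing to look at.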
[CentOS-es] project management software
Hello, I'm looking on the net for software to manage projects. I know several exist, on the Windows side such as Microsoft Project, and for Linux there are several too, but what I want is software specifically for managing software projects. Does anyone know of one?
Re: [CentOS] Re: Ideas for stopping ssh brute force attacks
On Wed, 23 Jul 2008 10:10:14 +1000, Les Bell wrote
> Scott Silva [EMAIL PROTECTED] wrote:
> > Portsentry is still available on sourceforge I believe.
>
> Good call - http://sourceforge.net/projects/sentrytools/ shows they were uploaded back in 2003 and it looks like nothing has happened since then. There must be more modern equivalents, surely?

I wrote a Perl daemon that I use to tail service log files. Initially it was a Postfix log scanner that looked for unknown address attempts, relay attempts, and honey pot email addresses that I embedded in my web pages. When any of these hits turned up in the mail log, the sender's IP was added to the iptables rules. My goal was to cut down on spam. It helped some, but not enough to call it a complete success. But it's very modular.

I started having some problems with brute force ftp attacks. Very annoying, kept filling up the log files (and my log partition) with chaff. So I wrote another module for my daemon to scan the ftp logs as well and firewall any IP that failed to log in after 10 tries (a 3 hour time out). This was very successful and now ftp crack attacks are a thing of the past.

I've never had ssh problems. My ssh port rules limited it to a few known IP addresses that I may need remote access from. But my Perl daemon could be easily expanded with another module to scan for ssh attacks. Provided you've got some Perl experience and time to hack (I'm hog tied for the next while).

Scott
--
Registered Linux user #395249, http://counter.li.org
Nothing goes to waste when Little Fish are near! (http://www.littlefish.ca)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
[CentOS] how do I stop X / gnome via SSH?
Hi all

I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
Re: [CentOS] how do I stop X / gnome via SSH?
Rudi Ahlers wrote:
> Hi all
> I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?

telinit 3
Re: [CentOS] how do I stop X / gnome via SSH?
Paul Bijnens wrote:
> Rudi Ahlers wrote:
> > Hi all
> > I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?
>
> telinit 3

And I forgot to mention that, to disable it the next time the server reboots, edit the file /etc/inittab and set the default runlevel to 3 instead of 5, by editing this line:

    id:3:initdefault:
Re: [CentOS] how do I stop X / gnome via SSH? [SOLVED]
Paul Bijnens wrote:
> Paul Bijnens wrote:
> > Rudi Ahlers wrote:
> > > Hi all
> > > I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?
> >
> > telinit 3
>
> And I forgot to mention that, to disable it the next time the server reboots, edit the file /etc/inittab and set the default runlevel to 3 instead of 5, by editing this line:
>
>     id:3:initdefault:

Cool, thanks :)

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
Re: [CentOS] how do I stop X / gnome via SSH?
> > I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?
>
> telinit 3

If you need the server to stay at runlevel 3 after a reboot, change

    id:5:initdefault:

to

    id:3:initdefault:

in /etc/inittab. Make sure the required services are enabled at this runlevel.
Re: [CentOS] how do I stop X / gnome via SSH?
On Wednesday 23 July 2008, Paul Bijnens wrote:
> Rudi Ahlers wrote:
> > Hi all
> > I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?
>
> telinit 3

This will cause the server to switch from runlevel 5 (which includes X) to runlevel 3 (which does not). _But_ a small warning here: runlevel 3 may very well differ in more ways than just lacking X. Depending on how your server is configured you may shut down some services you wanted to keep (you may also start new ones you didn't expect). To further investigate what your server does indeed run in runlevels 3 and 5, study the relevant columns from the command: chkconfig --list.

/Peter
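Peter's check (compare the runlevel 3 and 5 columns of `chkconfig --list` before typing `telinit 3` over ssh) can be automated. The following is an added example, not from the thread: it parses the CentOS 5 `chkconfig --list` format and lists the services that would stop and start on the switch. The SAMPLE table is constructed and is only used when chkconfig is not installed.

```python
"""Compare what runlevels 3 and 5 start before running telinit 3 (added example).

Not code from the thread.  It parses `chkconfig --list` output (CentOS 5
format) and lists the services that would stop and those that would start on
a switch between two runlevels.  chkconfig shows what is configured to start
in each runlevel, not what is running right now, so the result is the plan
init will follow.  SAMPLE is constructed output used when chkconfig is absent.
"""
import re
import subprocess

SAMPLE = """\
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:off   6:off
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd based services:
        telnet:         off
"""

SERVICE_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")


def parse_chkconfig(text):
    """Return {service: {runlevel: enabled}}; xinetd lines do not match and are skipped."""
    table = {}
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        table[m.group(1)] = {int(p[0]): p.endswith("on") for p in m.group(2).split()}
    return table


def runlevel_diff(table, src, dst):
    """(services that stop, services that start) when moving from src to dst."""
    stops = sorted(s for s, rl in table.items() if rl.get(src) and not rl.get(dst))
    starts = sorted(s for s, rl in table.items() if rl.get(dst) and not rl.get(src))
    return stops, starts


def from_system():
    """Parse the live chkconfig table; raises if chkconfig is not installed."""
    out = subprocess.run(["chkconfig", "--list"], capture_output=True,
                         text=True, check=True).stdout
    return parse_chkconfig(out)


if __name__ == "__main__":
    try:
        table = from_system()
    except (FileNotFoundError, subprocess.CalledProcessError):
        table = parse_chkconfig(SAMPLE)
    stops, starts = runlevel_diff(table, 5, 3)
    print("would stop: ", ", ".join(stops) or "-")
    print("would start:", ", ".join(starts) or "-")
```

The thing to look for in "would stop" is sshd itself or whatever keeps the session alive; if it is listed, fix the runlevel 3 column (`chkconfig --level 3 sshd on`) before switching, or the telinit will cut off the only access you have.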
Re: [CentOS] Ideas for stopping ssh brute force attacks
Ned Slider wrote:
[snip]
> I don't think anyone is suggesting running SSH on a non-standard port as a sole means of defence, but rather as part of a layered approach where it is very effective in what it is designed to do - namely to vastly reduce the number of random brute-forcing attempts and concomitant noise in log files, not to mention reducing the overall load on other mechanisms of defence such as firewall scripts etc.
>
> Moreover, rate limiting is not as effective as it used to be as there is now evidence that attackers are using distributed methods of attack utilizing multiple random IP addresses that circumnavigate defences that rely on attacks originating from a single IP address. Studies suggest attackers will try a handful of common account names/passwords and then move on as that's what yields the highest returns for them.
>
> We should also remember that public/private key authentication is only as secure as the host the private key is stored on when keys without passphrases are employed (all too common where users don't want to trade using a password for a passphrase). If a user account gets hacked then the keys to the kingdom are there for the taking and the hacker has instant access to any SSH servers which employ public/private key authentication (without passphrases).

Indeed. And with keyloggers or social engineering, passphrases get stolen too (and trojans can also connect from the same client if an agent is running). So don't trust users too much...

> A useful additional layer of defence, if you want it, is a daemon that will watch for port scans on the simple services ports and immediately insert a firewall rule to block that source - such as the old PortSentry, if you can find it, or some more modern equivalent. Of course, this won't do much to defend against some types of stealthy scans, such as idle time scans.

One problem here is that you may block innocent clients in the case of IP spoofing. Better have a daemon that establishes TCP sessions before blocking.
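Scott's Perl daemon (earlier in this thread: firewall an address after 10 failed logins within 3 hours) and the two points raised above (distributed attacks that spread a few attempts per address across many sources, and the risk of blocking spoofed addresses) can be shown in one small watcher. The following is an added example, not Scott's code and not from the thread: it reads sshd's "Failed password" log lines, applies the per-address threshold, and additionally blocks every source that has hit the same account once the number of distinct sources in the window crosses a limit. Because it acts on sshd's own log lines, only peers that completed a TCP handshake and an authentication attempt are ever counted, which addresses the spoofing concern. The log lines are constructed, the year 2008 is assumed (syslog timestamps carry none), and block actions are returned as iptables argv lists rather than executed.

```python
"""Block sources that brute-force sshd, from its log lines (added example).

Not code from the thread.  Per-address threshold as in Scott's daemon (10
failures in 3 hours), plus a distributed check: one account tried from many
addresses, which a per-address threshold never trips.  Whitelisted addresses
are never blocked.  Only sshd's own "Failed password" lines are read, so a
peer must have completed a TCP handshake and an auth attempt to be counted.
The sample log is constructed; blocks are returned, not executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2008  # syslog timestamps carry no year; assumption for the sample

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


class BruteForceWatcher:
    def __init__(self, threshold=10, window=timedelta(hours=3),
                 spread_threshold=5, whitelist=()):
        self.threshold = threshold                # failures per address
        self.window = window                      # sliding window
        self.spread_threshold = spread_threshold  # addresses per account
        self.whitelist = set(whitelist)
        self.failures = defaultdict(deque)        # ip -> recent failure times
        self.by_user = defaultdict(dict)          # user -> {ip: last failure}
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return [(iptables argv, reason), ...]."""
        m = SSHD_RE.match(line)
        if not m:
            return []
        ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip, user = m.group("ip"), m.group("user")
        if ip in self.whitelist or ip in self.blocked:
            return []
        actions = []
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:       # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            actions.append(self._block(ip, f"{len(recent)} failures in window"))
        # distributed pattern: same account, many sources, few tries each
        self.by_user[user][ip] = ts
        sources = [a for a, t in self.by_user[user].items() if ts - t <= self.window]
        if len(sources) >= self.spread_threshold:
            for a in sources:
                if a not in self.blocked:
                    actions.append(self._block(
                        a, f"account {user} tried from {len(sources)} addresses"))
        return actions

    def _block(self, ip, reason):
        self.blocked.add(ip)
        return (["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"], reason)


def _line(ts, user, ip, invalid=False):
    tag = "invalid user " if invalid else ""
    return f"{ts} bastion sshd[4242]: Failed password for {tag}{user} from {ip} port 51234 ssh2"


# constructed: one noisy address, one whitelisted admin mistyping a password,
# and five addresses making one attempt each against root
SAMPLE_LOG = (
    [_line(f"Jul 23 10:{i:02d}:00", "oracle", "203.0.113.7", invalid=True) for i in range(10)]
    + [_line(f"Jul 23 11:{i:02d}:00", "root", "192.0.2.10") for i in range(12)]
    + [_line(f"Jul 23 12:{i:02d}:00", "root", f"198.51.100.{i + 1}") for i in range(5)]
)

if __name__ == "__main__":
    watcher = BruteForceWatcher(whitelist={"192.0.2.10"})
    for entry in SAMPLE_LOG:
        for argv, reason in watcher.feed(entry):
            print(" ".join(argv), "#", reason)
```

To run it for real, feed it `tail -F /var/log/secure` and execute the returned argv as root; rules inserted this way vanish on a firewall restart, so keep the blocked set somewhere and re-apply it, and expire entries after a while so a NATed office that had one infected machine is not blocked forever.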
Re: [CentOS] how do I stop X / gnome via SSH?
Peter Kjellstrom wrote:
> On Wednesday 23 July 2008, Paul Bijnens wrote:
> > Rudi Ahlers wrote:
> > > Hi all
> > > I need to disable / stop X from running on a remote server, to which I only have SSH access, and I have never done this before. So, can someone please tell me how to do it?
> >
> > telinit 3
>
> This will cause the server to switch from runlevel 5 (which includes X) to runlevel 3 (which does not). _But_ a small warning here: runlevel 3 may very well differ in more ways than just lacking X. Depending on how your server is configured you may shut down some services you wanted to keep (you may also start new ones you didn't expect). To further investigate what your server does indeed run in runlevels 3 and 5, study the relevant columns from the command: chkconfig --list.
>
> /Peter

Thanks, I did notice it, but since this is a Xen server, with everything running on the domU VM, I need very little running on the main server as it is. So I have disabled a lot of unnecessary services as well.

--
Kind Regards
Rudi Ahlers
Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
[CentOS] 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8
Hi,

I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 2.6.18-8 on a server with a 3ware 9650SE raid controller. Does anybody know where I can find a driver diskette for the raid controller, as this is only supported from kernel 2.6.19?

Thanks for any help
Gert
[CentOS] Re: 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8
Hi Gert,

The 3Ware drivers for EL50/CentOS5 can be downloaded from: http://www.3ware.com/KB/article.aspx?id=15203

But I have read somewhere that the (in kernel 2.6.19 vanilla) 9650SE driver is backported to 2.6.18 EL in the 5.1 or 5.2 kernel series. If not, 3Ware also provides drivers for those kernels.

John

Gert Vandenreyt [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi,
> I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 2.6.18-8 on a server with a 3ware 9650SE raid controller. Does anybody know where I can find a driver diskette for the raid controller, as this is only supported from kernel 2.6.19?
> Thanks for any help
> Gert
Re: [CentOS] VNC server problem
Gopinath Achari wrote:
> hi,
> I just installed the vnc and vncserver packages. I started the server with the command vncserver :2. When I connected to the vncserver using vncviewer 192.168.1.101:5902 I was prompted for the password, then it displayed a window with a terminal. But when the GUI is enabled by uncommenting the two lines in the .vnc/xstartup file, it displays a blank window when connecting from the remote vncviewer. Is there anything else to be configured?

http://wiki.centos.org/HowTos/VNC-Server
Re: [CentOS] fail2ban needs shorewall?
On Wednesday 23 July 2008 13:45:31 Kai Schaetzl wrote:
> I want to try out fail2ban and notice that both kbs-CentOS-Testing and ATrpms have shorewall as a dependency. I do not use shorewall and have never used it. I have my own iptables/firewall script and am happy with it. Can I install shorewall without any ill effects to my current use of iptables or would I need to use shorewall for firewalling from that point on? (It may be a good product, but I really don't want to learn yet another rule syntax.)
>
> Kai

I installed fail2ban from rpmforge and it has no dependencies. I use it with the default CentOS firewall.

fail2ban-0.8.2-2.el5.rf.noarch.rpm

Tony
[CentOS] df command reports inaccurate results?
Can anyone help make sense of this? This is an ext3 partition. It's only showing 403GB out of 426GB used, but then it says only 632MB available? Where'd the extra ~25GB go?

    [EMAIL PROTECTED] df -H /disks/vrac5
    Filesystem   Size   Used  Avail Use% Mounted on
    /dev/sdb2    426GB  403GB 632MB 100% /disks/vrac5
Re: [CentOS] df command reports inaccurate results?
Sean Carolan wrote:
> Can anyone help make sense of this? This is an ext3 partition. It's only showing 403GB out of 426GB used, but then it says only 632MB available? Where'd the extra ~25GB go?

Those are the ~ 5% which are automatically reserved for root ... man tune2fs

Ralph
[CentOS] MOUSE problem in Centos 5.1
Hi All,

I installed CentOS 5.1 on an Intel P4 PC. It got installed successfully. Up to the login prompt the mouse cursor appears on the screen, then the cursor disappears. If we move the mouse, the cursor movement is felt when it is on an icon or when a right click is done, but the cursor is transparent. I don't know what the problem is. The mouse cursor is seen at the CUI prompt but not in the GUI. Please help me with what to do. The mouse is of Logitech make and is a ball mouse.

Regards,
Gopinath
Re: [CentOS] df command reports inaccurate results?
On Wed, 2008-07-23 at 15:09 +0200, Ralph Angenendt wrote:
> Sean Carolan wrote:
> > Can anyone help make sense of this? This is an ext3 partition. It's only showing 403GB out of 426GB used, but then it says only 632MB available? Where'd the extra ~25GB go?
>
> Those are the ~ 5% which are automatically reserved for root ... man tune2fs

Further, there is some overhead for i-nodes and what not. I don't recall if that is included in or excluded from the df calculations. A df -i will likely show a *very* large number of available i-nodes and a small percent used. I've many times made a file system and reduced the number of i-nodes substantially and gained a *lot* of space.

Due diligence is required: the profile of number of files, average file sizes, temporary files during the busiest parts of the day, ... must be taken into consideration to derive a safe usable number. Get it wrong and you'll need some aspirin for the headache.

Also, when making the file system, reducing the amount reserved for root is usually safe on today's larger drives, especially on a relatively stable system/user base/file/system usage.

> Ralph
> snip sig stuff

--
Bill
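Whether the reserved blocks are inside or outside df's figures can be settled from the numbers themselves: df's Used and Avail both exclude the root-reserved blocks, so Size is larger than Used + Avail by exactly that amount, and Use% is computed as Used / (Used + Avail), which is how a filesystem with 22 GB still free reports 100%. The following is an added example, not from the thread: it reads the two free-block counts `statvfs` exposes (all free blocks vs. blocks an unprivileged user may use) and applies the same arithmetic to the figures posted above. The path "/" is only a sample argument.

```python
"""Account for the space df does not show (added example, not from the thread).

df's Used and Avail both exclude the blocks reserved for root (ext2/3: 5% by
default, adjustable with tune2fs -m), so Size is larger than Used + Avail and
Use% is Used / (Used + Avail).  statvfs exposes the two free counts that make
this visible: f_bfree (all free blocks) and f_bavail (free blocks an
unprivileged user may use).
"""
import os


def df_breakdown(path):
    """Size, used, available and root-reserved bytes for the filesystem at path."""
    st = os.statvfs(path)
    bs = st.f_frsize
    size = st.f_blocks * bs
    used = (st.f_blocks - st.f_bfree) * bs
    avail = st.f_bavail * bs
    reserved = (st.f_bfree - st.f_bavail) * bs   # the gap df leaves unexplained
    use_pct = round(100 * used / (used + avail)) if used + avail else 0
    return {"size": size, "used": used, "avail": avail,
            "reserved": reserved, "use_pct": use_pct}


def reserved_from_df(size, used, avail):
    """Same arithmetic applied to figures copied from df output.

    Returns (reserved bytes, reserved as a percentage of Size); ext3 counts
    the tune2fs -m percentage against the total block count, so a result near
    5 matches the mke2fs default.
    """
    reserved = size - used - avail
    return reserved, 100.0 * reserved / size


if __name__ == "__main__":
    b = df_breakdown("/")
    for k, v in b.items():
        print(f"{k:9s} {v}")
    # the thread's numbers: 426 GB size, 403 GB used, 632 MB available
    r, pct = reserved_from_df(426e9, 403e9, 632e6)
    print(f"thread example: {r / 1e9:.1f} GB reserved ({pct:.1f}% of the filesystem)")
```

For the posted figures this gives about 22 GB, just over 5% of the filesystem, which is the mke2fs default; `tune2fs -l /dev/sdb2` prints the exact "Reserved block count" to confirm it. Inode overhead is a separate matter: it is taken off before f_blocks is reported, so it never appears in any df column at all.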
[CentOS] Re: Yum errors
On Thu, 03/07/2008 at 11:04 -0700, Scott Silva wrote:
> on 7-2-2008 8:01 AM Karanbir Singh spake the following:
> > Scott Silva wrote:
> > > I'm having a problem with a fairly new server. Running yum upgrade I get the following:
> > > Traceback (most recent call last):
> > > File /usr/bin/yum, line 29, in ?
> > > yummain.main(sys.argv[1:])
> > > File /usr/share/yum-cli/yummain.py, line 105, in main
> > > result, resultmsgs = base.doCommands()
[cut]

Hi!

I've resolved it by checking (manually) the latest version of yum and some related packages:

    yum-3.2.8-9.el5.centos.2.1.noarch.rpm
    yum-fastestmirror-1.1.10-9.el5.centos.noarch.rpm
    yum-refresh-updatesd-1.1.10-9.el5.centos.noarch.rpm
    yum-updatesd-0.9-2.el5.noarch.rpm

which I manually updated with a yum localinstall ./yum-* command after having *disabled* any other 3rd-party repository present in my sources list. Everything went OK after having done this.

Good luck (if you still haven't found a solution on this topic!)
Re: [CentOS] fail2ban needs shorewall?
Tony Molloy wrote on Wed, 23 Jul 2008 13:53:49 +0100:
> I installed fail2ban from rpmforge and it has no dependencies.

Ah, thanks, I thought I had installed an rpm earlier that didn't have dependencies, but I couldn't find the machine I did it on. I disabled the kbs repo and I'm now getting it. yum wanted to install the older i386 rpm first, though. Does the i386 override noarch, although the version is newer?

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [CentOS] df command reports inaccurate results?
> > Also, when making the file system, reducing the amount reserved for root is usually safe on today's larger drives, especially on a relatively stable system/user base/file/system usage.
>
> I gather this can't be done after creation?
>
> Kai

Remember: You can tune a file system, but you can't tune a fish.

    % man tune2fs

The -m option.

/jens
--
Jens Larsson, NSC, Linköpings universitet, SE-58183 LINKÖPING, SWEDEN
Phone: +46-13-281432, Mobile: +46-709-521432, E-mail: [EMAIL PROTECTED]
GPG/PGP Key: 1024D/C21BB2C7 2001-02-27 Jens Larsson [EMAIL PROTECTED]
Key Fingerprint: BAEF 85CF BF1D 7A69 C965 2EE6 C541 D57F C21B B2C7
Re: [CentOS] df command reports inaccurate results?
On Wed, 2008-07-23 at 16:38 +0200, Jens Larsson wrote:
> > > Also, when making the file system, reducing the amount reserved for root is usually safe on today's larger drives, especially on a relatively stable system/user base/file/system usage.
> >
> > I gather this can't be done after creation?
> >
> > Kai
>
> Remember: You can tune a file system, but you can't tune a fish.

Hootie and the Blowfish? They can be tuned! ;-)

>     % man tune2fs
>
> The -m option.

or the -r option.

> /jens
> --
> snip sig stuff

--
Bill
Re: [CentOS] fail2ban needs shorewall?
Tony Molloy wrote on Wed, 23 Jul 2008 14:53:05 +0100:
> you can specify noarch on the install line.

That's what I did, I was just curious.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [CentOS] How to get additional packages? How secure is Yum?
nate wrote:
> > Security is pretty important for me too.
>
> For this, and other reasons I never point yum to 3rd party repositories. I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable). And usually Ubuntu on laptops (for more current hardware support).

Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago? Especially when it comes to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want Firefox and *not* Iceweasel.

> If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly or maintain them yourself.

I've been searching for a distribution for several *months* now and so far I couldn't find something that fits my needs... CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMware server). It worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

> And of course security/stability rarely means having the latest version.

Of course.

Am I on the right list? Not very many answers, so far...

CU

Manuel

--
() ascii ribbon campaign - against html mail
/\ - gegen HTML-Mail
answers as html mail will be deleted automatically!
Re: [CentOS] Bind Firewall Rules
John Hinton wrote:
> Do I just ask really hard questions or are my questions just not clear? There have to be others on this list that are running nameservers via CentOS. This seems to be a nasty issue that we who are running bind need to get right. And the fix is really stupid for those running name servers behind firewalls.

I can't say I'm an expert on this particular issue but from what I've read it seems like the attack depends on being able to send queries to the name server in question in order to predict the IDs that the system is generating.

The way my DNS is set up at home is that I have 2 external name servers that do not allow recursion for domains that they are not responsible for, other than for a couple of trusted IPs (all of which are local). My main caching name server is internal to my network and cannot be directly queried from the internet. As such I think my exposure is pretty low. All of my name servers are set up to force their source port to be 53; I really really don't like the idea of opening up tens of thousands of ports back to my name servers.

So I suspect your caching name servers are only vulnerable if they can be sent queries from the attacker. If your internal network is trusted then I think you're fairly safe as long as you don't allow access to the caching name servers externally. And of course run dedicated name servers for authoritative hosting.

I plan to have a similar setup at my company: the external authoritative servers are not behind a firewall (F5 Global traffic managers), the internal ones are not accessible outside the network. DNS cache poisoning is the least of my worries if an attacker has access to the internal network.

nate
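The cache-poisoning attack under discussion is a race: while a resolver waits for an answer, the attacker floods it with spoofed replies, each a guess at the 16-bit transaction ID and at the UDP source port the resolver used for that query. A resolver that pins its source port (as nate's do, on 53) leaves only the transaction ID to guess; one that picks a random port per query multiplies the space by the number of ports in use. The following is an added example, not from the thread: it computes the expected number of query rounds an attacker needs in each case, with a small Monte Carlo check. The assumed figures are a 16-bit ID, 64512 usable ephemeral ports (1024-65535) and 1000 spoofed replies landed per round; "round" means one query the attacker can provoke, which the 2008 (Kaminsky) variant makes cheap by asking for random names under the target zone.

```python
"""Work factor of blind DNS cache poisoning versus source-port entropy.

Added example, not from the thread.  The attacker races the real answer with
spoofed replies, each a guess at the 16-bit transaction ID plus the UDP
source port the resolver used.  A "round" is one query the attacker can
provoke; with the 2008 (Kaminsky) variant rounds are cheap, so the expected
number of rounds is the useful measure.  A resolver that pins its source
port leaves only the transaction ID to guess.
"""
import random

TXID_SPACE = 1 << 16                # 16-bit transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumption: ports 1024-65535 in use


def guess_space(random_port):
    """Number of (txid, port) combinations the attacker has to cover."""
    return TXID_SPACE * (EPHEMERAL_PORTS if random_port else 1)


def expected_rounds(space, spoofs_per_round):
    """Closed form: k distinct guesses per round hit with probability k/space."""
    return space / min(spoofs_per_round, space)


def simulate_rounds(space, spoofs_per_round, seed=0, max_rounds=10 ** 6):
    """Monte Carlo check of expected_rounds: the round in which the cache was
    poisoned, or None if max_rounds passed without a hit."""
    rng = random.Random(seed)
    k = min(spoofs_per_round, space)
    for rnd in range(1, max_rounds + 1):
        secret = rng.randrange(space)               # resolver's (txid, port)
        guesses = rng.sample(range(space), k)       # attacker's burst, distinct
        if secret in set(guesses):
            return rnd
    return None


if __name__ == "__main__":
    burst = 1000  # assumption: spoofed replies the attacker lands per round
    for label, rp in (("fixed port 53", False), ("random port", True)):
        s = guess_space(rp)
        print(f"{label:14s} space={s:>11d} expected rounds={expected_rounds(s, burst):,.0f}")
    print("simulated rounds, fixed port:", simulate_rounds(guess_space(False), burst, seed=42))
```

With these numbers the fixed-port resolver is expected to fall in about 66 rounds and the random-port one in about 4.2 million, which is the whole point of the source-port randomisation patches released for BIND in July 2008. The simulation is only run for the small space; the large one would take millions of rounds. To see which case a live resolver is in, capture its outbound queries (`tcpdump -n udp dst port 53` on the resolver) and check whether the source port changes from query to query. Restricting who may send recursive queries, as nate does, reduces who can start the race but does not change its odds once someone can.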
Re: [CentOS] How to get additional packages? How secure is Yum?
Manuel Reimer wrote:
> Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?

Yeah, fortunately I wasn't really affected; my systems weren't upgraded to the affected packages (I didn't upgrade to the latest stable until fairly recently). Shit happens, nobody is perfect. But the fact remains that it's still supported by someone. I don't advocate Debian for everyone, I was just giving an example of a distribution that has long release cycles similar to RHEL and a much wider selection of packages that are actively supported by the base vendor.

> Especially when it comes to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want Firefox and *not* Iceweasel.

Then don't use Iceweasel; download Firefox and install it yourself. It's not hard. I don't really care either way but I do like the fact that they back port security fixes. I did that for years myself, back in the early Firefox and Phoenix days. I haven't been on a Debian mailing list in 5-6 years so haven't seen the political stuff, but still I didn't really care back then either.

> I've been searching for a distribution for several *months* now and so far I couldn't find something that fits my needs...

Maybe time to roll your own :)

> CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMware server). It worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

I agree, that's one of my main complaints about RHEL, the lack of packages. I checked and I have about 55 source rpms that I custom build to install on my systems (installed via cfengine), for RHEL4/5, both 32-bit and 64-bit.

Back when I had to support a Ruby on Rails environment I had to build another 30 packages for the same 4 different platforms (for a while it was 6 different platforms) from source tarballs (made into RPMs using alien). Then there are custom drivers for the various kernels, e.g. for VMware I build their drivers package from source for each kernel so I can push out a binary RPM along with the kernel RPM to provide correct drivers automatically, no need to re-run the configure script, and I don't like to use their prebuilt binaries (no real reason, just prefer not to). Same goes for fiber channel card drivers, and for a while I had to build/package custom network (broadcom) and 3ware raid drivers since they weren't supported in the main kernels at the time (inserting these drivers into the installation process was a pain..).

> Am I on the right list? Not very many answers, so far...

Probably because there aren't any good answers. There are too many different preferences out there. For me rolling my own is fine for my CentOS/RHEL systems. For others, blindly using the main 3rd party repos is fine for them. Maybe for you, lobby the distribution you prefer most (RHEL? since you're on a CentOS list) to include the packages that you want (so they can then come down to CentOS). Or perhaps take another approach: don't pick the applications you want to use and then try to find someone to support them. Pick a base platform to use and build your system around the applications they support.

nate
Re: [CentOS] df command reports inaccurate results?
Kai Schaetzl wrote:
> William L. Maltby wrote on Wed, 23 Jul 2008 09:26:21 -0400:
> > Also, when making the file system, reducing the amount reserved for root is usually safe on today's larger drives, especially on a relatively stable system/user base/file/system usage.
>
> I gather this can't be done after creation?

That's why I said man tune2fs :) Yes, it can.

Cheers, Ralph
Re: [CentOS] NFS V4?
On Tue, July 22, 2008 18:39, MJT wrote:
> Ok, I don't have the original post in my email so I am replying via a reply cutting and pasting from the archives list web page.

Thank you!

> > Looks like just starting the nfs service turns on V2, 3, and 4 (based on reading the script, reading the man pages, and looking at the ports using netstat -l).
>
> That behavior is set in the /etc/sysconfig/nfs file

Which is empty by default in Centos 4.6. In fact nonexistent.

> > I don't believe this is a firewall issue, internal IPs are fully open to each other according to an early rule in iptables.
>
> It may not be a firewall issue, but NFS does use a different port. port 2049

Yes, I know that (in fact, it conflicted with a local use, too, so I'm running it on 22049 currently; that worked by setting RPCNFSDARGS in /etc/sysconfig/nfs to include -p 22049).

> You got yourself a configuration issue! So, this is what I did:

Gosh, really? :-)

> On the server, in /etc/sysconfig/nfs be sure you set:
>
>     SECURE_NFS=no
>
> until you are ready to take on kerberos authentication. While you are there you can change which versions of NFS get mounted. I haven't had to change anything else in that file.

I don't believe SECURE_NFS does anything; at least, it's not mentioned in /etc/init.d/nfs anywhere, and it's not in the nfsd man page.

> Next, on both the server and client, go into the /etc/idmap.conf and be sure to set your Domain = to your domain name. and also set:
>
>     Nobody-User = nobody
>     Nobody-Group = nobody

Those are already set in the Centos 4.6 idmapd.conf file. Domain is set to localdomain, though. Does it work if everybody agrees, or does it have to be right in some broader sense? I don't know what it uses this for. It's complicated here by the fact that internally our DNS likes to use example.local instead of example.com (I'm obfuscating the name of my employer). So I guess domain should probably be example.local, since host.example.local is what you look up to get the right internal IP for all our hosts?

> Now for the /etc/exports file. Let's say you keep everything in a /export directory. In there you have a home/ and a data directory... Well, the export file should look something like:
>
>     /export      192.168.0.*(rw,fsid=0,no_subtree_check,insecure,sync)
>     /export/home 192.168.0.*(rw,no_subtree_check,insecure,sync)
>     /export/data 192.168.0.*(ro,no_subtree_check,insecure,sync)
>
> Notice that the flags are different. Note the fsid=0 flag? Well that defines the /export as the root NFS directory so you do not need to include /export in the fstab or the mount string when mounting. There can be more than one fsid flag as long as the numbers are unique but only fsid=0 sets the root directory. Other numbers allow different kerberos setups, or so I understand.

I'd read about fsid=0, but hadn't gotten the fact that it hides that level from what I read. Thanks!

I'm getting the impression that /etc/exports is used by NFS V4 and earlier versions, and in conflicting ways. Is that true? Or are there at least semi-clever ways to make one that works for everything?

> Remember to restart NFS on the server!

This is one place where command history has been very handy for me.

> Now to finish with the client, be sure you did the /etc/idmap.conf on the client or you will get all sorts of strange results! Edit the fstab file. If you want to mount just /export on the server to /mnt/nfs on the client the fstab entry would look like:
>
>     server.dom:/  /mnt/nfs  nfs4  rw,soft,intr,proto=tcp,port=2049  0 0

Never would have occurred to me to specify the default port there! But since I'm using a non-default port, I have the port= parameter in place.

> Notice there is NO /export . That is because of the fsid=0 flag. If you included the /export it would deny the mount. To mount the two directories:
>
>     server.dom:/home  /home      nfs4  rw,soft,intr,proto=tcp,port=2049  0 0
>     server.dom:/data  /mnt/data  nfs4  rw,soft,intr,proto=tcp,port=2049  0 0
>
> again no /export

Well, I definitely understand a couple of things better than when we started. Thank you very much!

It is not, however, working. Is that likely to be the domain= setting, given what I said above? I'll try constructing a standard /export and set things up more exactly that way and see if anything changes. But the errors I'm getting tend to be like:

    [EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o rw,hard,intr,proto=tcp,port=22049
    mount: mount to NFS server 'host01' failed: System Error: Connection refused.

Hmm; I'm currently exporting

    /home host00(rw,no_subtree_check,sync,fsid=0)

and /home/ddb is under that. Do I have to separately export /home/ddb, given that it's really there and not a link? (My main application is exporting users' home directories to be shared among all the linux boxes, so setting up an extra hierarchy /export didn't seem to gain me anything.)

-- David Dyer-Bennet, [EMAIL PROTECTED];
Re: [CentOS] Bind Firewall Rules
nate wrote:
> John Hinton wrote:
> > Do I just ask really hard questions or are my questions just not clear? There has to be others on this list that are running nameservers via CentOS. This seems to be a nasty issue that we who are running bind need to get right.
> >
> > And the fix is really stupid for those running name servers behind firewalls.
>
> I can't say I'm an expert on this particular issue but from what I've read it seems like the attack depends on being able to send queries to the name server in question in order to predict the IDs that the system is generating.
>
> The way my DNS is set up at home is that I have 2 external name servers that do not allow recursion for domains that they are not responsible for other than for a couple trusted IPs (all of which are local). My main caching name server is internal to my network and cannot be directly queried from the internet. As such I think my exposure is pretty low. All of my name servers are set up to force their source port to be 53, I really really don't like the idea of opening up tens of thousands of ports back to my name servers.
>
> So I suspect your caching name servers are only vulnerable if they can be sent queries from the attacker. If your internal network is trusted then I think you're fairly safe as long as you don't allow access to the caching name servers externally. And of course run dedicated name servers for authoritative hosting.
>
> I plan to have a similar setup at my company, the external authoritative servers are not behind a firewall (F5 Global traffic managers), the internal ones are not accessible outside the network. DNS cache poisoning is the least of my worries if an attacker has access to the internal network.
>
> nate

I'm running caching nameservers on almost all of my systems and then also three nameservers. All are available publicly. I too had hard coded bind to port 53. I also had specifically opened port 53 through the firewall. But now, it appears that using only port 53 is a bad thing. From what I read, both the port and the ID need to change to be secure (even this is just security through obscurity). It's sounding like I'll need to open a port range, but I don't know what a 'good practice' will be.

I read through the redhat notes, googled and read all over the place. All I seem to find is to remove the named.conf line that forces bind through port 53 and then statements like 'your firewall will need to be adjusted accordingly', with no good suggestions for how to do this.

So, I'm faced with turning off the firewall to show good external testing on bind, sort of like unlocking every window and door to a house in order to try to keep someone from trying to open just one.

John Hinton
[Fwd: Re: [CentOS] fail2ban needs shorewall?]
I've used denyhosts. If you do have an issue with fail2ban, it does pretty much the same thing.

Andy

- Original Message
Subject: Re: [CentOS] fail2ban needs shorewall?
Date: Wed, 23 Jul 2008 17:08:07 +0200
From: Kai Schaetzl [EMAIL PROTECTED]
Reply-To: CentOS mailing list centos@centos.org
To: centos@centos.org

Tony Molloy wrote on Wed, 23 Jul 2008 14:53:05 +0100:
> you can specify noarch on the install line.

that's what I did, I was just curious.

Kai

-- Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
RE: [CentOS] Bind Firewall Rules
Correct me if I'm wrong but from my understanding doesn't the new BIND randomize outgoing source ports only? - If so then if you have your firewall to allow established connections you should be all set.

P.A

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Hinton
> Sent: Wednesday, July 23, 2008 12:41 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Bind Firewall Rules
>
> nate wrote:
> > [...]
>
> I'm running caching nameservers on almost all of my systems and then also three nameservers. All are available publicly. I too had hard coded bind to port 53. I also had specifically opened port 53 through the firewall. But now, it appears that using only port 53 is a bad thing. From what I read, both the port and the ID need to change to be secure (even this is just security through obscurity). It's sounding like I'll need to open a port range, but I don't know what a 'good practice' will be.
>
> I read through the redhat notes, googled and read all over the place. All I seem to find is to remove the named.conf line that forces bind through port 53 and then statements like 'your firewall will need to be adjusted accordingly', with no good suggestions for how to do this.
>
> So, I'm faced with turning off the firewall to show good external testing on bind, sort of like unlocking every window and door to a house in order to try to keep someone from trying to open just one.
>
> John Hinton
RE: [CentOS] Bind Firewall Rules
Paul A wrote:
> Correct me if I'm wrong but from my understanding doesn't the new BIND randomize outgoing source ports only? - If so then if you have your firewall to allow established connections you should be all set.

That's a good point, just tested it out on my firewall, removed the port 53 option from named.conf and restarted bind and can still query it internally and externally for its authoritative domains. Perhaps my firewall is just less strict than it used to be (migrated from freebsd to openbsd about a year ago). I don't recall what the ruleset used to look like. I do recall having to enable that option years ago else I couldn't query through the firewall.

Still I think caching name servers should be more protected whenever possible, as this fix isn't really a fix, it just makes it a bit harder to determine what the id is.

nate
Re: [CentOS] Bind Firewall Rules
Paul A wrote:
> Correct me if I'm wrong but from my understanding doesn't the new BIND randomize outgoing source ports only? - If so then if you have your firewall to allow established connections you should be all set.

Maybe I'm just missing something... I have

    -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm not very good with firewall rules, but I assume these are the three that are important?

I also read within the named.conf file, lines such as

    query-source address * port 53;

need to be removed. Yet when I remove that line, bind will not restart. This is the only place in my named.conf file where port 53 is referenced.

Testing from the outside world shows that only port 53 is being used on their returns and I'm getting injection potential warnings. This is from dnsstuff.com. What they say is that both the query source port and the ID need to change. Obviously, I have the query source port set to 53. Somehow, I need to get past this port issue.

John Hinton

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Hinton
> Sent: Wednesday, July 23, 2008 12:41 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Bind Firewall Rules
>
> [...]
Re: [CentOS] Bind Firewall Rules
On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
> I'm running caching nameservers on almost all of my systems and then also three nameservers. All are available publicly. I too had hard coded bind to port 53. I also had specifically opened port 53 through the firewall. But now, it appears that using only port 53 is a bad thing. From what I read, both the port and the ID need to change to be secure (even this is just security through obscurity). It's sounding like I'll need to open a port range, but I don't know what a 'good practice' will be.

Port 53 is the dns port used by the world (and your internal private networks) to query your name server. If your name server is intended to provide domain resolution publicly just how do you expect the public to find it if you're randomly changing ports? The world won't port scan your machine until it finds a name server answering on one of them. Dns requests, internal or external, will come into your box on port 53 and there would be no point to running a name server (private, public, caching or otherwise) if this port is not open through the firewall.

You've misunderstood the issues of dns security. It would be dangerous to start messing with your firewall rules until you understand exactly how the process works.
Re: [CentOS] Bind Firewall Rules
John,

> Maybe I'm just missing something... I have
>
>     -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
>     -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I'm not very good with firewall rules, but I assume these are the three that are important?

I find shorewall is a fantastic front-end to iptables. Options such as shorewall safe-restart - (which prevents the new rules being permanently applied by asking you for confirmation after they've been applied. If you don't respond then it reverts back to the old ruleset). It's saved me a lot of hassle :)

Regards,
Andy
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
> On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
> > By changing the ports on all our servers to a high (above 1024) port, we have eliminated SSH scans altogether - been running like that for a few years now without any problems.
>
> On the other hand, why are people so worried about SSH scans? I'm worried about who actually gets in, not who connects to the port. Strong password quality enforcement, or maybe requiring public-key authentication, seem like a more useful response.

For me it is signal to noise ratio. The longer the password file (valid users) the longer the list of connections and corresponding events (good and bad) that needs to be watched. Switching to another port with a large user community requires that the entire community be informed, configured and supported.

I like 'denyhosts' as a tool to limit these attacks, other good solutions also exist. Most distros now have 'denyhosts' as a prebuilt RPM which is a plus IMO (+).

As others remarked disable root logins. Manage the 'su, sudo' list with care and populate the illegal user list aggressively based on the attack list observed in the logs. Users with su, sudo privilege should be limited to those that use sshkey login and understand what a strong password is.

Later, mitch

(+) a prebuilt RPM does present the issue that any flaw in the prebuilt can be widely exploited. As such updates should be watched for, tested and deployed promptly.

-- T o m M i t c h e l l Looking for a place to hang my hat :-(
Re: [CentOS] How to get additional packages? How secure is Yum?
On Wed, Jul 23, 2008 at 8:11 AM, Manuel Reimer [EMAIL PROTECTED] wrote:
> I'm searching for a distribution for several *months* now and so far I couldn't find something that fits my needs... CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMWare server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

Not sure why you *need* NTFS support to use/run VMWare Server...?

For NTFS support, I routinely download the latest CentOS release kernel sources and build it in, but you can also just build the module and use dkms to keep it up to date.

As for the availability of packages, well, some things come with a distribution and others don't. E.g., I like to use Seamonkey (instead of Firefox or other options), but I don't think it comes with any distribution, so I get it and install it separately. You just have to decide which is more important - the distro you like best, or the explosion of packages you want.

mhr
RE: [CentOS] Bind Firewall Rules
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Mazur
> Sent: Wednesday, July 23, 2008 12:19 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Bind Firewall Rules
>
> On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
> > [...]
>
> Port 53 is the dns port used by the world (and your internal private networks) to query your name server. If your name server is intended to provide domain resolution publicly just how do you expect the public to find it if you're randomly changing ports? The world won't port scan your machine until it finds a name server answering on one of them. Dns requests, internal or external, will come into your box on port 53 and there would be no point to running a name server (private, public, caching or otherwise) if this port is not open through the firewall.
>
> You've misunderstood the issues of dns security. It would be dangerous to start messing with your firewall rules until you understand exactly how the process works.

I've understood bind to work this way also. I haven't read up on this vulnerability but can't you just restrict who queries the server?

http://oreilly.com/catalog/dns4/chapter/ch11.html#10959

Maybe dnsstuff is saying your server is vulnerable because of something else. I haven't used them since they started charging but mine always passed. Do you have an allow-recursion line? Have you changed version to something like this?

    version "[SECURED]";

I only have my master and slave servers exposed to the outside. My caching and internal DNS is done behind my firewall. I would agree that taking down your firewall is way more dangerous. My firewall rules are based on the howto but try this.

    $IPTABLES -N allowed
    $IPTABLES -N tcp_packets
    $IPTABLES -N udp_packets
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
    $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT
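The two things John and Paul are circling around, a named.conf that pins the query source port and whether the iptables rules let answers back in once the source port is random, can be checked from the files themselves. The following is an added example, not code from the thread or from BIND; it uses John's posted named.conf line and rules and Paul's fragment as constructed sample input, and audit() only reports what those rules say, not whatever else may be loaded on the host:

```python
import re

# Constructed samples: John's posted named.conf line and firewall rules, and the
# same named.conf without a fixed query source port. Not taken from any real host.
NAMED_CONF_PINNED = """\
options {
    directory "/var/named";
    query-source address * port 53;
};
"""
NAMED_CONF_FIXED = NAMED_CONF_PINNED.replace("port 53;", "port *;")

RH_FIREWALL_RULES = """\
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""
# Paul's fragment as posted: its stateful accept is restricted to TCP.
TCP_ONLY_RULES = """\
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT
"""


def pinned_query_source_ports(named_conf):
    """Each query-source / query-source-v6 statement that pins a fixed port, as (statement, port)."""
    pinned = []
    for stmt in re.findall(r"query-source(?:-v6)?[^;]*;", named_conf):
        m = re.search(r"\bport\s+(\d+)", stmt)   # 'port *' (random) does not match
        if m:
            pinned.append((stmt.strip(), int(m.group(1))))
    return pinned


def stateful_accept_protocols(iptables_rules):
    """Protocols covered by an ACCEPT rule matching ESTABLISHED state; 'any' when the rule has no -p."""
    protos = set()
    for line in iptables_rules.splitlines():
        m = re.search(r"--state\s+([A-Za-z,]+)", line)
        if not m or "ESTABLISHED" not in m.group(1).upper().split(",") or "-j ACCEPT" not in line:
            continue
        p = re.search(r"(?:^|\s)-p\s+(\w+)", line)
        protos.add(p.group(1).lower() if p else "any")
    return protos


def audit(named_conf, iptables_rules):
    """Findings for a resolver that is meant to use randomized source ports behind iptables."""
    findings = [f"named.conf pins the query source port to {port} ({stmt}); "
                "with a fixed port only the query ID varies between queries"
                for stmt, port in pinned_query_source_ports(named_conf)]
    protos = stateful_accept_protocols(iptables_rules)
    if "any" not in protos:
        for proto in ("udp", "tcp"):
            if proto not in protos:
                findings.append(f"no ESTABLISHED/RELATED accept covers {proto}: answers to "
                                "queries sent from a random source port would not get back in")
    return findings


if __name__ == "__main__":
    for name, conf, rules in (("John, as posted", NAMED_CONF_PINNED, RH_FIREWALL_RULES),
                              ("John, port line fixed", NAMED_CONF_FIXED, RH_FIREWALL_RULES),
                              ("pinned port, TCP-only stateful accept", NAMED_CONF_PINNED, TCP_ONLY_RULES)):
        print(name, "->", audit(conf, rules) or ["ok"])
```

On John's rules the third line (ESTABLISHED,RELATED with no -p) is what lets UDP and TCP answers back in once the source port is no longer 53, which is the point Paul makes and nate confirms.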
Re: [CentOS] Ideas for stopping ssh brute force attacks
On Wed, July 23, 2008 12:25, Nifty Cluster Mitch wrote:
> I like 'denyhosts' as a tool to limit these attacks, other good solutions also exist. Most distros now have 'denyhosts' as a prebuilt RPM which is a plus IMO (+).
>
> As others remarked disable root logins. Manage the 'su, sudo' list with care and populate the illegal user list aggressively based on the attack list observed in the logs. Users with su, sudo privilege should be limited to those that use sshkey login and understand what a strong password is.

Denyhosts has some interesting intelligence; I'm particularly pleased by the bit where it notifies me of dodgy logins (success after some failures). I also wonder what's being done to limit the denial-of-service possibilities of the synchronization mode. (*I* have added lines to /etc/hosts.allow to let key people in via SSH from their home and personal servers even if those addresses end up in hosts.deny.)

(And there's a denyhost rpm in, hmm, I think 'rf' is the rpmforge repository for Centos.)

I've been playing for years at a set of services to create firewall blocking commands based on attacks; delivery of email to spamtrap addresses, probes to closed ports, failed logins, etc. Studying the data, it looks like multiple copies of spam delivered to my host often come from different IPs, though (makes sense with botnets); that sort of information has led me to be less aggressive about getting a system actually running. The SSH attacks I've seen currently *do* seem to come in series from the same IP, so blocking that has at least some benefit (mostly cleaning up my logs I suspect).

-- David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
[CentOS] prevent runaway PID taking down server (RAM/swap)
Is there a way I can prevent processes from taking up all the ram then swap until the box crashes/freezes? I'm using IEs4Linux and the wineserver seems to start taking up RAM until my box dies, it happens slowly. I am able to kill the sucker now, but I'd like to not have to worry about that.

    sar -r
    01:00:01 PM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
    01:10:01 PM      5812    949580     99.39      5560     67688    189912   1841696     90.65     33300
    01:20:01 PM      4736    950656     99.50      4832    119364         0   2031608    100.00     46104
    01:30:02 PM      8788    946604     99.08      1004     32360         4   2031604    100.00     10672
    01:52:50 PM       LINUX RESTART
Re: [CentOS] NFS V4?
> Well, I definitely understand a couple of things better than when we started. Thank you very much!
>
> It is not, however, working. Is that likely to be the domain= setting, given what I said above?

The domain in NFSv4-speak has nothing to do with DNS. It _can_ be your DNS-domainname but it can be anything as long as client and server agree. If they disagree you can still mount, but all files will be owned by Nobody-User and Nobody-Group if I remember correctly.

> I'll try constructing a standard /export and set things up more exactly that way and see if anything changes. But the errors I'm getting tend to be like:
>
>     [EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o rw,hard,intr,proto=tcp,port=22049
>     mount: mount to NFS server 'host01' failed: System Error: Connection refused.

Shield up, Scotty! Looks like a firewall issue to me. Do you allow incoming traffic to port 22049/TCP? Can you mount over NFSv3?

/jens

-- Jens Larsson, NSC, Linköpings universitet, SE-58183 LINKÖPING, SWEDEN
Phone: +46-13-281432, Mobile: +46-709-521432, E-mail: [EMAIL PROTECTED]
GPG/PGP Key: 1024D/C21BB2C7 2001-02-27 Jens Larsson [EMAIL PROTECTED]
Key Fingerprint: BAEF 85CF BF1D 7A69 C965 2EE6 C541 D57F C21B B2C7
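The three rules the NFS thread turns on (one fsid=0 export is the pseudo-root, the mount string must not repeat it, and idmapd's Domain only has to agree on both ends) can be checked against an exports file before anyone touches the firewall. The following is an added example, not part of the thread or of nfs-utils; the exports file is constructed from MJT's layout, and check_mount() assumes a path is reachable when its server-side location lies under an export whose client list matches:

```python
import re
from fnmatch import fnmatch

# Constructed sample input modelled on the layout in the thread: a /export
# pseudo-root with home/ and data/ underneath, exported to one subnet.
EXPORTS = """\
/export      192.168.0.*(rw,fsid=0,no_subtree_check,insecure,sync)
/export/home 192.168.0.*(rw,no_subtree_check,insecure,sync)
/export/data 192.168.0.*(ro,no_subtree_check,insecure,sync)
"""


def parse_exports(text):
    """Parse /etc/exports into (path, client_spec, {options}) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)\(([^)]*)\)", spec)
            host, opts = (m.group(1), m.group(2)) if m else (spec, "")
            entries.append((path, host or "*", {o for o in opts.split(",") if o}))
    return entries


def fsid_problems(entries):
    """fsid numbers must be unique per exported path; two fsid=0 paths means two pseudo-roots."""
    by_fsid = {}
    for path, _, opts in entries:
        for opt in opts:
            if opt.startswith("fsid="):
                by_fsid.setdefault(opt, set()).add(path)
    return [f"{fsid} is set on several exports: {sorted(paths)}"
            for fsid, paths in sorted(by_fsid.items()) if len(paths) > 1]


def pseudo_root(entries):
    """The export carrying fsid=0, which NFSv4 clients see as '/'. None if missing or ambiguous."""
    roots = {path for path, _, opts in entries if "fsid=0" in opts}
    return roots.pop() if len(roots) == 1 else None


def server_path(root, client_path):
    """Translate the path in the client's mount string into the directory the server resolves."""
    joined = root.rstrip("/") + "/" + client_path.strip("/")
    return joined.rstrip("/") or "/"


def check_mount(entries, client, client_path, server_domain, client_domain):
    """Check one NFSv4 mount of client_path by client against the exports and idmapd Domain values."""
    issues = fsid_problems(entries)
    root = pseudo_root(entries)
    if root is None:
        issues.append("no single fsid=0 export, so NFSv4 clients have no pseudo-root to mount")
        return issues
    # The fsid=0 directory is hidden; a client path that repeats it lands one level too deep.
    r, cp = root.rstrip("/"), client_path.rstrip("/")
    if r and (cp == r or cp.startswith(r + "/")):
        issues.append(f"{client_path} repeats the pseudo-root {root}; the server would look for "
                      f"{server_path(root, client_path)}, so drop the {root} prefix")
    target = server_path(root, client_path)
    covering = [(p, h) for p, h, _ in entries
                if target == p or target.startswith(p.rstrip("/") + "/")]
    if not covering:
        issues.append(f"{target} is not under any exported directory")
    elif not any(fnmatch(client, h) for _, h in covering):
        issues.append(f"{client} is not in the client list of any export covering {target}")
    # Domain only has to agree on both ends; a mismatch maps every owner to the Nobody-* ids.
    if server_domain != client_domain:
        issues.append(f"idmapd Domain differs (server {server_domain!r}, client {client_domain!r}); "
                      "files will show up owned by Nobody-User/Nobody-Group")
    return issues


if __name__ == "__main__":
    entries = parse_exports(EXPORTS)
    for path in ("/", "/home", "/export/home"):
        print(path, "->", check_mount(entries, "192.168.0.10", path, "example.local", "example.local") or "ok")
```

Run against David's single-line export (`/home host00(rw,no_subtree_check,sync,fsid=0)`, client host00 mounting `/ddb`) it finds nothing to complain about, which agrees with Jens's reading that the refused connection is a firewall problem rather than an exports one.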
Re: [CentOS] prevent runaway PID taking down server (RAM/swap)
On Wed, Jul 23, 2008 at 02:36:11PM -0400, Ed Donahue wrote:
Sender: [EMAIL PROTECTED]
Is there a way I can prevent processes from taking up all the RAM, then swap, until the box crashes/freezes? I'm using IEs4Linux and the wineserver seems to start taking up RAM until my box dies; it happens slowly. I am able to kill the sucker now, but I'd like to not have to worry about that.

sar -r

01:00:01 PM  kbmemfree  kbmemused  %memused  kbbuffers  kbcached  kbswpfree  kbswpused  %swpused  kbswpcad
01:10:01 PM       5812     949580     99.39       5560     67688     189912    1841696     90.65     33300
01:20:01 PM       4736     950656     99.50       4832    119364          0    2031608    100.00     46104
01:30:02 PM       8788     946604     99.08       1004     32360          4    2031604    100.00     10672
01:52:50 PM  LINUX RESTART

If wineserver has no hook for limiting its own footprint, add a ulimit to the startup script or use a wrapper with one. Look at ulimit -a for all the limits and the man page. There are multiple shared common resources that may apply.

core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 20463
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 20463
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

You can check limits on a running process too.

$ cat /proc/29906/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            10485760             unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             20463                20463                processes
Max open files            1024                 1024                 files
Max locked memory         32768                32768                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       20463                20463                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

-- 
T o m  M i t c h e l l
Looking for a place to hang my hat :-(
Re: [CentOS] prevent runaway PID taking down server (RAM/swap)
On Wed, 2008-07-23 at 14:36 -0400, Ed Donahue wrote:
Is there a way I can prevent processes from taking up all the RAM, then swap, until the box crashes/freezes?

If the process is started from bash, whether by hand or script, I would think that bash's ulimit builtin would give what you need? man bash, /ulimit

To prevent a process from running wild, it would have to be a non-root user, I guess.

I'm using IEs4Linux and the wineserver seems to start taking up RAM until my box dies; it happens slowly.
snip

-- 
Bill
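The wrapper Tom and Bill describe, as an added example that is not from the thread and not code from IEs4Linux, wine or CentOS: a Python launcher that lowers RLIMIT_AS (what ulimit -v sets) and optionally RLIMIT_DATA (ulimit -d) in the child just before exec, plus a parser for the /proc/<pid>/limits format shown above so a script can verify what a running process actually got. The function names, the sample limits text and the loopback shell check are this example's own assumptions; it expects Linux rlimit semantics and a POSIX sh whose ulimit -v prints kbytes.

```python
"""Added example for this thread: run a command under a memory ceiling
the way a ulimit wrapper would, and parse /proc/<pid>/limits.

Written for this page; not code from IEs4Linux, wine or CentOS. It
assumes Linux RLIMIT_AS/RLIMIT_DATA semantics and a POSIX sh whose
'ulimit -v' prints the address-space limit in kbytes.
"""
import re
import resource
import subprocess


def run_limited(cmd, max_vm_kb, max_data_kb=None):
    """Run cmd with RLIMIT_AS (what 'ulimit -v' sets) and optionally
    RLIMIT_DATA ('ulimit -d') lowered in the child just before exec.

    Soft and hard limits are both lowered, so the child (or anything it
    spawns) cannot raise them again. A process that outgrows the ceiling
    gets ENOMEM from malloc/mmap instead of dragging the box into swap.
    """
    def lower_limits():
        vm_bytes = max_vm_kb * 1024
        resource.setrlimit(resource.RLIMIT_AS, (vm_bytes, vm_bytes))
        if max_data_kb is not None:
            data_bytes = max_data_kb * 1024
            resource.setrlimit(resource.RLIMIT_DATA, (data_bytes, data_bytes))

    return subprocess.run(cmd, preexec_fn=lower_limits,
                          capture_output=True, text=True)


def reported_vm_limit_kb(max_vm_kb):
    """Launch a shell under run_limited and return what 'ulimit -v'
    reports inside it, i.e. the limit as the child actually sees it."""
    proc = run_limited(["sh", "-c", "ulimit -v"], max_vm_kb)
    return int(proc.stdout.strip())


def _rlimit_value(text):
    return None if text == "unlimited" else int(text)


def parse_proc_limits(text):
    """Parse /proc/<pid>/limits text into {name: (soft, hard, units)};
    'unlimited' becomes None. Columns are split on runs of two or more
    spaces because their offsets differ between kernel versions."""
    limits = {}
    for line in text.splitlines()[1:]:            # first line is the header
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 3:
            continue
        name, soft, hard = fields[:3]
        units = fields[3] if len(fields) > 3 else ""
        limits[name] = (_rlimit_value(soft), _rlimit_value(hard), units)
    return limits


# Constructed sample in /proc/<pid>/limits format, values taken from the
# listing posted in the thread (a subset of its rows).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max stack size            10485760             unlimited            bytes
Max processes             20463                20463                processes
Max open files            1024                 1024                 files
Max address space         unlimited            unlimited            bytes
Max nice priority         0                    0
"""

if __name__ == "__main__":
    # e.g. a wineserver wrapper: 512 MB of address space for the child
    print("child sees ulimit -v =", reported_vm_limit_kb(512 * 1024), "kB")
    for name, (soft, hard, units) in parse_proc_limits(SAMPLE_LIMITS).items():
        print(f"{name:<22} soft={soft} hard={hard} {units}")
```

Lowering the hard limit as well as the soft one is the point of doing it in a wrapper: with only the soft limit lowered, the process or anything it spawns can put it back with ulimit -v unlimited. Pick the ceiling from the kbmemused column of sar -r so it sits below physical RAM; a process that hits it fails its allocation rather than taking the box into swap.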
Re: [CentOS] NFS V4?
On Wednesday 23 July 2008 9:55:57 am David Dyer-Bennet wrote:
change which versions of NFS get mounted. I haven't had to change anything else in that file. I don't believe SECURE_NFS does anything; at least, it's not mentioned in /etc/init.d/nfs anywhere, and it's not in the nfsd man page.

It is in the /etc/sysconfig/nfs file, so it does not necessarily need to be in /etc/init.d/nfs. It is supposed to handle authentication, and you are having authentication problems, right? I do not have your version of CentOS running, but SECURE_NFS is not listed in /etc/init.d/nfs; it IS in /etc/rpcgssd and /etc/init.d/rpcsvcgssd in CentOS 5.2. I'm betting that it is somewhat the same on your system.

From Red Hat documentation: https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Reference_Guide/s2-nfs-how-daemons.html

rpc.svcgssd — This process is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file.
rpc.gssd — This process is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file.

Notice that both of these talk about authentication, which is the problem you are having, right?
[CentOS] Re: Yum errors
on 7-23-2008 6:27 AM kOoLiNuS - Nicola Losito spake the following:
On Thu, 03/07/2008 at 11.04 -0700, Scott Silva wrote:
on 7-2-2008 8:01 AM Karanbir Singh spake the following:
Scott Silva wrote:
I'm having a problem with a fairly new server. Running yum upgrade I get the following:

Traceback (most recent call last):
  File /usr/bin/yum, line 29, in ?
    yummain.main(sys.argv[1:])
  File /usr/share/yum-cli/yummain.py, line 105, in main
    result, resultmsgs = base.doCommands()
[cut]

Hi! I've resolved it by checking (manually) the latest version of yum and some related packages:
yum-3.2.8-9.el5.centos.2.1.noarch.rpm
yum-fastestmirror-1.1.10-9.el5.centos.noarch.rpm
yum-refresh-updatesd-1.1.10-9.el5.centos.noarch.rpm
yum-updatesd-0.9-2.el5.noarch.rpm
which I manually updated with a yum localinstall ./yum-* command after having *disabled* any other 3rd-party repository present in my sources list. Everything went ok after having done this. Good luck (if you still haven't found a solution on this topic!)

Thanks for the reply, but this was solved a few weeks ago. It just shows in another branch of the thread.

-- 
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
Re: [Fwd: [CentOS] fail2ban needs shorewall?]
Andylockran wrote on Wed, 23 Jul 2008 17:43:45 +0100:
If you do have an issue with fail2ban, it does pretty much the same thing.

fail2ban from rpmforge works fine. It's missing the filter for dovecot, though, and has wrong filters for many other services. Here are some that I just figured out:

dovecot: /var/log/secure
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>

sasl: /var/log/maillog
failregex = postfix\/smtpd\[\d+\]: warning: unknown\[<HOST>\]: SASL LOGIN authentication failed:

vsftpd: /var/log/secure
failregex = vsftpd: .* authentication failure; .* rhost=<HOST>

I noticed that there are several failregex in the conf files that end with $. However, if I try that my rules fail, although they look like perfectly valid regex, so I'm not matching until the end of line. Someone else can add to the list?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
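To see what these patterns actually catch before putting them in a jail, here is an added example (not part of Kai's post, and not fail2ban's own matching engine) that does what fail2ban does with a failregex: substitutes a capture group for <HOST>, searches each log line, and counts failures per client address, the number fail2ban compares with maxretry. The /var/log/secure and /var/log/maillog lines are constructed for the example, and HOST_RE is a simplified stand-in for fail2ban's real <HOST> expansion.

```python
"""Added example: exercising fail2ban-style failregex patterns against
constructed log lines. Written for this page; it is not fail2ban's own
code and the sample log lines are made up.

fail2ban replaces the <HOST> tag in a failregex with a capturing group
before compiling it; HOST_RE below is an assumed, simplified stand-in
for that group (an IPv4/IPv6 address or hostname token).
"""
import re

HOST_RE = r"(?P<host>[\w.:\-]+)"

# The three filters from the post (logpath, failregex), with <HOST>
# written as it appears in a fail2ban filter file.
FILTERS = {
    "dovecot": (
        "/var/log/secure",
        r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>",
    ),
    "sasl": (
        "/var/log/maillog",
        r"postfix\/smtpd\[\d+\]: warning: unknown\[<HOST>\]: SASL LOGIN authentication failed:",
    ),
    "vsftpd": (
        "/var/log/secure",
        r"vsftpd: .* authentication failure; .* rhost=<HOST>",
    ),
}


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_hosts(lines, failregex):
    """Return the host captured by failregex for every matching line, in
    log order. As in fail2ban the pattern is searched, not anchored, so
    the syslog timestamp/hostname prefix need not be part of it."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def count_by_host(lines, failregex):
    """Failures per host: what fail2ban compares with maxretry."""
    counts = {}
    for host in failed_hosts(lines, failregex):
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines in the style of /var/log/secure and
# /var/log/maillog on CentOS 5 (not real log data).
SAMPLE_SECURE = [
    "Jul 23 18:01:02 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.10",
    "Jul 23 18:01:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.10",
    "Jul 23 18:02:11 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=198.51.100.7",
    "Jul 23 18:02:30 mail sshd[4242]: Accepted publickey for kai from 203.0.113.5 port 51234 ssh2",
]
SAMPLE_MAILLOG = [
    "Jul 23 18:03:01 mail postfix/smtpd[5151]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 18:03:09 mail postfix/smtpd[5151]: connect from unknown[203.0.113.77]",
]

if __name__ == "__main__":
    for name, (logpath, failregex) in FILTERS.items():
        lines = SAMPLE_MAILLOG if logpath == "/var/log/maillog" else SAMPLE_SECURE
        print(name, logpath, count_by_host(lines, failregex))
```

Run a candidate regex through failed_hosts against a handful of real lines copied out of the log before enabling it; a pattern that returns nothing here will never ban anybody in production either.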
[CentOS] e-SATA card well supported by Linux (CentOS) with built-in drivers and that supports hot plug
Hi,

I'm looking for a good e-SATA card, preferably one that is supported by Linux with built-in drivers (no need to compile the modules from the vendor), or at least one whose vendor drivers are packaged with dkms or something similar that makes it easy on kernel upgrades.

It's essential that the card supports hot-plugging, because we want to use it to plug in backup drives and have them rotated. We are testing one e-SATA drive from LaCie.

We tested the Adaptec eSATA II RAID 1225SA, but just getting the module to compile right was a huge PITA, and we still haven't gotten it to recognize our LaCie drive (we're still not sure why). Instead of spending more time making that s*#t work, I would rather buy another one, but then I would try to get one that works out of the box. I don't need the card to support RAID; it really does not matter to me.

Any advice will be much appreciated.

Thanks,
Filipe
Re: [CentOS] How to get additional packages? How secure is Yum?
Manuel Reimer wrote:
nate wrote:
Security is pretty important for me too.
For this, and other reasons, I never point yum to 3rd party repositories. I only run CentOS/RHEL on servers. I run Debian on desktops (due to larger package selection and still long release cycles for stable). And usually Ubuntu on laptops (for more current hardware support).
Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just some weeks ago?

Well, that could have happened to anyone. In this case it happened to Debian. All DNS since the beginning of the internet has just been declared totally unsafe on Linux and Windows and Mac too; stuff happens.

Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also got their servers hacked several times for several different reasons. Not very trustworthy, IMHO. And those political discussions *suck*! For example I want Firefox and *not* Iceweasel.

Any server can be hacked ... Debian is a fine system, as are many others. What CentOS offers is long support lifetimes and a known base that many other enterprise things are designed to run on because of the upstream provider. We won't engage in cutting down other distros ... ours is what it is and millions of people use it.

If security is a top priority, and you really want to use CentOS/RHEL, then don't use 3rd party packages, period. Otherwise I suggest you find a distro that supports the applications you wish to run directly or maintain them yourself.
I've been searching for a distribution for several *months* now and so far I couldn't find something that fits my needs... CentOS seems to be pretty well done, but the amount of packages that is delivered with it definitely doesn't fit all needs. Today, I tried to set up a server with CentOS (VMware server). Worked pretty well, but for installing the NTFS driver, I had to import the rpmforge repository...

CentOS is a direct rebuild of the package versions available from RHEL; that is our main purpose. We do have some very minimal things in some other repositories called CentOS Extras and CentOSPlus ... but the purpose of those is usually to provide something that is not in the major 3rd party repos. We have no desire to duplicate the 3rd party repos.

And of course security/stability rarely means having the latest version.
Of course.
Am I on the right list? Not very many answers, so far...

There really are not any good answers ... RPMForge (Dag's repo) is a very good resource, but it is not part of CentOS. There is also EPEL and ATrpms and KBS CentOS Extras. As others have said, if the 3rd party repos do not meet your requirements WRT security updates, then you will have to research and build your own.

Thanks,
Johnny Hughes
Re: [CentOS] NFS V4?
On Wed, July 23, 2008 14:03, Jens Larsson wrote:
Well, I definitely understand a couple of things better than when we started. Thank you very much! It is not, however, working. Is that likely to be the domain= setting, given what I said above?
The domain in NFSv4-speak has nothing to do with DNS. It _can_ be your DNS domain name, but it can be anything as long as client and server agree. If they disagree you can still mount, but all files will be owned by Nobody-User and Nobody-Group, if I remember correctly.

Thanks. Then that's not the problem. (And the CentOS RPMs have it set a way that will work, which is good.)

But the errors I'm getting tend to be like:
[EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o rw,hard,intr,proto=tcp,port=22049
mount: mount to NFS server 'host01' failed: System Error: Connection refused.
Shield up, Scotty! Looks like a firewall issue to me. Do you allow incoming traffic to port 22049/TCP?

As I said in the message you're responding to, all connections from internal IPs are allowed.

Can you mount over NFSv3?

Yes. And I said that in the message you're responding to also.

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
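Since the exchange turns on what "Connection refused" tells you, here is an added example (written for this page, not from the thread and not part of nfs-utils or CentOS) that distinguishes the three outcomes a TCP connect can have: open (something accepted), refused (a RST came back, so nothing is listening on that port or a rule REJECTs with tcp-reset), or filtered (no answer at all, the signature of a DROP rule or a routing problem). The loopback listener, the helper names and probe_mount_target are this example's own assumptions.

```python
"""Added example: tell a port that actively refuses connections from one
that is open or silently filtered. Written for this page; not code from
nfs-utils, the mount command or CentOS.

'Connection refused' means a TCP RST came back: either nothing listens
on that port at the server, or a firewall rule REJECTs with tcp-reset.
A DROP rule produces a timeout instead. Helper names and the loopback
test target are this example's own assumptions.
"""
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unresolved' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"           # RST received: no listener, or REJECT
    except socket.timeout:
        return "filtered"          # no answer at all: DROP, or no path
    except socket.gaierror:
        return "unresolved"        # name lookup failed before any packet
    finally:
        s.close()


def probe_mount_target(host, port, fallback_port=2049):
    """Probe the port given in 'mount -o port=...' and the default NFS
    port, to tell 'nothing listens on the chosen port' from 'no NFS
    service reachable at all'."""
    return {port: probe_tcp(host, port), fallback_port: probe_tcp(host, fallback_port)}


def _free_loopback_port():
    """Pick a 127.0.0.1 port that currently has no listener (test aid)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


class LoopbackListener:
    """Minimal listener on 127.0.0.1 so the 'open' case can be shown
    offline; it accepts and immediately closes each connection."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                         # socket closed, stop serving
            conn.close()

    def close(self):
        self.sock.close()


def demo():
    """Return the verdict for a live loopback listener and for a closed
    loopback port; the second is what the mount error above looks like."""
    listener = LoopbackListener()
    try:
        opened = probe_tcp("127.0.0.1", listener.port)
    finally:
        listener.close()
    refused = probe_tcp("127.0.0.1", _free_loopback_port())
    return opened, refused


if __name__ == "__main__":
    print(demo())                 # ('open', 'refused')
```

From the client in the thread, probe_mount_target("host01", 22049) would be the first thing to run: 'refused' on 22049 next to 'open' on 2049 means nothing is listening on the port named in the mount option, while 'filtered' on both points at the firewall or the path rather than the NFS configuration.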
Re: [CentOS] NFS V4?
On Wed, July 23, 2008 14:17, MJT wrote:
On Wednesday 23 July 2008 9:55:57 am David Dyer-Bennet wrote:
change which versions of NFS get mounted. I haven't had to change anything else in that file. I don't believe SECURE_NFS does anything; at least, it's not mentioned in /etc/init.d/nfs anywhere, and it's not in the nfsd man page.
It is in the /etc/sysconfig/nfs file, so it does not necessarily need to be in /etc/init.d/nfs. It is supposed to handle authentication, and you are having authentication problems, right?

In the CentOS RPM, there is no /etc/sysconfig/nfs file (though the init.d/nfs script checks for one and reads it if present). By "no reference in the init script", I'm pointing out that nothing would be different if that variable were set, that I could find. The init script doesn't do anything based on it, and it's not mentioned in the nfsd man page as being used there either.

I do not have your version of CentOS running, but SECURE_NFS is not listed in /etc/init.d/nfs; it IS in /etc/rpcgssd and /etc/init.d/rpcsvcgssd in CentOS 5.2. I'm betting that it is somewhat the same on your system.
From Red Hat documentation: https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Reference_Guide/s2-nfs-how-daemons.html
rpc.svcgssd — This process is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file.
rpc.gssd — This process is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file.
Notice that both of these talk about authentication, which is the problem you are having, right?

Yes, and they say that it doesn't happen unless that variable is set in the sysconfig file. That variable is not set in the sysconfig file.

I've gotten several useful pointers about the exact export syntax. I'll add the explicit SECURE_NFS=no to the sysconfig file rather than depending on the default, and test the export syntax, and I forget what (I've got notes, and I saved the email) and give these things a try; tomorrow it looks like, though, a meeting is about to burn the rest of my day.

Thanks again for your suggestions!

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Ideas for stopping ssh brute force attacks
No method is perfect, but something that seems to work ok in practice is to just move ssh to a different TCP port, and -j DROP the unused ports. Failproof? No, but it reduces the noise tremendously. If the script kiddies learn the new port (unlikely), either move it to another port, or apply one of the other methods already recommended in this thread.

-- 
Florin Andrei
http://florin.myip.org/
Re: [CentOS] Ideas for stopping ssh brute force attacks
Bowie Bailey wrote:
I know it's security through obscurity

That's not necessarily a bad thing. It is bad if it's the _only_ protection.

-- 
Florin Andrei
http://florin.myip.org/
Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely
On Tue, Jul 22, 2008 at 2:28 PM, MHR [EMAIL PROTECTED] wrote:
On Mon, Jul 21, 2008 at 2:41 PM, Lanny Marcus [EMAIL PROTECTED] wrote:
http://wiki.centos.org/TipsAndTricks/MultimediaOnCentOS I think everything on that page is 32 bit and I think I have read in this ML that it is better to use 32 bit for multimedia stuff? Not sure if I remember that correctly.
Yeah, I was doing that last year, and all was going relatively smoothly until Seamonkey began to crash at odd (and really bad) moments, like when I wanted to save a page that was the confirmation of an order or a bill paid, and it was pretty adamant about doing that when I least expected it.

I can readily understand that. I just looked at a page I saved from irs.gov on 30 June which is perfect, but I am using Firefox 3.0 (32 bit). Obviously, you have a reason that you prefer SeaMonkey, but this seems to work very well, with 32 bit Firefox. Possibly use 32 bit Firefox, when you are paying bills or placing an online order or dealing with the IRS?
[CentOS] Re: 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8
on 7-23-2008 5:00 AM Jim Perrin spake the following:
On Wed, Jul 23, 2008 at 4:59 AM, Gert Vandenreyt [EMAIL PROTECTED] wrote:
Hi, I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 2.6.18-8 on a server with 3ware 9650SE raid controller. Does anybody know where I can find a driver diskette for the raid controller as this is only supported from kernel 2.6.19.
You REALLY don't want to use the 2.6.18-8 kernel. It's got a nasty vulnerability in it (vm_splice). Is there a reason you're using 5.0 instead of 5.1 or 5.2?

I think that is the initial kernel on the CD rolled by the K12LTSP project. It probably yum updates right away (one hopes).

-- 
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
RE: [CentOS] Ideas for stopping ssh brute force attacks
Florin Andrei wrote:
Bowie Bailey wrote:
I know it's security through obscurity
That's not necessarily a bad thing. It is bad if it's the _only_ protection.

Right. I was just trying to head off the inevitable objections. Not that it worked... :)

-- 
Bowie
Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely
On Wed, Jul 23, 2008 at 2:17 PM, Lanny Marcus [EMAIL PROTECTED] wrote:
Possibly use 32 bit Firefox, when you are paying bills or placing an online order or dealing with the IRS?

Isn't that what the Anonymizer is for? ;^)

mhr
Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely
On Wed, Jul 23, 2008 at 4:41 PM, MHR [EMAIL PROTECTED] wrote:
On Wed, Jul 23, 2008 at 2:17 PM, Lanny Marcus [EMAIL PROTECTED] wrote:
Possibly use 32 bit Firefox, when you are paying bills or placing an online order or dealing with the IRS?
Isn't that what the Anonymizer is for?

I was referring to your need to save web pages, when paying bills, online orders, etc. That works perfectly for me with Firefox 3.0.1 (32 bit).
Re: [CentOS] Bind Firewall Rules
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.

Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND. http://en.wikipedia.org/wiki/Djbdns
Re: [CentOS] Bind Firewall Rules
On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.
Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND.

Always seemed to be a bad idea to me. If the point is to use a supported/maintained package system like Red Hat or CentOS, security updates are always applied through. When you go off packaging, you then become responsible for the software from installation to maintenance. If you're going to use djbdns, why bother using CentOS?

Craig
[CentOS] Adaptec RAID 3805 / 5805
Anybody using these? Pros? Cons? Drivers for CentOS 5? Config / management utility?

-- 
Florin Andrei
http://florin.myip.org/
Re: [CentOS] Bind Firewall Rules
On Wed, Jul 23, 2008 at 5:59 PM, Craig White [EMAIL PROTECTED] wrote:
On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.
Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND.
Always seemed to be a bad idea to me. If the point is to use a supported/maintained package system like Red Hat or CentOS, security updates are always applied through. When you go off packaging, you then become responsible for the software from installation to maintenance. If you're going to use djbdns, why bother using CentOS?

Craig: What you wrote makes a lot of sense!

Lanny
Re: [CentOS] Bind Firewall Rules
On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.
Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND.

Having watched that over *many* years, it has had a lot of non-technical issues surrounding it. There still remains a lot of antipathy towards it. I won't detail any of it here, it's available all over the web.

http://en.wikipedia.org/wiki/Djbdns

I refused to use it when it first came out and I still find no compelling reason to move to it from well documented and supported packages, even if they do have problems.

snip sig stuff

-- 
Bill
Re: [CentOS] Bind Firewall Rules
On Mon, Jul 21, 2008 at 6:37 AM, John Hinton [EMAIL PROTECTED] wrote:
Johnny Hughes wrote:
John Hinton wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.
how do you mean? opening port 53 in is still enough ... the outbound port is what is randomized
not sure what kind of problems you are encountering

I'm trying to pass the test on DNSstuff.com. These are my firewall rules for bind:
Accept If protocol is TCP and destination port is 53 and state of connection is NEW
Accept If protocol is UDP and destination port is 53 and state of connection is NEW
from my gui, or
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j ACCEPT
from iptables.

I have upgraded bind, but when I remove this line from a config file, bind will not restart.
query-source address * port 53;
From what I read, the above line is supposed to be removed. My tests from outside state that I am vulnerable to cache injections.

I don't think your problem is with your firewall.. it's with something in the bind configs that is causing bind not to work without the query-source line. What errors are you seeing?

*Based on the results, a DNS server is vulnerable if:* The IPs /AND/ the Query source ports match or the query IDs match. Matching query source ports or query IDs make it easier to spoof fake results to the DNS server, poisoning its cache.

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice
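The DNSstuff verdict Smoogen quotes comes down to whether the resolver's outbound queries vary their UDP source port and their DNS transaction ID. Here is an added example (written for this page; not BIND's, DNSstuff's or CentOS's code) that performs the same check locally on captured outbound packets: it pulls the source port and ID out of raw IPv4/UDP/DNS frames and applies the "ports match or IDs match" rule. The packets are constructed in the block with struct rather than captured, and the addresses, seeds and helper names are this example's own assumptions.

```python
"""Added example: the source-port / transaction-ID check behind the
'vulnerable to cache injection' verdict, run locally over outbound
queries. Written for this page; not BIND's, DNSstuff's or CentOS's code.
Packets are plain IPv4 + UDP + DNS header built here with struct (no
checksums); addresses and helper names are this example's own.
"""
import random
import struct

IPV4_HDR = 20
UDP_HDR = 8
UDP_PROTO = 17


def build_query(src_port, txid, dst_port=53):
    """Constructed IPv4/UDP/DNS packet carrying one 'example.com A' query."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # ID, RD, QDCOUNT=1
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HDR + len(dns), 0)
    total = IPV4_HDR + len(udp) + len(dns)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, UDP_PROTO, 0,
                     bytes([192, 0, 2, 53]), bytes([198, 51, 100, 1]))
    return ip + udp + dns


def parse_query(packet):
    """Return (UDP source port, DNS transaction ID) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != UDP_PROTO:
        raise ValueError("not a UDP packet")
    src_port = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    txid = struct.unpack("!H", packet[ihl + UDP_HDR:ihl + UDP_HDR + 2])[0]
    return src_port, txid


def assess(packets):
    """Apply the rule quoted in the thread: the resolver is judged
    vulnerable if its query source ports all match or its query IDs
    repeat. Returns the evidence alongside the verdict."""
    ports, txids = set(), []
    for pkt in packets:
        port, txid = parse_query(pkt)
        ports.add(port)
        txids.append(txid)
    fixed_port = len(ports) == 1
    repeated_txid = len(set(txids)) < len(txids)
    return {
        "distinct_ports": len(ports),
        "fixed_source_port": fixed_port,
        "repeated_txid": repeated_txid,
        "vulnerable": fixed_port or repeated_txid,
    }


def pinned_resolver_queries(n, port=53, seed=1):
    """What leaves a server running 'query-source address * port 53':
    every query from port 53, only the 16-bit ID varies."""
    rng = random.Random(seed)
    return [build_query(port, txid) for txid in rng.sample(range(65536), n)]


def randomised_resolver_queries(n, seed=1):
    """A resolver with the fixed port removed: unprivileged source ports
    and IDs both vary from query to query."""
    rng = random.Random(seed)
    ports = rng.sample(range(1024, 65536), n)
    txids = rng.sample(range(65536), n)
    return [build_query(p, t) for p, t in zip(ports, txids)]


if __name__ == "__main__":
    print("pinned port 53 :", assess(pinned_resolver_queries(20)))
    print("random ports   :", assess(randomised_resolver_queries(20)))
```

With the port pinned an off-path attacker only has to hit the 16-bit ID; once the source port varies as well the forged answer has to match both, which is what the patched BIND and the DNSstuff test are checking for. Feeding the parser real packets from a capture of the server's outbound port-53 traffic gives the same verdict without relying on an external tester.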
Re: [CentOS] Bind Firewall Rules
On Wed, Jul 23, 2008, Lanny Marcus wrote:
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough.
Consider using djbdns instead of BIND. It sounds like an excellent alternative to BIND.

We have been using djbdns for years on a variety of Linux platforms and FreeBSD, largely because of (a) security, (b) performance, and (c) ease of use. Not everybody likes Dan Bernstein, but I figure he's somewhat of a curmudgeon who designs good software.

As for not having it supported on CentOS, I really don't care about that, as the majority of the server software we use is built under the OpenPKG.org portable packaging system, independent of the underlying OS vendor's packaging system.

Bill
-- 
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186

The only freedom which deserves the name, is that of pursuing our own good in our own way, so long as we do not attempt to deprive others of theirs, or impede their efforts to obtain it. -- John Stuart Mill, 1859
Re: [CentOS] BackupPC won't fork after CentOS 5.2 upgrade
--On Friday, July 04, 2008 9:21 AM +1000 Ben [EMAIL PROTECTED] wrote:
For some time now I have been running BackupPC 3.1.0 on CentOS 5.1 x86_64; however, after upgrading to CentOS 5.2 BackupPC will not start.

What RPM are you using for BackupPC?
[CentOS] CentOS 4.4 Linux Booting problem
Dear All,

I'm running Linux CentOS 4.4. Everything was working fine, then one day I tried to log in and my computer hung. Upon reboot I got this error message after the GRUB bootloader screen:

/etc/rc.d/rc.sysinit: line 126: 442 Segmentation fault /bin/dmesg -n $LOGLEVEL
Initialization hardware...
/etc/rc.d/rc.sysinit: line 167: 450 Segmentation fault LC_ALL=C fgrep -xq $1 /etc/hotplug/blacklist /dev/null
/etc/rc.d/rc.sysinit: line 167: 455 Segmentation fault LC_ALL=C fgrep -xq $1 /etc/hotplug/blacklist 2>/dev/null
.
Out of Memory: Killed process 722(sh).
Out of Memory: Killed process 1133(sh).
Out of Memory: Killed process 1151(sh).
..
07/21 17:32:20 checklock: stat failed, no file
07/21 17:32:20 locking the line
07/21 17:32:20 makelock(ttys1) called
07/21 17:32:20 checklock: stat failed, no file
07/21 17:32:20 cannot open /proc/0/cmdline: No such file or directory
..

After I rebooted the PC once again, I keep getting the same problem continuously. After the server boots up, the login prompt shows as "(none) login:". The following errors are displayed on screen while executing commands:

-bash-3.00$ ifconfig
Warning: cannot open /proc/net/dev (No such file or directory). Limited output.
-bash-3.00$ ls
ls: error while loading shared libraries: Ej: cannot open shared object file: No such file or directory.
-bash-3.00$ ll
-bash: ll: command not found

We are not sure why this is happening. Can someone throw light on this?

Regards
-S.Balaji