Re: [CentOS-es] how to conveniently update a CentOS-es web server

2008-07-23 Thread Dario Hernan
Hello everyone! I'm taking advantage of this thread to ask whether anyone
knows if CentOS is going to use Spacewalk to build a sort of Red Hat
Network for CentOS servers,
where, by creating an account, we could group our servers and
manage updates from there.

Regards
Dario

On 21 July 2008 at 10:48, Ing. Ernesto Pérez Estévez
[EMAIL PROTECTED] wrote:

 Generally you should look at how the update affects your
 server; an example of this is Oracle database servers,
 where an update can be catastrophic, even more so when
 libraries and/or the kernel are involved.

 Generally, on mission-critical production servers, updates are not
 carried out unless they are of a high degree of
 criticality or are security flaws, and even then it is something to think about.

 updates are always beneficial, production or not;
 they should always be implemented.

 what I personally do is wait a few hours for others to have hit
 their heads first.. then we update on our laptops, and the following
 weekend we update one server to see the reaction (the least used one), and
 if nothing happens we update all of them.

 Leaving a production server without updates means you may run into
 possible problems in the future, and that you don't use the most useful thing about centos, which is
 guaranteed updates for 7 years and safe updates

 as a comment, except for a problem I had with sendmail about 5 years ago,
 I have never had major problems with centos/rhel updates
 --
 Regards!
 epe

 Ing. Ernesto Pérez Estévez
 http://www.NuestroServer.com/

 USA: +1 305 359 4495 / Spain: +34 91 761 7884
 Ecuador: +593 2 341 2402 / + 593 9 9246504
 Mexico: +52 55 1163 8640 / Italy: +39 06 916504876
 ___
 CentOS-es mailing list
 CentOS-es@centos.org
 http://lists.centos.org/mailman/listinfo/centos-es



Re: [CentOS-es] CentOS log analysis

2008-07-23 Thread Carlos Moreira

Well... I'm letting you know that I finally managed to solve the problem...
Here is roughly how my squid.conf lines ended up for
authenticating against LDAP, in case it is useful to anyone later..


# Basic auth: look the login name up as uid under ou=users on the LDAP server
auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=users,dc=imcanelones,dc=gub,dc=uy -h 10.1.1.25 -f (uid=%s)


# Group lookup: returns OK only when the logged-in user (%u) is a memberUid
# of the group (%g) named on the acl line; the AND operator is required in the filter
external_acl_type ldap_group children=7 %LOGIN /usr/lib/squid/squid_ldap_group -b ou=Groups,dc=imcanelones,dc=gub,dc=uy -h 10.1.1.25 -f (&(cn=%g)(memberUid=%u))


acl password proxy_auth REQUIRED
acl password_group external ldap_group Internet

http_access allow password_group
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all


many thanks to everyone
cheers, Carlitos

Enrique Rosario wrote:

Greetings.

Can you recommend a tool for analysing the CentOS logs, in the
style of Sarg for squid, but that works for me with the
postfix, squid and httpd logs.

I have seen some such as surftrack, which is very complete but
extremely complicated to install.

webalizer is more statistical and doesn't give me what I want with squid

I don't know if awstats could work.
 



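Rule order in the posted squid.conf matters: Squid stops at the first http_access line whose ACLs all match, so an "allow password_group" placed ahead of the Safe_ports and CONNECT denials lets any authenticated member of the Internet group through to any destination port. The following is an added example, not code from the post: a small Python model of Squid's first-match evaluation, run over the posted rules and over the same rules with the port checks moved first; Safe_ports/SSL_ports are assumed to be Squid's defaults, which the post does not show.

```python
from dataclasses import dataclass, field
from typing import Optional

# Squid's default Safe_ports / SSL_ports: assumed, the post does not show them.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass
class Request:
    """The request attributes the ACLs in the posted config look at."""
    src: str                       # client IP (for 'localhost')
    port: int                      # destination port
    method: str = "GET"
    user: Optional[str] = None     # None = no proxy credentials supplied
    groups: frozenset = field(default_factory=frozenset)  # LDAP groups of user


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one named ACL from the post against a request.

    Real Squid would answer an unauthenticated request to a proxy_auth or
    %LOGIN external ACL with a 407 challenge; here it simply does not match.
    """
    if name == "password":          # acl password proxy_auth REQUIRED
        return req.user is not None
    if name == "password_group":    # external ldap_group Internet (memberUid)
        return req.user is not None and "Internet" in req.groups
    if name == "Safe_ports":
        return req.port in SAFE_PORTS
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "localhost":
        return req.src == "127.0.0.1"
    if name == "all":
        return True
    raise KeyError(f"unknown acl {name}")


def http_access(rules, req):
    """First-match evaluation of http_access lines.

    rules: list of (action, [acl names]); a leading '!' negates an ACL.
    The first line whose ACLs all match decides; if none matches, Squid
    applies the opposite of the last line's action.
    """
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The http_access lines exactly as posted, top to bottom.
POSTED = [
    ("allow", ["password_group"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Same lines with the port/CONNECT denials moved ahead of the group allow,
# the order Squid's stock squid.conf uses for these safety rules.
REORDERED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["password_group"]),
    ("deny", ["all"]),
]


def compare(req):
    """Decision for the same request under the posted and reordered rules."""
    return http_access(POSTED, req), http_access(REORDERED, req)


if __name__ == "__main__":
    # Authenticated 'Internet' member tunnelling to SMTP through the proxy.
    smtp_tunnel = Request("10.1.1.50", 25, "CONNECT", "alice", frozenset({"Internet"}))
    print("CONNECT to 25 by Internet member:", compare(smtp_tunnel))  # ('allow', 'deny')
```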


Re: [CentOS-es] Iptables problems - forwarding to an internal machine

2008-07-23 Thread Hardy Beltran Monasterios
On Wed, 23-07-2008 at 10:08 -0400, Andre Aspée wrote:
 Hello,
 
 Yesterday I installed firestarter and managed to forward the terminal
 server service to a machine on my LAN, but another problem came up.
 It turns out that I have squid and the firewall on the same machine, so with
 the iptables rules I redirected all the requests from the LAN clients
 to port 8080, thereby making them go through squid and
 managing to filter content.
 Well, with firestarter I can't manage this step; I can forward
 what comes from outside (the internet) to an internal machine, but I
 can't redirect from my LAN to the squid that sits on the same
 firewall machine.
 If you can help me, either by correcting my firewall script so I can
 forward to machines on my LAN, or by telling me whether with firestarter
 I can make all the LAN clients go through squid before going out to
 the internet.
 Regards

It's been many years since I stopped writing scripts to manage my
iptables rules, because I started using Shorewall http://www.shorewall.net/

It is easy to install and to use. You will be able to do practically everything
you need at the IPTables level.

Good luck, and let us know how it goes


-- 
Hardy Beltran Monasterios
GNU/Linux Consultant and Instructor
LPI Certified (LPIC-1) / RedHat Certified (RHCE)
http://www.hardy.com.bo



Re: [CentOS-es] squid cache manager

2008-07-23 Thread O. T. Suarez
Hello:

On Wed, Jul 23, 2008 at 5:12 PM, Carlos Moreira
[EMAIL PROTECTED] wrote:
 folks.. continuing with squid.. now that it works for me :D
good for the ldap authentication!

 acl administrador src 10.1.1.59 (which is the IP of my machine from which I want to view
 the cache manager)
 http_access allow manager localhost
 http_access allow manager administrador
 #http_access deny manager (I had this uncommented, but I commented it out.. at
 least until I can fix the problem)

check /var/log/httpd/error_log (or equivalent) and see whether any
error shows up there
/var/log/squid/*log as well, while you're at it
that is, try to access it and check the traces to see whether it throws any error or
message, and post it if you don't understand what it is about.
Regards
Osvaldo


[CentOS-es] Sendmail mail server problems

2008-07-23 Thread Nino Bravo


Friends

I have a mail server with the following characteristics:
- Core 2 Duo 2.0
- 2 GB of RAM
- 120 hard disk
- CentOS 5.0
- kernel 2.6.18-53.1.19.el5
- sendmail-8.13.8-2.el5
- mailscanner-4.69.9-3, spamassassin-3.1.7-4.el5, clamav, razor, etc.
- relay-domains: only my domain
- local-host-names: only my domain
- access: only the necessary IPs


and a proxy on another server (several machines with their respective mail
accounts)

The problem is the following:

My mail server tries to send thousands of emails to yahoo accounts and to
aol accounts, from accounts that do not exist on my mail server.

in /var/spool/mqueue there are thousands of queued emails.

for this reason yahoo and aol have already blocked me.

I am not an open relay according to a page I found somewhere
I am not listed as spam on several lists that I have checked
this is an example from /var/log/maillog:

Jul 23 22:19:40 mail sendmail[18539]: m6O39UFH018496: to=[EMAIL PROTECTED],[EMAIL PROTECTED]o.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:10:10, xdelay=00:10:05, mailer=esmtp, pri=211541, relay=f.mx.mail.yahoo.com. [68.142.202.247], dsn=4.0.0, stat=Deferred: Connection timed out with f.mx.mail.yahoo.com.
Jul 23 22:19:45 mail sendmail[20094]: m6O3DDsm020059: to=[EMAIL PROTECTED],lffwym@yahoo.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:06:32, xdelay=00:06:14, mailer=esmtp, pri=211592, relay=c.mx.mail.yahoo.com. [216.39.53.3], dsn=4.0.0, stat=Deferred: 451 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8) midireccionip

Jul 23 22:20:33 mail sendmail[18036]: m6O38NEi017993: to=[EMAIL PROTECTED],leviticusvi@yahoo.com,[EMAIL PROTECTED],[EMAIL PROTECTED], delay=00:12:10, xdelay=00:12:05, mailer=esmtp, pri=211597, relay=b.mx.mail.yahoo.com. [66.196.97.250], dsn=4.0.0, stat=Deferred: 451 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8) midireccionip

mailq

m6O3BaPp019464   47 Wed Jul 23 22:11 [EMAIL PROTECTED] --account does not exist (edited by me)
 (readqf: cannot open ./dfm6O3BaPp019464: No such file or dire)
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
m6O3APZr018808   47 Wed Jul 23 22:10 [EMAIL PROTECTED] --account does not exist (edited by me)
 (readqf: cannot open ./dfm6O3APZr018808: No such file or dire)
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
m6O3BgN9019503   47 Wed Jul 23 22:11 [EMAIL PROTECTED] --account does not exist (edited by me)
 (readqf: cannot open ./dfm6O3BgN9019503: No such file or dire)
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]


Thank you for your attention and your help

Regards

Nino

 




[CentOS-es] project management software

2008-07-23 Thread killerfs
hello, I'm searching the net for software that manages projects. I know
there are several, on the Windows side such as Microsoft Project,
and that for Linux there are also several, but what I want is software
specifically for managing software projects. Does anyone know one?




Re: [CentOS] Re: Ideas for stopping ssh brute force attacks

2008-07-23 Thread Scott Mazur
On Wed, 23 Jul 2008 10:10:14 +1000, Les Bell wrote
 Scott Silva [EMAIL PROTECTED] wrote:
 
 
 Portsentry is still available on sourceforge I believe.
 
 
 Good call - http://sourceforge.net/projects/sentrytools/ shows they were
 uploaded back in 2003 and it looks like nothing has happened since then.
 There must be more modern equivalents, surely?

I wrote a Perl daemon that I use to tail service log files.  Initially it was
a Postfix log scanner that looked for unknown address attempts, relay
attempts, and honey pot email addresses that I embedded in my web pages.  When
any of these hits turned up in the mail log, the sender's IP was added to the
iptables rules.  My goal was to cut down on spam.  It helped some, but not
enough to call it a complete success.  But it's very modular.

I started having some problems with brute force ftp attacks.  Very annoying,
kept filling up the log files (and my log partition) with chaff.  So I wrote
another module for my daemon to scan the ftp logs as well and firewall any ip
that failed to log in after 10 tries (a 3 hour time out).  This was very
successful and now ftp crack attacks are a thing of the past.

I've never had ssh problems.  My ssh port rules limited it to a few known IP
addresses that I may need remote access from.  But my Perl daemon could be
easily expanded with another module to scan for ssh attacks.  Provided you've
got some Perl experience and time to hack (I'm hog tied for the next while).

Scott

-- 
Registered Linux user #395249, http://counter.li.org
Nothing goes to waste when Little Fish are near!
(http://www.littlefish.ca)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
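The log-tailing daemon described above, with its "10 failed tries within 3 hours" trigger, is a sliding-window counter per source address. The block below is an added example (not Scott's Perl code) of that logic in Python, run over a few constructed sshd log lines; it also counts failures per account across all sources, which is what surfaces the distributed guessing discussed elsewhere in this thread where no single IP ever crosses a per-IP threshold. Because a failed-password entry is only written after a completed TCP handshake and authentication exchange, this trigger does not share the spoofed-source problem that port-scan triggers have.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line (typical sshd format assumed); an FTP daemon's failure
# lines would work the same way once the regex is swapped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
YEAR = 2008  # syslog timestamps carry no year; assumed for the sample below


def parse(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class SlidingCounter:
    """Counts events per key inside a trailing time window (log order assumed)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        """Record one event; True when the key reached the threshold in-window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop entries that have aged out of the window
        return len(q) >= self.threshold


def scan(lines, threshold=10, window=timedelta(hours=3)):
    """Return (ips_to_block, accounts_under_attack) for the given log lines.

    Per-IP counting is what the daemon in the post does; per-account counting
    across all sources additionally surfaces distributed guessing where no
    single source ever crosses the per-IP threshold.
    """
    by_ip = SlidingCounter(threshold, window)
    by_user = SlidingCounter(threshold, window)
    block, targeted = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if by_ip.hit(ip, ts) and ip not in block:
            block.append(ip)
        if by_user.hit(user, ts) and user not in targeted:
            targeted.append(user)
    return block, targeted


def _line(ts, user, ip, invalid=False):
    inv = "invalid user " if invalid else ""
    return f"{ts} host sshd[1234]: Failed password for {inv}{user} from {ip} port 5555 ssh2"


# Constructed sample log (documentation IP ranges), in chronological order.
SAMPLE_LOG = (
    # a slow source: two tries five hours apart never accumulate in a 3 h window
    [_line("Jul 23 01:00:00", "bob", "192.0.2.9"), _line("Jul 23 06:00:00", "bob", "192.0.2.9")]
    # one source, 10 tries within ten minutes -> crosses the per-IP threshold
    + [_line(f"Jul 23 10:{i:02d}:00", "admin", "203.0.113.7", True) for i in range(10)]
    # ten sources, one try each at root -> only the per-account counter fires
    + [_line(f"Jul 23 11:{i:02d}:00", "root", f"198.51.100.{i + 1}") for i in range(10)]
    + ["Jul 23 12:00:00 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 2222 ssh2"]
)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # (['203.0.113.7'], ['admin', 'root'])
```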


[CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread Rudi Ahlers

Hi all

I need to disable / stop X from running on a remote server, to which I 
only have SSH access, and I have never done this before. So, can someone 
please tell me how to do it?


--

Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other 
technical stuff



Re: [CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread Paul Bijnens

Rudi Ahlers wrote:

Hi all

I need to disable / stop X from running on a remote server, to which I 
only have SSH access, and I have never done this before. So, can 
someone please tell me how to do it?



telinit 3


Re: [CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread Paul Bijnens

Paul Bijnens wrote:

Rudi Ahlers wrote:

Hi all

I need to disable / stop X from running on a remote server, to which 
I only have SSH access, and I have never done this before. So, can 
someone please tell me how to do it?



telinit 3


And I forgot to mention that, to disable it the next time the server
reboots, edit the file /etc/inittab and set the default runlevel to 3,
instead of 5, by editing this line:

  id:3:initdefault:



Re: [CentOS] how do I stop X / gnome via SSH? [SOLVED]

2008-07-23 Thread Rudi Ahlers

Paul Bijnens wrote:

Paul Bijnens wrote:

Rudi Ahlers wrote:

Hi all

I need to disable / stop X from running on a remote server, to which 
I only have SSH access, and I have never done this before. So, can 
someone please tell me how to do it?



telinit 3


And I forgot to mention that, to disable it the next time the server
reboots, edit the file /etc/inittab and set the default runlevel to 3,
instead of 5, by editing this line:

  id:3:initdefault:




Cool, thanx :)


--

Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other 
technical stuff



Re: [CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread A. Kirillov
I need to disable / stop X from running on a remote server, to which I 
only have SSH access, and I have never done this before. So, can 
someone please tell me how to do it?



telinit 3


If you need the server to stay at runlevel 3 after a reboot
change id:5:initdefault: to id:3:initdefault: in /etc/inittab.
Make sure the required services are enabled at this runlevel.



Re: [CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread Peter Kjellstrom
On Wednesday 23 July 2008, Paul Bijnens wrote:
 Rudi Ahlers wrote:
  Hi all
 
  I need to disable / stop X from running on a remote server, to which I
  only have SSH access, and I have never done this before. So, can
  someone please tell me how to do it?

 telinit 3

This will cause the server to switch from runlevel 5 (which includes X) to 
runlevel 3 (which does not). _But_ a small warning here: runlevel 3 may very 
well differ in more ways than just lacking X. Depending on how your server is 
configured you may shut down some services you wanted to keep (you may also 
start new ones you didn't expect).

To further investigate what your server does indeed run in runlevels 3 and 5, 
study the relevant columns from the command: chkconfig --list.

/Peter


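Peter's advice is to compare the runlevel 3 and 5 columns of chkconfig --list before switching. As an added example (not from the thread), the Python below parses that SysV-style output and lists which services telinit 3 would stop and which it would start; the chkconfig output embedded here is constructed sample text, not captured from any host.

```python
import re

# One SysV service line: name followed by seven "N:on|off" columns.
SERVICE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<levels>(?:\d:(?:on|off)\s*){7})$")

# Constructed sample of `chkconfig --list` output (not from a real host).
SAMPLE_CHKCONFIG = """\
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:on    6:off
xendomains      0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:off   4:off   5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:off   6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
        tftp:   on
"""


def parse_chkconfig(text):
    """Map service name -> set of runlevels (ints) in which it is 'on'.

    The trailing 'xinetd based services' block has no per-runlevel columns
    (those services follow xinetd itself), so it is skipped.
    """
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        on = set()
        for token in m["levels"].split():
            level, state = token.split(":")
            if state == "on":
                on.add(int(level))
        services[m["name"]] = on
    return services


def runlevel_diff(services, frm=5, to=3):
    """Return (stopped, started) when moving from runlevel `frm` to `to`:
    services on in `frm` but not in `to`, and services on in `to` but not `frm`."""
    stopped = sorted(n for n, lv in services.items() if frm in lv and to not in lv)
    started = sorted(n for n, lv in services.items() if to in lv and frm not in lv)
    return stopped, started


if __name__ == "__main__":
    stopped, started = runlevel_diff(parse_chkconfig(SAMPLE_CHKCONFIG))
    print("telinit 3 would stop :", stopped)   # ['avahi-daemon', 'httpd']
    print("telinit 3 would start:", started)   # ['smartd']
```

On a real host, feed it the actual output, e.g. parse_chkconfig(subprocess.run(["chkconfig", "--list"], capture_output=True, text=True).stdout).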


Re: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread mouss

Ned Slider wrote:

[snip]

I don't think anyone is suggesting running SSH on a non-standard port as 
a sole means of defence, but rather as part of a layered approach where 
it is very effective in what it is designed to do - namely to vastly 
reduce the number of random brute-forcing attempts and concomitant noise 
in log files not to mention reducing the overall load on other 
mechanisms of defence such as firewall scripts etc.


Moreover, rate limiting is not as effective as it used to be as there is 
now evidence that attackers are using distributed methods of attack 
utilizing multiple random IP addresses that circumnavigate defences that 
rely on attacks originating from a single IP address. Studies suggest 
attackers will try a handful of common account names/passwords and then 
move on as that's what yields the highest returns for them.


We should also remember that public/private key authentication is only 
secure as the host the private key is stored on when keys without 
passphrases are employed (all too common where users don't want to trade 
using a password for a passphrase). If a user account gets hacked then 
the keys to the kingdom are there for the taking and the hacker has 
instant access to any SSH servers which employ public/private key 
authentication (without passphrases).




Indeed. And with keyloggers or social engineering, passphrases get stolen too 
(and trojans can also connect from the same client if an agent is 
running). So don't trust users too much...




A useful additional layer of defence, if you want it, is a daemon that will
watch for port scans on the simple services ports and immediately insert a
firewall rule to block that source - such as the old PortSentry, if you can
find it, or some more modern equivalent. Of course, this won't do much to
defend against some types of stealthy scans, such as idle time scans.


One problem here is that you may block innocent clients in the case of 
IP spoofing. Better have a daemon that establishes TCP sessions before 
blocking.



Re: [CentOS] how do I stop X / gnome via SSH?

2008-07-23 Thread Rudi Ahlers

Peter Kjellstrom wrote:

On Wednesday 23 July 2008, Paul Bijnens wrote:

Rudi Ahlers wrote:

Hi all

I need to disable / stop X from running on a remote server, to which I
only have SSH access, and I have never done this before. So, can
someone please tell me how to do it?

telinit 3

This will cause the server to switch from runlevel 5 (which includes X) to 
runlevel 3 (which does not). _But_ a small warning here: runlevel 3 may very 
well differ in more ways than just lacking X. Depending on how your server is 
configured you may shut down some services you wanted to keep (you may also 
start new ones you didn't expect).

To further investigate what your server does indeed run in runlevels 3 and 5, 
study the relevant columns from the command: chkconfig --list.

/Peter

Thanx, I did notice it, but since this is a Xen server, with everything 
running on the domU VM, I need very little running on the main server as 
it is. So I have disabled a lot of unnecessary services as well.


--

Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other 
technical stuff



[CentOS] 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8

2008-07-23 Thread Gert Vandenreyt

Hi,

I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 
2.6.18-8 on a server with 3ware 9650SE raid controller. Does anybody 
know where I can find a driver diskette for  the raid controller as this 
is only supported from kernel 2.6.19.


Thanks for any help

Gert




[CentOS] Re: 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8

2008-07-23 Thread John
Hi Gert,

The 3Ware drivers for EL50/ CentOS5 can be downloaded from:
http://www.3ware.com/KB/article.aspx?id=15203

But I have read somewhere that the (in kernel 2.6.19 vanilla) 9650SE driver 
is backported to 2.6.18 EL in the 5.1 or 5.2 kernel series. If not, 3Ware 
also provide drivers for those kernels.

John


Gert Vandenreyt [EMAIL PROTECTED] 
wrote in message news:[EMAIL PROTECTED]
 Hi,

 I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 
 2.6.18-8 on a server with 3ware 9650SE raid controller. Does anybody know 
 where I can find a driver diskette for  the raid controller as this is 
 only supported from kernel 2.6.19.

 Thanks for any help

 Gert 





Re: [CentOS] VNC server problem

2008-07-23 Thread Johnny Hughes

Gopinath Achari wrote:

hi,

I just installed the vnc and vncserver package.
I started the server with the command vncserver :2

when I connected to vncserver using vncviewer 192.168.1.101:5902 
it prompted for the password, then it displayed a window with a terminal


but when the gui is enabled by uncommenting the two lines in the .vnc/xstartup
file
it displays a blank window when connecting from the remote vncviewer


is there anything else to be configured



http://wiki.centos.org/HowTos/VNC-Server





Re: [CentOS] fail2ban needs shorewall?

2008-07-23 Thread Tony Molloy
On Wednesday 23 July 2008 13:45:31 Kai Schaetzl wrote:
 I want to try out fail2ban and notice that both, kbs-CentOS-Testing and
 ATrpms, have shorewall as a dependency. I do not use shorewall and have
 never used it. I have my own iptables/firewall script and am happy with
 it. Can I install shorewall without any ill effects to my current use of
 iptables or would I need to use shorewall for firewalling from that point
 on? (It may be a good product, but I really don't want to learn yet
 another rule syntax.)

 Kai

I installed fail2ban from rpmforge and it has no dependencies. I use it with 
the default CentOS firewall

   fail2ban-0.8.2-2.el5.rf.noarch.rpm


Tony


[CentOS] df command reports inaccurate results?

2008-07-23 Thread Sean Carolan
Can anyone help make sense of this?  This is an ext3 partition.  It's
only showing 403GB out of 426GB used, but then it says only 632MB
available?  Where'd the extra ~25GB go?

[EMAIL PROTECTED] df -H /disks/vrac5

Filesystem Size   Used  Avail Use% Mounted on
/dev/sdb2 426GB  403GB  632MB 100% /disks/vrac5


Re: [CentOS] df command reports inaccurate results?

2008-07-23 Thread Ralph Angenendt
Sean Carolan wrote:
 Can anyone help make sense of this?  This is an ext3 partition.  It's
 only showing 403GB out of 426GB used, but then it says only 632MB
 available?  Where'd the extra ~25GB go?

Those are the ~ 5% which are automatically reserved for root ...

man tune2fs

Ralph




[CentOS] MOUSE problem in Centos 5.1

2008-07-23 Thread Gopinath Achari
Hi All,

I installed CentOS 5.1 on an Intel P4 PC.
It got installed successfully. Up to the login prompt the mouse cursor
appears on the screen, then the cursor disappears. If we move the mouse, the
cursor movement is felt when it is on an icon or when a right click is done,
but the cursor is transparent. I don't know what the problem is.

The mouse cursor is seen on the CUI prompt but not in the GUI. Please help
me with what to do.

The mouse is of Logitech make and is a ball mouse

Regards,
Gopinath 




Re: [CentOS] df command reports inaccurate results?

2008-07-23 Thread William L. Maltby

On Wed, 2008-07-23 at 15:09 +0200, Ralph Angenendt wrote:
 Sean Carolan wrote:
  Can anyone help make sense of this?  This is an ext3 partition.  It's
  only showing 403GB out of 426GB used, but then it says only 632MB
  available?  Where'd the extra ~25GB go?
 
 Those are the ~ 5% which are automatically reserved for root ...
 
 man tune2fs

Further, there is some overhead for i-nodes and what not. I don't recall
if that is included or excluded in/from the df calculations.

A df -i will likely show a *very* large number of available i-nodes
and a small percent used. I've many times made a file system and reduced
the number of i-nodes substantially and gained a *lot* of space. Due
diligence is required: the profile of number of files, average files
sizes, temporary files during busiest parts of the day, ... must be
taken into consideration to derive a safe usable number. Get it wrong and
you'll need some aspirin for the headache.

Also, when making the file system, reducing the amount reserved for root
is usually safe on today's larger drives, especially on a relatively
stable system/user base/file/system usage.

 
 Ralph
 snip sig stuff

-- 
Bill



[CentOS] Re: Yum errors

2008-07-23 Thread kOoLiNuS - Nicola Losito
On Thu, 03/07/2008 at 11.04 -0700, Scott Silva wrote:
 on 7-2-2008 8:01 AM Karanbir Singh spake the following:
  Scott Silva wrote:
  I'm having a problem with a fairly new server.
  Running yum upgrade I get the following:
 
  Traceback (most recent call last):
File /usr/bin/yum, line 29, in ?
  yummain.main(sys.argv[1:])
File /usr/share/yum-cli/yummain.py, line 105, in main
  result, resultmsgs = base.doCommands()

[cut]
Hi!
I've resolved it by checking (manually) the latest version of yum and some
related packages:

yum-3.2.8-9.el5.centos.2.1.noarch.rpm
yum-fastestmirror-1.1.10-9.el5.centos.noarch.rpm
yum-refresh-updatesd-1.1.10-9.el5.centos.noarch.rpm
yum-updatesd-0.9-2.el5.noarch.rpm

which I manually updated with a yum localinstall ./yum-*  command
after having *disabled* any other 3rd-party repository present in my
sources list.

Everything went ok after having done this.
Good luck (if you still haven't found a solution on this topic!)





Re: [CentOS] fail2ban needs shorewall?

2008-07-23 Thread Kai Schaetzl
Tony Molloy wrote on Wed, 23 Jul 2008 13:53:49 +0100:

 I installed fail2ban from rpmforge and it has no dependencies.

Ah, thanks, I thought I had installed an rpm earlier that didn't have 
dependencies, but I couldn't find the machine I did it on. I disabled the kbs 
repo and I'm now getting it. yum wanted to install the older i386 rpm first, 
though. Does the i386 override noarch, although the version is newer?



Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] df command reports inaccurate results?

2008-07-23 Thread Jens Larsson
  Also, when making the file system, reducing the amount reserved for 
  root is usually safe on today's larger drives, especially on a 
  relatively stable system/user base/file/system usage.

 I gather this can't be done after creation?
 Kai

Remember: You can tune a file system, but you can't tune a fish. 

% man tune2fs

The -m option.

/jens

-- 
Jens Larsson, NSC, Linköpings universitet, SE-58183 LINKÖPING, SWEDEN
Phone: +46-13-281432, Mobile: +46-709-521432, E-mail: [EMAIL PROTECTED]
GPG/PGP Key: 1024D/C21BB2C7 2001-02-27 Jens Larsson [EMAIL PROTECTED]
Key Fingerprint: BAEF 85CF BF1D  7A69 C965 2EE6  C541 D57F C21B  B2C7


Re: [CentOS] df command reports inaccurate results?

2008-07-23 Thread William L. Maltby

On Wed, 2008-07-23 at 16:38 +0200, Jens Larsson wrote:
   Also, when making the file system, reducing the amount reserved for 
   root is usually safe on today's larger drives, especially on a 
   relatively stable system/user base/file/system usage.
 
  I gather this can't be done after creation?
  Kai
 
 Remember: You can tune a file system, but you can't tune a fish. 

Hootie and the Blowfish? They can be tuned!  ;-)

 
 % man tune2fs
 
 The -m option.

or the -r option.

 
 /jens
 
 -- 
 snip sig stuff

-- 
Bill



Re: [CentOS] fail2ban needs shorewall?

2008-07-23 Thread Kai Schaetzl
Tony Molloy wrote on Wed, 23 Jul 2008 14:53:05 +0100:

 you can specify noarch on the install 
 line.

that's what I did, I was just curious.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: [CentOS] How to get additional packages? How secure is Yum?

2008-07-23 Thread Manuel Reimer
nate wrote:
 Security is pretty important for me too. For this, and other reasons
 I never point yum to 3rd party repositories. I only run CentOS/RHEL
 on servers. I run Debian on desktops(due to larger package selection
 and still long release cycles for stable). And usually Ubuntu on
 laptops(for more current hardware support).

Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just 
some weeks ago?

Especially if it gets to security, I don't think that Debian is a good 
solution. AFAIR they also got their servers hacked several times for several 
different reasons. Not very trustworthy, IMHO. And those political discussions 
*suck*! For example I want Firefox and *not* Iceweasel.

 If security is a top priority, and you really want to use CentOS/RHEL,
 then don't use 3rd party packages, period. Otherwise I suggest you
 find a distro that supports the applications you wish to run directly
 or maintain them yourself.

I'm searching for a distribution for several *months* now and so far I couldn't 
find something that fits my needs...

CentOS seems to be pretty well done, but the amount of packages that is 
delivered with it definitely doesn't fit all needs. Today, I tried to set up a 
server with CentOS (VMWare server). Worked pretty well, but for installing the 
NTFS driver, I had to import the rpmforge repository...

 And of course security/stability rarely means having the latest version.

Of course.

Am I on the right list? Not many answers, so far...

CU

Manuel
-- 
()  ascii ribbon campaign - against html mail
/\- against HTML mail
answers as html mail will be deleted automatically!
Replies as HTML mail will be deleted automatically!



Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread nate
John Hinton wrote:
 Do I just ask really hard questions or are my questions just not clear?
 There has to be others on this list that are running nameservers via
 CentOS. This seems to be a nasty issue that we who are running bind need
 to get right.

And the fix is really stupid for those running name servers behind firewalls.

I can't say I'm an expert on this particular issue but from what I've
read it seems like the attack depends on being able to send queries to
the name server in question in order to predict the IDs that the system
is generating.

The way my DNS is setup at home is that I have 2 external name servers
that do not allow recursion for domains that they are not responsible
for other than for a couple trusted IPs(all of which are local). My
main caching name server is internal to my network and cannot be directly
queried from the internet. As such I think my exposure is pretty low.
All of my name servers are setup to force their source port to be 53,
I really really don't like the idea of opening up tens of thousands of
ports back to my name servers.

So I suspect your caching name servers are only vulnerable if they
can be sent queries from the attacker. If your internal network is
trusted then I think you're fairly safe as long as you don't allow
access to the caching name servers externally. And of course run
dedicated name servers for authoritative hosting.

I plan to have a similar setup at my company, the external authoritative
servers are not behind a firewall(F5 Global traffic managers), the
internal ones are not accessible outside the network. DNS cache
poisoning is the least of my worries if an attacker has access to the
internal network.

nate



Re: [CentOS] How to get additional packages? How secure is Yum?

2008-07-23 Thread nate
Manuel Reimer wrote:
 Debian? Didn't they have a *pretty* dangerous hole in their SSL packages
 just some weeks ago?

Yeah, fortunately I wasn't really affected, my systems weren't upgraded
to the affected packages. (I didn't upgrade to the latest stable until
fairly recently). Shit happens, nobody is perfect. But the fact remains
that it's still supported by someone. I don't advocate debian for everyone
I was just giving an example of a distribution that has long release
cycles similar to RHEL, and a much wider selection of packages that are
actively supported by the base vendor.

 Especially if it gets to security, I don't think that Debian is a good
 solution. AFAIR they also got their servers hacked several times for several
 different reasons. Not very trustworthy, IMHO. And those political
 discussions *suck*! For example I want Firefox and *not* Iceweasel.

Then don't use iceweasel, download firefox and install it yourself. It's
not hard. I don't really care either way but I do like the fact that
they back port security fixes. I did that for years myself, back in the
early firefox and phoenix days.  I haven't been on a debian mailing list
in 5-6 years so haven't seen the political stuff, but still I didn't
really care back then either.

 I'm searching for a distribution for several *months* now and so far I
 couldn't find something that fits my needs...

Maybe time to roll your own :)

 CentOS seems to be pretty well done, but the amount of packages that is
 delivered with it definitely doesn't fit all needs. Today, I tried to set up
 a server with CentOS (VMWare server). Worked pretty well, but for installing
 the NTFS driver, I had to import the rpmforge repository...

I agree, that's one of my main complaints about RHEL is the lack of
packages. I checked and I have about 55 source rpms that I custom build
to install on my systems(installed via cfengine), for RHEL4/5 both
32-bit and 64-bit. Back when I had to support a Ruby on Rails environment
I had to build another 30 packages for the same 4 different platforms
(for a while it was 6 different platforms) from source tarballs(made
into RPMs using alien).

Then there's custom drivers for the various kernels, e.g. for VMWare
I build from source their drivers package for each kernel so I can push
out a binary RPM along with the kernel RPM to provide correct drivers
automatically, no need to re-run the configure script and I don't like
to use their prebuilt binaries(no real reason, just prefer not to).
Same goes for fiber channel card drivers, and for a while, I had to
build/package custom network(broadcom) and 3ware raid drivers since
they weren't supported in the main kernels at the time. (inserting
these drivers into the installation process was a pain..)

 Am I on the right list? Not very much answers, so far...

Probably because there aren't any good answers. There's too many
different preferences out there. For me rolling my own is fine for
my CentOS/RHEL systems. For others, blindly using the main 3rd
party repos is fine for them. Maybe for you, to lobby the distribution
you prefer most(RHEL? since your on a CentOS list) to include the
packages that you want(so they can then come down to CentOS).

Or perhaps take another approach - Don't pick the applications you
want to use and then try to find someone to support them. Pick a
base platform to use and build your system around the applications
they support.

nate




Re: [CentOS] df command reports inaccurate results?

2008-07-23 Thread Ralph Angenendt
Kai Schaetzl wrote:
 William L. Maltby wrote on Wed, 23 Jul 2008 09:26:21 -0400:
 
  Also, when making the file system, reducing the amount reserved for root
  is usually safe on today's larger drives, especially on a relatively
  stable system/user base/file/system usage.
 
 I gather this can't be done after creation?

That's why I said man tune2fs :)

Yes, it can.

Cheers,

Ralph




Re: [CentOS] NFS V4?

2008-07-23 Thread David Dyer-Bennet

On Tue, July 22, 2008 18:39, MJT wrote:
 Ok, I don't have the original post in my email so I am replying via a
 reply
 cutting and pasting from the archives list web page.

Thank you!

 Looks like just starting the nfs service turns on V2, 3, and 4 (based on
 reading the script, reading the man pages, and looking at the ports using
 netstat -l).

 That behavior is set in the /etc/sysconfig/nfs file

Which is empty by default in Centos 4.6.  In fact nonexistent.

 I don't believe this is a firewall issue, internal IPs are fully open to
 each other according to an early rule in iptables.

 It may not be a firewall issue, but NFS does use a different port. port
 2049

Yes, I know that (in fact, it conflicted with a local use, too, so I'm
running it on 22049 currently; that worked by setting RPCNFSDARGS in
/etc/sysconfig/nfs to include -p 22049).


 You got yourself a configuration issue! So, this is what I did:

Gosh, really?   :-)


 On the server, in /etc/sysconfig/nfs be sure you set: SECURE_NFS=no
 until
 you are ready to take on kerberos authentication. While you are there you
 can
 change which versions of NFS get mounted. I haven't had to change anything
 else in that file.

I don't believe SECURE_NFS does anything; at least, it's not mentioned in
/etc/init.d/nfs anywhere, and it's not in the nfsd man page.


 Next, on both the server and client, go into the /etc/idmap.conf and be
 sure to
 set your Domain = to your domain name.  and also set:

 Nobody-User = nobody
 Nobody-Group = nobody

Those are already set in the Centos 4.6 idmapd.conf file.

Domain is set to localdomain, though.  Does it work if everybody agrees,
or does it have to be right in some broader sense?  I don't know what it
uses this for.

It's complicated here by the fact that internally our DNS likes to use
example.local instead of example.com (I'm obfuscating the name of my
employer).  So I guess domain should probably be example.local, since
host.example.local is what you look up to get the right internal IP for
all our hosts?


 Now for the /etc/exports file

 Let's say you keep everything in a /export directory. In there you have a
 home/
 and a data directory... Well, the export file should look something like:

 /export 192.168.0.*(rw,fsid=0,no_subtree_check,insecure,sync)
 /export/home 192.168.0.*(rw,no_subtree_check,insecure,sync)
 /export/home 192.168.0.*(ro,no_subtree_check,insecure,sync)

 Notice that the flags are different. Note the fsid=0 flag? Well that
 defines
 the /export as the root NFS directory so you do not need to
 include /export in the fstab or the mount string when mounting. There
 can
 be more than one fsid flag as long as the numbers are unique but only
 fsid=0
 sets the root directory. Other numbers allow different kerberos setups, or
 so
 I understand.

I'd read about fsid=0, but hadn't gotten the fact that it hides that level
from what I read.  Thanks!

I'm getting the impression that /etc/exports is used by NFS V4 and earlier
versions, and in conflicting ways.  Is that true?  Or are there at least
semi-clever ways to make one that works for everything?

 Remember to restart NFS on the server!

This is one place where command history has been very handy for me.

 Now to finish with the client, be sure you did the /etc/idmap.conf on the
 client or you will get all sorts of strange results!

 Edit the fstab file

 If you want to mount just /export on the server to /mnt/nfs on the client
 the
 fstab entry would look like:

 server.dom:/     /mnt/nfs   nfs4   rw,soft,intr,proto=tcp,port=2049   0 0

Never would have occurred to me to specify the default port there!  But
since I'm using a non-default port, I have the port= parameter in place.

 Notice there is NO /export . That is because of the fsid=0 flag. If you
 included the /export it would deny the mount.

 To mount the two directories:

 server.dom:/home   /home      nfs4   rw,soft,intr,proto=tcp,port=2049   0 0
 server.dom:/data   /mnt/data  nfs4   rw,soft,intr,proto=tcp,port=2049   0 0

 again no /export

Well, I definitely understand a couple of things better than when we
started.  Thank you very much!

It is not, however, working.  Is that likely to be the domain= setting,
given what I said above?

I'll try constructing a standard /export and set things up more exactly
that way and see if anything changes.

But the errors I'm getting tend to be like:

[EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o
rw,hard,intr,proto=tcp,port=22049
mount: mount to NFS server 'host01' failed: System Error: Connection refused.

Hmm; I'm currently exporting

/home   host00(rw,no_subtree_check,sync,fsid=0)

and /home/ddb is under that.  Do I have to separately export /home/ddb,
given that it's really there and not a link?  (My main application is
exporting users' home directories to be shared among all the linux boxes,
so setting up an extra hierarchy /export didn't seem to gain me anything.)

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; 
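The exports discussion above turns on two things an /etc/exports reader has to get right: which path an NFSv4 client actually mounts once one export carries fsid=0 (that export becomes "/" and everything below it loses the prefix, which is why the quoted fstab lines have no /export in them), and which options widen who can talk to the server. The following is an added example for this thread, not code from nfs-utils or from either poster. Its sample input is the exports file quoted above, with the second /export/home line read as /export/data since that is what the matching fstab lines mount (an assumption), plus David's own single export line.

```python
"""Parse /etc/exports, work out what an NFSv4 client has to mount (the
fsid=0 export becomes "/", everything beneath it loses that prefix) and
flag the options from the thread that widen who can talk to the server.

Added example, not nfs-utils code. Sample inputs are taken from the thread
(the /export/data line is an assumption, see the lead-in).
"""
import posixpath
import re

RISKY_OPTIONS = {
    "insecure": "accepts requests from client ports above 1023, so any local "
                "user on an allowed client can speak to the server",
    "no_root_squash": "remote root keeps uid 0 on this export",
}

THREAD_EXPORTS = """\
/export      192.168.0.*(rw,fsid=0,no_subtree_check,insecure,sync)
/export/home 192.168.0.*(rw,no_subtree_check,insecure,sync)
/export/data 192.168.0.*(ro,no_subtree_check,insecure,sync)
"""

# David's own export line, quoted in his message.
DDB_EXPORTS = "/home   host00(rw,no_subtree_check,sync,fsid=0)\n"


def parse_exports(text: str) -> list:
    """Return one record per (path, client) pair; options belong to the client."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", spec)
            client = m.group(1) or "*"          # a bare "(rw)" means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            records.append({"path": path, "client": client, "options": opts})
    return records


def audit_exports(text: str):
    """Return ({export path: NFSv4 client path}, [findings])."""
    records = parse_exports(text)
    roots = sorted({r["path"] for r in records if "fsid=0" in r["options"]})
    findings = []
    if len(roots) != 1:
        findings.append(f"NFSv4 needs exactly one fsid=0 export, found {len(roots)}")
    root = roots[0] if roots else None
    client_paths = {}
    for r in records:
        tag = f'{r["path"]} {r["client"]}'
        if root:
            # Path relative to the pseudo-root is what goes after "server:" in fstab.
            rel = posixpath.relpath(r["path"], root)
            if rel.startswith(".."):
                findings.append(f"{tag}: outside the fsid=0 tree {root}, so an "
                                "NFSv4 client cannot reach it through the pseudo-root")
            else:
                client_paths[r["path"]] = "/" if rel == "." else "/" + rel
        if re.search(r"[*?]", r["client"]):
            findings.append(f"{tag}: wildcard client specification")
        for opt in r["options"]:
            if opt in RISKY_OPTIONS:
                findings.append(f"{tag}: {opt}: {RISKY_OPTIONS[opt]}")
    return client_paths, findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_EXPORTS), ("ddb", DDB_EXPORTS)):
        paths, findings = audit_exports(text)
        print(label, "client mounts:", paths)
        for f in findings:
            print("  -", f)
```

Run against the quoted file it reports "/", "/home" and "/data" as the client-side paths, matching the fstab lines in the message, and flags every line for both the wildcard client list and `insecure`; David's one-line export yields "/" and no findings.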

Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread John Hinton

nate wrote:

John Hinton wrote:

Do I just ask really hard questions or are my questions just not clear?
There has to be others on this list that are running nameservers via
CentOS. This seems to be a nasty issue that we who are running bind need
to get right.



And the fix is really stupid for those running name servers behind firewalls.

I can't say I'm an expert on this particular issue but from what I've
read it seems like the attack depends on being able to send queries to
the name server in question in order to predict the IDs that the system
is generating.

The way my DNS is setup at home is that I have 2 external name servers
that do not allow recursion for domains that they are not responsible
for other than for a couple trusted IPs(all of which are local). My
main caching name server is internal to my network and cannot be directly
queried from the internet. As such I think my exposure is pretty low.
All of my name servers are setup to force their source port to be 53,
I really really don't like the idea of opening up tens of thousands of
ports back to my name servers.

So I suspect, if your caching name servers are only vulnerable if they
can be sent queries from the attacker. If your internal network is
trusted then I think you're fairly safe as long as you don't allow
access to the caching name servers externally. And of course run
dedicated name servers for authoritative hosting.

I plan to have a similar setup at my company, the external authoritative
servers are not behind a firewall(F5 Global traffic managers), the
internal ones are not accessible outside the network. DNS cache
poisoning is the least of my worries if an attacker has access to the
internal network.

nate

I'm running caching nameservers on almost all of my systems and then 
also three nameservers. All are available publicly. I too had hard coded 
bind to port 53. I also had specifically opened port 53 through the 
firewall. But now, it appears that using only port 53 is a bad thing. 
From what I read, both the port and the ID need to change to be secure 
(even this is just security through obscurity). It's sounding like I'll 
need to open a port range, but I don't know what a 'good practice' will be.


I read through the redhat notes, googled and read all over the place. 
All I seem to find is to remove the named.conf line that forces bind 
through port 53 and then statements like 'your firewall will need to be 
adjusted accordingly', with no good suggestions for how to do this.


So, I'm faced with turning off the firewall to show good external 
testing on bind sort of like unlocking every window and door to a 
house, in order try to keep someone from trying to open just one.


John Hinton


[Fwd: Re: [CentOS] fail2ban needs shorewall?]

2008-07-23 Thread andylockran

I've used denyhosts.

If you do have an issue with fail2ban, it does pretty much the same thing.

Andy

-------- Original Message --------
Subject: Re: [CentOS] fail2ban needs shorewall?
Date: Wed, 23 Jul 2008 17:08:07 +0200
From: Kai Schaetzl [EMAIL PROTECTED]
Reply-To: CentOS mailing list centos@centos.org
To: centos@centos.org
References: [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Tony Molloy wrote on Wed, 23 Jul 2008 14:53:05 +0100:

 you can specify noarch on the install 
 line.

that's what I did, I was just curious.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


RE: [CentOS] Bind Firewall Rules

2008-07-23 Thread Paul A
Correct me if I'm wrong but from my understanding doesn't the new BIND
randomize outgoing source ports only? - If so then if you have your firewall
to allow established connections you should be all set.

P.A  -Original Message-
P.A  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
P.A  Behalf Of John Hinton
P.A  Sent: Wednesday, July 23, 2008 12:41 PM
P.A  To: CentOS mailing list
P.A  Subject: Re: [CentOS] Bind Firewall Rules
P.A  
P.A  nate wrote:
P.A   John Hinton wrote:
P.A  
P.A   Do I just ask really hard questions or are my questions just not
P.A  clear?
P.A   There has to be others on this list that are running nameservers
P.A  via
P.A   CentOS. This seems to be a nasty issue that we who are running bind
P.A  need
P.A   to get right.
P.A  
P.A  
P.A   And the fix is really stupid for those running name servers behind
P.A  firewalls.
P.A  
P.A   I can't say I'm an expert on this particular issue but from what
P.A  I've
P.A   read it seems like the attack depends on being able to send queries
P.A  to
P.A   the name server in question in order to predict the IDs that the
P.A  system
P.A   is generating.
P.A  
P.A   The way my DNS is setup at home is that I have 2 external name
P.A  servers
P.A   that do not allow recursion for domains that they are not
P.A  responsible
P.A   for other than for a couple trusted IPs(all of which are local). My
P.A   main caching name server is internal to my network and cannot be
P.A  directly
P.A   queried from the internet. As such I think my exposure is pretty
P.A  low.
P.A   All of my name servers are setup to force their source port to be
P.A  53,
P.A   I really really don't like the idea of opening up tens of thousands
P.A  of
P.A   ports back to my name servers.
P.A  
P.A   So I suspect, if your caching name servers are only vulnerable if
P.A  they
P.A   can be sent queries from the attacker. If your internal network is
P.A   trusted then I think you're fairly safe as long as you don't allow
P.A   access to the caching name servers externally. And of course run
P.A   dedicated name servers for authoritative hosting.
P.A  
P.A   I plan to have a similar setup at my company, the external
P.A  authoritative
P.A   servers are not behind a firewall(F5 Global traffic managers), the
P.A   internal ones are not accessible outside the network. DNS cache
P.A   poisoning is the least of my worries if an attacker has access to
P.A  the
P.A   internal network.
P.A  
P.A   nate
P.A  
P.A  
P.A  I'm running caching nameservers on almost all of my systems and then
P.A  also three nameservers. All are available publicly. I too had hard
P.A  coded
P.A  bind to port 53. I also had specifically opened port 53 through the
P.A  firewall. But now, it appears that using only port 53 is a bad thing.
P.A   From what I read, both the port and the ID need to change to be
P.A  secure
P.A  (even this is just security through obscurity). It's sounding like
P.A  I'll
P.A  need to open a port range, but I don't know what a 'good practice'
P.A  will be.
P.A  
P.A  I read through the redhat notes, googled and read all over the place.
P.A  All I seem to find is to remove the named.conf line that forces bind
P.A  through port 53 and then statements like 'your firewall will need to
P.A  be
P.A  adjusted accordingly', with no good suggestions for how to do this.
P.A  
P.A  So, I'm faced with turning off the firewall to show good external
P.A  testing on bind sort of like unlocking every window and door to a
P.A  house, in order try to keep someone from trying to open just one.
P.A  
P.A  John Hinton
P.A  ___
P.A  CentOS mailing list
P.A  CentOS@centos.org
P.A  http://lists.centos.org/mailman/listinfo/centos



RE: [CentOS] Bind Firewall Rules

2008-07-23 Thread nate
Paul A wrote:
 Correct me if I'm wrong but from my understanding doesn't the new BIND
 randomize outgoing source ports only? - If so then if you have your firewall
 to allow established connections you should be all set.

That's a good point, just tested it out on my firewall, removed
the port 53 option from named.conf and restarted bind and can
still query it internally and externally for its authoritative domains.

Perhaps my firewall is just less strict than it used to be(migrated
from freebsd to openbsd about a year ago). I don't recall what the
ruleset used to look like. I do recall having to enable that option
years ago else I couldn't query through the firewall.

Still I think caching name servers should be more protected whenever
possible, as this fix isn't really a fix it just makes it a bit harder
to determine what the id is.

nate



Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread John Hinton

Paul A wrote:

Correct me if I'm wrong but from my understanding doesn't the new BIND
randomize outgoing source ports only? - If so then if you have your firewall
to allow established connections you should be all set.

Maybe I'm just missing something... I have

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j 
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j 
ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I'm not very good with firewall rules, but I assume these are the three 
that are important?


I also read within the named.conf file, lines such as

query-source address * port 53;

need to be removed.

Yet when I remove that line, bind will not restart. This is the only 
place in my named.conf file where port 53 is referenced.


Testing from the outside world, shows that only port 53 is being used on 
their returns and I'm getting injection potential warnings. This is from 
dnsstuff.com. What they say is that both the query source port and the 
ID need to change. Obviously, I have the query source port set to 53.


Somehow, I need to get past this port issue.

John Hinton

P.A  -Original Message-
P.A  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
P.A  Behalf Of John Hinton
P.A  Sent: Wednesday, July 23, 2008 12:41 PM
P.A  To: CentOS mailing list
P.A  Subject: Re: [CentOS] Bind Firewall Rules
P.A  
P.A  nate wrote:

P.A   John Hinton wrote:
P.A  
P.A   Do I just ask really hard questions or are my questions just not
P.A  clear?
P.A   There has to be others on this list that are running nameservers
P.A  via
P.A   CentOS. This seems to be a nasty issue that we who are running bind
P.A  need
P.A   to get right.
P.A  
P.A  
P.A   And the fix is really stupid for those running name servers behind
P.A  firewalls.
P.A  
P.A   I can't say I'm an expert on this particular issue but from what
P.A  I've
P.A   read it seems like the attack depends on being able to send queries
P.A  to
P.A   the name server in question in order to predict the IDs that the
P.A  system
P.A   is generating.
P.A  
P.A   The way my DNS is setup at home is that I have 2 external name
P.A  servers
P.A   that do not allow recursion for domains that they are not
P.A  responsible
P.A   for other than for a couple trusted IPs(all of which are local). My
P.A   main caching name server is internal to my network and cannot be
P.A  directly
P.A   queried from the internet. As such I think my exposure is pretty
P.A  low.
P.A   All of my name servers are setup to force their source port to be
P.A  53,
P.A   I really really don't like the idea of opening up tens of thousands
P.A  of
P.A   ports back to my name servers.
P.A  
P.A   So I suspect, if your caching name servers are only vulnerable if
P.A  they
P.A   can be sent queries from the attacker. If your internal network is
P.A   trusted then I think you're fairly safe as long as you don't allow
P.A   access to the caching name servers externally. And of course run
P.A   dedicated name servers for authoritative hosting.
P.A  
P.A   I plan to have a similar setup at my company, the external
P.A  authoritative
P.A   servers are not behind a firewall(F5 Global traffic managers), the
P.A   internal ones are not accessible outside the network. DNS cache
P.A   poisoning is the least of my worries if an attacker has access to
P.A  the
P.A   internal network.
P.A  
P.A   nate
P.A  
P.A  
P.A  I'm running caching nameservers on almost all of my systems and then
P.A  also three nameservers. All are available publicly. I too had hard
P.A  coded
P.A  bind to port 53. I also had specifically opened port 53 through the
P.A  firewall. But now, it appears that using only port 53 is a bad thing.
P.A   From what I read, both the port and the ID need to change to be
P.A  secure
P.A  (even this is just security through obscurity). It's sounding like
P.A  I'll
P.A  need to open a port range, but I don't know what a 'good practice'
P.A  will be.
P.A  
P.A  I read through the redhat notes, googled and read all over the place.

P.A  All I seem to find is to remove the named.conf line that forces bind
P.A  through port 53 and then statements like 'your firewall will need to
P.A  be
P.A  adjusted accordingly', with no good suggestions for how to do this.
P.A  
P.A  So, I'm faced with turning off the firewall to show good external

P.A  testing on bind sort of like unlocking every window and door to a
P.A  house, in order try to keep someone from trying to open just one.
P.A  
P.A  John Hinton

P.A  ___
P.A  CentOS mailing list
P.A  CentOS@centos.org
P.A  http://lists.centos.org/mailman/listinfo/centos

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


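Paul's point and John's three iptables rules fit together once connection tracking is spelled out: netfilter records the 4-tuple of every datagram named sends, so the answer to a query sent from a random high port comes back as ESTABLISHED and is taken by the third rule, while a datagram to a high port nobody queried from is NEW and falls through. Nothing in the port range needs to be opened. The toy model below is an added illustration for this thread, not code from the list, from netfilter or from BIND; the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy model of iptables connection tracking for a name server whose
outgoing queries use a random source port.

Added example for this thread (not list, BIND or netfilter code). It mimics
the three RH-Firewall-1-INPUT rules quoted in the message above:

    -A RH-Firewall-1-INPUT -p tcp -m state --dport 53 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m state --dport 53 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

with everything else on INPUT rejected and OUTPUT left open, which is how
the stock CentOS ruleset behaves. Addresses are constructed (RFC 5737).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackFirewall:
    """Stateful filter: a flow counts as ESTABLISHED once a packet has left
    the host for it, UDP included (netfilter tracks UDP by 4-tuple too)."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.flows = set()

    def send(self, pkt: Packet) -> None:
        """OUTPUT chain: nothing is filtered, but conntrack notes the flow."""
        if pkt.src != self.local_ip:
            raise ValueError("outbound packet must originate on this host")
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt: Packet) -> str:
        """Inbound packet is ESTABLISHED if it reverses a flow we started."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.flows else "NEW"

    def accept_inbound(self, pkt: Packet) -> bool:
        """INPUT chain: True if the packet is delivered to named."""
        if self.state(pkt) == "ESTABLISHED":
            return True                    # rule 3: reply to our own query
        if pkt.dport == 53 and pkt.proto in ("udp", "tcp"):
            return True                    # rules 1/2: someone querying us
        return False                       # implicit reject


def resolver_round_trip(fw: ConntrackFirewall, upstream: str, rng: random.Random):
    """named sends one query from a random high port; the upstream answers."""
    sport = rng.randrange(1024, 65536)
    fw.send(Packet("udp", fw.local_ip, sport, upstream, 53))
    reply = Packet("udp", upstream, 53, fw.local_ip, sport)
    return sport, fw.accept_inbound(reply)


def demo() -> dict:
    fw = ConntrackFirewall("192.0.2.10")
    rng = random.Random(2008)
    out = {}
    # A client asking our server: NEW to dport 53 -> accepted by rules 1/2.
    out["client_query"] = fw.accept_inbound(
        Packet("udp", "203.0.113.7", 51515, fw.local_ip, 53))
    # Our randomized-port query and its genuine answer: ESTABLISHED -> accepted.
    sport, out["genuine_reply"] = resolver_round_trip(fw, "198.51.100.5", rng)
    # A datagram to a high port we never queried from: NEW, dport != 53 -> dropped.
    other = sport + 1 if sport < 65535 else 1024
    out["unsolicited_high_port"] = fw.accept_inbound(
        Packet("udp", "198.51.100.5", 53, fw.local_ip, other))
    # Caveat: the firewall admits anything that matches the outstanding
    # 4-tuple, so it is the unpredictable port and ID that protect the cache,
    # not the firewall. Its only job here is to let the matching reply in.
    out["second_packet_matching_tuple"] = fw.accept_inbound(
        Packet("udp", "198.51.100.5", 53, fw.local_ip, sport))
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:30s} {'ACCEPT' if accepted else 'DROP'}")
```

The model says nothing about whether `query-source ... port 53` is present: with or without it the reply matches the flow named created, which is consistent with nate's test of removing the option and still resolving through his firewall.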


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Scott Mazur
On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
 I'm running caching nameservers on almost all of my systems and then 
 also three nameservers. All are available publicly. I too had hard 
 coded bind to port 53. I also had specifically opened port 53 
 through the firewall. But now, it appears that using only port 53 is 
 a bad thing.  From what I read, both the port and the ID need to 
 change to be secure 
 (even this is just security through obscurity). It's sounding like 
 I'll need to open a port range, but I don't know what a 'good 
 practice' will be.

Port 53 is the dns port used by the world (and your internal private networks)
to query your name server.  If your name server is intended to provide domain
resolution publicly just how do you expect the public to find it if you're
randomly changing ports?  The world won't port scan your machine until it
finds a name server answering on one of them.  Dns requests, internal or
external, will come into your box on port 53 and there would be no point to
running a name server (private, public, caching or otherwise) if this port is
not open through the firewall.

You've misunderstood the issues of dns security.  It would be dangerous to
start messing with your firewall rules until you understand exactly how the
process works.


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread andylockran

John,

 Maybe I'm just missing something... I have
 
 -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j
 ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j
 ACCEPT
 -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 I'm not very good with firewall rules, but I assume these are the three
 that are important?

I find shorewall is a fantastic front-end to iptables.  Options such as
shorewall safe-restart - (which prevents the new rules being
permanently applied by asking you for confirmation after they've been
applied.  If you don't respond then it reverts back to the old ruleset).

It's saved me a lot of hassle :)

Regards,

Andy


Re: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread Nifty Cluster Mitch
On Tue, Jul 22, 2008 at 10:16:44AM -0500, David Dyer-Bennet wrote:
 On Tue, July 22, 2008 09:34, Rudi Ahlers wrote:
 
  By changing the ports on all our servers to a high (above 1024) port, we
  have eliminated SSH scans altogether - been running like that for a few
  years now without any problems.
 
.
 
 On the other hand, why are people so worried about SSH scans?  I'm worried
 about who actually gets in, not who connects to the port.  Strong password
 quality enforcement, or maybe requiring public-key authentication, seem
 like a more useful response. 

For me it is signal to noise ratio.  The longer the password file (valid
users) the longer the list of connections and corresponding events (good
and bad) that needs to be watched.  Switching to another port with a
large user community requires that the entire community be informed,
configured and supported.

I like 'denyhosts' as a tool to limit these attacks, other good solutions
also exist.  Most distros now have 'denyhosts' as a prebuilt RPM which
is a plus IMO (+).   As others remarked disable root logins.  Manage the
'su, sudo' list with care and populate the illegal user list aggressively
based on the attack list observed in the logs. Users with su, sudo
privilege should be limited to those that use sshkey login and understand
what a strong password is.

Later,
mitch

 (+)  a prebuilt RPM does present the issue that any flaw in
 the prebuilt can be widely exploited.   As such updates should
 be watched for, tested and deployed promptly.


-- 
T o m  M i t c h e l l 
Looking for a place to hang my hat :-(



Re: [CentOS] How to get additional packages? How secure is Yum?

2008-07-23 Thread MHR
On Wed, Jul 23, 2008 at 8:11 AM, Manuel Reimer [EMAIL PROTECTED] wrote:

 I'm searching for a distribution for several *months* now and so far I 
 couldn't find something that fits my needs...

 CentOS seems to be pretty well done, but the amount of packages that is 
 delivered with it definitely doesn't fit all needs. Today, I tried to set up a 
 server with CentOS (VMWare server). Worked pretty well, but for installing 
 the NTFS driver, I had to import the rpmforge repository...


Not sure why you *need* NTFS support to use/run VMWare Server...?

For NTFS support, I routinely download the latest CentOS release
kernel sources and build it in, but you can also just build the module
and use dkms to keep it up to date.

As for the availability of packages, well, some things come with a
distribution and others don't.  E.g., I like to use Seamonkey (instead
of Firefox or other options), but I don't think it comes with any
distribution, so I get it and install it separately.  You just have to
decide which is more important - the distro you like best, or the
explosion of packages you want.

mhr


RE: [CentOS] Bind Firewall Rules

2008-07-23 Thread Dan Carl


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Behalf Of Scott Mazur
 Sent: Wednesday, July 23, 2008 12:19 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Bind Firewall Rules


 On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote
  I'm running caching nameservers on almost all of my systems and then
  also three nameservers. All are available publicly. I too had hard
  coded bind to port 53. I also had specifically opened port 53
  through the firewall. But now, it appears that using only port 53 is
  a bad thing.  From what I read, both the port and the ID need to
  change to be secure
  (even this is just security through obscurity). It's sounding like
  I'll need to open a port range, but I don't know what a 'good
  practice' will be.

 Port 53 is the dns port used by the world (and your internal
 private networks)
 to query your name server.  If your name server is intended to
 provide domain
 resolution publicly just how do you expect the public to find it if you're
 randomly changing ports?  The world won't port scan your machine until it
 finds a name server answering on one of them.  Dns requests, internal or
 external, will come into your box on port 53 and there would be
 no point to
 running a name server (private, public, caching or otherwise) if
 this port is
 not open through the firewall.

 You've misunderstood the issues of dns security.  It would be
 dangerous to
 start messing with your firewall rules until you understand
 exactly how the
 process works.

I've understood bind to work this way also.
I haven't read up on this vulnerability but can't you just restrict who
queries the server?
http://oreilly.com/catalog/dns4/chapter/ch11.html#10959
Maybe dnsstuff is saying your server is vulnerable because of something
else.
I haven't used them since they started charging but mine always passed.
Do you have an allow-recursion line?
Have you changed version to something like this?
version [SECURED];

I only have my master and slave servers exposed to the outside.
My caching and internal DNS is done behind my firewall.
I would agree that taking down your firewall is way more dangerous.
My firewall rules are based on the howto but try this.

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed

$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos


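Between them, John's and Dan's messages list what to look at in named.conf before touching the firewall: the `query-source address * port 53;` line that pins every outgoing query to one port, whether recursion is restricted with allow-recursion, and whether the server announces its real version. The script below is an added example for this thread, not code from the list, from ISC or from dnsstuff: it audits an options block for those three points and judges a sample of observed outgoing source ports the way an external port test does. Both sample configs and the port lists are constructed; the thresholds in the port check are my own heuristic.

```python
"""Audit a BIND named.conf for the cache-poisoning hardening points raised
in this thread, and judge a sample of observed source ports the way an
external checker does.

Added example; not code from the list, dnsstuff or ISC. Everything it looks
for is plain BIND syntax: a fixed port in query-source, an options block
with neither allow-recursion nor "recursion no", and a version string that
gives away the release. Sample configs and port lists are constructed.
"""
import re

# Constructed: the options John describes, with his query-source line and a
# version string that reveals the release.
WEAK_NAMED_CONF = """\
options {
    directory "/var/named";
    query-source address * port 53;   // forces every outgoing query to port 53
    version "9.3.4";
};
zone "example.com" IN { type master; file "example.com.zone"; };
"""

# Constructed: same server with the fixed port removed, recursion limited to
# local clients and the version hidden (Dan's version "[SECURED]" suggestion).
HARDENED_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    version "[SECURED]";
};
zone "example.com" IN { type master; file "example.com.zone"; };
"""


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text: str) -> str:
    """Return the body of options { ... }, honouring nested braces."""
    text = strip_comments(text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def audit_named_conf(text: str) -> list:
    """One finding per hardening point that the options block fails."""
    opts = options_block(text)
    findings = []
    m = re.search(r"query-source(?:-v6)?\b[^;]*\bport\s+(\d+)", opts)
    if m:
        findings.append(f"query-source pins the outgoing port to {m.group(1)}; "
                        "drop the port clause so named can randomize it")
    has_acl = re.search(r"\ballow-recursion\s*\{", opts)
    recursion_off = re.search(r"\brecursion\s+no\s*;", opts)
    if not (has_acl or recursion_off):
        findings.append("recursion is open to any client; add allow-recursion "
                        "{ ...; } or recursion no;")
    v = re.search(r'\bversion\s+"([^"]*)"', opts)
    if v is None or re.search(r"\d+\.\d+", v.group(1)):
        findings.append("version string reveals the BIND release "
                        "(unset or numeric); set version to a neutral string")
    return findings


def assess_source_ports(ports: list) -> tuple:
    """Heuristic verdict on outgoing source ports captured with tcpdump or
    reported by an external tester. Thresholds are my own, not a standard."""
    if not ports:
        raise ValueError("need at least one observed port")
    distinct = len(set(ports)) / len(ports)
    spread = max(ports) - min(ports)
    if len(set(ports)) == 1:
        verdict = "fixed"            # what the external test reported for John
    elif distinct < 0.9 or spread < 1000:
        verdict = "weak"             # varies, but within a guessable window
    else:
        verdict = "randomized"
    return verdict, distinct, spread


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(name, audit_named_conf(conf) or ["no findings"])
    print(assess_source_ports([53] * 20))
    print(assess_source_ports(list(range(1024, 65536, 997))))
```

The port check is the one to run after removing the query-source line: capture a few dozen outgoing queries and confirm the verdict moves from "fixed" to "randomized" before trusting an external tester's green light.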


Re: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread David Dyer-Bennet

On Wed, July 23, 2008 12:25, Nifty Cluster Mitch wrote:

 I like 'denyhosts' as a tool to limit these attacks, other good solutions
 also exist.  Most distros now have 'denyhosts' as a prebuilt RPM which
 is a plus IMO (+).  As others remarked disable root logins.  Manage the
 'su, sudo' list with care and populate the illegal user list aggressively
 based on the attack list observed in the logs.  Users with su, sudo
 privilege should be limited to those that use sshkey login and understand
 what a strong password is.

Denyhosts has some interesting intelligence; I'm particularly pleased by
the bit where it notifies me of dodgy logins (success after some
failures).  I also wonder what's being done to limit the denial-of-service
possibilities of the synchronization mode. (*I* have added lines to
/etc/hosts.allow to let key people in via SSH from their home and personal
servers even if those addresses end up in hosts.deny.)

(And there's a denyhost rpm in, hmm, I think 'rf' is the rpmforge
repository for Centos.)

I've been playing for years at a set of services to create firewall
blocking commands based on attacks; delivery of email to spamtrap
addresses, probes to closed ports, failed logins, etc.  Studying the data,
it looks like multiple copies of spam delivered to my host often come from
different IPs, though (makes sense with botnets); that sort of information
has led me to be less aggressive about getting a system actually running.
The SSH attacks I've seen currently *do* seem to come in series from the
same IP, so blocking that has at least some benefit (mostly cleaning up my
logs I suspect).

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info



[CentOS] prevent runaway PID taking down server (RAM/swap)

2008-07-23 Thread Ed Donahue
Is there a way I can prevent processes from taking up all the ram then swap
until the box crashes/freezes?

I'm using IEs4Linux and the wineserver seems to start taking up RAM until my
box dies, it happens slowly.

I am able to kill the sucker now, but I'd like to not have to worry about
that.

sar -r
01:00:01 PM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
01:10:01 PM      5812    949580     99.39      5560     67688    189912   1841696     90.65     33300
01:20:01 PM      4736    950656     99.50      4832    119364         0   2031608    100.00     46104
01:30:02 PM      8788    946604     99.08      1004     32360         4   2031604    100.00     10672

01:52:50 PM   LINUX RESTART


Re: [CentOS] NFS V4?

2008-07-23 Thread Jens Larsson
 Well, I definitely understand a couple of things better than when we
 started.  Thank you very much!
 
 It is not, however, working.  Is that likely to be the domain= setting,
 given what I said above?

The domain in NFSv4-speak has nothing to do with DNS. It _can_ be your
DNS domain name but it can be anything as long as client and server agree.
If they disagree you can still mount, but all files will be owned by
Nobody-User and Nobody-Group if I remember correctly.

 I'll try constructing a standard /export and set things up more exactly
 that way and see if anything changes.
 
 But the errors I'm getting tend to be like:
 
 [EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o
 rw,hard,intr,proto=tcp,port=22049
 mount: mount to NFS server 'host01' failed: System Error: Connection refused.

Shield up, Scotty! 

Looks like a firewall issue to me. Do you allow incoming traffic to port 
22049/TCP?

Can you mount over NFSv3? 

/jens

-- 
Jens Larsson, NSC, Linköpings universitet, SE-58183 LINKÖPING, SWEDEN
Phone: +46-13-281432, Mobile: +46-709-521432, E-mail: [EMAIL PROTECTED]
GPG/PGP Key: 1024D/C21BB2C7 2001-02-27 Jens Larsson [EMAIL PROTECTED]
Key Fingerprint: BAEF 85CF BF1D  7A69 C965 2EE6  C541 D57F C21B  B2C7


Re: [CentOS] prevent runaway PID taking down server (RAM/swap)

2008-07-23 Thread Nifty Cluster Mitch
On Wed, Jul 23, 2008 at 02:36:11PM -0400, Ed Donahue wrote:
 Is there a way I can prevent processes from taking up all the ram then
 swap until the box crashes/freezes?
 I'm using IEs4Linux and the wineserver seems to start taking up RAM
 until my box dies, it happens slowly.
 I am able to kill the sucker now, but I'd like to not have to worry
 about that.
 sar -r
 01:00:01 PM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
 01:10:01 PM      5812    949580     99.39      5560     67688    189912   1841696     90.65     33300
 01:20:01 PM      4736    950656     99.50      4832    119364         0   2031608    100.00     46104
 01:30:02 PM      8788    946604     99.08      1004     32360         4   2031604    100.00     10672
 01:52:50 PM   LINUX RESTART

If wineserver has no hook for limiting its own footprint
add a ulimit to the startup script or use a wrapper with one.

Look at ulimit -a for all the limits and the man page.  There are
multiple shared common resources that may apply.

core file size  (blocks, -c) 0
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited
pending signals (-i) 20463
max locked memory   (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files  (-n) 1024
pipe size(512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority  (-r) 0
stack size  (kbytes, -s) 10240
cpu time   (seconds, -t) unlimited
max user processes  (-u) 20463
virtual memory  (kbytes, -v) unlimited
file locks  (-x) unlimited

You can check limits on a running process too.

$ cat /proc/29906/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            10485760             unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             20463                20463                processes
Max open files            1024                 1024                 files
Max locked memory         32768                32768                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       20463                20463                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us


-- 
T o m  M i t c h e l l 
Looking for a place to hang my hat :-(



Re: [CentOS] prevent runaway PID taking down server (RAM/swap)

2008-07-23 Thread William L. Maltby

On Wed, 2008-07-23 at 14:36 -0400, Ed Donahue wrote:
 Is there a way I can prevent processes from taking up all the ram then
 swap until the box crashes/freezes?

If the process is started from bash, whether by hand or script, I would
think that bash's ulimit builtin would give what you need? man
bash, /ulimit

To prevent a process from running wild, it would have to be non-root
user I guess.

 
 I'm using IEs4Linux and the wineserver seems to start taking up RAM
 until my box dies, it happens slowly.
 
 snip

-- 
Bill


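The ulimit wrapper that Mitch and Bill suggest above, as an added example that is not code from either post: a Python launcher that applies the limits in the child between fork and exec, which is exactly where a `ulimit -v` in a shell startup script takes effect, followed by a constructed self-check that uses the running interpreter as the "runaway" program. The 512 MiB and 1 GiB figures and the `demo()` allocations are my own choices; `wineserver` is only what you would pass as argv in the case from the thread.

```python
import resource
import subprocess
import sys

MIB = 1024 * 1024


def _cap(limit, value):
    """Lower the soft limit to value (never above the current hard limit)."""
    soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, hard))


def run_capped(argv, max_address_space, max_cpu_seconds=None):
    """Run argv with RLIMIT_AS (and optionally RLIMIT_CPU) set in the child
    between fork and exec, the same point a shell wrapper's 'ulimit -v' hits.
    Returns the child's exit status.

    RLIMIT_AS is the one that matters: on Linux the RSS limit (ulimit -m,
    RLIMIT_RSS) is not enforced, so a process that keeps allocating has to be
    stopped by address space.  Once the cap is hit, malloc/mmap fail with
    ENOMEM inside that process instead of the whole box sliding into swap."""
    def apply_limits():
        _cap(resource.RLIMIT_AS, max_address_space)
        _cap(resource.RLIMIT_CORE, 0)          # no core dumps from the wrapped program
        if max_cpu_seconds is not None:
            _cap(resource.RLIMIT_CPU, max_cpu_seconds)

    proc = subprocess.run(argv, preexec_fn=apply_limits,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def demo():
    """Constructed self-check: a 4 MiB allocation under a 1 GiB cap succeeds;
    a 4 GiB allocation under a 512 MiB cap fails (MemoryError, exit 1)."""
    small = run_capped([sys.executable, "-c", "bytearray(4 * 1024 * 1024)"], 1024 * MIB)
    huge = run_capped([sys.executable, "-c", "bytearray(4 * 1024 ** 3)"], 512 * MIB)
    return {"small_ok": small == 0, "huge_failed": huge != 0}


if __name__ == "__main__":
    # For the case in the thread: run_capped(["wineserver"], 1024 * MIB)
    print(demo())
```

The capped program sees an ordinary allocation failure and handles it (or crashes) on its own; nothing else on the box is affected, which is the difference from waiting for the OOM killer.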


Re: [CentOS] NFS V4?

2008-07-23 Thread MJT
On Wednesday 23 July 2008 9:55:57 am David Dyer-Bennet wrote:
  change which versions of NFS get mounted. I haven't had to change
  anything else in that file.

 I don't believe SECURE_NFS does anything; at least, it's not mentioned in
 /etc/init.d/nfs anywhere, and it's not in the nfsd man page.

It is in the /etc/sysconfig/nfs file, so it does not necessarily need to be in
the /etc/init.d/nfs.  It is supposed to handle authentication and you are
having authentication problems, right?

I do not have your version of centos running but SECURE_NFS is not listed 
in  /etc/init.d/nfs, it IS in /etc/rpcgssd and /etc/init.d/rpcvsgssd  in 
centos 5.2, I'm betting that it is somewhat the same on your system.


From Redhat documentation:

 
https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Reference_Guide/s2-nfs-how-daemons.html

rpc.svcgssd — This process is used by the NFS server to perform user
authentication and is started only when SECURE_NFS=yes is set in
the /etc/sysconfig/nfs file.

rpc.gssd — This process is used by the NFS server to perform user 
authentication and is started only when SECURE_NFS=yes is set in 
the /etc/sysconfig/nfs file.

Notice that both of these talk about authentication, which is the problem you 
are having, right? 


[CentOS] Re: Yum errors

2008-07-23 Thread Scott Silva

on 7-23-2008 6:27 AM kOoLiNuS - Nicola Losito spake the following:

Il giorno gio, 03/07/2008 alle 11.04 -0700, Scott Silva ha scritto:

on 7-2-2008 8:01 AM Karanbir Singh spake the following:

Scott Silva wrote:

I'm having a problem with a fairly new server.
Running yum upgrade I get the following:

Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.main(sys.argv[1:])
  File "/usr/share/yum-cli/yummain.py", line 105, in main
    result, resultmsgs = base.doCommands()


[cut]
Hi!
I've resolved it checking (manually) the latest version of yum and some
related packages:

yum-3.2.8-9.el5.centos.2.1.noarch.rpm
yum-fastestmirror-1.1.10-9.el5.centos.noarch.rpm
yum-refresh-updatesd-1.1.10-9.el5.centos.noarch.rpm
yum-updatesd-0.9-2.el5.noarch.rpm

which I manually updated with a yum localinstall ./yum-*  command
after having *disabled* any other 3rd-party repository present in my
sources list.

Everything went ok after having done this.
Good luck (if you still haven't found a solution on this topic!)
Thanks for the reply, but this was solved a few weeks ago. It just shows in 
another branch of the thread.


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [Fwd: [CentOS] fail2ban needs shorewall?]

2008-07-23 Thread Kai Schaetzl
Andylockran wrote on Wed, 23 Jul 2008 17:43:45 +0100:

 If you do have an issue with fail2ban, it does pretty much the same thing.

fail2ban from rpmforge works fine. It's missing the filter for dovecot, 
though, and got wrong filters for many other services.

Here are some that I just figured out:

dovecot: /var/log/secure
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>

sasl: /var/log/maillog
failregex = postfix\/smtpd\[\d+\]: warning: unknown\[<HOST>\]: SASL LOGIN authentication failed:

vsftpd: /var/log/secure
failregex = vsftpd: .* authentication failure; .* rhost=<HOST>

I noticed that there are several failregex in the conf files that end with 
$. However, if I try that my rules fail, although they look like perfectly 
valid regex, so I'm not matching until the end of line.

Someone else can add to the list?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



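As an added example, not code from Kai's post or from fail2ban itself: a Python script that runs the three failregex lines above over a few constructed log lines the way fail2ban does (expand `<HOST>`, search each line, count failures per host against a maxretry). The `<HOST>` expansion is the one the fail2ban 0.8 series used as far as I know, so treat the exact pattern as an assumption; the sample log lines, the addresses in them and the maxretry of 3 are constructed.

```python
import re
from collections import Counter

# What fail2ban (0.8 series) substitutes for <HOST> in a failregex, to the
# best of my knowledge; treat the exact pattern as an assumption.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the post, keyed by filter name.
FILTERS = {
    "dovecot": r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>",
    "sasl":    r"postfix\/smtpd\[\d+\]: warning: unknown\[<HOST>\]: SASL LOGIN authentication failed:",
    "vsftpd":  r"vsftpd: .* authentication failure; .* rhost=<HOST>",
}

# Constructed log lines (addresses from the documentation ranges); the last
# one is a successful login and must not match any filter.
SAMPLE_LOG = [
    "Jul 23 10:16:22 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 10:16:25 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 10:16:29 mail postfix/smtpd[12345]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure",
    "Jul 23 10:15:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.7",
    "Jul 23 10:17:05 ftp vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.55",
    "Jul 23 10:18:00 mail sshd[2222]: Accepted publickey for bob from 203.0.113.7 port 51234 ssh2",
]


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does for each failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_failures(lines, filters=FILTERS):
    """Return (filter_name, host) for every line some failregex matches.
    fail2ban searches each regex within the line rather than anchoring it,
    so search() is used here too."""
    compiled = {name: compile_failregex(rx) for name, rx in filters.items()}
    hits = []
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line.rstrip("\n"))
            if m:
                hits.append((name, m.group("host")))
                break
    return hits


def hosts_to_ban(lines, maxretry=3, filters=FILTERS):
    """Hosts with at least maxretry matched failures: the ban decision,
    ignoring fail2ban's findtime window for simplicity."""
    counts = Counter(host for _, host in match_failures(lines, filters))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for hit in match_failures(SAMPLE_LOG):
        print("%-8s %s" % hit)
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

Running a candidate failregex through a harness like this against real lines from /var/log/secure or /var/log/maillog is a quicker way to find out why a filter never fires than restarting fail2ban and waiting for the next attack.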


[CentOS] e-SATA card well supported by Linux (CentOS) with built-in drivers and that supports hot plug

2008-07-23 Thread Filipe Brandenburger
Hi,

I'm looking for a good e-SATA card, preferably one that is supported
by Linux with built-in drivers (no need to compile the modules from
the vendor), or at least that the vendor's drivers are packaged with
dkms or something similar that makes it easy on kernel upgrades.

It's essential that the card supports hot-plugging, because we want to
use it to plug backup drives and have them rotated. We are testing one
e-SATA drive from LaCie.

We tested the Adaptec eSATA II RAID 1225SA, but just to get the module
to compile right it was a huge PITA, and we still haven't gotten it to
recognize our LaCie drive (we're still not sure why). Instead of
spending more time making that s*#t work, I would rather buy another
one, but then I would try to get one that works out-of-the box.

I don't need that the card supports RAID, it really does not matter to me.

Any advice will be much appreciated.

Thanks,
Filipe


Re: [CentOS] How to get additional packages? How secure is Yum?

2008-07-23 Thread Johnny Hughes

Manuel Reimer wrote:

nate wrote:

Security is pretty important for me too. For this, and other reasons
I never point yum to 3rd party repositories. I only run CentOS/RHEL
on servers. I run Debian on desktops(due to larger package selection
and still long release cycles for stable). And usually Ubuntu on
laptops(for more current hardware support).


Debian? Didn't they have a *pretty* dangerous hole in their SSL packages just
some weeks ago?

Well, that could have happened to anyone.  In this case it happened to
Debian.  All DNS since the beginning of the internet has just been
declared totally unsafe on Linux and Windows and Mac too, stuff happens.



Especially if it gets to security, I don't think that Debian is a good solution. AFAIR they also
got their servers hacked several times for several different reasons. Not very trustworthy, IMHO.
And those political discussions *suck*! For example I want Firefox and *not*
Iceweasel.

Any server can be hacked ... Debian is a fine system, as are many
others.  What CentOS offers is long support lifetimes and a known base
that many other enterprise things are designed to run on because of the
upstream provider.  We won't engage in cutting down other distros ...
ours is what it is and millions of people use it.



If security is a top priority, and you really want to use CentOS/RHEL,
then don't use 3rd party packages, period. Otherwise I suggest you
find a distro that supports the applications you wish to run directly
or maintain them yourself.


I'm searching for a distribution for several *months* now and so far I couldn't
find something that fits my needs...

CentOS seems to be pretty well done, but the amount of packages that is
delivered with it definitely doesn't fit all needs. Today, I tried to set up a
server with CentOS (VMWare server). Worked pretty well, but for installing the
NTFS driver, I had to import the rpmforge repository...

CentOS is a direct rebuild of the package versions available from RHEL,
that is our main purpose.

We do have some very minimal things in some other repositories called
CentOS Extras and CentOSPlus ... but the purpose of those is usually to
provide something that is not in the major 3rd party repos.  We have no
desire to duplicate the 3rd party repos.




And of course security/stability rarely means having the latest version.

Of course.

Am I on the right list? Not very many answers, so far...

There really are not any good answers ... RPMForge (Dag's repo) is a
very good resource, but it is not part of CentOS.

There is also EPEL and ATrpms and KBS CentOS extras.

As others have said, if the 3rd party repos do not meet your
requirements WRT security updates, then you will have to research and
build your own.


Thanks,
Johnny Hughes





Re: [CentOS] NFS V4?

2008-07-23 Thread David Dyer-Bennet

On Wed, July 23, 2008 14:03, Jens Larsson wrote:
 Well, I definitely understand a couple of things better than when we
 started.  Thank you very much!

 It is not, however, working.  Is that likely to be the domain=
 setting,
 given what I said above?

 The domain in NFSv4-speak has nothing to do with DNS. It _can_ be you
 DNS-domainname but it can be anything as long as client and server agrees.
 If they disagree you can still mount, but all files will be owned by
 Nobody-User and Nobody-Group if I remember correctly.

Thanks.  Then that's not the problem.  (and the Centos RPMs have it set a
way that will work, which is good.)

 But the errors I'm getting tend to be like:

 [EMAIL PROTECTED] ~]$ sudo mount host01:/ddb /mnt/ddb -t nfs4 -o
 rw,hard,intr,proto=tcp,port=22049
 mount: mount to NFS server 'host01' failed: System Error: Connection
 refused.

 Shield up, Scotty!

 Looks like a firewall issue to me. Do you allow incoming traffic to port
 22049/TCP?

As I said in the message you're responding to, all connections from
internal IPs are allowed.


 Can you mount over NFSv3?

Yes.  And I said that in the message you're responding to also.

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info



Re: [CentOS] NFS V4?

2008-07-23 Thread David Dyer-Bennet

On Wed, July 23, 2008 14:17, MJT wrote:
 On Wednesday 23 July 2008 9:55:57 am David Dyer-Bennet wrote:
  change which versions of NFS get mounted. I haven't had to change
  anything else in that file.

 I don't believe SECURE_NFS does anything; at least, it's not mentioned
 in
 /etc/init.d/nfs anywhere, and it's not in the nfsd man page.

 It is in the /etc/sysconfig/nfs file, so it does not necessarily need to
 be in
 the /etc/init.d/nfs.  It is supposed to handle authentication and you are
 having authentication problems, right?.

In the Centos RPM, there is no /etc/sysconfig/nfs file (though the
init.d/nfs script checks for one and reads it if present).

By no reference in the init script, I'm pointing out that nothing would
be different if that variable were set that I could find.  The init script
doesn't do anything based on it, and it's not mentioned in the nfsd man
page as being used there either.


 I do not have your version of centos running but SECURE_NFS is not
 listed
 in  /etc/init.d/nfs, it IS in /etc/rpcgssd and /etc/init.d/rpcvsgssd  in
 centos 5.2, I'm betting that it is somewhat the same on your system.


 From Redhat documentation:


 https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Reference_Guide/s2-nfs-how-daemons.html

 pc.svcgssd — This process is used by the NFS server to perform user
 authentication and is started only when SECURE_NFS=yes is set in
 the /etc/sysconfig/nfs file.

 rpc.gssd — This process is used by the NFS server to perform user
 authentication and is started only when SECURE_NFS=yes is set in
 the /etc/sysconfig/nfs file.

 Notice that both of these talk about authentication, which is the problem
 you
 are having, right?

Yes, and they say that it doesn't happen unless that variable is set in
the sysconfig file.  That variable is not set in the sysconfig file.

I've gotten several useful pointers about the exact export syntax.  I'll
add the explicit SECURE_NFS=no to the sysconfig file rather than depending
on the default, and test the export syntax, and I forget what (I've got
notes, and I saved the email) and give these things a try; tomorrow it
looks like though, a meeting is about to burn the rest of my day.

Thanks again for your suggestions!
-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info



Re: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread Florin Andrei
No method is perfect, but something that seems to work ok in practice is 
to just move ssh to a different TCP port, and -j DROP the unused ports.


Failproof? No, but it reduces the noise tremendously.

If the script kiddies learn the new port (unlikely), either move it to 
another port, or apply one of the other methods already recommended in 
this thread.


--
Florin Andrei

http://florin.myip.org/


Re: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread Florin Andrei

Bowie Bailey wrote:


I know it's security through obscurity


That's not necessarily a bad thing.

It is bad if it's the _only_ protection.

--
Florin Andrei

http://florin.myip.org/


Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely

2008-07-23 Thread Lanny Marcus
On Tue, Jul 22, 2008 at 2:28 PM, MHR [EMAIL PROTECTED] wrote:
 On Mon, Jul 21, 2008 at 2:41 PM, Lanny Marcus [EMAIL PROTECTED] wrote:

 http://wiki.centos.org/TipsAndTricks/MultimediaOnCentOS

 I think everything on that page is 32 bit and I think I have read in
 this ML that it is better to use
 32 bit for multimedia stuff? Not sure if I remember that correctly

 Yeah, I was doing that last year, and all was going relatively
 smoothly until Seamonkey began to crash at odd (and really bad)
 moments, like when I wanted to save a page that was the confirmation
 of an order or a bill paid, and it was pretty adamant about doing that
 when I least expected it.

I can readily understand that. I just looked at  a page I saved from
irs.gov on 30 June which is perfect, but I am using Firefox 3.0 (32
bit).
Obviously, you have a reason that you prefer SeaMonkey, but this seems
to work very well, with 32 bit Firefox. Possibly use 32 bit Firefox,
when you are paying bills or placing an online order or dealing with
the IRS?


[CentOS] Re: 3ware 9650SE drivers for CentOS 5.0-EL kernel 2.6.18-8

2008-07-23 Thread Scott Silva

on 7-23-2008 5:00 AM Jim Perrin spake the following:

On Wed, Jul 23, 2008 at 4:59 AM, Gert Vandenreyt
[EMAIL PROTECTED] wrote:

Hi,

I'm trying to install K12LTSP based on CentOS 5.0-el 32bits kernel 2.6.18-8
on a server with 3ware 9650SE raid controller. Does anybody know where I can
find a driver diskette for  the raid controller as this is only supported
from kernel 2.6.19.



You REALLY don't want to use the 2.6.18-8 kernel. It's got a nasty
vulnerability in it (vm_splice). Is there a reason you're using 5.0
instead of 5.1 or 5.2?


I think that is the initial kernel on the CD rolled by the K12LTSP project. It
probably yum updates right away (one hopes).


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





RE: [CentOS] Ideas for stopping ssh brute force attacks

2008-07-23 Thread Bowie Bailey
Florin Andrei wrote:
 Bowie Bailey wrote:
  
  I know it's security through obscurity
 
 That's not necessarily a bad thing.
 
 It is bad if it's the _only_ protection.

Right.  I was just trying to head off the inevitable objections.

Not that it worked...  :)

-- 
Bowie


Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely

2008-07-23 Thread MHR
On Wed, Jul 23, 2008 at 2:17 PM, Lanny Marcus [EMAIL PROTECTED] wrote:

 Possibly use 32 bit Firefox,
 when you are paying bills or placing an online order or dealing with
 the IRS?

Isn't that what the Anonymizer is for?

;^)

mhr


Re: [CentOS] nspluginwrapper included in CentOS 5.2 fails completely

2008-07-23 Thread Lanny Marcus
On Wed, Jul 23, 2008 at 4:41 PM, MHR [EMAIL PROTECTED] wrote:
 On Wed, Jul 23, 2008 at 2:17 PM, Lanny Marcus [EMAIL PROTECTED] wrote:
 Possibly use 32 bit Firefox,
 when you are paying bills or placing an online order or dealing with
 the IRS?

 Isn't that what the Anonymizer is for?

I was referring to your need to save web pages, when paying bills,
online orders, etc. That works perfectly
for me with Firefox 3.0.1 (32 bit).


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Lanny Marcus
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
 OK, so does anybody have a good firewall rule solution for what we're
 supposed to be doing with bind these days? Obviously port 53 is no longer
 enough.

Consider  using djbdns instead of BIND. It sounds like an excellent alternative
to BIND.

http://en.wikipedia.org/wiki/Djbdns


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Craig White
On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
 On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
  OK, so does anybody have a good firewall rule solution for what we're
  supposed to be doing with bind these days? Obviously port 53 is no longer
  enough.
 
 Consider  using djbdns instead of BIND. It sounds like an excellent 
 alternative
 to BIND.

always seemed to be a bad idea to me.

If the point is to use a supported/maintained package system like Red
Hat or CentOS, security updates are always applied through.

When you go off packaging, you then become responsible for the software
from installation to maintenance.

If you're going to use djbdns, why bother using CentOS?

Craig



[CentOS] Adaptec RAID 3805 / 5805

2008-07-23 Thread Florin Andrei
Anybody using these? Pros? Cons? Drivers for CentOS 5? Config / 
management utility?


--
Florin Andrei

http://florin.myip.org/


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Lanny Marcus
On Wed, Jul 23, 2008 at 5:59 PM, Craig White [EMAIL PROTECTED] wrote:
 On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
 On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
  OK, so does anybody have a good firewall rule solution for what we're
  supposed to be doing with bind these days? Obviously port 53 is no longer
  enough.

 Consider  using djbdns instead of BIND. It sounds like an excellent 
 alternative
 to BIND.
 
 always seemed to be a bad idea to me.

 If the point is to use a supported/maintained package system like Red
 Hat or CentOS, security updates are always applied through.

 When you go off packaging, you then become responsible for the software
 from installation to maintenance.

 If you're going to use djbdns, why bother using CentOS?

Craig: What you wrote makes a lot of sense! Lanny


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread William L. Maltby

On Wed, 2008-07-23 at 17:37 -0500, Lanny Marcus wrote:
 On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
  OK, so does anybody have a good firewall rule solution for what we're
  supposed to be doing with bind these days? Obviously port 53 is no longer
  enough.
 
 Consider  using djbdns instead of BIND. It sounds like an excellent 
 alternative
 to BIND.

Having watched that over *many* years, it has had a lot of non-technical
issues surrounding it. There still remains a lot of antipathy towards
it. I won't detail any of it here, it's available all over the web.

 http://en.wikipedia.org/wiki/Djbdns
 

I refused to use it when it first came out and I still find no
compelling reason to move to it from well documented and supported
packages, even if they do have problems.

 snip sig stuff

-- 
Bill



Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Stephen John Smoogen
On Mon, Jul 21, 2008 at 6:37 AM, John Hinton [EMAIL PROTECTED] wrote:
 Johnny Hughes wrote:

 John Hinton wrote:

 OK, so does anybody have a good firewall rule solution for what we're
 supposed to be doing with bind these days? Obviously port 53 is no longer
 enough.


 how do you mean?

 opening port 53 in is still enough ... the outbound port is what is
 randomized

 not sure what kind of problems you are encountering

 I'm trying to pass the test on DNSstuff.com.

 These are my firewall rules for bind

 Accept If protocol is TCP and destination port is 53 and state of
 connection is NEW
 Accept If protocol is UDP and destination port is 53 and state of
 connection is NEW

 from my gui or

 -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW -j
 ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp -m state --dport 53 --state NEW -j
 ACCEPT

 from iptables.

 I have upgraded bind, but when I remove this line from a config file,
 bind will not restart.

 query-source address * port 53;

 From what I read, the above line is supposed to be removed. My tests
 from outside states that I am vulnerable to cache injections.


I don't think your problem is with your firewall.. it's with something
in the bind configs that is causing bind not to work without the
query-source line. What errors are you seeing?

 *Based on the results, a DNS server is vulnerable if:*
 The IPs /AND/ the Query source ports match or the query IDs match.
 Matching query source ports or query IDs make it easier to spoof fake
 results to the DNS server, poisoning its cache.


-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. The Merchant of Venice
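As an added example (not code from anyone in the thread) covering both the DNSstuff criteria quoted just above and the `query-source address * port 53;` line John is having trouble removing: a Python check that applies those criteria to a list of queries observed from the resolver, plus a small scan of a named.conf text for a pinned query source port. The observation tuples are constructed, the resolver address 192.0.2.10 is a placeholder, and the "weak" verdict is a stricter heuristic of my own that the DNSstuff test does not include.

```python
import random
import re
from collections import Counter


def assess_query_source(observations, min_port_ratio=0.5):
    """Apply the DNSstuff criteria quoted in the thread to a list of
    (src_ip, src_port, txid) tuples: the queries an authoritative server saw
    arriving from the resolver under test.

    vulnerable: the IPs AND the source ports all match, or the IDs all match
    weak:       my own stricter call (assumption): fewer distinct ports than
                min_port_ratio * queries, i.e. the port is not really random
    ok:         neither of the above
    """
    obs = list(observations)
    if not obs:
        raise ValueError("need at least one observed query")
    ips = {ip for ip, _, _ in obs}
    ports = Counter(port for _, port, _ in obs)
    ids = Counter(txid for _, _, txid in obs)
    fixed_port = len(ips) == 1 and len(ports) == 1
    fixed_id = len(ids) == 1
    if fixed_port or fixed_id:
        verdict = "vulnerable"
    elif len(ports) < min_port_ratio * len(obs):
        verdict = "weak"
    else:
        verdict = "ok"
    return {"queries": len(obs), "distinct_ports": len(ports),
            "distinct_ids": len(ids), "fixed_port": fixed_port,
            "fixed_id": fixed_id, "verdict": verdict}


# 'query-source address * port 53;' pins the outbound port; 'port *' (or no
# port clause at all) lets named pick a random port per query.
_QUERY_SOURCE = re.compile(r"query-source(?:-v6)?\b([^;]*);")


def pins_query_port(named_conf):
    """True if any query-source statement in the named.conf text fixes the port."""
    for stmt in _QUERY_SOURCE.finditer(named_conf):
        port = re.search(r"\bport\s+(\S+)", stmt.group(1))
        if port and port.group(1).isdigit():
            return True
    return False


def simulated_queries(n, fixed_port=None, fixed_id=None, seed=1):
    """Constructed observations from one resolver (192.0.2.10, a placeholder).
    fixed_port=53 models the 'query-source address * port 53;' configuration."""
    rng = random.Random(seed)
    return [("192.0.2.10",
             fixed_port if fixed_port is not None else rng.randint(1024, 65535),
             fixed_id if fixed_id is not None else rng.randint(0, 65535))
            for _ in range(n)]


if __name__ == "__main__":
    for label, qs in (("port 53 pinned", simulated_queries(50, fixed_port=53)),
                      ("random ports", simulated_queries(50))):
        print(label, assess_query_source(qs))
    print("pinned:", pins_query_port("options { query-source address * port 53; };"))
```

On the firewall side this is also why opening inbound port 53, as in the rules posted earlier in the thread, is still enough: the randomized port is the source port of the resolver's own outbound queries, and the answers come back to it as replies within a UDP flow that conntrack already knows about, so an `--state ESTABLISHED,RELATED` accept on INPUT (the default RH-Firewall-1-INPUT chain has one) lets them in without opening any extra inbound ports.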


Re: [CentOS] Bind Firewall Rules

2008-07-23 Thread Bill Campbell
On Wed, Jul 23, 2008, Lanny Marcus wrote:
On Sat, Jul 19, 2008 at 2:27 PM, John Hinton [EMAIL PROTECTED] wrote:
 OK, so does anybody have a good firewall rule solution for what we're
 supposed to be doing with bind these days? Obviously port 53 is no longer
 enough.

Consider  using djbdns instead of BIND. It sounds like an excellent alternative
to BIND.

We have been using djbdns for years on a variety of Linux platforms and
FreeBSD, largely because (a) security, (b) performance, and (c) ease of
use.  Not everybody likes Dan Bernstein, but I figure he's somewhat of a
curmudgeon who designs good software.

As for not having it supported on CentOS, I really don't care about that as
the majority of the server software we use is built under the OpenPKG.org
portable packaging system, independent of the underlying OS vendor's
packaging system.

Bill
-- 
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186

The only freedom which deserves the name, is that of pursuing our own good
in our own way, so long as we do not attempt to deprive others of theirs,
or impede their efforts to obtain it. -- John Stuart Mill, 1859


Re: [CentOS] BackupPC won't fork after CentOS 5.2 upgrade

2008-07-23 Thread Kenneth Porter
--On Friday, July 04, 2008 9:21 AM +1000 Ben 
[EMAIL PROTECTED] wrote:



For some time now i have been running BackupPC 3.1.0 on CentOS 5.1 x86_64
however after upgrading to CentOS 5.2 BackupPC will not start.


What RPM are you using for BackupPC?




[CentOS] CentOS 4.4 Linux Booting problem

2008-07-23 Thread Balaji

Dear All,

I'm running linux CentOS 4.4. Everything was working fine, then one day 
I tried to log in, and my computer hung

Upon reboot I got this error message after the GRUB Bootloader screen:
/etc/rc.d/rc.sysinit: line 126: 442 Segmentation fault /bin/dmesg -n 
$LOGLEVEL
Initialization hardware... /etc/rc.d/rc.sysinit: line 167: 450 
Segmentation fault LC_ALL=C fgrep -xq $1 /etc/hotplug/blacklist 
/dev/null
/etc/rc.d/rc.sysinit: line 167: 455 Segmentation fault LC_ALL=C fgrep 
-xq $1 /etc/hotplug/blacklist 2/dev/null

.
Out of Memory: Killed process 722(sh).
Out of Memory: Killed process 1133(sh).
Out of Memory: Killed process 1151(sh).
..
07/21 17:32:20 checklock: stat failed, no file
07/21 17:32:20 locking the line
07/21 17:32:20 makelock(ttys1) called
07/21 17:32:20 checklock: stat failed, no file
07/21 17:32:20 cannot open /proc/0/cmdline: No such file or directory
..

After I have rebooted the PC once again, I am getting the same problem
continuously.


After booted up the server, login showing as (none) login:.

The following error are display on screen while execute the commands:-

-bash-3.00$ ifconfig
Warning: cannot open /proc/net/dev (No such file or directory). Limited 
output.


-bash-3.00$ ls
ls:error while loading shared libraries: Ej: cannot open shared object 
file: No such file or directory.


-bash-3.00$ ll
-bash: ll: command not found

We are not sure why this is happening. Can someone throw light on this.

Regards
-S.Balaji
