Re: [CentOS] Hardening

2009-05-02 Thread Michael A. Peters
Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
> 
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
> 

For php, you really want to run php built with the suhosin patch and run 
the suhosin module as well.

I'm not sure, but I seem to recall there being a suhosin patched php 
either in testing or centos plus.

Assuming you run php.

I can't really comment on the others.

One of the nice things about suhosin is it does transparent encryption 
of cookies / sessions (you can tweak it) making things like session 
theft a lot more difficult.

I believe suhosin patch/module is standard in bsd ports, I'm not sure 
why it isn't standard in RHEL (maybe because it can cause issues with 
some php accelerators ??)
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Rsync/SSH automation problem?

2009-05-02 Thread Anthony Kamau
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Kai Schaetzl
> Sent: Wednesday, 29 April 2009 9:09 PM
> To: centos@centos.org
> Subject: Re: [CentOS] Rsync/SSH automation problem?
> ">" is a quote marker, don't write your own text after a quote marker!
>

I totally understand how to quote messages when replying to posts in
newsgroups.  I've just checked my sent items folder and the message did
not go out with the ">" you talk about!!!

I'm not sure where it got injected into the message before getting to
the newsgroup!

Tia,
Tkb.





Re: [CentOS] apache slow on lan transfers?

2009-05-02 Thread Gordon McLellan
Nate,

I think you've nailed it down for me... the trouble lies in the
client, and not the server.

Transferring from the Centos server to an Ubuntu client with wget
yielded 110 megabytes/sec over a gigabit ethernet link (pretty much
maxed out I'd think)

Found and installed a windows wget client so I could perform the same
test (using -O NUL) ... 4 megabytes/sec not mbps as originally
thought, but still pretty slow.  I noticed my CPU was maxed out, and
then found the antivirus process hogging all the time.  Killed the
antivirus and repeated the test, with a result of 86 megabytes/sec.

Thanks a lot for the help!
-Gordon

On Sat, May 2, 2009 at 12:34 AM, nate  wrote:
> Gordon McLellan wrote:
>
>> All suggestions are appreciated,
>
> Kind of a strange problem ... what http client are you using?
>
> If you haven't already try wget and send the output to /dev/null
>
> wget http://server/file -O /dev/null
>
> Just for maximum client performance..
>
> nate
>


[CentOS] Hello mail list world

2009-05-02 Thread Falcon chen
First time to use the centos mail lists. In fact, it's my first time to use
mail list - -# , glad to chat with you, I love Centos as all people include
you of course, ha ha!

-- 
Falcon Chen
Sent from Guangzhou, 44, China


Re: [CentOS] Hello mail list world

2009-05-02 Thread Thomas Iverson
On Sat, May 2, 2009 at 10:47 PM, Falcon chen  wrote:
> First time to use the centos mail lists. In fact, it's my first time to use
> mail list - -# , glad to chat with you, I love Centos as all people include
> you of course, ha ha!
>
> --
> Falcon Chen
> Sent from Guangzhou, 44, China
>

It's really nice to meet a Chinese friend here in the CentOS mailing list

-- 
Keep It Simple Stupid
http://www.ghosTunix.org
Thomas X. Iverson(A.K.A ghosTM55)


Re: [CentOS] eSATA controller that supports Centos 4.4

2009-05-02 Thread Jean-Francois Leblond

Thanks for the advice, I intend to upgrade to 4.7 soon.

But my question still stands:

I'm looking for a SATA controller with an eSATA port that is supported by Centos
4.7 (in that case)

How can I list the sata controllers supported on my Centos 4 system?

Thanks

Jean-François Leblond
jfleblon...@hotmail.com



> Date: Fri, 1 May 2009 17:57:13 -0700
> From: pie...@hogranch.com
> To: centos@centos.org
> Subject: Re: [CentOS] eSATA controller that supports Centos 4.4
> 
> Jean-Francois Leblond wrote:
> > Hi,
> >  
> > I'm looking for SATA controller with a eSATA port that is supported by 
> > Centos 4.4 ( rhel 4.4)
> >  
> > Do you have any suggestions for a eSATA controller with good Linux support ?
> >  
> > How can I list the sata controllers supported by Centos 4.4 ?
> >   
> 
> 
> RHEL4 update 4 was released in August 2006, and CentOS 4.4 is derived 
> from that..   You haven't run yum update since August 2006?!?   update 7 
> aka 4.7 was released on July 2008, and there have been 100s of patches 
> since then.
> 
> eSATA was still pretty new and relatively untested and undeveloped in 
> 2006, I'd expect a current update to have somewhat more support.


Re: [CentOS] Hardening

2009-05-02 Thread luc...@lastdot.org
On Sat, May 2, 2009 at 11:28 AM, Michael A. Peters  wrote:
> Jim Perrin wrote:
>> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen wrote:
>>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle wrote:
>>>> Hi All,
>>>>
>>>> What tips does everyone have on hardening a CentOS Server that is
>>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>>> processing payments from www?
>>> NSA hardening guidelines would be a good start. The CIS hardening
>>> guidelines would be also good. After that you want to look at specific
>>> hardening guidelines for apache
>>
>> The NSA guide is a very good start, and
>> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
>> it rather well.
>> You might also want to have a look at the DoD STIG guidelines, though
>> reading them will make your eyes bleed.
>>
>
> For php, you really want to run php built with the suhosin patch and run
> the suhosin module as well.
>
> I'm not sure, but I seem to recall there being a suhosin patched php
> either in testing or centos plus.
>
> Assuming you run php.
>
> I can't really comment on the others.
>
> One of the nice things about suhosin is it does transparent encryption
> of cookies / sessions (you can tweak it) making things like session
> theft a lot more difficult.
>
> I believe suhosin patch/module is standard in bsd ports, I'm not sure
> why it isn't standard in RHEL (maybe because it can cause issues with
> some php accelerators ??)

I think there are issues with suhosin vs zend optimizer (other
encoders/loaders/decoders may have issues as well). I tested php
suhosin enabled + APC accelerator and haven't had a problem,
eaccelerator also will probably work just fine with it.
There's an rpm for suhosin compatible with the php version in rhel5/centos5 at:
http://repo.redhat-club.org/redhat/5/i386/



Re: [CentOS] eSATA controller that supports Centos 4.4

2009-05-02 Thread Karanbir Singh
Jean-Francois Leblond wrote:
> How can I list the sata controllers supported on my Centos 4 system ?

try not top posting, it completely destroys context.

also, all ahci and libata mode sata controllers work fine. the device 
being internal or external has nothing to do with the driver used to 
talk to the controller.

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] Postfix Questions

2009-05-02 Thread Indunil Jayasooriya
On Sat, May 2, 2009 at 4:36 AM, Jason Todd Slack-Moehrle wrote:
> Hi All,
>
> I am working on setting up Postfix and I have a few questions:
>
> 1. mynetworks =  Do I put my public static IP here? So I am hosting at
> another provider on my own dedicated hardware. Do I put that machines
> IP or the IP of my apartment where I want to access from? Second, do I
> have to know the Ip information for my BlackBerry to work as well?
>

put clients ip range there.

e.g

mynetworks = 192.168.0.0/24

then, clients behind postfix mail server will be able to send mail via
postfix server.



> 2. relaying: Obviously I don't want to be an open relay, but I do want
> to send mail from my apartment and from my Blackberry.


as i said the above under mynetworks, Pls add those ip ranges. then, u r done.

>





-- 
Thank you
Indunil Jayasooriya


Re: [CentOS] Postfix Questions

2009-05-02 Thread German Andres Pulido Franco
-- Original Message ---
From: Indunil Jayasooriya 
To: CentOS mailing list 
Sent: Sun, 3 May 2009 07:46:17 +0530
Subject: Re: [CentOS] Postfix Questions

> On Sat, May 2, 2009 at 4:36 AM, Jason Todd Slack-Moehrle wrote:
> > Hi All,
> >
> > I am working on setting up Postfix and I have a few questions:
> >
> > 1. mynetworks =  Do I put my public static IP here? So I am hosting at
> > another provider on my own dedicated hardware. Do I put that machines
> > IP or the IP of my apartment where I want to access from? Second, do I
> > have to know the Ip information for my BlackBerry to work as well?
> >
> 
> put clients ip range there.
> 
> e.g
> 
> mynetworks = 192.168.0.0/24
> 
> then, clients behind postfix mail server will be able to send mail 
> via postfix server.
> 
> > 2. relaying: Obviously I don't want to be an open relay, but I do want
> > to send mail from my apartment and from my Blackberry.
> 
> as i said the above under mynetworks, Pls add those ip ranges. then, 
> u r done.

For dynamic IPs, like those assigned by home ISPs, it is not useful (besides
being stupid) to add the ISP's range (since the spammers will probably be Windows
machines using an IP from the same IP range as yours). What I did was
implement SMTP authentication, and then I can send e-mail from my e-mail
client at home without my server being an open relay and without allowing the
full ISP IP range to send mail through my mail server.

Regards.

> 
> >
> 
> 
> -- 
> Thank you
> Indunil Jayasooriya
--- End of Original Message ---
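
Added example, not part of any post in this thread: a small audit of the two relay approaches discussed above (trusting an address range in mynetworks versus SMTP authentication). The main.cf fragments and the LOCAL range list are constructed, and it assumes a Postfix release before 2.10, where smtpd_recipient_restrictions decides relaying.

```python
import ipaddress

# Constructed main.cf fragments (not from the thread). 203.0.113.0/24 is a
# documentation range standing in for a home ISP's dynamic address pool.
WEAK_CF = """\
mynetworks = 127.0.0.0/8, 203.0.113.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
AUTH_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""
# Ranges treated as "our own machines" for this audit (an assumption).
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            params[key] = value
    return params

def audit_relay(text):
    """Return findings about which clients this configuration lets relay."""
    p, findings = parse_main_cf(text), []
    for item in p.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:  # file, table or bracketed entry: reported, not resolved
            findings.append(f"mynetworks entry not evaluated: {item}")
            continue
        local = any(net.version == s.version and net.subnet_of(s) for s in LOCAL)
        if not local and net.num_addresses > 1:
            findings.append(f"mynetworks trusts non-local range {net}")
    rules = p.get("smtpd_recipient_restrictions",  # pre-2.10 default follows
                  "permit_mynetworks reject_unauth_destination").replace(",", " ").split()
    if "reject_unauth_destination" not in rules:
        findings.append("reject_unauth_destination missing: possible open relay")
    if p.get("smtpd_sasl_auth_enable") != "yes" or "permit_sasl_authenticated" not in rules:
        findings.append("no SMTP AUTH relay path for clients outside mynetworks")
    return findings
```

On Postfix 2.10 and later the same check would read smtpd_relay_restrictions instead.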
