Re: [CentOS] Update Issue

2009-07-10 Thread Ron Blizzard
On Fri, Jul 10, 2009 at 9:54 PM, MHR wrote:
> On Fri, Jul 10, 2009 at 7:46 PM, Ron Blizzard wrote:
>>
>> A few days ago, I think someone mentioned that they were doing
>> something at RPMForge. I'm guessing this is part of it -- this is
>> an old Pentium III that I've got CentOS 4.7 on, and I tried to do an
>> update (haven't turned it on in a couple months) and got the following
>> errors.
>>
>> Error: Missing Dependency: libdirectfb-1.0.so.0 is needed by package vlc
>> Error: Missing Dependency: libfusion-1.0.so.0 is needed by package vlc
>> Error: Missing Dependency: glibc >= 2.4 is needed by package flash-plugin
>> Error: Missing Dependency: libdirect-1.0.so.0 is needed by package vlc
>> Error: Missing Dependency: libx264.so.55 is needed by package vlc
>>
>
> Hmm, I dunno - I'm running 5.3 (fully up to date) on an AMD 64x2 7750
>
> :-)
>
> Haven't heard back from the other side (rpmforge) yet.

I'm not using the 64 bit version, but the on name seems to indicate a
64 bit file? Is it possible that the libraries got mixed up somehow?

-- 
RonB -- Using CentOS 5.3
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Update Issue

2009-07-10 Thread MHR
On Fri, Jul 10, 2009 at 7:46 PM, Ron Blizzard wrote:
>
> A few days ago, I think someone mentioned that they were doing
> something at RPMForge. I'm guessing this is part of it -- this is
> an old Pentium III that I've got CentOS 4.7 on, and I tried to do an
> update (haven't turned it on in a couple months) and got the following
> errors.
>
> Error: Missing Dependency: libdirectfb-1.0.so.0 is needed by package vlc
> Error: Missing Dependency: libfusion-1.0.so.0 is needed by package vlc
> Error: Missing Dependency: glibc >= 2.4 is needed by package flash-plugin
> Error: Missing Dependency: libdirect-1.0.so.0 is needed by package vlc
> Error: Missing Dependency: libx264.so.55 is needed by package vlc
>

Hmm, I dunno - I'm running 5.3 (fully up to date) on an AMD 64x2 7750

:-)

Haven't heard back from the other side (rpmforge) yet.

mhr


Re: [CentOS] Update Issue

2009-07-10 Thread Ron Blizzard
On Fri, Jul 10, 2009 at 9:12 PM, MHR wrote:
> On Fri, Jul 10, 2009 at 7:06 PM, Ron Blizzard wrote:
>> I should also mention that I added (a few days ago) the M Harris
>> repository so that I could install Firefox 3.5.
>>
>
> I ran an update for my rpmforge stuff this morning and saw the same
> thing.  Anyone here have a clue?  I'm gonna ask on the rpmforge list,
> too.

A few days ago, I think someone mentioned that they were doing
something at RPMForge. I'm guessing this is part of it -- this is
an old Pentium III that I've got CentOS 4.7 on, and I tried to do an
update (haven't turned it on in a couple months) and got the following
errors.

Error: Missing Dependency: libdirectfb-1.0.so.0 is needed by package vlc
Error: Missing Dependency: libfusion-1.0.so.0 is needed by package vlc
Error: Missing Dependency: glibc >= 2.4 is needed by package flash-plugin
Error: Missing Dependency: libdirect-1.0.so.0 is needed by package vlc
Error: Missing Dependency: libx264.so.55 is needed by package vlc

So, I'll wait a day or two and try again.

Thanks for letting me know it wasn't just me.

-- 
RonB -- Using CentOS 4.7


Re: [CentOS] Update Issue

2009-07-10 Thread MHR
On Fri, Jul 10, 2009 at 7:06 PM, Ron Blizzard wrote:
> I should also mention that I added (a few days ago) the M Harris
> repository so that I could install Firefox 3.5.
>

I ran an update for my rpmforge stuff this morning and saw the same
thing.  Anyone here have a clue?  I'm gonna ask on the rpmforge list,
too.

mhr


Re: [CentOS] Update Issue

2009-07-10 Thread Ron Blizzard
I should also mention that I added (a few days ago) the M Harris
repository so that I could install Firefox 3.5.

-- 
RonB -- Using CentOS 5.3


[CentOS] Update Issue

2009-07-10 Thread Ron Blizzard
I come to you "hat in hand" again. For the first time in a long while
I got an "Update Notification" at the bottom of my screen -- so I
decided to click on it and run the update. Unfortunately I got a
couple dependency errors and am not sure how to solve them. (Not even
sure why I got them.)

They are as follows:

Missing Dependency: libavcodec.so.51 is needed by package
transcode-1.0.5-1.el5.rf.i386 (installed)
Missing Dependency: libx264.so.55 is needed by package
transcode-1.0.5-1.el5.rf.i386 (installed)

The only non-CentOS repositories I have enabled are Adobe and
RPMForge. (I have, however, downloaded files individually from PBone.)

This is the first time I have had any problems for a while. Have I
broken something?

(I did find libavcodec.so.51 at PBone, but it won't install because it
wants the libx264.so.55, which I haven't been able to find.)

Is transcode what I use to convert CDs to MP3 files? I did recently
add MP3 codecs to Juicer, so I could convert my CD collection.

And I did try to update via yum after running 'yum clean all' and I
got the same dependency issues.

Thanks for any pointers.

-- 
RonB -- Using CentOS 5.3


Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread oooooooooooo ooooooooooooo

> You mentioned that the data can be retrieved from somewhere else. Is
> some part of this filename a unique key? 

The real key is up to 1023 characters long and it's unique, but I have to trim
to 256 characters; this way it is not unique unless I add the hash.

> Do you have to track this
> relationship anyway - or age/expire content?

I have to track the long filename -> short file name relationship. Age is not
relevant here.

> I'd try to arrange things
> so the most likely scenario would take the fewest operations. Perhaps a
> mix of hash+filename would give direct access 99+% of the time and you
> could move all copies of collisions to a different area.

Yes, it's a good idea, but at this point I don't want to add more complexity to my
app, and having a separate area for collisions would make it more complex.

> Then you could
> keep the database mapping the full name to the hashed path but you'd
> only have to consult it when the open() attempt fails.

As the long filename is up to 1023 chars long I can't index it with mysql (it
has a lower max limit). That's why I use the hash (which is indexed). What I do
is keep a list of just the md5 of the cached files in memory in my app;
before going to mysql, I first check if it's in the list (really an RB-Tree).





Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Les Mikesell
 o wrote:
>> I don't think you've explained the constraint that would make you use
>> mysql or not.
> 
> My original idea was using just the hash as filename; this way I could
> have a direct access. But the customer rejected this and requested to have
> part of the long file name (from 11 to 1023 characters). As linux only allows
> 256 characters in the path and I could get duplicates with the 256 first
> chars, I trim the real filename to around 200 characters and I add the hash
> at the end (plus a couple metadata small fields).
>
> Yes, their requirements do not make too much sense, but I've tried to
> convince the customer to use just the hash with no luck (seems he does not
> understand well what is a hash although I've tried to explain it several
> times).

You mentioned that the data can be retrieved from somewhere else.  Is 
some part of this filename a unique key?  Do you have to track this 
relationship anyway - or age/expire content?  I'd try to arrange things 
so the most likely scenario would take the fewest operations.  Perhaps a 
mix of hash+filename would give direct access 99+% of the time and you 
could move all copies of collisions to a different area.  Then you could 
keep the database mapping the full name to the hashed path but you'd
only have to consult it when the open() attempt fails.

> That's why I need to either a) use mysql or b) do a directory listing.
>
>> 00/AA/FF/filename
> That would make up to 256^3 directory leaves, which is more than 16 million;
> as I have around 15M files, I think that this is an excessive number
> of directories.

I guess that's why squid only uses 16 x 256...

-- 
   Les Mikesell
 lesmikes...@gmail.com



Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread oooooooooooo ooooooooooooo

According to my tests the average size per file is around 15KB (although there 
are files from 1Kb to 150KB).




Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Alexander Georgiev
2009/7/10, Filipe Brandenburger :
> On Fri, Jul 10, 2009 at 16:21, Alexander
> Georgiev wrote:
>> I would use either only a database, or only the file system. To me -
>> using them both is a violation of KISS.
>
> I disagree with your general statement.
>
> Storing content that is appropriate for files (e.g., pictures) as
> BLOBs in an SQL database only makes it more complex.
>

Please, explain why. I was under the impression that storing large
binary streams is BLOB's reason to exist.

> Creating "clever" file formats to store relationships between objects
> in a filesystem instead of using a SQL database only makes it more
> complex (and harder to extend!).

Indeed.

> Just because you are using less technologies doesn't necessarily make
> it simpler.

Of course, but if one of those technologies can provide both
functionalities without hacks, twists and abuse, I would stay with
that single technology.


Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Filipe Brandenburger
On Fri, Jul 10, 2009 at 16:21, Alexander
Georgiev wrote:
> I would use either only a database, or only the file system. To me -
> using them both is a violation of KISS.

I disagree with your general statement.

Storing content that is appropriate for files (e.g., pictures) as
BLOBs in an SQL database only makes it more complex.

Creating "clever" file formats to store relationships between objects
in a filesystem instead of using a SQL database only makes it more
complex (and harder to extend!).

Think a website that stores user's pictures and has social networking
features (maybe like Flickr?). The natural place to store the JPEG
images is the filesystem. The natural place to store user info,
favorites, relations between users, etc. is the SQL database. If you
try to do it different, it starts looking like you are trying to fit a
square piece in a round hole. It may be possible to do it, but it is
certainly not elegant.

Just because you are using less technologies doesn't necessarily make
it simpler.

Filipe


Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Alexander Georgiev
2009/7/10,  o :
>
> Ok, I could use mysql, but think we have around 15M entries and I would have
> to add to each a file from 1KB to 150KB, in total the files size can be
> around 200GB. How will be the performance of this in mysql?
>

in the worst case - 150kb for a 1500 of files I get:

1500 * 150 / (1024 * 1024)
2145.7672119140625000

or 2TB


Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread oooooooooooo ooooooooooooo

Ok, I could use mysql, but think we have around 15M entries and I would have to
add to each a file from 1KB to 150KB, in total the files size can be around 
200GB. How will be the performance of this in mysql?



Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Alexander Georgiev
>
> My original idea was using just the hash as filename; this way I
> could have a direct access. But the customer rejected this and requested to
> have part of the long file name (from 11 to 1023 characters). As linux only
> allows 256 characters in the path and I could get duplicates with the 256
> first chars, I trim the real filename to around 200 characters and I add the
> hash at the end (plus a couple metadata small fields).
>
> Yes, their requirements do not make too much sense, but I've tried to
> convince the customer to use just the hash with no luck (seems he does not
> understand well what is a hash although I've tried to explain it several
> times).
>
> That's why I need to either a) use mysql or b) do a directory listing.

I would use either only a database, or only the file system. To me -
using them both is a violation of KISS.

If you were able to convince them to change the directory layout, and
if you are more comfortable with a database  - try to convince them to
use a database.


Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread oooooooooooo ooooooooooooo

>I don't think you've explained the constraint that would make you use
> mysql or not.

My original idea was using just the hash as filename; this way I could
have a direct access. But the customer rejected this and requested to have part
of the long file name (from 11 to 1023 characters). As linux only allows 256
characters in the path and I could get duplicates with the 256 first chars, I
trim the real filename to around 200 characters and I add the hash at the end
(plus a couple metadata small fields).

Yes, their requirements do not make too much sense, but I've tried to
convince the customer to use just the hash with no luck (seems he does not
understand well what is a hash although I've tried to explain it several times).

That's why I need to either a) use mysql or b) do a directory listing.

> 00/AA/FF/filename
That would make up to 256^3 directory leaves, which is more than 16 million;
as I have around 15M files, I think that this is an excessive number of
directories.




[CentOS] recent rsyslog package available for CentOS?

2009-07-10 Thread Eric B.
Hi,

I'm looking for a recent version of rsyslog.  The yum repositories only show 
me a version that is 2.0.6.  According to the www.rsyslog.com site, they are 
up to version 5 (dev), which means that I would think/assume that there 
would at least be v3 or v4 available somewhere.

Does anyone know if/where I can find something more recent than 2.0.6?

Thanks,

Eric 





Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread Les Mikesell
 o wrote:
> Hi, After talking with the customer, I finally managed to convince him to
> use the first characters of the hash as directory names.
>
> Now I'm in doubt about the following options:
>
> a) Using directory 4 levels /c/2/a/4/ (200 files per directory) and mysql
> with a hash->filename table, so I can get the file name from the hash and
> then I can directly access it (I first query mysql for the hash of the file,
> and then I read the file).
>
> b) Using 5 levels without mysql, and making a dir listing (due to technical
> issues, I can only know an approximate file name, so I can't make a direct
> access here), match the file name and then read it. The issue here is that I
> would have 16^5 leaf directories (more than a million).
> 
> I could also make more combinations of mysql/not mysql and number of levels.
> 
> What do you think it would give the best performance in ext3?

I don't think you've explained the constraint that would make you use 
mysql or not.  I'd avoid it if everything involved can compute the hash 
or is passed the whole path since is bound to be slower than doing the 
math, and just on general principles I'd use a tree like 
00/AA/FF/filename (three levels of 2 hex characters) as the first cut, 
although squid uses just two levels with a default of 16 first level and 
256 2nd level directories and probably has some good reason for it.

-- 
   Les Mikesell
lesmikes...@gmail.com
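
The layout suggested in this message (three levels of two hex characters, 00/AA/FF/filename), combined with the trimmed-name-plus-hash file name described in the quoted text, as an added example that is not code from the thread. MD5 follows the thread's own use of md5; the function names, the `-` separator and the 200-byte trim are assumptions, and the example goes one step further by trimming in bytes and replacing path separators so a key cannot leave its directory.

```python
"""Hashed directory layout for a file cache keyed by long names (added example)."""
import hashlib
import os
import tempfile

NAME_MAX = 255    # ext3 limit for a single path component, counted in bytes
TRIM_BYTES = 200  # assumption: "around 200 characters" taken as 200 bytes


def safe_component(key, limit=TRIM_BYTES):
    """Readable part of the file name: separators replaced, trimmed by bytes."""
    cleaned = key.replace("/", "_").replace("\x00", "_")
    raw = cleaned.encode("utf-8")[:limit]
    # A byte cut can split a multi-byte character; drop the broken tail.
    return raw.decode("utf-8", errors="ignore")


def hashed_path(root, key):
    """root/00/AA/FF/<trimmed key>-<md5 of the full key>."""
    # MD5 is only a naming key here, as in the thread; swap in SHA-256
    # if the keys come from an untrusted party.
    digest = hashlib.md5(key.encode("utf-8")).hexdigest()
    levels = (digest[0:2], digest[2:4], digest[4:6])
    filename = f"{safe_component(key)}-{digest}"
    if len(filename.encode("utf-8")) > NAME_MAX:
        raise ValueError("file name component too long")
    return os.path.join(root, *levels, filename)


def store(root, key, data):
    """Write data under the computed path, creating the three levels on demand."""
    path = hashed_path(root, key)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def load(root, key):
    """Direct open() on the computed path; None is a cache miss."""
    try:
        with open(hashed_path(root, key), "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed keys: identical for the first 300 characters.
        key_a = "a" * 300 + "/report-one"
        key_b = "a" * 300 + "/report-two"
        path_a = store(root, key_a, b"first")
        path_b = store(root, key_b, b"second")
        print(os.path.relpath(path_a, root)[:40], "...")
        print(os.path.relpath(path_b, root)[:40], "...")
        print(load(root, key_a), load(root, key_b), load(root, "never stored"))
        # A key that looks like a traversal attempt stays four levels below root.
        print(os.path.relpath(hashed_path(root, "../../etc/passwd"), root))
```

Because the path is a pure function of the key, no directory listing or database lookup is needed as long as the caller knows the full key.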



Re: [CentOS] Regarding LARGE number of files in a folder in linux

2009-07-10 Thread Bob Hoffman

> >
> > I would like to know what you do about the number of files in a 
> > folder, or if that is a concern. I think there is a limitation or a 
> > slow down if it gets too big, but what is optimal (if necessary)
> 
> > SO what is best for file management and system resources?
> Using hash_index on ext3 or a hashing file system helps... 
> but in many such contexts, I've found if you can do a 
> multi-level directory hashing scheme (compute some 
> reproducible hash on a file name or user name/ID) and index 
> into a directory structure, this can help.
> -Alan

I set up using an ext3 and with centos I believe that is 4blocks which has a
8tb size limit overall.
However, I believe that is per logical drive.
Also, the number of total files per logical drive is some strange formula or
Volume size divided by 2 to the 23rd power...but not sure, it may be size /2
and then to the 23rd power.
That is a lot of files I think.
32,000 is the max sub directory count for a directory.

I am going with a max size of 1000 files per folder and a max sub directory
for, let's say an image folder, of 10,000. I think this will keep the
application I am building fine with most computers.

For my own sites, I think when approaching a huge volume it will be time to
just get some bigger drives with a different file system to host those
specific directories and that should solve it all.

The only way, I can see, to not slow the computer down is to limit the number of
files in a directory and number of folders in a directory (such as no more
than 1000 1st tier sub directories in the image folder).
And trying to make sure it is either folders or files in a folder, not both,
should help.

Of course it would be nice to be able to benchmark the process by number of
files, sub directories, and files per sub directory. There might be a
way.

I think that is the only way to handle it, at least in a small system
without large drives and using ext3.


Thanks for all the input.



Re: [CentOS] Question about optimal filesystem with many small files.

2009-07-10 Thread oooooooooooo ooooooooooooo

Hi, After talking with the customer, I finally managed to convince him to use
the first characters of the hash as directory names.

Now I'm in doubt about the following options:

a) Using directory 4 levels /c/2/a/4/ (200 files per directory) and mysql with
a hash->filename table, so I can get the file name from the hash and then I can
directly access it (I first query mysql for the hash of the file, and then I
read the file).

b) Using 5 levels without mysql, and making a dir listing (due to technical
issues, I can only know an approximate file name, so I can't make a direct
access here), match the file name and then read it. The issue here is that I
would have 16^5 leaf directories (more than a million).

I could also make more combinations of mysql/not mysql and number of levels.

What do you think it would give the best performance in ext3?

Thanks.




Re: [CentOS] LDAP/Autofs instructions are conflicting in Centos5.3

2009-07-10 Thread Eric B.
"Kwan Lowe" wrote in
message news:b7e478370907092006x5340883n1ec1652fa27b5...@mail.gmail.com...
> On Thu, Jul 9, 2009 at 10:37 PM, Eric B. wrote:
>> Hi,
>>
>> I'm not sure if I am posting this in the right place, so if this belongs
>> more on another list, please let me know.
>
> The 389 list is a better place:
>
> 389 users mailing list
> 389-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks.  Will try to post there for more information.

Eric




Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Rob Townley
On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom wrote:
> On Friday 10 July 2009, Rob Kampen wrote:
>> Coert Waagmeester wrote:
> ...
>> > it only allows one NEW connection to ssh per minute.
>> >
>> > That is also a good protection right?
> ...
>> Not really protection - rather a deterrent - it just makes it slower for
>> the script kiddies that try brute force attacks
>
> Basically it's not so much about protection in the end as it is about keeping
> your secure-log readable. Or maybe also a sense of being secure...
>
> It's always good to limit your exposure but you really have to weigh cost
> against the win. Two examples:
>
> Limit from which hosts you can login to a server:
>  Configuration cost: trivial setup (one iptables line)
>  Additional cost: between no impact and some impact depending on your habits
>  Positive effect: 99.9+% of all scans and login attempts are now gone
>  Verdict: Clear win as long as the set of servers are easily identifiable
>
> Elaborate knocking/blocking setup:
>  Configuration cost: significant (include keeping it up-to-date)
>  Additional cost: setup of clients for knocking, use of -p XXX for new port
>  Positive effect: "standard scans" will probably miss but not air tight
>  Verdict: Harder to judge, I think it's often not worth it
>
> Other things worth looking into are, for example, access.conf (pam_access.so)
> and ensuring that non-trivial passwords are used.
>
> my €0.02,
>  Peter
>

Virtual networks such as tinc-vpn.org or hamachi create an
encrypted network only accessible to members of the virtual network.
So if your server's virtual nic has an address of 5.4.3.2, then the
only other host that may see your server would be your laptop with
address 5.4.3.3.  No other internet hosts would even see 5.4.3.2...
It is like IPSec, but much easier.


Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Peter Kjellstrom
On Friday 10 July 2009, Rob Kampen wrote:
> Coert Waagmeester wrote:
...
> > it only allows one NEW connection to ssh per minute.
> >
> > That is also a good protection right?
...
> Not really protection - rather a deterrent - it just makes it slower for
> the script kiddies that try brute force attacks

Basically it's not so much about protection in the end as it is about keeping 
your secure-log readable. Or maybe also a sense of being secure...

It's always good to limit your exposure but you really have to weigh cost 
against the win. Two examples:

Limit from which hosts you can login to a server:
 Configuration cost: trivial setup (one iptables line)
 Additional cost: between no impact and some impact depending on your habits
 Positive effect: 99.9+% of all scans and login attempts are now gone
 Verdict: Clear win as long as the set of servers are easily identifiable

Elaborate knocking/blocking setup:
 Configuration cost: significant (include keeping it up-to-date)
 Additional cost: setup of clients for knocking, use of -p XXX for new port
 Positive effect: "standard scans" will probably miss but not air tight
 Verdict: Harder to judge, I think it's often not worth it

Other things worth looking into are, for example, access.conf (pam_access.so) 
and ensuring that non-trivial passwords are used.

my €0.02,
 Peter




Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Karanbir Singh
On 07/10/2009 02:59 PM, Rainer Duffner wrote:
> Brute-forcing has long-since started to go distributed, fooling fail2ban
> and similar scripts with  just 3 or 4 checks per single source-host.

I've never been a big fan of either denyhosts or fail2ban, both of them 
are just making it easier for someone else to ddos you, and achieve 
little in terms of the real problem, as you said here the brute forcing 
has gone into the spam-botnets a long time back.

as an example : one of my machines got ssh attempts from > 3500 
different ip's in under an hour a few weeks back.

pam_shield and similar solutions offer a slightly gentler way to 
implement similar stuff, but iptables and perhaps a creative netlabels
solution to lock in what you need and how you need it, is a far better 
solution.

- KB
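
The point made in this message and in Rainer Duffner's, as an added example that is not part of the original thread: a per-source failure threshold of the kind fail2ban or denyhosts applies misses a run in which each host tries only 3 or 4 times, while counting distinct sources per time window exposes it. The log lines are constructed, and the thresholds and function names are assumptions.

```python
"""Per-source vs. aggregate view of failed SSH logins (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" line in the syslog format of /var/log/secure.
# The user field is greedy and the pattern is anchored at the end of the line,
# so text inside a submitted user name cannot supply the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?$"
)


def parse_failures(lines, year=2009):
    """Return [(timestamp, user, source_ip)] for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if m:  # accepted logins and other daemons are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_source_offenders(events, max_per_ip=5):
    """Sources that a per-IP failure threshold would block."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= max_per_ip}


def distributed_windows(events, window=timedelta(hours=1), min_sources=50):
    """Window start -> number of distinct failing sources, when unusually high."""
    origin = datetime(1970, 1, 1)
    buckets = defaultdict(set)
    for ts, _, ip in events:
        start = origin + ((ts - origin) // window) * window
        buckets[start].add(ip)
    return {s: len(ips) for s, ips in buckets.items() if len(ips) >= min_sources}


def constructed_log():
    """Constructed sample: 200 sources with 3 tries each, one host with 8."""
    base = datetime(2009, 7, 10, 14, 0, 0)
    lines = ["Jul 10 13:59:58 host sshd[1999]: Accepted publickey for admin "
             "from 192.0.2.10 port 50222 ssh2"]
    for i in range(200):
        for k in range(3):
            ts = base + timedelta(seconds=i * 15 + k)
            lines.append(
                f"{ts:%b %d %H:%M:%S} host sshd[{2000 + i}]: Failed password "
                f"for root from 198.51.100.{i + 1} port {40000 + i} ssh2"
            )
    for k in range(8):
        ts = base + timedelta(minutes=50, seconds=k * 20)
        lines.append(
            f"{ts:%b %d %H:%M:%S} host sshd[3000]: Failed password for "
            f"invalid user admin from 203.0.113.7 port {51000 + k} ssh2"
        )
    return lines


def summarize(lines):
    events = parse_failures(lines)
    return {
        "failures": len(events),
        "sources": len({ip for _, _, ip in events}),
        "banned_by_per_ip_rule": per_source_offenders(events),
        "distributed_windows": distributed_windows(events),
    }


if __name__ == "__main__":
    report = summarize(constructed_log())
    print("failed logins:", report["failures"], "from", report["sources"], "sources")
    print("blocked by per-IP threshold:", sorted(report["banned_by_per_ip_rule"]))
    for start, n in report["distributed_windows"].items():
        print(f"{start:%Y-%m-%d %H:%M} window: {n} distinct failing sources")
```

On the constructed log the per-IP rule blocks only the single noisy host, while the window count shows the 200 quiet sources that account for almost all of the attempts.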


[CentOS] vsftpd not able to log in

2009-07-10 Thread Eugene Vilensky
Hi folks,
I can't seem to log into my system via
vsftpd.  All other services using PAM are fine...Am I missing something simple?

ftp> user
(username) user
331 Please specify the password.
Password:
530 Login incorrect.



# getenforce
Permissive

here is the event in /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1247235151.569:9781): user pid=21052 uid=0 auid=0
subj=root:system_r:ftpd_t:s0 msg='PAM: authentication acct="user" :
exe="/usr/sbin/vsftpd" (hostname=hostname, addr=1.2.3.4, terminal=ftp
res=failed)'

# cat /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

# grep local /etc/vsftpd/vsftpd.conf
local_enable=YES
local_umask=022
chroot_local_user=YES

# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off


Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Rainer Duffner
Rob Kampen wrote:
>  Not really protection - rather a deterrent - it just makes it slower
> for the script kiddies that try brute force attacks - they have to
> pace themselves to one try per minute rather than one or two per
> second. Thus they normally move on to an easier target.
> You can also use iptables to allow say four attempts from an IP and
> then  block for 5 or more minutes - this is what I use.


Not really, either ;-)
Brute-forcing has long-since started to go distributed, fooling fail2ban
and similar scripts with  just 3 or 4 checks per single source-host.

The bad guys do cloud-computing, too



Rainer


Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Rob Kampen

Coert Waagmeester wrote:
> On Thu, 2009-07-09 at 15:18 -0700, Bill Campbell wrote:
>> This appeared today on Macworld, an article saying this is
>> probably a hoax:
>>
>> http://www.macworld.com/article/141628/2009/07/openssh_securityhoax.html?lsrc=rss_main
>>
>> Bill
>
> In my iptables setup I have the following rule: (excuse the ugly line
> breaks)
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
> --dport 22 -m state -m recent --state NEW --update --seconds 15 -j \
> DROPLOG
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
> --dport 22 -m state -m recent --state NEW --set -j ACCEPT
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
> --dport 22 -m state --state ESTABLISHED --state RELATED -j ACCEPT
>
> it only allows one NEW connection to ssh per minute.
>
> That is also a good protection right?
>
> Regards,
> Coert

Not really protection - rather a deterrent - it just makes it slower for
the script kiddies that try brute force attacks - they have to pace
themselves to one try per minute rather than one or two per second. Thus
they normally move on to an easier target.
You can also use iptables to allow say four attempts from an IP and
then  block for 5 or more minutes - this is what I use.

HTH
Rob


Re: [CentOS] Is there an openssh security problem?

2009-07-10 Thread Coert Waagmeester

On Thu, 2009-07-09 at 15:18 -0700, Bill Campbell wrote:
> This appeared today on Macworld, an article saying this is
> probably a hoax:
> 
> http://www.macworld.com/article/141628/2009/07/openssh_securityhoax.html?lsrc=rss_main
> 
> Bill

In my iptables setup I have the following rule: (excuse the ugly line
breaks)

/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
--dport 22 -m state -m recent --state NEW --update --seconds 15 -j \
DROPLOG

/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
--dport 22 -m state -m recent --state NEW --set -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -p tcp -s 196.1.1.0/24 -d 196.1.1.31 \
--dport 22 -m state --state ESTABLISHED --state RELATED -j ACCEPT

it only allows one NEW connection to ssh per minute.

That is also a good protection right?


Regards,
Coert
