[CentOS-es] DNS server implementation
I want to implement this server and use a single IP for several pages.

Alberto Torres Paredes: Systems Engineering : Universidad Privada Cesar Vallejo

___ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
[CentOS-es] Opening port 1500
Hello,

I am new to Linux and have spent several days trying to open port 1500 to communicate with an application. The default policy is ACCEPT. In iptables I manually added the following entry:

-A RH-Firewall -1-INPUT -p tcp -m tcp --dport 1500 -j ACCEPT

But when I check with nmap, the port does not show up as open. What can I do? Thanks for any suggestions.

Regards,
-- 
- work as if you don't need money, - love as if you've never been hurt, - dance as if nobody can see, - sing as if no one can hear, - live as if Earth was heaven. by somebody
Re: [CentOS-es] {Disarmed} DNS server implementation
On 06/30/2010 09:11 AM, Jose Alberto Torres Paredes wrote:
> I want to implement this server and use a single IP for several pages

Enable NameBasedHosting in your Apache and configure it as required.
Re: [CentOS-es] Opening port 1500
Exactly: nmap does not scan for open ports but rather for ports published by some application. For example, if you have a mail server you will see ports 25 and 110 open, if you have a web application you will surely see 80, etc. What you want to do is monitor the connection, which can be done with iftop, iptraf, etc.

Xavier Mauricio Tirado L.
Infrastructure Unit
TECHNOLOGY DIRECTORATE

Rubén González wrote:
> If your default policy is ACCEPT, then the problem is that you do not have an application listening on port 1500. That is what I can tell you quickly.
>
> Date: Wed, 30 Jun 2010 12:53:59 +0200
> From: ghislain.atemez...@gmail.com
> To: centos-es@centos.org
> Subject: [CentOS-es] Opening port 1500
>
> Hello,
>
> I am new to Linux and have spent several days trying to open port 1500 to communicate with an application. The default policy is ACCEPT. In iptables I manually added the following entry:
>
> -A RH-Firewall -1-INPUT -p tcp -m tcp --dport 1500 -j ACCEPT
>
> But when I check with nmap, the port does not show up as open. What can I do? Thanks for any suggestions.
>
> Regards,
> -- 
> - work as if you don't need money, - love as if you've never been hurt, - dance as if nobody can see, - sing as if no one can hear, - live as if Earth was heaven. by somebody
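The two replies above separate "the firewall lets the packet in" from "something is listening". The following sketch is an added example, not part of the thread: it combines both checks to predict what a remote scan will report for port 1500, and also covers rule order inside the chain, which the thread does not discuss. The function names are hypothetical, the netstat lines and rules are constructed, and the rule walk is a simplification that only models `-p`, `--dport` and `--state`.

```shell
#!/bin/sh
# Added example; every sample below is constructed, function names are hypothetical.

# listener_scope PORT   (stdin: output of `netstat -ltn`)
# Prints "reachable" (bound to a non-loopback address), "loopback" or "none".
listener_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, ":")            # the port is the last ":" field
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1") lo = 1
            else reach = 1
        }
        END { print (reach ? "reachable" : (lo ? "loopback" : "none")) }'
}

# firewall_verdict CHAIN PORT   (stdin: rules in iptables-save syntax)
# Walks CHAIN top to bottom and prints the target of the first rule that a new
# TCP connection to PORT would hit, or RETURN if none does. Simplification:
# rules with criteria other than -p, --dport and --state are skipped.
firewall_verdict() {
    awk -v chain="$1" -v port="$2" '
        $1 == "-A" && $2 == chain {
            target = ""; proto = ""; dport = ""; skip = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                else if ($i == "-p") proto = $(++i)
                else if ($i == "-m") i++               # module name only
                else if ($i == "--dport") dport = $(++i)
                else if ($i == "--state") { if ($(++i) !~ /NEW/) skip = 1 }
                else skip = 1                          # criterion not modelled
            }
            if (skip) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            print target; found = 1; exit
        }
        END { if (!found) print "RETURN" }'
}

# expected_scan_state SCOPE VERDICT -> state a remote TCP scan would report
expected_scan_state() {
    case "$2" in
        ACCEPT|RETURN) ;;            # RETURN falls to the policy; the post says ACCEPT
        *) echo filtered; return ;;  # DROP, or REJECT with an ICMP error
    esac
    [ "$1" = reachable ] && echo open || echo closed
}

# diagnose PORT CHAIN NETSTAT_TEXT RULES_TEXT -> "scope verdict state"
diagnose() {
    scope=$(printf '%s\n' "$3" | listener_scope "$1")
    verdict=$(printf '%s\n' "$4" | firewall_verdict "$2" "$1")
    echo "$scope $verdict $(expected_scan_state "$scope" "$verdict")"
}

# Constructed `netstat -ltn` samples.
NETSTAT_NONE='tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN'
NETSTAT_LOOP="$NETSTAT_NONE
tcp        0      0 127.0.0.1:1500    0.0.0.0:*         LISTEN"
NETSTAT_ANY="$NETSTAT_NONE
tcp        0      0 0.0.0.0:1500      0.0.0.0:*         LISTEN"

# Constructed rule sets: the same ACCEPT placed after, then before, the final REJECT.
RULES_HEAD='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
ALLOW_1500='-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1500 -j ACCEPT'
REJECT_ALL='-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
RULES_APPENDED="$RULES_HEAD
$REJECT_ALL
$ALLOW_1500"
RULES_ORDERED="$RULES_HEAD
$ALLOW_1500
$REJECT_ALL"

diagnose 1500 RH-Firewall-1-INPUT "$NETSTAT_NONE" "$RULES_ORDERED"   # no listener
diagnose 1500 RH-Firewall-1-INPUT "$NETSTAT_ANY"  "$RULES_APPENDED"  # rule never reached
diagnose 1500 RH-Firewall-1-INPUT "$NETSTAT_LOOP" "$RULES_ORDERED"   # bound to loopback only
diagnose 1500 RH-Firewall-1-INPUT "$NETSTAT_ANY"  "$RULES_ORDERED"   # listener and rule in place
```

On a live host the two inputs would come from `netstat -ltn` and `iptables-save`.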
Re: [CentOS-es] Opening port 1500
Change INPUT to FORWARD and check whether it is TCP. Do you need to establish a remote session to some server or host, or is it UDP communication?? Check that.

-----Original Message-----
From: Damaso Payares lordel...@gmail.com
Sender: centos-es-boun...@centos.org
Date: Wed, 30 Jun 2010 20:27:50
To: centos-es@centos.org; gaugu...@fi.upm.es
Reply-To: centos-es@centos.org
Subject: Re: [CentOS-es] Opening port 1500
Re: [CentOS] CentOS MD RAID 1 on Openfiler iSCSI
On Wed, Jun 30, 2010 at 11:59 AM, Christopher Chan christopher.c...@bradbury.edu.hk wrote:
> Sounds exactly like the mentality in Hong Kong too. I mean, even the bigger companies with Asian managers have a similar mentality. The IT department is always the under-budgeted, under-manned and public enemy number one when cost-cutting.

Not too surprised the mentality is similar, I'm in Asia and just a few hours away by plane. Despite putting out cost estimates to management, they just won't accept that spending a few dollars more now would reap 10x the cost savings over the next couple of years. Somehow, they seem to prefer gambling with the possibility of paying a couple of hundred bucks for emergency service calls and maybe a grand for data recovery than spending another hundred or so on an extra hard disk now.

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] How can binaries be different when package versions are identical? (mkfs.ext3 on CentOS 5.4)
On Wednesday 30 June 2010, Spiro Harvey wrote:
> Aleksey Tsalolikhin atsaloli.t...@gmail.com wrote:
>> (a) account for the difference in the binaries, and (b) see if something else is different that I can make the same to get the mkfs.ext3 time down to 15 sec on both systems. Solving (a) should shed light on (b). Any ideas?
>
> Look into prelinking (man prelink). A prelinker from /etc/cron.daily that changes the binaries with an aim to speed up execution.

While prelinking would give you different checksums for the same binary on different servers it would not show up in rpm -V as reported. This since rpm's checksumming is prelink-aware.

/Peter
Re: [CentOS] Dell R605 w/ Perc 6/i problem
Jacob Bresciani wrote:
> R605 is a power edge server model I think. The Perc6/i is a Dell rebranded raid controller, it's actually an LSI in disguise. Try downloading the Megaraid utilities from LSI and using them to see the status of the card.

Hmmm, I think I see the Linux/CentOS megaraid load as it comes up to the install screen (before I get to look at partitioning).

> Also, when you boot the R605, you should be able to get into the Perc's firmware for drive creation/maintenance. You might want to check there to see how it thinks things are configured and it hasn't decided the 750G drive is a hotspare or something (a hotspare wouldn't show up to the OS).

As far as I can tell, it doesn't think it's a hot spare. Using the firmware configuration utility, it sees the physical drive, and that's it.

> I'm assuming all the drives are connected to the Perc6/i controller. Drives connected to the Perc controller won't necessarily show up to the BIOS.

Yeah - five (I think) hot swap drive bays in the front of the box, all on an SAS backplane.

mark
-- 
Nuclear physicists speak of five fundamental forces: weak, strong, electromagnetic, gravity, and duct tape. -- American Science and Surplus Catalog
Re: [CentOS] security compliance vs. old software versions
Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities
> Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.

Remove that module from httpd.conf and try again. If it still gives that warning you've proven the tool is braindead. You could also just tell Apache not to add a server signature. I wonder how the tool will react to that :-) Or is run locally and scans the rpm database?

Kai
Re: [CentOS] CentOS MD RAID 1 on Openfiler iSCSI
Emmanuel Noobadmin wrote:
> On Wed, Jun 30, 2010 at 11:59 AM, Christopher Chan christopher.c...@bradbury.edu.hk wrote:
>> Sounds exactly like the mentality in Hong Kong too. I mean, even the bigger companies with Asian managers have a similar mentality. The IT department is always the under-budgeted, under-manned and public enemy number one when cost-cutting.
>
> Not too surprised the mentality is similar, I'm in Asia and just a few hours away by plane. Despite putting out cost estimates to management, they just won't accept that spending a few dollars more now would reap 10x the cost savings over the next couple of years. Somehow, they seem to prefer gambling with the possibility of paying a couple of hundred bucks for emergency service calls and maybe a grand for data recovery than spending another hundred or so on an extra hard disk now.

One thing you can do on the cheap is set up nightly backups with backuppc. It can run on a machine that does something else in the daytime if necessary and its pooling and compression scheme will store about 10x the history you would expect. You need backups anyway since even complex redundancy schemes have modes of failure that can lose things. Or, I suppose you could roll your own with rsync to a zfs filesystem with de-dup, compression, and snapshots set up.

-- 
Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Samba and (and maybe other characters) in paths/files
Drew wrote:
>> You must be spoiled by always using GUI tools that present a pick list - no one would ever type all that crap every time they want to access a file. And, you could just as well use underscores instead of spaces and get the same visual effect AND still permit natural 'break on whitespace' command line parsing of your shell commands. I always thought Microsoft and Apple encouraged using spaces in filenames explicitly to make it difficult for people to continue using command line tools.
>
> Actually ... For someone who manages Windows systems for a living I spend quite a bit of my day at the commandline. And that's why tab completion is my friend. :-) Let's not get into the whole windows debate and WTF is a Windows Admin doing on a Linux forum? type of questions. :-) It's the environment I inherited, politics, and some badly thought out projects on my predecessor's part keep Windows in the shop. I just don't tell anyone just how much linux there actually is in the shop. ;-)

Doing stuff at the windows command line tends to be different than working with unix/linux shells. Unix admins are too lazy to do interactive commands repeatedly, even with tab completion, so they will want to save any likely repeated steps as scripts with wildcard expansion to pick up the relevant filenames - or pass them as parameters if wildcards don't make sense. And they'll probably run them across many hosts with ssh. Spaces get even more ugly when you think about quoting them for multiple layers of shell processing. Not impossible, but it gets away from the normal simple elegance of shell parsing to natural words.

-- 
Les Mikesell lesmikes...@gmail.com
Re: [CentOS] security compliance vs. old software versions
Kai Schaetzl wrote:
> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities
>> Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>
> Remove that module from httpd.conf and try again. If it still gives that warning you've proven the tool is braindead. You could also just tell Apache not to add a server signature. I wonder how the tool will react to that :-) Or is run locally and scans the rpm database?

The first probe is remote. The guy doing it also logged into the box and checked something after I told him about the backported fixes but I haven't caught up with him about the specifics yet. He will understand what RH does, but we have to convincingly document the details for less technical folks - or update to something without CVEs. I would expect this to be a fairly common problem, though. These boxes are running as reverse-proxies with some rewriterules but don't need to handle ftp.

-- 
Les Mikesell lesmikes...@gmail.com
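The situation in this message, a remote probe that flags "Prior To 2.2.14" from the banner while the distribution backports fixes into an older version string, can be documented from the package changelog. The following is an added example, not part of the thread and not the scanner's logic: it turns a banner, the scanner's threshold version and a CVE id into a status with the release and date of the changelog entry as evidence. Function names are hypothetical, and the banner, changelog and CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example; changelog text, banner strings and CVE ids are constructed placeholders.

# banner_version   (stdin: an HTTP "Server:" header line) -> Apache version, or nothing
banner_version() {
    sed -n 's/^Server: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B -> succeeds if dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= (na > nb ? na : nb); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' </dev/null
}

# backport_evidence CVE...   (stdin: output of `rpm -q --changelog PACKAGE`)
# One line per CVE: id <TAB> status <TAB> release <TAB> date of the oldest
# changelog entry that mentions it (the release that introduced the fix).
backport_evidence() {
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, id, " ") }
        /^\* / { date = $2 " " $3 " " $4 " " $5; rel = $NF; next }
        {
            for (i = 1; i <= n; i++) {
                p = index($0, id[i])
                # ignore a longer id that merely starts with the wanted one
                if (p && substr($0, p + length(id[i]), 1) !~ /[0-9]/)
                    hit[id[i]] = rel "\t" date     # later lines are older entries
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (id[i] in hit) print id[i] "\tbackported\t" hit[id[i]]
                else print id[i] "\tnot-in-changelog\t-\t-"
        }'
}

# finding_status BANNER FIXED_IN CVE   (stdin: changelog text)
finding_status() {
    ver=$(printf '%s\n' "$1" | banner_version)
    [ -n "$ver" ] || { echo "no-version-in-banner"; return; }
    version_lt "$ver" "$2" || { echo "not-flagged"; return; }
    if [ "$(backport_evidence "$3" | cut -f2)" = "backported" ]; then
        echo "flagged-but-backported"
    else
        echo "flagged-unverified"
    fi
}

# Constructed changelog in the layout rpm prints, newest entry first.
SAMPLE_CHANGELOG='* Thu Apr 01 2010 Example Packager <pkg@example.com> - 2.2.3-43.example
- unrelated bug fix
* Mon Jan 04 2010 Example Packager <pkg@example.com> - 2.2.3-31.example
- add security fix for CVE-0000-0001 (placeholder id)
- mention of CVE-0000-00019 must not count as CVE-0000-0001'

printf '%s\n' "$SAMPLE_CHANGELOG" | backport_evidence CVE-0000-0001 CVE-0000-0002
printf '%s\n' "$SAMPLE_CHANGELOG" |
    finding_status "Server: Apache/2.2.3 (CentOS)" 2.2.14 CVE-0000-0001
```

On a real host the changelog input is `rpm -q --changelog httpd`; a banner without a version is reported as `no-version-in-banner`.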
Re: [CentOS] Samba and (and maybe other characters) in paths/files
On Jun 30, 2010, at 8:47 AM, Les Mikesell lesmikes...@gmail.com wrote:
> Drew wrote:
>>> You must be spoiled by always using GUI tools that present a pick list - no one would ever type all that crap every time they want to access a file. And, you could just as well use underscores instead of spaces and get the same visual effect AND still permit natural 'break on whitespace' command line parsing of your shell commands. I always thought Microsoft and Apple encouraged using spaces in filenames explicitly to make it difficult for people to continue using command line tools.
>>
>> Actually ... For someone who manages Windows systems for a living I spend quite a bit of my day at the commandline. And that's why tab completion is my friend. :-) Let's not get into the whole windows debate and WTF is a Windows Admin doing on a Linux forum? type of questions. :-) It's the environment I inherited, politics, and some badly thought out projects on my predecessor's part keep Windows in the shop. I just don't tell anyone just how much linux there actually is in the shop. ;-)
>
> Doing stuff at the windows command line tends to be different than working with unix/linux shells. Unix admins are too lazy to do interactive commands repeatedly, even with tab completion, so they will want to save any likely repeated steps as scripts with wildcard expansion to pick up the relevant filenames - or pass them as parameters if wildcards don't make sense. And they'll probably run them across many hosts with ssh. Spaces get even more ugly when you think about quoting them for multiple layers of shell processing. Not impossible, but it gets away from the normal simple elegance of shell parsing to natural words.

In my world I have two parts of the file system, one containing OS and apps that runs short-name standard and the other where the user data files are contained that uses long names and sometimes unicode names, and these can be all kinds of ugly.

These days one needs to learn to quote paths or suffer the pain...

-Ross
Re: [CentOS] Samba and (and maybe other characters) in paths/files
Ross Walker wrote:
> On Jun 30, 2010, at 8:47 AM, Les Mikesell lesmikes...@gmail.com wrote:
>> Drew wrote:
>>>> You must be spoiled by always using GUI tools that present a pick list - no one would ever type all that crap every time they want to access a file. And, you could just as well use underscores instead of spaces and get the same visual effect AND still permit natural 'break on whitespace' command line parsing of your shell commands. I always thought Microsoft and Apple encouraged using spaces in filenames explicitly to make it difficult for people to continue using command line tools.
>>>
>>> Actually ... For someone who manages Windows systems for a living I spend quite a bit of my day at the commandline. And that's why tab completion is my friend. :-) Let's not get into the whole windows debate and WTF is a Windows Admin doing on a Linux forum? type of questions. :-) It's the environment I inherited, politics, and some badly thought out projects on my predecessor's part keep Windows in the shop. I just don't tell anyone just how much linux there actually is in the shop. ;-)
>>
>> Doing stuff at the windows command line tends to be different than working with unix/linux shells. Unix admins are too lazy to do interactive commands repeatedly, even with tab completion, so they will want to save any likely repeated steps as scripts with wildcard expansion to pick up the relevant filenames - or pass them as parameters if wildcards don't make sense. And they'll probably run them across many hosts with ssh. Spaces get even more ugly when you think about quoting them for multiple layers of shell processing. Not impossible, but it gets away from the normal simple elegance of shell parsing to natural words.
>
> In my world I have two parts of the file system, one containing OS and apps that runs short-name standard and the other where the user data files are contained that uses long names and sometimes unicode names, and these can be all kinds of ugly.
>
> These days one needs to learn to quote paths or suffer the pain...

Lots of easily-avoided choices turn out badly in the long run, don't they...

-- 
Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Dell R605 w/ Perc 6/i problem
On Tue, 2010-06-29 at 17:36 -0400, m.r...@5-cent.us wrote:
> Clues for the poor? I want to put the system on the SATA drive, leaving the raid for data.
>
> mark

---
See the drive in the raid configurator? ^C-M Configure the 750G drive as a Raid 0? Init the Scrubbing? The controller otherwise does not know the drive exists (although it does). Otherwise seek help @ linux-powere...@dell.com list is searchable via google.

John
Re: [CentOS] Samba and (and maybe other characters) in paths/files
On Wed, Jun 30, 2010 at 08:47:17AM -0500, Les Mikesell wrote:
> Ross Walker wrote:
>> In my world I have two parts of the file system, one containing OS and apps that runs short-name standard and the other where the user data files are contained that uses long names and sometimes unicode names, and these can be all kinds of ugly. These days one needs to learn to quote paths or suffer the pain...
>
> Lots of easily-avoided choices turn out badly in the long run, don't they...

Sooner or later all this will have to support unicode well. It's an ugly legacy that we don't. Yes, anyone running systems should learn English; but that doesn't mean they shouldn't use native languages in file names.

On the spaces thing, why not craft something in Perl that walks through the file tree and replaces all spaces by underscores? Unless that breaks other stuff that's really depending on those spacey filenames just as they are

Whit
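A sketch of the tree walk suggested above, as an added example that is not part of the thread and is written in shell rather than Perl. It shows the quoting the earlier messages talk about, renames children before their parent directories, leaves an entry alone when the underscore name already exists, and has a dry-run mode for checking what depends on the old names first. The function name and the demo layout are constructed; file names containing newlines are out of scope, and `-mindepth` assumes GNU find.

```shell
#!/bin/sh
# Added example; the function name and the demo directory layout are constructed.

# despace_tree DIR [--dry-run]
# Renames every entry below DIR whose name contains spaces, replacing the
# spaces with underscores. -depth lists children before their parent
# directory, so each listed path is still valid when it is renamed.
despace_tree() {
    find "$1" -mindepth 1 -depth -name '* *' | while IFS= read -r path; do
        dir=$(dirname -- "$path")
        base=$(basename -- "$path")
        new="$dir/$(printf '%s' "$base" | tr ' ' '_')"
        if [ -e "$new" ] || [ -L "$new" ]; then
            # never overwrite: "x y" stays if "x_y" is already there
            printf 'skipped, target exists: %s\n' "$path" >&2
        elif [ "$2" = "--dry-run" ]; then
            printf '%s -> %s\n' "$path" "$new"
        else
            mv -- "$path" "$new"
        fi
    done
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
mkdir -p "$demo/my docs/old reports"
: > "$demo/my docs/old reports/q1 2010.txt"
: > "$demo/x y"
: > "$demo/x_y"
despace_tree "$demo" --dry-run     # prints the planned renames, changes nothing
despace_tree "$demo"
find "$demo" | sort
rm -rf "$demo"
```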
Re: [CentOS] security compliance vs. old software versions
Les Mikesell wrote:
> Kai Schaetzl wrote:
>> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities
>>> Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>>
>> Remove that module from httpd.conf and try again. If it still gives that warning you've proven the tool is braindead. You could also just tell Apache not to add a server signature. I wonder how the tool will react to that :-) Or is run locally and scans the rpm database?
>
> The first probe is remote. The guy doing it also logged into the box and checked something after I told him about the backported fixes but I haven't caught up with him about the specifics yet. He will understand what RH does, but we have to convincingly document the details for less technical folks - or update to something without CVEs. I would expect this to be a fairly common problem, though.
<snip>

I understand that. We had a scan a few months ago (and they're about to do it again), and to satisfy it, I had to turn off the h/d/ramdisks in our laser printers

mark
Re: [CentOS] Dell R605 w/ Perc 6/i problem
2010/6/30 mark m.r...@5-cent.us:
> Jacob Bresciani wrote:
>> R605 is a power edge server model I think. The Perc6/i is a Dell rebranded raid controller, it's actually an LSI in disguise. Try downloading the Megaraid utilities from LSI and using them to see the status of the card.
>
> Hmmm, I think I see the Linux/CentOS megaraid load as it comes up to the install screen (before I get to look at partitioning).
>
>> Also, when you boot the R605, you should be able to get into the Perc's firmware for drive creation/maintenance. You might want to check there to see how it thinks things are configured and it hasn't decided the 750G drive is a hotspare or something (a hotspare wouldn't show up to the OS).
>
> As far as I can tell, it doesn't think it's a hot spare. Using the firmware configuration utility, it sees the physical drive, and that's it.

You need to export the drive as jbod or raid0 if you want to use it on the OS. This is typical on hardware raid controllers.

-- 
Eero
[CentOS] RHEL 6b2 Release
For those who might be interested, RHEL 6b2 has just been announced. http://www.redhat.com/rhel/beta

Cheers,
B.J.

CentOS 5.5, Linux 2.6.18-194.3.1.el5 x86_64 10:47:08 up 8 days, 14:45, 1 user, load average: 0.56, 0.55, 0.49
Re: [CentOS] RHEL 6b2 Release
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of b.j. mcclure
Sent: Wednesday, June 30, 2010 4:49 PM
To: centos@centos.org
Subject: [CentOS] RHEL 6b2 Release

> For those who might be interested, RHEL 6b2 has just been announced. http://www.redhat.com/rhel/beta
>
> Cheers,
> B.J.
>
> CentOS 5.5, Linux 2.6.18-194.3.1.el5 x86_64 10:47:08 up 8 days, 14:45, 1 user, load average: 0.56, 0.55, 0.49

Hi,

And here are the Release Notes for RHEL 6 Beta 2: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Beta_2_Release_Notes/

Best regards,
Morten
Re: [CentOS] RHEL 6b2 Release
2010/6/30 Morten P.D. Stevens mstev...@imt-systems.com:
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of b.j. mcclure
> Sent: Wednesday, June 30, 2010 4:49 PM
> To: centos@centos.org
> Subject: [CentOS] RHEL 6b2 Release
>
>> For those who might be interested, RHEL 6b2 has just been announced. http://www.redhat.com/rhel/beta
>>
>> Cheers,
>> B.J.
>>
>> CentOS 5.5, Linux 2.6.18-194.3.1.el5 x86_64 10:47:08 up 8 days, 14:45, 1 user, load average: 0.56, 0.55, 0.49
>
> Hi,
>
> And here are the Release Notes for RHEL 6 Beta 2: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Beta_2_Release_Notes/
>
> Best regards,

Is there a package list with version numbers available?

-- 
Eero
Re: [CentOS] Dell R605 w/ Perc 6/i problem
This sounds like the right solution, you can do this either from the firmware or the megaraid command line tool MegaCli64 (MegaCli for non-64 bit systems)

On 2010-06-30, at 7:18 AM, Eero Volotinen wrote:
> 2010/6/30 mark m.r...@5-cent.us:
>> Jacob Bresciani wrote:
>>> R605 is a power edge server model I think. The Perc6/i is a Dell rebranded raid controller, it's actually an LSI in disguise. Try downloading the Megaraid utilities from LSI and using them to see the status of the card.
>>
>> Hmmm, I think I see the Linux/CentOS megaraid load as it comes up to the install screen (before I get to look at partitioning).
>>
>>> Also, when you boot the R605, you should be able to get into the Perc's firmware for drive creation/maintenance. You might want to check there to see how it thinks things are configured and it hasn't decided the 750G drive is a hotspare or something (a hotspare wouldn't show up to the OS).
>>
>> As far as I can tell, it doesn't think it's a hot spare. Using the firmware configuration utility, it sees the physical drive, and that's it.
>
> You need to export the drive as jbod or raid0 if you want to use it on the OS. This is typical on hardware raid controllers.
>
> -- 
> Eero
Re: [CentOS] RHEL 6b2 Release
On 30/06/10 16:25, Eero Volotinen wrote:
> Is there a package list with version numbers available?

Not that I've seen, but you could just browse the source dir: ftp://ftp.redhat.com/pub/redhat/rhel/beta/6Server-beta2/source/SRPMS/
[CentOS] Grub fails on dell optiplex 320
After reading:

* [1] http://forums.fedoraforum.org/showthread.php?t=141178
* [2] https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flattopic_id=22187; forum=39
* [3] http://wirelessness.wordpress.com/2007/02/07/installing-fedora-linux-on-a-dell-optiplex-320/
* [4] http://lists.us.dell.com/pipermail/linux-desktops/2007-January/000148.html

1. I booted with linux rescue
2. chroot /mnt/sysimage
3. yum upgrade
4. reboot
5. 2.6.18-194.3.1.el5
6. hang...

Per [4] this should have been fixed in 2.6.20 (2007), did this get back ported by the upstream? The LILO solution won't work because we have to use LVM. Suggestions?

-- 
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333

This message is copyright PD Inc, subject to license 20080407P00.
Re: [CentOS] CentOS MD RAID 1 on Openfiler iSCSI
On 6/30/10, Les Mikesell lesmikes...@gmail.com wrote:
> One thing you can do on the cheap is set up nightly backups with backuppc. It can run on a machine that does something else in the daytime if necessary and its pooling and compression scheme will store about 10x the history you would expect. You need backups anyway since even complex redundancy schemes have modes of failure that can lose things. Or, I suppose you could roll your own with rsync to a zfs filesystem with de-dup, compression, and snapshots set up.

Thanks for that suggestion. Right now I have a script that I used on several machines that basically runs at around 5am (depending on what other cronjobs are scheduled) that tarzip the datafolders, then move the archives into a USB HDD. The clients swap out that drive every few days or weeks (depending on who) when the script sends an email alert that it's full. But a proper software meant to do that sounds like a better idea :D
Re: [CentOS] Dell R605 w/ Perc 6/i problem
Thanks, everyone. Making the single drive a RAID-0 was the answer. From the boot, it was ctrl-R, and then follow what y'all were saying. As soon as I did that, and had the controller software make it bootable, when I got out and went into the CentOS install, everything was wonderful - I even saw what had been on there (before I blew it all away). Thanks again.

mark
Re: [CentOS] CentOS MD RAID 1 on Openfiler iSCSI
On 6/30/2010 11:02 AM, Emmanuel Noobadmin wrote:
> On 6/30/10, Les Mikesell lesmikes...@gmail.com wrote:
>> One thing you can do on the cheap is set up nightly backups with backuppc. It can run on a machine that does something else in the daytime if necessary and its pooling and compression scheme will store about 10x the history you would expect. You need backups anyway since even complex redundancy schemes have modes of failure that can lose things. Or, I suppose you could roll your own with rsync to a zfs filesystem with de-dup, compression, and snapshots set up.
>
> Thanks for that suggestion. Right now I have a script that I used on several machines that basically runs at around 5am (depending on what other cronjobs are scheduled) that tarzip the datafolders, then move the archives into a USB HDD. The clients swap out that drive every few days or weeks (depending on who) when the script sends an email alert that it's full. But a proper software meant to do that sounds like a better idea :D

Not only a better idea, but easier as well. See the details at http://backuppc.sourceforge.net/ but you'd probably want to install from the epel package. A hint, though: the packaged version has already configured where the archive resides and because of the hardlinks it has to be a single filesystem. So, if you mount some big disk/raid as /var/lib/backuppc _before_ you install the rpm you'll avoid some messy contortions. And you'll likely accumulate so many files/links that it won't be practical to copy the filesystem except with image methods. You might want to make a 3-member RAID1 with one device 'missing'. Then you can periodically add a matching external disk (esata is fastest), let it sync, then fail and remove it for offsite storage.

-- 
Les Mikesell lesmikes...@gmail.com
[CentOS] Devhelp had problem
When I opened Devhelp, there was a segment error even though I had reinstalled it. How can I fix it?
[CentOS] xulrunner-devel dependencies
What's the deal with all of the new dependencies for xulrunner-devel in the last update? I'm updating my servers and the update for xulrunner-devel is forcing me to install 43 new packages! Is this a packaging problem, or are all of those packages really needed? For the moment, I've been removing xulrunner-devel from my machines to avoid the problem. I figure since it is a development package, I can always reinstall it later if I need it.

Bowie
[CentOS] Anyone seen the Adobe update?
I get an email from security, I see the article on slashdot, and other places, that Adobe's issued an update to acroread... but yum update AdobeReader_enu is still telling me there's no update. Has anyone seen it yet, in the repositories?

mark
Re: [CentOS] Devhelp had problem
On 30/06/2010 17:47, cjzjm100 wrote:
> When I opened Devhelp, there was a segment error even though I had reinstalled it. How can I fix it?

I've just pushed an update to the centos mirrors for devhelp that should fix this issue for you. Give it a few hours to be seen publicly. If your problem persists after the update, open an issue report at http://bugs.centos.org/

thanks
- KB
Re: [CentOS] Anyone seen the Adobe update?
On Wed, Jun 30, 2010 at 12:52 PM, m.r...@5-cent.us wrote:
> I get an email from security, I see the article on slashdot, and other places, that Adobe's issued an update to acroread... but yum update AdobeReader_enu is still telling me there's no update. Has anyone seen it yet, in the repositories?

Nope. I'm still waiting to see it as well.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell
[CentOS] prelink
The above discussion of prelink gave me pause for thought... I have a suite of programs that I install in their own directory, along with their datafiles, under /opt. Would it be a good idea to add that directory to /etc/prelink.conf? What could go wrong? -- MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: [CentOS] security compliance vs. old software versions
On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
> I understand that. We had a scan a few months ago (and they're about to do it again), and to satisfy it, I had to turn off the h/d/ramdisks in our laser printers

What is the point of doing a security scan under conditions that are not actually live? It sounds like moving the flammable materials out before a fire inspection, then moving them right back in when the inspector leaves.

What is gained? You're no more secure than you were before the inspection, and you're no longer running what you had running during the inspection.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: [CentOS] security compliance vs. old software versions
Frank Cox wrote:
> On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
> I understand that. We had a scan a few months ago (and they're about to do it again), and to satisfy it, I had to turn off the h/d/ramdisks in our laser printers
>
> What is the point of doing a security scan under conditions that are not actually live? It sounds like moving the flammable materials out before a fire inspection, then moving them right back in when the inspector leaves.

Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure. Right.

> What is gained? You're no more secure than you were before the inspection, and you're no longer running what you had running during the inspection.

They're scanning mostly based on WinDoze, and too many of them don't actually understand what they're looking for, and certainly they have *NOT* thought about what they're asking. For that matter, IMO, they didn't even read the results of their scans, just forwarded a large mass of everything that didn't pass to the general group responsible (or rather, they didn't even break it up to each group, just a large mess; they didn't even pay attention to what was desktop support, which is closer to being under them, directly).

Mostly for show, on their part, to look like they're Doing Something.

mark
Re: [CentOS] RHEL 6b2 Release
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Morten P.D. Stevens
Sent: Wednesday, June 30, 2010 5:13 PM
To: CentOS mailing list
Subject: Re: [CentOS] RHEL 6b2 Release

Hi,

And here are the Release Notes for RHEL 6 Beta 2: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Beta_2_Release_Notes/

The official Redhat mirror is very slow at the moment. Here is a faster mirror from my company for the x86-64 version: http://download2.imt-systems.com/rhel6b2/

Best regards,
Morten
[CentOS] uuid_fixer?
Anyone know of a repository with uuid_fixer? Now that I've rebuilt this thing, I need to recover the LVM that the raid comprises mark
Re: [CentOS] security compliance vs. old software versions
For most (large) organizations, security scans have NOTHING to do with increasing security, and everything with being able to answer "Yes" to a question like "Do you regularly scan for known defects?", probably for a VISA type compliance check.

If you don't already know, you really don't want to know about data security in the medical or banking communities.

On Wed, 30 Jun 2010, Frank Cox wrote:
> What is the point of doing a security scan under conditions that are not actually live? It sounds like moving the flammable materials out before a fire inspection, then moving them right back in when the inspector leaves.
>
> What is gained? You're no more secure than you were before the inspection, and you're no longer running what you had running during the inspection.

--
Jim Wildman, CISSP, RHCE j...@rossberry.com http://www.rossberry.com
Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one. Thomas Paine
Re: [CentOS] Grub fails on dell optiplex 320
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jason Pyeron
Sent: Wednesday, June 30, 2010 11:54
To: 'CentOS mailing list'
Subject: [CentOS] Grub fails on dell optiplex 320

After reading:

*[1] http://forums.fedoraforum.org/showthread.php?t=141178
*[2] https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=22187&forum=39
*[3] http://wirelessness.wordpress.com/2007/02/07/installing-fedora-linux-on-a-dell-optiplex-320/
*[4] http://lists.us.dell.com/pipermail/linux-desktops/2007-January/000148.html
*[5] https://bugzilla.redhat.com/show_bug.cgi?id=244067 Open bug at RedHat

1. I booted with linux rescue
2. chroot /mnt/sysimage
3. yum upgrade
4. reboot
5. 2.6.18-194.3.1.el5
6. hang...

Per [4] this should have been fixed in 2.6.20 (2007), did this get back ported by the upstream?

The LILO solution won't work because we have to use LVM.

Suggestions?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
Re: [CentOS] security compliance vs. old software versions
Jim Wildman wrote:
> On Wed, 30 Jun 2010, Frank Cox wrote:
> snip
> What is the point of doing a security scan under conditions that are not actually live? It sounds like moving the flammable materials out before a fire inspection, then moving them right back in when the inspector leaves.
>
> What is gained? You're no more secure than you were before the inspection, and you're no longer running what you had running during the inspection.
>
> For most (large) organizations, security scans have NOTHING to do with increasing security, and everything with being able to answer "Yes" to a question like "Do you regularly scan for known defects?", probably for a VISA type compliance check.
>
> If you don't already know, you really don't want to know about data security in the medical or banking communities.

Heh. Heh. Heh. And don't forget the credit card community. Or the US gov't (and gov't medical community).

mark
Re: [CentOS] security compliance vs. old software versions
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.

The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.

If your purpose is simply to check off a box on a form, why not just write the Sooper Dooper Security Scanner yourself?

    #include <stdio.h>

    int main(void)
    {
        printf("Sooper Dooper Security Scanner!\n");
        printf("Starting scan...\nScan completed...\nScan passed.\n");
        return 0;
    }

You would gain just as much from that as what you're gaining right now, and it would take less effort on your part.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: [CentOS] security compliance vs. old software versions
On Wed, Jun 30, 2010, Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.
>
> The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.

There are fundamental problems with the PCI compliance checking that I've seen. I've had them say that sites accept SSLv2 when they explicitly don't as a real test shows (e.g. use openssl in client mode to attempt to connect using that protocol).

The one that really frosts me is that the systems we support use a combination of tcp_wrappers, swatch, and software I've written that automatically blocks IP addresses which exhibit malicious behaviour, similar to fail2ban, but using a DNSRBL to automatically block sites that have been identified as attackers. The PCI testers get blocked because of what appear to be cracking attempts, then have the gall to say that the site fails because it appears to have active firewalls. Well DUH!

Bill

--
INTERNET: b...@celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676           Mercer Island, WA 98040-0820
Fax: (206) 232-9186             Skype: jwccsllc (206) 855-5792

Democracy is the theory that the common people know what they want and deserve to get it good and hard. == H.L. Mencken
Re: [CentOS] security compliance vs. old software versions
Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.
>
> The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just write the Sooper Dooper Security Scanner yourself?
> snip
> You would gain just as much from that as what you're gaining right now, and it would take less effort on your part.

Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other.

They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?

To me, this indicates that they have *no* concept of what they're requiring, that they've included treating printers as though they were servers or workstations.

But then, they also had problems with several servers that another admin takes care of, complaining that they could allow certain kinds of access, which would be true of any *Nix variant... but don't exactly work in VMS. One size of security does *not* fit all.

mark
Re: [CentOS] security compliance vs. old software versions
m.r...@5-cent.us wrote:
> Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.
>
> The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just write the Sooper Dooper Security Scanner yourself?
> snip
> You would gain just as much from that as what you're gaining right now, and it would take less effort on your part.
>
> Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other.
>
> They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?
>
> To me, this indicates that they have *no* concept of what they're requiring, that they've included treating printers as though they were servers or workstations.

Forgive the minor nit, and hopefully not continuing the talking past each other, but modern printers have more computer resources than a smart phone, and the embedded OS is either equally as complex or an embedded braindead version of Windows.

In other words, they are assets worth protecting.

--
-- John E. Jasen (jja...@realityfailure.org)
-- Deserve Victory.
-- Terry Goodkind, Naked Empire
Re: [CentOS] security compliance vs. old software versions
John Jasen wrote:
> m.r...@5-cent.us wrote:
> Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.
> snip
> Forgive the minor nit, and hopefully not continuing the talking past each other, but modern printers have more computer resources than a smart phone, and the embedded OS is either equally as complex or an embedded braindead version of Windows.
>
> In other words, they are assets worth protecting.

So, you're saying protection is more important than having them usable for the folks whose use they were bought for? You're saying that we should just get rid of them, and buy less capable printers that can't do as much? Even when the only way to get to the existing printers is from a system that's *inside* the firewall, and on our network?

Hey, how 'bout I just unplug them from the network altogether? They'll be doorstops, but they'll be secure.

mark
Re: [CentOS] security compliance vs. old software versions
On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
> Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other.
>
> They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?

Actually the problem with hd's on printer/scanner/fax machines is that when you scrap the device, someone can pull the drives and easily recover all the confidential info that has been through them that no one thought about securing. You probably do have a policy about not scrapping computers without removing or securely wiping the hard disks - but all the same stuff ends up on the printers too.

> But then, they also had problems with several servers that another admin takes care of, complaining that they could allow certain kinds of access, which would be true of any *Nix variant... but don't exactly work in VMS. One size of security does *not* fit all.

True, but how would you do it better from a very high level - where you want to end up with an unbiased audit that shows best practices are being followed? We should probably know better by now than to let companies/business units/administrators police themselves so you need metrics for someone else to test with. And even internally you need to document why the failure of any standard check should be overlooked.

--
Les Mikesell lesmikes...@gmail.com
Re: [CentOS] security compliance vs. old software versions
Les Mikesell wrote:
> On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
> Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other.
>
> They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?
>
> Actually the problem with hd's on printer/scanner/fax machines is that when you scrap the device, someone can pull the drives and easily recover all the confidential info that has been through them that no one thought about securing. You probably do have a policy about not scrapping computers without removing or securely wiping the hard disks - but all the same stuff ends up on the printers too.

We haven't retired a printer since I've been here (only since last Aug), but I suspect there is such a policy. When we surplus a system, we either sanitize it to DoD standards (thanks, Darik's boot 'n' nuke), or we have it degaussed. Tapes, too, so I'd be surprised if we don't do something like that for printers. (Btw, I am only speaking for myself, not for my employer or the US gov't agency that I work at, but this *is* a US federal gov't agency.)

> But then, they also had problems with several servers that another admin takes care of, complaining that they could allow certain kinds of access, which would be true of any *Nix variant... but don't exactly work in VMS. One size of security does *not* fit all.
>
> True, but how would you do it better from a very high level - where you want to end up with an unbiased audit that shows best practices are being followed? We should probably know better by now than to let

You need a different scan for each kind of thing you're scanning. What's valid in one arena is *not* valid in another; either it's moot, or nonexistent, or cannot occur for good and sufficient reasons. Trying one size fits all gives meaningless results if you've only built your scanner for two or three basic things.

> companies/business units/administrators police themselves so you need metrics for someone else to test with. And even internally you need to document why the failure of any standard check should be overlooked.

No, the security people should have defined requirements specifically for our environment, rather than using something that's designed, say, for a std. corporate IT dept.

mark
Re: [CentOS] security compliance vs. old software versions
But the point is that the original poster is NOT the one running the scan. And the results of the scan (complaining about vulnerabilities based on version numbers) indicates that it is not a true 'security' scan anyway. For (almost) every CVE issued, there is a way to mitigate the risk that does not involve installing the latest and greatest with all the new fixes. It is at best a superficial scan of the type that is sold to PHB's so they can check the box.

I've spent a lot of hours trying to educate auditors.

On Wed, 30 Jun 2010, Frank Cox wrote:
> The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.
>
> If your purpose is simply to check off a box on a form, why not just write the Sooper Dooper Security Scanner yourself?

--
Jim Wildman, CISSP, RHCE j...@rossberry.com http://www.rossberry.com
Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one. Thomas Paine
Re: [CentOS] security compliance vs. old software versions
On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
> companies/business units/administrators police themselves so you need metrics for someone else to test with. And even internally you need to document why the failure of any standard check should be overlooked.
>
> No, the security people should have defined requirements specifically for our environment, rather than using something that's designed, say, for a std. corporate IT dept.

I like the sentiment, but the people making the situation-specific rules would need to know more than the people actually doing the work which doesn't seem likely to happen. And there's some value in making everyone follow the same rules.

--
Les Mikesell lesmikes...@gmail.com
Re: [CentOS] How can binaries be different when package versions are identical? (mkfs.ext3 on CentOS 5.4)
On Wed, Jun 30, 2010 at 1:48 AM, Peter Kjellstrom c...@nsc.liu.se wrote:
> On Wednesday 30 June 2010, Spiro Harvey wrote:
> Aleksey Tsalolikhin atsaloli.t...@gmail.com wrote:
> (a) account for the difference in the binaries, and (b) see if something else is different that I can make the same to get the mkfs.ext3 time down to 15 sec on both systems. Solving (a) should shed light on (b). Any ideas?
>
> Look into prelinking (man prelink). A prelinker from /etc/cron.daily that changes the binaries with an aim to speed up execution.

Yes, actually the full rpm -V message mentions prelink:

[r...@server2 ~]# rpm -V e2fsprogs
prelink: /sbin/mkfs.ext3: at least one of file's dependencies has changed since prelinking
S.?T/sbin/mkfs.ext3
[r...@server2 ~]#

I will RTFM on prelink. Thank you, Spiro, all!

Aleksey
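The rpm -V output in the message above pairs a prelink diagnostic with a "?" in the digest column, which rpm prints when a check could not be performed, not when it failed. The following Python parser is an added example, not part of the original post: it triages such output so that "could not verify" is kept apart from "contents differ". The sample lines are constructed, in rpm 4.4's eight-column flag layout, and the verdict names are this example's own.

```python
import re
from dataclasses import dataclass

# Verify columns as documented in rpm(8). rpm 4.4 (CentOS 5) prints the first
# eight; later releases add a ninth column, P (capabilities).
COLUMNS = ["size", "mode", "digest", "device", "symlink",
           "owner", "group", "mtime", "capabilities"]

PRELINK_NOTE = re.compile(r"^prelink: (?P<path>\S+): (?P<reason>.+)$")
MISSING = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
VERIFY = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")

# Constructed sample input (not taken from the thread): one prelinked binary
# whose digest could not be checked, one edited config file, one file with
# only a timestamp change, and one missing file.
SAMPLE = """\
prelink: /sbin/mkfs.ext3: at least one of file's dependencies has changed since prelinking
S.?....T    /sbin/mkfs.ext3
S.5....T  c /etc/mke2fs.conf
.......T    /usr/share/doc/example/README
missing     /sbin/e2label
"""


@dataclass
class Finding:
    path: str
    failed: list              # checks whose value differs from the rpm database
    unknown: list             # checks rpm could not perform ("?")
    attr: str = ""            # c=config, d=doc, g=ghost, l=license, r=readme
    prelink_reason: str = ""  # text of a matching "prelink:" diagnostic, if any
    verdict: str = ""


def classify(finding):
    """Map the flag columns to a triage verdict (names are this example's own)."""
    if "digest" in finding.failed:
        return "content-mismatch"
    if "digest" in finding.unknown:
        # rpm could not compute a digest; a prelink diagnostic explains why.
        if finding.prelink_reason:
            return "digest-unverified-prelink"
        return "digest-unverified"
    return "metadata-only"


def parse_rpm_verify(text):
    """Return (findings, unparsed_lines) for captured `rpm -V` output."""
    notes, findings, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PRELINK_NOTE.match(line)
        if m:
            notes[m["path"]] = m["reason"]
            continue
        m = MISSING.match(line)
        if m:
            findings.append(
                Finding(m["path"], [], [], m["attr"] or "", verdict="missing"))
            continue
        m = VERIFY.match(line)
        if not m:
            unparsed.append(line)
            continue
        failed, unknown = [], []
        for name, flag in zip(COLUMNS, m["flags"]):
            if flag == "?":
                unknown.append(name)
            elif flag != ".":
                failed.append(name)
        findings.append(Finding(m["path"], failed, unknown, m["attr"] or ""))
    # Attach prelink diagnostics afterwards so their position in the
    # captured output does not matter.
    for finding in findings:
        if finding.verdict != "missing":
            finding.prelink_reason = notes.get(finding.path, "")
            finding.verdict = classify(finding)
    return findings, unparsed


if __name__ == "__main__":
    results, leftovers = parse_rpm_verify(SAMPLE)
    for item in results:
        print(f"{item.verdict:28} {item.path}  failed={item.failed} unknown={item.unknown}")
    for line in leftovers:
        print("unparsed:", line)
```

Feed it `rpm -V` output captured with stderr merged (`2>&1`) so that any prelink diagnostics are included. A "digest-unverified-prelink" verdict means the file's contents were not actually checked.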
Re: [CentOS] security compliance vs. old software versions
On Jun 30, 2010, at 6:03 PM, Les Mikesell lesmikes...@gmail.com wrote:
> On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
> companies/business units/administrators police themselves so you need metrics for someone else to test with. And even internally you need to document why the failure of any standard check should be overlooked.
>
> No, the security people should have defined requirements specifically for our environment, rather than using something that's designed, say, for a std. corporate IT dept.
>
> I like the sentiment, but the people making the situation-specific rules would need to know more than the people actually doing the work which doesn't seem likely to happen. And there's some value in making everyone follow the same rules.

Plus, one can also write up a detailed report for any given exception explaining why it is either not applicable for a given platform (including exploit test results) or that there is a definitive business reason why the exception must exist and that there are mitigating controls around it.

-Ross
Re: [CentOS] security compliance vs. old software versions
On Wed, Jun 30, 2010 at 5:02 PM, m.r...@5-cent.us wrote:
> Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other.
>
> They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?

The copy machine requirements are relatively recent, though the problem has been around for years. Apparently the hard drives inside the copiers store faxes and images going back for months (depends on capacity and configuration). Though I usually scoff at the latest massive problems that make the news, this one did have me worried. There was a TV expose' that showed how easily one could purchase a used copy machine, disassemble the hard drive, then have access to months of confidential information that got stored on the hard drive. I *never* considered that making a copy at a Kinko's could leave my private information in someone's hands.

> To me, this indicates that they have *no* concept of what they're requiring, that they've included treating printers as though they were servers or workstations.

Right, the scanners rarely have any idea of what it is that they're requesting. They've often asked me for screenshots of a Putty session to verify that a setting is correct. In essence, they are trusting the person providing the information to comply with the requirement. And of course the other problem is that the requirements are rather vague.

> But then, they also had problems with several servers that another admin takes care of, complaining that they could allow certain kinds of access, which would be true of any *Nix variant... but don't exactly work in VMS. One size of security does *not* fit all.

For many compliance efforts, showing that a problem is mitigated by other controls is sometimes enough for compliance.
[CentOS] firewire in centos 5.4 - do i really need the centosplus kernel
Hi list, I'm running 2.6.18-164-15.1 xen kernel. Any way to get firewire to work on it? I've read plenty about needing the centosplus kernel but is that really necessary? - aurf
[CentOS] Live CD problems
Hi,

I'm trying to repair a remote system using the Live CD. I have VPN access to the subnet where it lives. An onsite person is booting from cd, and running a small script I provided to tweak the default firewall rule set to allow incoming ssh, and set a password for the centos user and start sshd. So far so good, I can remotely access the system.

The problem is the live cd environment is very fragile. I need to rebuild the contents of a couple filesystems, so I need to umount them and remount them rw. If I make a mistake in a mount command, instead of giving an error message and letting me try again, the system freezes and any other ssh session freezes, and will not accept any more incoming ssh connections. The only way I have found to recover is have the onsite person reboot from cd and rerun the script allowing incoming ssh again.

Hmm. I should try to talk the onsite person through trying something else from the console.

Argghhh!!! This is more than just an annoyance.

--
Drew Einhorn
You can see a lot by just looking. -- Yogi Berra
[CentOS] firewire follow up
A bit more info about my system;

I edited /etc/modprobe.d/blacklist-firewire and commented out the blacklist like so it looks like so;

    #blacklist firewire-ohci

Running lspci returns;

    10:0b.0 Firewire (IEEE 1394): Texas Instruments TSB82AA2 IEEE-1394b Link Layer Controller (rev 02)

lsmod | grep firewire returns;

    firewire_sbp2          50897  0
    firewire_core          79305  1 firewire_sbp2
    scsi_mod              196953  5 firewire_sbp2,scsi_dh,sg,libata,sd_mod

- aurf
Re: [CentOS] Live CD problems
Instead of unmounting the partition try using 'mount -o rw,remount ', I don't use the live CD much, but unless you screw up the rw, remount, or the path to the mounted partition it should either remount the partition properly or error that you didn't point to the correct path. I have rarely had issues with remount so it sounds like it would get around your issue.

--
Trevor Benson
dCAP, LPIC-1, CLA, Network+, MCP, CNA
A1 Networks - Network Engineer
DID (707)703-1041 FAX (707)703-1983

On Jun 30, 2010, at 4:43 PM, drew einhorn wrote:
> Hi,
>
> I'm trying to repair a remote system using the Live CD. I have VPN access to the subnet where it lives. An onsite person is booting from cd, and running a small script I provided to tweak the default firewall rule set to allow incoming ssh, and set a password for the centos user and start sshd. So far so good, I can remotely access the system.
>
> The problem is the live cd environment is very fragile. I need to rebuild the contents of a couple filesystems, so I need to umount them and remount them rw. If I make a mistake in a mount command, instead of giving an error message and letting me try again, the system freezes and any other ssh session freezes, and will not accept any more incoming ssh connections. The only way I have found to recover is have the onsite person reboot from cd and rerun the script allowing incoming ssh again.
>
> Hmm. I should try to talk the onsite person through trying something else from the console.
>
> Argghhh!!! This is more than just an annoyance.
>
> --
> Drew Einhorn
> You can see a lot by just looking. -- Yogi Berra
Re: [CentOS] security compliance vs. old software versions
m.r...@5-cent.us wrote:
> John Jasen wrote:
> m.r...@5-cent.us wrote:
> Frank Cox wrote:
> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's Secure.
> snip
> Forgive the minor nit, and hopefully not continuing the talking past each other, but modern printers have more computer resources than a smart phone, and the embedded OS is either equally as complex or an embedded braindead version of Windows.
>
> In other words, they are assets worth protecting.
>
> So, you're saying protection is more important than having them usable for the folks whose use they were bought for? You're saying that we should just get rid of them, and buy less capable printers that can't do as much? Even when the only way to get to the existing printers is from a system that's *inside* the firewall, and on our network?
>
> Hey, how 'bout I just unplug them from the network altogether? They'll be doorstops, but they'll be secure.

Well, I'm a security admin, so of course protection is more important than utility! :)

But seriously, the assessment tools provide information on your environment, based on certain standard metrics. It's (HOPEFULLY! PCI compliance notwithstanding) up to the people who end up reading them to fix the environment, determine that it's not a problem, or accept the risk that was discovered.

--
-- John E. Jasen (jja...@realityfailure.org)
-- Deserve Victory.
-- Terry Goodkind, Naked Empire
Re: [CentOS] How can binaries be different when package versions are identical? (mkfs.ext3 on CentOS 5.4)
I read up on prelink as suggested; and used ldd /sbin/mkfs.ext3 to see what the dependencies (libraries) are. There are 13 dependencies; file size is the same between servers but md5sums are different!

Most of these libraries have other libraries they call; I finally drilled down to ld-2.5.so which is statically built. Same thing: same file size, same datestamp, same package version; but the binary is actually different; yet rpm -V does not complain. Why?

(Both systems are running CentOS 5.4; one was deployed in December 2009, the other in April 2010.)

[r...@server1 /lib64]# ls -l ld-2.5.so
-rwxr-xr-x 1 root root 139416 Sep 2 2009 ld-2.5.so
[r...@server1 /lib64]# md5sum ld-2.5.so
ad38c69452b3990852c0d3e0ea51a31b ld-2.5.so
[r...@server1 /lib64]# ldd ld-2.5.so
statically linked
[r...@server1 /lib64]# rpm -q -f /lib64/ld-2.5.so
glibc-2.5-42
[r...@server1 /lib64]# rpm -V glibc
[r...@server1 /lib64]#

[r...@server2 /lib64]# ls -l ld-2.5.so
-rwxr-xr-x 1 root root 139416 Sep 2 2009 ld-2.5.so
[r...@server2 /lib64]# md5sum ld-2.5.so
ddb5ad336c3cf40ee2c69b91ef7bfd04 ld-2.5.so
[r...@server2 /lib64]# ldd ld-2.5.so
statically linked
[r...@server2 /lib64]#
[r...@server2 /lib64]# rpm -q -f /lib64/ld-2.5.so
glibc-2.5-42
[r...@server2 /lib64]# rpm -V glibc-2.5-42
[r...@server2 /lib64]#

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] How can binaries be different when package versions are identical? (mkfs.ext3 on CentOS 5.4)
i think you'll need to re-read the man pages on prelink. specifically, the -y or --md5 or --sha options. that is essentially what rpm -V does, it does an undo of the prelink to verify the original binary file's hash; which will be the same for the same version of software from the same package. doing an md5sum/sha1sum on prelinked binaries is meaningless now.

i know this whole 'prelink' thing throws people off the first time they encounter it. especially if you're doing computer forensics and you haven't been made aware of this, it'll drive you nuts until you understand prelink. personally speaking, i think this 'optimization' comes at a cost, but one eventually gets used to it.

hope that helps...

-Bond

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Aleksey Tsalolikhin
Sent: Wednesday, June 30, 2010 6:00 PM
To: CentOS mailing list
Subject: Re: [CentOS] How can binaries be different when package versions are identical? (mkfs.ext3 on CentOS 5.4)

I read up on prelink as suggested; and used ldd /sbin/mkfs.ext3 to see what the dependencies (libraries) are. There are 13 dependencies; file size is the same between servers but md5sums are different!

Most of these libraries have other libraries they call; I finally drilled down to ld-2.5.so which is statically built. Same thing: same file size, same datestamp, same package version; but the binary is actually different; yet rpm -V does not complain. Why?

(Both systems are running CentOS 5.4; one was deployed in December 2009, the other in April 2010.)

[r...@server1 /lib64]# ls -l ld-2.5.so
-rwxr-xr-x 1 root root 139416 Sep 2 2009 ld-2.5.so
[r...@server1 /lib64]# md5sum ld-2.5.so
ad38c69452b3990852c0d3e0ea51a31b ld-2.5.so
[r...@server1 /lib64]# ldd ld-2.5.so
statically linked
[r...@server1 /lib64]# rpm -q -f /lib64/ld-2.5.so
glibc-2.5-42
[r...@server1 /lib64]# rpm -V glibc
[r...@server1 /lib64]#

[r...@server2 /lib64]# ls -l ld-2.5.so
-rwxr-xr-x 1 root root 139416 Sep 2 2009 ld-2.5.so
[r...@server2 /lib64]# md5sum ld-2.5.so
ddb5ad336c3cf40ee2c69b91ef7bfd04 ld-2.5.so
[r...@server2 /lib64]# ldd ld-2.5.so
statically linked
[r...@server2 /lib64]#
[r...@server2 /lib64]# rpm -q -f /lib64/ld-2.5.so
glibc-2.5-42
[r...@server2 /lib64]# rpm -V glibc-2.5-42
[r...@server2 /lib64]#

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
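
The cross-host comparison discussed in this thread, as an added example that is not part of the original messages: 'report' records each file's on-disk MD5 next to the MD5 that 'prelink -y --md5' gives after undoing prelinking, and 'compare' classifies two hosts' reports. The function names, the three-column report format and the 'unverified' marker are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): tell prelink noise from real changes.
# Usage on each host:  sh prelink_report.sh /lib64/ld-2.5.so ... > host.report

# report FILE...: print "path ondisk_md5 original_md5", one line per file.
# `prelink -y --md5` undoes prelinking, checks that re-prelinking reproduces
# the on-disk file, and prints the MD5 of the undone image. If prelink is
# missing or rejects the file, the third column is "unverified"; on a
# prelinked host that means the file needs a closer look.
# Assumes paths without whitespace.
report() {
    for f in "$@"; do
        ondisk=$(md5sum "$f" | awk '{print $1}')
        orig=
        if command -v prelink >/dev/null 2>&1; then
            orig=$(prelink -y --md5 "$f" 2>/dev/null | awk '{print $1}')
        fi
        printf '%s %s %s\n' "$f" "$ondisk" "${orig:-unverified}"
    done
}

# compare REPORT_A REPORT_B: one verdict per path present in both reports.
#   same          on-disk and original hashes match
#   prelink-only  on-disk hashes differ, original hashes match
#   DIFFERENT     original hashes differ (different package content)
#   unverified    at least one host could not undo prelinking
compare() {
    awk '
        NR == FNR { disk[$1] = $2; orig[$1] = $3; next }
        !($1 in disk) { next }
        {
            if ($3 == "unverified" || orig[$1] == "unverified") v = "unverified"
            else if ($3 != orig[$1]) v = "DIFFERENT"
            else if ($2 != disk[$1]) v = "prelink-only"
            else v = "same"
            print $1, v
        }' "$1" "$2"
}

# When called with file arguments, print this host's report.
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

For the ld-2.5.so case in the thread, 'prelink-only' is the verdict consistent with rpm -V staying silent on both servers.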