[CentOS] /etc/cron.d

2011-12-07 Thread Fajar Priyanto
Hi all,
Who takes care of cronjob in /etc/cron.d ?
Should we tell crond to run it?

/etc/crontab only mentions hourly, daily, weekly, monthly

-- 
Thanks
Fajar
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Help to install horde

2011-12-07 Thread Craig White

On Dec 7, 2011, at 2:46 PM, Weplica wrote:

> Hello,
> 
> I have install Horde rpm with webmin:
> 
> Instalando paquete(s) con el comando yum -y install yun grouinstall horde ...
> 
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
>  * base: centos.intergenia.de
>  * epel: ftp-stud.hs-esslingen.de
>  * extras: centos.intergenia.de
>  * updates: ftp.belnet.be
> Setting up Install Process
> No package yun available.
> No package grouinstall available.
> Package horde-3.3.11-1.el6.noarch already installed and latest version
> Nothing to do
> 
> .. instalación completa.
> 
> 
> And I do that:
> If Apache is running, you must now configure this installation of  
> Horde by visiting:
> http://127.0.0.1/horde/
> and then navigating to Administration > Setup > Horde
> 
> Documentation on configuring Horde can be found at:
> /usr/share/doc/horde-3.3.11/docs/INSTALL
> 
> 
> But I only have ssh access, so I do:
> 
> http:// "my-ip" /horde/
> 
> But I have nothing...
> 
> Can someone help me please?

I think if you do succeed, you will be installing an outdated version.

Horde is now on version 4.x (I think something like 4.08)

Everything has changed

On top of that - it does take more than the administration panel to configure 
either Horde 3.x or Horde 4.x and thus you really need to ssh and read the file 
/usr/share/doc/horde-3.3.11/docs/INSTALL just as it says.

Craig



Re: [CentOS] Help to install horde

2011-12-07 Thread Mitch Patenaude
On 12/7/11 1:46 PM, "Weplica"  wrote:
>[...]
>And I do that:
>If Apache is running, you must now configure this installation of
>Horde by visiting:
>http://127.0.0.1/horde/
>and then navigating to Administration > Setup > Horde
>
>Documentation on configuring Horde can be found at:
>/usr/share/doc/horde-3.3.11/docs/INSTALL
>
>
>But I only have ssh access, so I do:
>
>http:// "my-ip" /horde/
>
>But I have nothing...

The web server is probably only bound to the localhost interface as a
security measure.

You could launch a remote firefox as mroth suggested, but I would use ssh
port forwarding instead:

ssh "your_server" -L8080:localhost:80

Then you can open a browser with the url:
http://localhost:8080/horde/

and that should do what you want.

  -- Mitch Patenaude mpatena...@shutterfly.com
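
A way to confirm the localhost-only binding guessed at in the message above before setting up the tunnel, as an added example that is not part of the original post. The `ss -ltn` sample is constructed and the function name `bind_scope` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a TCP port is bound,
# based on `ss -ltn` output, to confirm a "localhost only" listener.

# Constructed sample of `ss -ltn` output. On the server, pipe the real
# command in instead:  ss -ltn | bind_scope 80
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:80        0.0.0.0:*
LISTEN  0       128     [::1]:80            [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*'

# bind_scope PORT   (reads `ss -ltn` style lines on stdin)
# Prints one of: all-interfaces, specific:<addr>, loopback, not-listening.
bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            # Everything before the final ":<port>" is the bind address.
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
            if (addr == "127.0.0.1" || addr == "::1") lo = 1
            else if (addr == "0.0.0.0" || addr == "*" || addr == "::") any = 1
            else other = addr
        }
        END {
            # Report the widest exposure found for this port.
            if (any) print "all-interfaces"
            else if (other != "") print "specific:" other
            else if (lo) print "loopback"
            else print "not-listening"
        }'
}

# Demo on the constructed sample.
for p in 80 22 443; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SS" | bind_scope "$p")"
done

# "loopback" for port 80 is the case described above: the page is reachable
# only from the server itself, so it is forwarded over SSH:
#   ssh "your_server" -L8080:localhost:80
# With the ssh client default GatewayPorts=no, the local end (8080) is also
# bound to loopback only, so the forward is not offered to other hosts.
```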



Re: [CentOS] Help to install horde

2011-12-07 Thread Bill Campbell
On Wed, Dec 07, 2011, John R Pierce wrote:
>On 12/07/11 1:58 PM, m.r...@5-cent.us wrote:
>> ssh -X yourserver
>> firefox -no-remote&
>> *Then*  http://127.0.0.1/horde, or http://localhost/horde, whatever.
>
>if that doesn't work, `yum install xauth`, then log out and log in again 
>with ssh -X ...

This may work better, ssh -Y.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

It would be a great improvement if the government respected individuals
rights as much as they respect the rights of the caribous.


Re: [CentOS] Help to install horde

2011-12-07 Thread John R Pierce
On 12/07/11 1:58 PM, m.r...@5-cent.us wrote:
> ssh -X yourserver
> firefox -no-remote&
> *Then*  http://127.0.0.1/horde, or http://localhost/horde, whatever.

if that doesn't work, `yum install xauth`, then log out and log in again 
with ssh -X ...



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] Help to install horde

2011-12-07 Thread m . roth
Tim Evans wrote:
> On 12/07/2011 04:59 PM, Weplica wrote:
>> And I need to uninstall first, before to do yum -y groupinstall horde?
>
> I can't say.  I merely pointed out your command line had a couple of
> typographical errors. ("yun" and "grouinstall") and was wrong syntax.

I shouldn't think so - it'll tell you what's already installed, and
install the rest.

mark



Re: [CentOS] Help to install horde

2011-12-07 Thread m . roth
m.r...@5-cent.us wrote:
> Weplica wrote:
>> Hello,
>>
>> I have install Horde rpm with webmin:
>>
>> Instalando paquete(s) con el comando yum -y install yun grouinstall
>> horde
>> ...
>>
>> Loaded plugins: fastestmirror
>> Loading mirror speeds from cached hostfile
>>   * base: centos.intergenia.de
>>   * epel: ftp-stud.hs-esslingen.de
>>   * extras: centos.intergenia.de
>>   * updates: ftp.belnet.be
>> Setting up Install Process
>> No package yun available.
>> No package grouinstall available.
>> Package horde-3.3.11-1.el6.noarch already installed and latest version
>> Nothing to do
>>
>> .. instalación completa.
>>
>>
>> And I do that:
>> If Apache is running, you must now configure this installation of
>> Horde by visiting:
>> http://127.0.0.1/horde/
>> and then navigating to Administration > Setup > Horde
>>
>> Documentation on configuring Horde can be found at:
>> /usr/share/doc/horde-3.3.11/docs/INSTALL
>>
>>
>> But I only have ssh access, so I do:
>>
>> http:// "my-ip" /horde/
>>
>> But I have nothing...
>>
>> Can someone help me please?
>
> ssh -X yourserver
> firefox -no-remote &


Now, this is aggravating: I went to test it, and all our servers just got
the current update last Friday, to either 5.7 or 6.x, and on *both* 5.7
and 6, when I try to run firefox (with it running on my workstation),
having issued the above command, it refuses, saying that it's already
running, but not responding. There, I just killed this session, and
restarted it, and the session on my workstation's fine, but trying it on
another server with -no-remote still fails.

Anyone seen this since the last update?

 mark






Re: [CentOS] Help to install horde

2011-12-07 Thread Tim Evans
On 12/07/2011 04:59 PM, Weplica wrote:
> And I need to uninstall first, before to do yum -y groupinstall horde?

I can't say.  I merely pointed out your command line had a couple of 
typographical errors. ("yun" and "grouinstall") and was wrong syntax.



Re: [CentOS] Help to install horde

2011-12-07 Thread Weplica
And I need to uninstall first, before to do yum -y groupinstall horde?



Quoting Tim Evans :

> On 12/07/2011 04:46 PM, Weplica wrote:
>> Hello,
>>
>> I have install Horde rpm with webmin:
>>
>> Instalando paquete(s) con el comando yum -y install yun grouinstall  
>> horde ...
>
> That would be:  yum -y groupinstall horde


Re: [CentOS] Help to install horde

2011-12-07 Thread m . roth
Weplica wrote:
> Hello,
>
> I have install Horde rpm with webmin:
>
> Instalando paquete(s) con el comando yum -y install yun grouinstall horde
> ...
>
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
>   * base: centos.intergenia.de
>   * epel: ftp-stud.hs-esslingen.de
>   * extras: centos.intergenia.de
>   * updates: ftp.belnet.be
> Setting up Install Process
> No package yun available.
> No package grouinstall available.
> Package horde-3.3.11-1.el6.noarch already installed and latest version
> Nothing to do
>
> .. instalación completa.
>
>
> And I do that:
> If Apache is running, you must now configure this installation of
> Horde by visiting:
> http://127.0.0.1/horde/
> and then navigating to Administration > Setup > Horde
>
> Documentation on configuring Horde can be found at:
> /usr/share/doc/horde-3.3.11/docs/INSTALL
>
>
> But I only have ssh access, so I do:
>
> http:// "my-ip" /horde/
>
> But I have nothing...
>
> Can someone help me please?

ssh -X yourserver
firefox -no-remote &
*Then* http://127.0.0.1/horde, or http://localhost/horde, whatever.

  mark



Re: [CentOS] Help to install horde

2011-12-07 Thread Tim Evans
On 12/07/2011 04:46 PM, Weplica wrote:
> Hello,
>
> I have install Horde rpm with webmin:
>
> Instalando paquete(s) con el comando yum -y install yun grouinstall horde ...

That would be:  yum -y groupinstall horde




[CentOS] Help to install horde

2011-12-07 Thread Weplica
Hello,

I have install Horde rpm with webmin:

Instalando paquete(s) con el comando yum -y install yun grouinstall horde ...

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
  * base: centos.intergenia.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: centos.intergenia.de
  * updates: ftp.belnet.be
Setting up Install Process
No package yun available.
No package grouinstall available.
Package horde-3.3.11-1.el6.noarch already installed and latest version
Nothing to do

.. instalación completa.


And I do that:
If Apache is running, you must now configure this installation of  
Horde by visiting:
http://127.0.0.1/horde/
and then navigating to Administration > Setup > Horde

Documentation on configuring Horde can be found at:
/usr/share/doc/horde-3.3.11/docs/INSTALL


But I only have ssh access, so I do:

http:// "my-ip" /horde/

But I have nothing...

Can someone help me please?

Ernesto



Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 10:44:10 AM Michael Simpson wrote:
> SELinux is great but didn't save Russell Coker from having his play
> machine owned with the vmsplice exploit.

> http://etbe.coker.com.au/2008/04/03/trust-and-play-machine/
> http://www.coker.com.au/selinux/play.html

In this particular instance, the 2.6.23 kernel introduced a setting that is a 
workaround for the general NULL dereference to page zero case, and it requires 
SELinux to be in enforcing mode to work.  Whether upstream backported that to 
2.6.18 (in EL5) or not, I don't know.  That fix is assuredly in the EL6 
2.6.32+patches kernel.  April 2008 is a long time ago in terms of SELinux.  
Russell is quite the brave soul for doing this sort of thing.

Nothing is 100%, of course.  That is a given.

> RSA also showed that social engineering is still an excellent vector.

Social engineering is the biggest problem, bar none.

> Rigorous patching, non-default ports, key based authentication,
> fail2ban/denyhosts, port knocking, SELinux &c are useful in increasing
> the cost of breaking into boxen above the (drive-by/skiddie)
> breakpoint of almost free but from that point onwards you need to
> balance potential cost of break-in against cost of prevention.

You cannot prevent an intrusion; you can only slow it down.  If you make it too 
slow to be useful, then you can have a chance at being relatively secure.  Make 
it cost the attacker, too, as they are also looking at a cost/benefit balance 
sheet.


Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 12:30:27 PM Rui Miguel Silva Seabra wrote:
> The fact that they immediately (first thing, actually) did was to
> upgrade OpenSSH does suggest that there is a Zero Day bug around.

While at first blush that would appear to be so, it may be that the openssh was 
upgraded to get a valuable tunneling feature not present in the CentOS5 openssh 
(reading through the comments on the Kaspersky item).


Re: [CentOS] JNLP app problems

2011-12-07 Thread m . roth
Um, um, er... I didn't have java on my machine (CentOS 6, 64-bit). I went
to install openjdk; not sure of the correct package name, I did a yum list
\*jdk\*... and among the things I saw was java-1.6.0-openjdk-plugin. I did
a yum install, and it installed openjdk, and a few other packages.

I then looked at my *running* version of firefox, and the add-ons showed
icedtea was installed and enabled. I went to a java test site... and it
worked. No ifs, ands, or buts, and ff didn't crash.

Thanks to the icedtea folks!

  mark



Re: [CentOS] JNLP app problems

2011-12-07 Thread Alan McKay
That did the trick - thanks so much!

-- 
“Don't eat anything you've ever seen advertised on TV”
 - Michael Pollan, author of "In Defense of Food"


Re: [CentOS] duqu

2011-12-07 Thread Karanbir Singh
On 12/07/2011 06:59 PM, John R Pierce wrote:
> 
> anyways, this is getting very far afield for a centos specific list, and 
> should instead be discussed on a security list or forum somewhere.

I've said this in the past as well - we have some super talent on this
list when it comes to admin / management / process and policy - we
should setup a list to focus on just that.

- KB


Re: [CentOS] duqu

2011-12-07 Thread John R Pierce
On 12/07/11 8:12 AM, Ljubomir Ljubojevic wrote:
> Better yet. sshd could be upgraded to have dummy daemon on port 22. He
> will accept connections, ask for password but will not be able to
> resolve any usernames. Now THAT would be something.

heh. connect port 22 to a honeypot running in a VM that has a hacked 
openssl that delays every packet response by 15 or 20 seconds...  heck, 
delay the SYN-ACK's and such too.  :)

anyways, this is getting very far afield for a centos specific list, and 
should instead be discussed on a security list or forum somewhere.



-- 
john r pierce    N 37, W 122
santa cruz ca mid-left coast



Re: [CentOS] JNLP app problems

2011-12-07 Thread Ljubomir Ljubojevic
Here is another howto on fixing JNLP in Firefox:

http://stuffivelearned.org/doku.php?id=apps:firefox:jnlpfix

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] JNLP app problems

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 07:29 PM, Alan McKay wrote:
> Anyone?  Anyone?  Buehler?
>
> Fortunately in one instance I am having the problem on an Oracle/Sun system
> that I have under support, and so I logged a call with them.  They told me
> to ensure I am running  JRE 1.5 or better, and of course I had not been.
>   So I installed JRE 1.7 (latest) from their RPMs, and then followed the
> instructions here :
> http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html

DO NOT use Java 1.7. It is released with a known bug that can wreck 
your database or something similarly nasty.

Solution should be:

2. In your Firefox browser, go to Edit-> preferences-> Applications, and 
in Content Type select the option "use other" for jnlp files
3. In the dialog box, select the "javaws" file location (for me, it was 
located in "/usr/java/jre1.6.0_16/bin")


Below is additional info and my notes on how to install Java for Firefox.


Here are my notes on installing Java JRE on CentOS:

Java JRE on CentOS 6 and 5

1. yum install jre

2. ## java ##:
   alternatives --install /usr/bin/java java /usr/java/jre1.6.0_27/bin/java 2
   ## javaws (32-bit only) ##:
   alternatives --install /usr/bin/javaws javaws /usr/java/jre1.6.0_27/bin/javaws 2
   ## Java Browser (Mozilla) Plugin 32-bit ##:
   alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so libjavaplugin.so /usr/java/jre1.6.0_27/lib/i386/libnpjp2.so 2
   ## Java Browser (Mozilla) Plugin 64-bit ##:
   alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/jre1.6.0_27/lib/amd64/libnpjp2.so 2

commands 64-bit:
alternatives --install /usr/bin/java java /usr/java/jre1.6.0_27/bin/java 2
alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/jre1.6.0_27/lib/amd64/libnpjp2.so 2

Do not use it blindly, select what you are installing (JRE/javaws, 32/64 
bit) and fix the commands accordingly.


Older notes but with JDK:

Java on CentOS and Firefox

1. yum install java

2. Now you need to add the Java you have installed to the list of 
alternatives for the java executable:
/usr/sbin/alternatives --install /usr/bin/java java /usr/java/latest/bin/java 2

Note: There are two - (hyphens) before install.

Note: Tinker with /usr/java/latest/bin/java if you do not have Java 
installed at this location. In other words change it to point to the 
location of your installed Java executable from Sun.

3. Now configure alternatives to select the latest Java executable under 
/usr/java:
/usr/sbin/alternatives --config java

Check the version of Java to ensure that it is from Sun:
java -version

For example, this is the output I get:

java version "1.6.0_16"
Java(TM) SE Runtime Environment (build 1.6.0_16-b01)
Java HotSpot(TM) 64-Bit Server VM (build 14.2-b01, mixed mode)

Go to /usr/lib64/mozilla/plugins:
cd /usr/lib64/mozilla/plugins
or
cd /usr/lib/mozilla/plugins

4. Create a symbolic link to libnpjp2.so (Firefox plugin for Java):
ln -s /usr/java/latest/lib/amd64/libnpjp2.so
or
ln -s /usr/java/latest/lib/i386/libnpjp2.so

Note: The above is applicable for JDK installation. For JRE it is likely 
to be:
ln -s /usr/java/latest/lib/amd64/libnpjp2.so
or
ln -s /usr/java/latest/lib/i386/libnpjp2.so
5. Restart Firefox and type the following in URL field and press Enter:
about:plugins

You should now see a section titled Java(TM) Plug-in 1.6.x

You are done installing Java Plugin / Applet support in Firefox on CentOS 5.

ln -s /usr/java/latest/plugin/i386/ns7/libjavaplugin_oji.so in /usr/lib/mozilla/plugins



>
> And then I restart Firefox and check the installed plugins that it thinks
> it has, and sure enough it has that one running.  But still I go to a JNLP
> app and get only XML, no app.
>
> Anyone?
>>
>> I'm trying to use a 5.3 box to run some JNLP apps, but all I get is a
>> view of XML.
>>
>> I try doing some googling and don't come up with much other than this
>> one thread that says I may need both 32 and 64 bit Java to run JNLP.
>> But it is not clear to me how to do that.

The howto I found:

1. Install an official Java for Linux (from the SUN site, )
2. In your Firefox browser, go to Edit-> preferences-> Applications, and 
in Content Type select the option "use other" for jnlp files
3. In the dialog box, select the "javaws" file location (for me, it was 
located in "/usr/java/jre1.6.0_16/bin")

4. Very important to select the "javaws" from the official SUN package, and 
not from the package with the Linux java distribution - it does not work!

First try WITHOUT No 4. and avoid No 1., instead install 
"java-1.6.0-openjdk" and in java


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant

Re: [CentOS] JNLP app problems

2011-12-07 Thread Alan McKay
Anyone?  Anyone?  Buehler?

Fortunately in one instance I am having the problem on an Oracle/Sun system
that I have under support, and so I logged a call with them.  They told me
to ensure I am running  JRE 1.5 or better, and of course I had not been.
 So I installed JRE 1.7 (latest) from their RPMs, and then followed the
instructions here :
http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html

To create a link in my .mozilla/plugins directory :

[amckay@solexa-db ~]$ ls -al !$
ls -al .mozilla/plugins/
total 7
drwxr-xr-x+ 2 amckay amckay  3 Dec  7 13:14 .
drwxr-xr-x+ 5 amckay amckay  5 Nov 16 09:25 ..
lrwxrwxrwx  1 amckay amckay 43 Dec  7 13:14 libnpjp2.so -> /usr/java/jre1.7.0_01/lib/amd64/libnpjp2.so
[amckay@solexa-db ~]$ pwd
/home/amckay
[amckay@solexa-db ~]$

And then I restart Firefox and check the installed plugins that it thinks
it has, and sure enough it has that one running.  But still I go to a JNLP
app and get only XML, no app.

Anyone?


On Thu, Dec 1, 2011 at 2:25 PM, Alan McKay  wrote:

> Hey folks,
>
> I'm trying to use a 5.3 box to run some JNLP apps, but all I get is a
> view of XML.
>
> I try doing some googling and don't come up with much other than this
> one thread that says I may need both 32 and 64 bit Java to run JNLP.
> But it is not clear to me how to do that.
>
> thanks,
> -Alan
>
> --
> “Don't eat anything you've ever seen advertised on TV”
>  - Michael Pollan, author of "In Defense of Food"
>



-- 
“Don't eat anything you've ever seen advertised on TV”
 - Michael Pollan, author of "In Defense of Food"


Re: [CentOS] Static routes with a metric?

2011-12-07 Thread Benjamin Franz
On 12/7/2011 10:03 AM, Matt Garman wrote:
> Hi,
>
> [...]
>
> What I basically need to be able to do is this:
> route add -host h1 gw g1 metric 0
> route add -host h1 gw g2 metric 10
>
> Notice that everything is the same except the gateway and metric. I could
> put this in /etc/rc.local, but was wondering if there's a cleaner way to do
> it in e.g. the network-scripts directory.
>

If you create files in the /etc/sysconfig/network-scripts directory 
named according to the scheme

route-eth0
route-eth1
route-eth2

it will execute each line in the files as

/sbin/ip route add 

when each interface is brought up.

Look in the /etc/sysconfig/network-scripts/ifup-routes script for all 
the gory details and features.

-- 
Benjamin Franz
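
The two routes from the question, rewritten into the per-interface file form described in the reply above, as an added example that is not part of the original thread. The interface names `eth1`/`eth2`, the documentation addresses standing in for h1, g1 and g2, and the helper name `legacy_to_iproute` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): translate legacy net-tools
# "route add -host ..." commands into the one-route-per-line form that
# /etc/sysconfig/network-scripts/route-<dev> files hold, where each line
# is handed to "/sbin/ip route add" when the interface comes up.
# All addresses are constructed documentation addresses (RFC 5737).

# legacy_to_iproute "route add -host H gw G [metric M]"
# Prints "H/32 via G [metric M]"; returns 1 for anything else, so an
# unrecognised command is never silently turned into a wrong route.
legacy_to_iproute() {
    set -f                  # no filename globbing while splitting words
    # shellcheck disable=SC2086
    set -- $1
    set +f
    [ "$1" = "route" ] && [ "$2" = "add" ] || return 1
    shift 2
    dest="" gw="" metric=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -host)  [ $# -ge 2 ] || return 1; dest="$2/32"; shift 2 ;;
            gw)     [ $# -ge 2 ] || return 1; gw="$2";      shift 2 ;;
            metric) [ $# -ge 2 ] || return 1; metric="$2";  shift 2 ;;
            *)      return 1 ;;   # -net, netmask, dev ...: not handled here
        esac
    done
    [ -n "$dest" ] && [ -n "$gw" ] || return 1
    out="$dest via $gw"
    if [ -n "$metric" ]; then
        out="$out metric $metric"
    fi
    printf '%s\n' "$out"
}

# Demo: same host, two gateways, different metrics, one file per NIC.
# Format of each entry: "<assumed interface>|<legacy command>".
for spec in \
    "eth1|route add -host 192.0.2.50 gw 198.51.100.1 metric 0" \
    "eth2|route add -host 192.0.2.50 gw 203.0.113.1 metric 10"
do
    dev=${spec%%|*}
    cmd=${spec#*|}
    printf '# /etc/sysconfig/network-scripts/route-%s\n' "$dev"
    legacy_to_iproute "$cmd" || printf '# could not convert: %s\n' "$cmd"
done
```

After writing the files, `ip route show` on the host should list both entries for the destination with their metrics once the interfaces have been brought up.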




Re: [CentOS] Incorrect evince password request

2011-12-07 Thread Johnny Hughes
On 12/07/2011 11:49 AM, 夜神 岩男 wrote:
> On 12/08/2011 12:14 AM, Johnny Hughes wrote:
>> On 12/07/2011 09:09 AM, m.r...@5-cent.us wrote:
>>> Lucian wrote:
>>>> On 7 December 2011 14:03, Reynolds McClatchey  wrote:
>>>>
>>>>> Any workaround or do I just need to use adobe on WinXP?
>>>>
>>>> Nobody should need to use windows.
>>>>
>>>> http://lmgtfy.com/?q=evince+password
>>>
>>> Or, least best answer, acroread runs jes' fine on Linux.
>>
>> except that they don't have an x86_64 version (unless it is fairly new)
>> and I refuse to install i386 libraries to run acroread.
> 
> Slight digression, but I always forget to ask this:
> 
> Why are people so against installing 32-bit libraries? I've never 
> understood this -- some people even opt for virtualization of a 32-bit 
> release of their entire OS within which to run a few key 32-bit apps 
> instead of just installing the 32-bit compatibility libraries.
> 
> What gives? Is there a technical argument against this?

I am against it because it adds clutter that I don't want ... also, if I
ever need to build anything on a machine with multi-lib it is very hard
to control what the auto config/compile tools do.

Then there are sometimes issues with the way RH does multi-lib ... the
sharing of config and doc files.  This sometimes causes issues.

But, the overriding reason is, if I wanted to run i686 stuff, I would
have installed the i686 distro :)






[CentOS] Static routes with a metric?

2011-12-07 Thread Matt Garman
Hi,

How can I define static routes to be created at boot time with a specific
metric? I have two NICs that ultimately end up at the same peer, but
literally go through two completely different networks. IOW, each NIC
connects to a different layer 3 device.

Also, note that the machine actually has three total NICs: the third is the
owner of the default route. The two mentioned above are for a specialized
sub net.

What I basically need to be able to do is this:
route add -host h1 gw g1 metric 0
route add -host h1 gw g2 metric 10

Notice that everything is the same except the gateway and metric. I could
put this in /etc/rc.local, but was wondering if there's a cleaner way to do
it in e.g. the network-scripts directory.

Thanks,
Matt


Re: [CentOS] Incorrect evince password request

2011-12-07 Thread 夜神 岩男
On 12/08/2011 12:14 AM, Johnny Hughes wrote:
> On 12/07/2011 09:09 AM, m.r...@5-cent.us wrote:
>> Lucian wrote:
>>> On 7 December 2011 14:03, Reynolds McClatchey  wrote:
>>>
>>>> Any workaround or do I just need to use adobe on WinXP?
>>>
>>> Nobody should need to use windows.
>>>
>>> http://lmgtfy.com/?q=evince+password
>>
>> Or, least best answer, acroread runs jes' fine on Linux.
>
> except that they don't have an x86_64 version (unless it is fairly new)
> and I refuse to install i386 libraries to run acroread.

Slight digression, but I always forget to ask this:

Why are people so against installing 32-bit libraries? I've never 
understood this -- some people even opt for virtualization of a 32-bit 
release of their entire OS within which to run a few key 32-bit apps 
instead of just installing the 32-bit compatibility libraries.

What gives? Is there a technical argument against this?


Re: [CentOS] duqu

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 06:29 PM, Craig White wrote:
>
> On Dec 7, 2011, at 4:49 AM, Johnny Hughes wrote:
>
>>> There is also use of denyhosts and fail2ban. They allow only few
>>> attempts from one IP, and all users can share attacking IP's (default is
>>> every 30 min) so you are automatically protected from known attacking
>>> IP's. Any downside on this protection?
>>
>> No downside, and they do work.
> 
> I am a true believer and use denyhosts everywhere but to say there is no 
> downside, that's not entirely true - I had a co-worker who was dyslexic, and 
> you would be surprised how often he locked himself out  ;-)  Honestly, I 
> don't know how he got a college degree in CIS being as dyslexic as he was.
>

hehehe. I whitelisted my internal IP's and other friendly IP's like 
other networks I maintain (and made secure :-) ).

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] Problem with dates

2011-12-07 Thread Marcelo Beckmann
On 07-12-2011 14:55, Weplica wrote:
> Thank you, but the warnings are on the shell while I am trying to install
> Horde (I have more problems with the install) but do I need to fix
> these problems or I can install Horde and later fix the problem in
> php.ini if I have it?

In my case I saw these warnings after I have installed a mail server 
with roundcube webmail, then I did the fix later, with no more implications.

If you can fix now, it could be better to debug other problems, few 
error/warning logs to see.

Regards,
-- 
Marcelo Beckmann
Suporte Corporativo - supo...@webers.com.br
Webers Tecnologia - http://www.webers.com.br
Curitiba   (PR) (41) 3094-6600
Rio de Janeiro (RJ) (21) 4007-1207
São Paulo  (SP) (11) 4007-1207


Re: [CentOS] duqu

2011-12-07 Thread Rui Miguel Silva Seabra
On Tue, 06 Dec 2011 15:45:04 -0600
Johnny Hughes  wrote:

> On 12/06/2011 02:36 PM, Les Mikesell wrote:
> > On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh
> >  wrote:
> >> On 12/06/2011 08:09 PM, Les Mikesell wrote:
> >>> Any luck on  the specific attack path yet?  The linked article
> >>> suggests Centos up to 5.5 was vulnerable.
> >>
> >> We  dont have access to the actual machines that were broken into
> >> - so pretty much everything is second hand info.
> >>
> >> But based on what we know and what we have been told and what we
> >> have worked out ourselves as well, its almost certainly
> >> bruteforced ssh passwords.
> > 
> > So, coincidence that they were CentOS, and pre-5.6?   Did they have
> > admins in common?
> > 
> 
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files
> are there to see.
> 
> The attackers used something to 0 out the files that they wanted
> to wipe directly ... so only things like old logs (that were deleted
> by logrotate and not wiped by the attackers) are on there.
> 
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
> 
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
> 
> However, they do not know yet if exim was in use on those machines.
> 
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to
> that.
> 
> If I had to guess, I would say that the attackers probably developed
> their code on CentOS, so they were looking for a CentOS machine to
> deploy their code on in the wild.  That would be why I would say
> CentOS was the OS used.

The fact that they immediately (first thing, actually) did was to
upgrade OpenSSH does suggest that there is a Zero Day bug around.

If you capture a machine to be your C&C of a botnet, you certainly
don't want the same bug around so others can take your 0wned machine...

Rui




Re: [CentOS] duqu

2011-12-07 Thread Craig White

On Dec 7, 2011, at 4:49 AM, Johnny Hughes wrote:

>> There is also use of denyhosts and fail2ban. They allow only few 
>> attempts from one IP, and all users can share attacking IP's (default is 
>> every 30 min) so you are automatically protected from known attacking 
>> IP's. Any downside on this protection?
> 
> No downside, and they do work.

I am a true believer and use denyhosts everywhere but to say there is no 
downside, that's not entirely true - I had a co-worker who was dyslexic, and 
you would be surprised how often he locked himself out  ;-)  Honestly, I don't 
know how he got a college degree in CIS being as dyslexic as he was.

Craig


[CentOS] CentOS-announce Digest, Vol 82, Issue 4

2011-12-07 Thread centos-announce-request

Today's Topics:

   1. CEEA-2011:1789  CentOS 5 x86_64 tg3-kmod Update (Johnny Hughes)
   2. CEEA-2011:1789  CentOS 5 i386 tg3-kmod Update (Johnny Hughes)
   3. CEEA-2011:1792  CentOS 5 x86_64 igb-kmod Update (Johnny Hughes)
   4. CEEA-2011:1792  CentOS 5 i386 igb-kmod Update (Johnny Hughes)


--

Message: 1
Date: Tue, 6 Dec 2011 18:34:14 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2011:1789  CentOS 5 x86_64 tg3-kmod
Update
To: centos-annou...@centos.org
Message-ID: <20111206183414.ga26...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2011:1789 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2011-1789.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

x86_64:
085b01a2392f719fb0e7e779971deb99  kmod-tg3-rhel5u7-3.119-2.el5_7.x86_64.rpm
67667e01c4db99e4f9570b81f7faba05  kmod-tg3-xen-rhel5u7-3.119-2.el5_7.x86_64.rpm

Source:
1f24c31f4d61bef6648c910ae775b390  tg3-kmod-3.119-2.el5_7.src.rpm


-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 2
Date: Tue, 6 Dec 2011 18:34:14 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2011:1789  CentOS 5 i386 tg3-kmod
Update
To: centos-annou...@centos.org
Message-ID: <20111206183414.ga26...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2011:1789 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2011-1789.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

i386:
19ced15df18da5a3b519127157bd548b  kmod-tg3-PAE-rhel5u7-3.119-2.el5_7.i686.rpm
04ef24479aa68979237b14abe0affdd1  kmod-tg3-rhel5u7-3.119-2.el5_7.i686.rpm
3f68a694ca7c6ac7b56abb115e0f82c4  kmod-tg3-xen-rhel5u7-3.119-2.el5_7.i686.rpm

Source:
1f24c31f4d61bef6648c910ae775b390  tg3-kmod-3.119-2.el5_7.src.rpm


-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 3
Date: Wed, 7 Dec 2011 14:07:07 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2011:1792  CentOS 5 x86_64 igb-kmod
Update
To: centos-annou...@centos.org
Message-ID: <20111207140707.ga19...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2011:1792 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2011-1792.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

x86_64:
272a5533abed3f43a05c37c61d8dc36a  kmod-igb-rhel5u7-3.0.6_k2_1-1.el5_7.x86_64.rpm
832ecad9aa8f1dee80553818085045c2  kmod-igb-xen-rhel5u7-3.0.6_k2_1-1.el5_7.x86_64.rpm

Source:
d2d76b5a0175f1aca5e29ceab8a9753a  igb-kmod-3.0.6_k2_1-1.el5_7.src.rpm


-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 4
Date: Wed, 7 Dec 2011 14:07:06 +
From: Johnny Hughes 
Subject: [CentOS-announce] CEEA-2011:1792  CentOS 5 i386 igb-kmod
Update
To: centos-annou...@centos.org
Message-ID: <20111207140706.ga19...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Enhancement Advisory 2011:1792 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2011-1792.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

i386:
8d7f04d6f5766bf86fbdf0d4d9256cc7  kmod-igb-PAE-rhel5u7-3.0.6_k2_1-1.el5_7.i686.rpm
a9bf8cedd22a8c19268b1d730371e97e  kmod-igb-rhel5u7-3.0.6_k2_1-1.el5_7.i686.rpm
8fbdd517fd4b3be1926ea9a6a2b1d6b0  kmod-igb-xen-rhel5u7-3.0.6_k2_1-1.el5_7.i686.rpm

Source:
d2d76b5a0175f1aca5e29ceab8a9753a  igb-kmod-3.0.6_k2_1-1.el5_7.src.rpm


-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

___
CentOS-announce mailing list
centos-annou...@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 82, Issue 4

Re: [CentOS] Problem with dates

2011-12-07 Thread Weplica
Thank you, but the warnings are in the shell while I am trying to install
Horde (I have more problems with the install), but do I need to fix
these problems, or can I install Horde and later fix the problem in
php.ini if I have it?

Quoting Marcelo Beckmann :

> On 07-12-2011 14:31, Weplica wrote:
>>
>> Hello,
>>
>> I am installing Horde on my CentOS 6, and when I do "webmail-install" I
>> have a lot of these warnings:
>>
>>
>> Warning: date(): It is not safe to rely on the system's timezone
>> settings. You are *required* to use the date.timezone setting or the
>> date_default_timezone_set() function. In case you used any of those
>> methods and you are still getting this warning, you most likely
>> misspelled the timezone identifier. We selected 'America/Lima' for
>> 'PET/-5.0/no DST' instead in /usr/share/pear/Horde/Log/Logger.php on
>> line 182
> 
>
> You can define a timezone in your /etc/php.ini to avoid these warnings,
> like:
>
> date.timezone = "America/Sao_Paulo"
>
> See this URL, it was useful for me when I saw these warnings the first time:
> http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
>
>
> Regards,
> --
> Marcelo Beckmann
> Suporte Corporativo - supo...@webers.com.br
> Webers Tecnologia - http://www.webers.com.br
> Curitiba   (PR) (41) 3094-6600
> Rio de Janeiro (RJ) (21) 4007-1207
> São Paulo  (SP) (11) 4007-1207


Re: [CentOS] Problem with dates

2011-12-07 Thread Marcelo Beckmann
On 07-12-2011 14:31, Weplica wrote:
>
> Hello,
>
> I am installing Horde on my CentOS 6, and when I do "webmail-install" I
> have a lot of these warnings:
>
>
> Warning: date(): It is not safe to rely on the system's timezone
> settings. You are *required* to use the date.timezone setting or the
> date_default_timezone_set() function. In case you used any of those
> methods and you are still getting this warning, you most likely
> misspelled the timezone identifier. We selected 'America/Lima' for
> 'PET/-5.0/no DST' instead in /usr/share/pear/Horde/Log/Logger.php on
> line 182


You can define a timezone in your /etc/php.ini to avoid these warnings, 
like:

date.timezone = "America/Sao_Paulo"

See this URL, it was useful for me when I saw these warnings the first time:
http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone


Regards,
-- 
Marcelo Beckmann
Suporte Corporativo - supo...@webers.com.br
Webers Tecnologia - http://www.webers.com.br
Curitiba   (PR) (41) 3094-6600
Rio de Janeiro (RJ) (21) 4007-1207
São Paulo  (SP) (11) 4007-1207


Re: [CentOS] Incorrect evince password request

2011-12-07 Thread Frank Cox
On Wed, 07 Dec 2011 09:03:49 -0500
Reynolds McClatchey wrote:

> I have run into several pdf documents that request a password
> with evince; but not with Adobe.

Try xpdf.  Some files that won't open with anything else will open with xpdf.

-- 
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!


Re: [CentOS] Incorrect evince password request

2011-12-07 Thread m . roth
Johnny Hughes wrote:
> On 12/07/2011 09:09 AM, m.r...@5-cent.us wrote:
>> Lucian wrote:
>>> On 7 December 2011 14:03, Reynolds McClatchey  wrote:
>>>
>>>> Any workaround or do I just need to use adobe on WinXP?
>>>
>>> Nobody should need to use windows.
>>>
>>> http://lmgtfy.com/?q=evince+password
>>
>> Or, least best answer, acroread runs jes' fine on Linux.
>
> except that they don't have an x86_64 version (unless it is fairly new)
> and I refuse to install i386 libraries to run acroread.

Well, I found someone who says they've gotten it working* - actually, I
have it running - but they seem to think they're running a 64-bit
version... but then, using strace, they find they start having to install
i686 libraries, which I'm guessing are still 32-bit. Am I right, Johnny?

mark

*




[CentOS] Problem with dates

2011-12-07 Thread Weplica

Hello,

I am installing Horde on my CentOS 6, and when I do "webmail-install" I
have a lot of these warnings:


Warning: date(): It is not safe to rely on the system's timezone  
settings. You are *required* to use the date.timezone setting or the  
date_default_timezone_set() function. In case you used any of those  
methods and you are still getting this warning, you most likely  
misspelled the timezone identifier. We selected 'America/Lima' for  
'PET/-5.0/no DST' instead in /usr/share/pear/Horde/Log/Logger.php on  
line 182

PHP Warning:  date(): It is not safe to rely on the system's timezone  
settings. You are *required* to use the date.timezone setting or the  
date_default_timezone_set() function. In case you used any of those  
methods and you are still getting this warning, you most likely  
misspelled the timezone identifier. We selected 'America/Lima' for  
'PET/-5.0/no DST' instead in /usr/share/pear/Services/Weather.php on  
line 166


I don't understand what I have to do to fix it; can someone help me please?

Ernesto Bustos



Re: [CentOS] yum with a proxy

2011-12-07 Thread Marcelo Beckmann
On 07-12-2011 13:38, Philippe Naudin wrote:
>
> Thanks for your answer : indeed, adding enabled=0 to fastestmirror.conf
> solves the problem.
>

If you want or need to use yum via proxy, you can put these lines in 
/etc/yum.conf:

proxy=http://IP_or_NAME:PORT/
proxy_username=username
proxy_password=password


Regards,
-- 
Marcelo Beckmann
Suporte Corporativo - supo...@webers.com.br
Webers Tecnologia - http://www.webers.com.br
Curitiba   (PR) (41) 3094-6600
Rio de Janeiro (RJ) (21) 4007-1207
São Paulo  (SP) (11) 4007-1207


Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 01:35 PM, Karanbir Singh wrote:
> On 12/07/2011 10:50 AM, Ljubomir Ljubojevic wrote:
>>> http://lists.centos.org/pipermail/centos/2011-August/116804.html
>>
>> Akemi, there is src.rpm also:
>> http://repos.fedorapeople.org/repos/lkundrak/kernel-nonpae/epel-6/SRPMS/kernel-2.6.32-71.7.1.el6.nonpae.src.rpm
>>
>> How complicated and time consuming would it be to use its spec file to
>> build .nonpae.centosplus kernel for all published kernels?
>>
>
> give it a shot, submit a patch - if it can be automated, I'll even add
> it to the regular buildsystem to build in parallel with the regular kernel.

I never ever played with kernel building, that is why I asked. If no one
accepts the challenge, I will.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] duqu

2011-12-07 Thread Les Mikesell
On Wed, Dec 7, 2011 at 10:12 AM, Ljubomir Ljubojevic  wrote:
>
> Better yet. sshd could be upgraded to have dummy daemon on port 22. He
> will accept connections, ask for password but will not be able to
> resolve any usernames. Now THAT would be something.

Or, it could simply rate-limit failures with logging/notifications to
make brute force attacks difficult and visible.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] duqu

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 03:37 PM, Bowie Bailey wrote:
> On 12/7/2011 7:07 AM, Lamar Owen wrote:
>> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
>>> [Changing the port #] is completely and utterly retarded.  You have done 
>>> *NOTHING* to secure SSH by doing this.  You have instead made it only 
>>> slightly, and I mean ever so slightly, more secure.  A simple port scan of 
>>> your network would find it within seconds and start to utilize it.
>> Simple port scans don't scan all 65,536 possible port numbers; those scans 
>> are a bit too easy for IDS detection and mitigation.  Most scans only scan 
>> common ports; the ssh brute-forcer I found in the wild only scanned port 22; 
>> if it wasn't open, it went on to the next IP address.
>>
>> Unusual port numbers, port knocking, and similar techniques obfuscate things 
>> enough to eliminate the 'honest' script-kiddie (that is, the one that 
>> doesn't know any more than what the log of the brute-forcer I found showed, 
>> that the kiddie was going by a rote script, including trying to download and 
>> install a *windows 2000 service pack* on the Linux server in question).  
>> This will cut down the IDS noise, that's for sure.  And cutting down the 
>> information overload for the one tasked with reading those logs is important.
>>
>> Of course, it could be argued that if you have port 22 open and you get 
>> those kiddies, you can block all access from those addresses with something 
>> like fail2ban (and pipe into your border router's ACL, if that ACL table has 
>> enough entries available.).
>
> Now there's an idea.  Run your SSH server on a non-standard port and put
> something on port 22 that does nothing but listen for connections and
> then block any IP that tries to connect (via fail2ban or whatever).
> That way the script kiddies have no chance of getting in on port 22 and
> anyone who tries is now blocked on all ports or even blocked from the
> entire network.
>

Better yet. sshd could be upgraded to have dummy daemon on port 22. He 
will accept connections, ask for password but will not be able to 
resolve any usernames. Now THAT would be something.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] duqu

2011-12-07 Thread Michael Simpson
On 7 December 2011 12:46, Lamar Owen  wrote:
> On Wednesday, December 07, 2011 05:32:00 AM Ljubomir Ljubojevic wrote:
>> There is also use of denyhosts and fail2ban. They allow only few
>> attempts from one IP, and all users can share attacking IP's (default is
>> every 30 min) so you are automatically protected from known attacking
>> IP's. Any downside on this protection?
>
> Botnets.  If a 100,000 host botnet hits you with a coordinated brute-force 
> attack, fail2ban and other similar tools won't help you, as every attempt 
> will come from a different host.  This may be one way the brute-forcers 
> appear to get in on the first or second try.  And some brute-forcers are the 
> so-called 'slow' brute-forcers that try things very slowly and never trigger 
> some of these protections.
>
> And don't let your guard down just because you have disabled password login 
> and have key-based auth; if a remote exec breach is found in a different 
> daemon that can write (or can execute a local root exploit that can then 
> write) to /etc/ssh/sshd_config, it's game over.  This is where SELinux in 
> enforcing mode with properly configured contexts and no unconfined users can 
> save the day.  Attach access rights to sshd_config to a local console user or 
> similar  (that's one thing ConsoleKit and PolicyKit are for) and make certain 
> other files are not writeable remotely as well.

For passwords get g0tmi1k's list to check out what you use.

http://g0tmi1k.blogspot.com/2011/06/dictionaries-wordlists.html

SELinux is great but didn't save Russell Coker from having his play
machine owned with the vmsplice exploit.

http://etbe.coker.com.au/2008/04/03/trust-and-play-machine/
http://www.coker.com.au/selinux/play.html

RSA also showed that social engineering is still an excellent vector.

http://www.f-secure.com/weblog/archives/2226.html

-the offending exploit had to be retrieved from the spam folder prior
to being opened
spear phishing ftw

Ultimately you could be running OpenBSD in a datacentre with all
manners of precautions  yet if the attacker can blag his/her way in
then your data is still all gone.
It'll cost them a *lot* more money than running autopwn against /8s
but the pay off will be higher.

Rigorous patching, non-default ports, key based authentication,
fail2ban/denyhosts, port knocking, SELinux &c are useful in increasing
the cost of breaking into boxen above the (drive-by/skiddie)
breakpoint of almost free but from that point onwards you need to
balance potential cost of break-in against cost of prevention.

mike


Re: [CentOS] yum with a proxy

2011-12-07 Thread Philippe Naudin
On Wed 07 Dec 2011 09:12:24 CET, Johnny Hughes wrote:

> On 12/07/2011 09:03 AM, Philippe Naudin wrote:
> > Hello,
> > 
> > While yum is configured to use a proxy, like this :
> >  [base]
> >  name=CentOS-$releasever - Base
> >  mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
> >  #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
> >  gpgcheck=1
> >  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
> >  proxy=http://proxy.lasb:3128
> > 
> > it still makes some attempts to connect directly to the Internet (tcp 80).
> > These attempts are denied and logged by the firewall.
> > 
> > If I comment out the line mirrorlist= and uncomment the line
> > baseurl= then there is no more direct connexion to Internet.
> > (N.B. : in both cases, yum works well despite the access denied.)
> > 
> > I have tried to add a line proxy= to fastestmirror.conf, but it 
> > doesn't change anything. I can't put proxy= in /etc/yum.conf
> > because I also have a local repo.
> > 
> > Any idea on how to avoid these connections to the Internet?
> 
> fastestmirror is designed to make direct connections to remote sites,
> time them, and then pick the fastest mirror from that machine to a
> specific mirror.  If your machine can not connect directly to the
> external mirror, it is going to cause issues.
> 
> It works ok through most transparent proxies (though, the connection
> times are going to be to the proxy, and all the same and very low, and
> not valid for the purpose of fastest mirror) ... it does not work with
> proxies that require a password or non port 80 proxies.
> 
> If you have a web proxy, you will most likely need to not use fastest
> mirror.

Thanks for your answer : indeed, adding enabled=0 to fastestmirror.conf
solves the problem.

-- 
Philippe Naudin
UMR MISTEA : Mathématiques, Informatique et STatistique pour 
l'Environnement et l'Agronomie
INRA, bâtiment 29   -   2 place Viala   -   34060 Montpellier cedex 2
tél: 04.99.61.26.34, fax: 04.99.61.29.03, mél: nau...@supagro.inra.fr


Re: [CentOS] Incorrect evince password request

2011-12-07 Thread Johnny Hughes
On 12/07/2011 09:09 AM, m.r...@5-cent.us wrote:
> Lucian wrote:
>> On 7 December 2011 14:03, Reynolds McClatchey  wrote:
>>
>>> Any workaround or do I just need to use adobe on WinXP?
>>
>> Nobody should need to use windows.
>>
>> http://lmgtfy.com/?q=evince+password
> 
> Or, least best answer, acroread runs jes' fine on Linux.

except that they don't have an x86_64 version (unless it is fairly new)
and I refuse to install i386 libraries to run acroread.





Re: [CentOS] yum with a proxy

2011-12-07 Thread Johnny Hughes
On 12/07/2011 09:03 AM, Philippe Naudin wrote:
> Hello,
> 
> While yum is configured to use a proxy, like this :
>  [base]
>  name=CentOS-$releasever - Base
>  mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
>  #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
>  gpgcheck=1
>  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
>  proxy=http://proxy.lasb:3128
> 
> it still makes some attempts to connect directly to the Internet (tcp 80).
> These attempts are denied and logged by the firewall.
> 
> If I comment out the line mirrorlist= and uncomment the line
> baseurl= then there is no more direct connexion to Internet.
> (N.B. : in both cases, yum works well despite the access denied.)
> 
> I have tried to add a line proxy= to fastestmirror.conf, but it 
> doesn't change anything. I can't put proxy= in /etc/yum.conf
> because I also have a local repo.
> 
> Any idea on how to avoid these connections to the Internet?

fastestmirror is designed to make direct connections to remote sites,
time them, and then pick the fastest mirror from that machine to a
specific mirror.  If your machine can not connect directly to the
external mirror, it is going to cause issues.

It works ok through most transparent proxies (though, the connection
times are going to be to the proxy, and all the same and very low, and
not valid for the purpose of fastest mirror) ... it does not work with
proxies that require a password or non port 80 proxies.

If you have a web proxy, you will most likely need to not use fastest
mirror.





Re: [CentOS] Incorrect evince password request

2011-12-07 Thread m . roth
Lucian wrote:
> On 7 December 2011 14:03, Reynolds McClatchey  wrote:
>
>> Any workaround or do I just need to use adobe on WinXP?
>
> Nobody should need to use windows.
>
> http://lmgtfy.com/?q=evince+password

Or, least best answer, acroread runs jes' fine on Linux.

   mark



Re: [CentOS] duqu

2011-12-07 Thread Johnny Hughes
On 12/07/2011 08:17 AM, Stephen Harris wrote:
> On Wed, Dec 07, 2011 at 07:07:33AM -0500, Lamar Owen wrote:
>> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
>>> [Changing the port #] is completely and utterly retarded.  You have
>> done *NOTHING* to secure SSH by doing this.  You have instead made it
>> only slightly, and I mean ever so slightly, more secure.  A simple port
>> scan of your network would find it within seconds and start to utilize it.
>>
>> Simple port scans don't scan all 65,536 possible port numbers; those
>> scans are a bit too easy for IDS detection and mitigation.  Most scans
>> only scan common ports; the ssh brute-forcer I found in the wild only
>> scanned port 22; if it wasn't open, it went on to the next IP address.
> 
> In theory James is correct.  In practice Lamar appears to be.  About a
> year back I changed my ssh port and have not since seen password hack
> attempts, so the port scanners are definitely not pervasively scanning
> all ports.  (Not that they'd have logged in; but it was causing noise
> and annoyance in the logs)
> 
> Now the same wouldn't be true if I was managing firewalls for Chase or
> Bank Of America or Citi or HSBC; you can be sure that they're being 
> scanned on all ports and better not have external ssh connections open
> to the world!
> 

Right ... they need a reason to look somewhere else.  If they
specifically wanted that machine, they would scan all ports.  If they
are drive-by script kiddies, then if it is not on port 22 that will cut
down significantly on the drive-bys.

Lots of times, they look for a port 22 open to back later, etc.

So, Lamar is correct.  It does not do anything to prevent a determined
attack ... but it does greatly reduce the chance someone will randomly
pick your machine for an attack.





[CentOS] yum with a proxy

2011-12-07 Thread Philippe Naudin
Hello,

While yum is configured to use a proxy, like this :
 [base]
 name=CentOS-$releasever - Base
 mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
 #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
 proxy=http://proxy.lasb:3128

it still makes some attempts to connect directly to the Internet (tcp 80).
These attempts are denied and logged by the firewall.

If I comment out the line mirrorlist= and uncomment the line
baseurl= then there is no more direct connexion to Internet.
(N.B. : in both cases, yum works well despite the access denied.)

I have tried to add a line proxy= to fastestmirror.conf, but it 
doesn't change anything. I can't put proxy= in /etc/yum.conf
because I also have a local repo.

Any idea on how to avoid these connections to the Internet?

TIA,

-- 
Philippe Naudin
UMR MISTEA : Mathématiques, Informatique et STatistique pour 
l'Environnement et l'Agronomie
INRA, bâtiment 29   -   2 place Viala   -   34060 Montpellier cedex 2
tél: 04.99.61.26.34, fax: 04.99.61.29.03, mél: nau...@supagro.inra.fr


Re: [CentOS] duqu

2011-12-07 Thread Bowie Bailey
On 12/7/2011 7:07 AM, Lamar Owen wrote:
> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
>> [Changing the port #] is completely and utterly retarded.  You have done 
>> *NOTHING* to secure SSH by doing this.  You have instead made it only 
>> slightly, and I mean ever so slightly, more secure.  A simple port scan of 
>> your network would find it within seconds and start to utilize it.
> Simple port scans don't scan all 65,536 possible port numbers; those scans 
> are a bit too easy for IDS detection and mitigation.  Most scans only scan 
> common ports; the ssh brute-forcer I found in the wild only scanned port 22; 
> if it wasn't open, it went on to the next IP address.
>
> Unusual port numbers, port knocking, and similar techniques obfuscate things 
> enough to eliminate the 'honest' script-kiddie (that is, the one that doesn't 
> know any more than what the log of the brute-forcer I found showed, that the 
> kiddie was going by a rote script, including trying to download and install a 
> *windows 2000 service pack* on the Linux server in question).  This will cut 
> down the IDS noise, that's for sure.  And cutting down the information 
> overload for the one tasked with reading those logs is important.
>
> Of course, it could be argued that if you have port 22 open and you get those 
> kiddies, you can block all access from those addresses with something like 
> fail2ban (and pipe into your border router's ACL, if that ACL table has 
> enough entries available.).

Now there's an idea.  Run your SSH server on a non-standard port and put
something on port 22 that does nothing but listen for connections and
then block any IP that tries to connect (via fail2ban or whatever). 
That way the script kiddies have no chance of getting in on port 22 and
anyone who tries is now blocked on all ports or even blocked from the
entire network.

-- 
Bowie
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
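
Bowie Bailey's idea above (the real sshd on another port, and something on port 22 that only listens and gets the caller blocked), as an added example that is not code from anyone in this thread. The log path, the `decoy22` line format and the allow-listed range are assumptions made here; the actual block is left to whatever watches the log (the thread names fail2ban), and its filter would have to be written to match these lines.

```python
import ipaddress
import socketserver
import time


class Tripwire:
    """Decide what happens to a peer that touched the decoy port."""

    def __init__(self, allow=(), ban_seconds=3600, clock=time.time):
        # Networks that must never be banned (admin ranges, monitoring),
        # so a colleague who forgets the new port is not locked out.
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.ban_seconds = ban_seconds
        self.clock = clock
        self.banned = {}                      # ip string -> expiry (epoch)

    def touch(self, peer):
        """Record one connection; return the log line with the verdict."""
        ip = ipaddress.ip_address(peer)
        now = self.clock()
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        if any(ip in net for net in self.allow):
            return f"{stamp} decoy22 ALLOW {ip}"
        # A repeat visit while banned extends the ban from "now".
        self.banned[str(ip)] = now + self.ban_seconds
        return f"{stamp} decoy22 BAN {ip}"

    def is_banned(self, peer):
        expiry = self.banned.get(peer)
        if expiry is not None and expiry <= self.clock():
            del self.banned[peer]             # ban has run out
            return False
        return expiry is not None


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # No banner and no password prompt: note the peer and hang up.
        line = self.server.tripwire.touch(self.client_address[0])
        with open(self.server.log_path, "a") as log:
            log.write(line + "\n")


class DecoyServer(socketserver.TCPServer):
    allow_reuse_address = True


def serve(tripwire, log_path, host="0.0.0.0", port=22):
    """Run the decoy; binding below 1024 needs root or CAP_NET_BIND_SERVICE."""
    with DecoyServer((host, port), DecoyHandler) as srv:
        srv.tripwire, srv.log_path = tripwire, log_path
        srv.serve_forever()


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the administrators' own range (assumption).
    serve(Tripwire(allow=["192.0.2.0/24"]), "/var/log/decoy22.log")
```
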


Re: [CentOS] Incorrect evince password request

2011-12-07 Thread Lucian
On 7 December 2011 14:03, Reynolds McClatchey  wrote:

> Any workaround or do I just need to use adobe on WinXP?

Nobody should need to use windows.

http://lmgtfy.com/?q=evince+password


Re: [CentOS] duqu

2011-12-07 Thread Stephen Harris
On Wed, Dec 07, 2011 at 07:07:33AM -0500, Lamar Owen wrote:
> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
> > [Changing the port #] is completely and utterly retarded.  You have
> done *NOTHING* to secure SSH by doing this.  You have instead made it
> only slightly, and I mean ever so slightly, more secure.  A simple port
> scan of your network would find it within seconds and start to utilize it.
> 
> Simple port scans don't scan all 65,536 possible port numbers; those
> scans are a bit too easy for IDS detection and mitigation.  Most scans
> only scan common ports; the ssh brute-forcer I found in the wild only
> scanned port 22; if it wasn't open, it went on to the next IP address.

In theory James is correct.  In practice Lamar appears to be.  About a
year back I changed my ssh port and have not since seen password hack
attempts, so the port scanners are definitely not pervasively scanning
all ports.  (Not that they'd have logged in; but it was causing noise
and annoyance in the logs)

Now the same wouldn't be true if I was managing firewalls for Chase or
Bank Of America or Citi or HSBC; you can be sure that they're being 
scanned on all ports and better not have external ssh connections open
to the world!

-- 

rgds
Stephen


[CentOS] Incorrect evince password request

2011-12-07 Thread Reynolds McClatchey
I have run into several pdf documents that request a password
with evince; but not with Adobe.

[rey@reylinux docs]$ rpm -qa |grep evince
evince-0.6.0-13.el5
[rey@reylinux docs]$ evince Mir*
Error: Unsupported version/revision (4/4) of Standard security handler
Error: Incorrect password

Any workaround or do I just need to use adobe on WinXP?

-- 
M Reynolds McClatchey Jr            VP Engineering and Inventory
Southern Aluminum Finishing Co Inc  404-355-1560 x222 Voice
1581 Huber St NW                    404-350-0581 Fax
Atlanta GA 30318




Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 07:37:34 AM Always Learning wrote:
...
> The essential aspect of this suggestion is such a web site must be Linux
> non-denominational. Centos fans working with Ubuntu fans working with
> other flavours too including Red Hat et al. A genuine community
> Enterprise benefiting the entire community.

I've left this paragraph in; I could have chosen any paragraph, though.

Such tutorials exist; most of the really good ones are not freely available, 
though.  SANS.org is one place to look, and where you can purchase training in 
various security things.  Sites like packetstormsecurity.org have lots of 
files, including whitepapers and such, but finding what you need can be 
difficult.

I have found that the difficulty with free tutorials, whether it's at 
howtoforge or elsewhere, is that the author is going to write about the system 
they are using; and you can't expect otherwise from a free tutorial.  You have 
to translate to your own setup, and/or you have to do things the standard way.  
Well, unless the author has an 'agenda' for a particular way of doing things, 
and virtually all do, even if they're not aware of it.

That in and of itself is one of the biggest mistakes admins make: they have a 
'preferred way' of doing things, but that preferred way may not be the way that 
is most secure on that particular distribution.


Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 05:32:00 AM Ljubomir Ljubojevic wrote:
> There is also use of denyhosts and fail2ban. They allow only few 
> attempts from one IP, and all users can share attacking IP's (default is 
> every 30 min) so you are automatically protected from known attacking 
> IP's. Any downside on this protection?

Botnets.  If a 100,000 host botnet hits you with a coordinated brute-force 
attack, fail2ban and other similar tools won't help you, as every attempt will 
come from a different host.  This may be one way the brute-forcers appear to 
get in on the first or second try.  And some brute-forcers are the so-called 
'slow' brute-forcers that try things very slowly and never trigger some of 
these protections.

And don't let your guard down just because you have disabled password login and 
have key-based auth; if a remote exec breach is found in a different daemon 
that can write (or can execute a local root exploit that can then write) to 
/etc/ssh/sshd_config, it's game over.  This is where SELinux in enforcing mode 
with properly configured contexts and no unconfined users can save the day.  
Attach access rights to sshd_config to a local console user or similar  (that's 
one thing ConsoleKit and PolicyKit are for) and make certain other files are 
not writeable remotely as well.

Don't let your guard down because you have things firewalled, either.  As RSA 
found out the hard way, all it takes is one employee opening one Excel 
attachment with an embedded Flash exploit, and 'blammo' you're pwned.

And if you think these sorts of contrivances aren't out in the wild, think 
again.

I have an example from the 'wild' that, once I have all the data in hand and 
permission to release it, will blow your mind.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
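
The two gaps described in the message above (a botnet where every attempt comes from a different host, and a 'slow' brute-forcer) can be seen by counting failures per target account and over a long window instead of only per source. This is an added example, not part of the original post and not fail2ban or denyhosts code; the log lines are constructed and every threshold is an assumption chosen for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (documentation-range addresses, made-up host),
# grouped by scenario rather than by time; parse() sorts them.
SAMPLE_LOG = """\
Dec  7 03:00:01 web1 sshd[2101]: Failed password for oracle from 203.0.113.5 port 40001 ssh2
Dec  7 03:00:03 web1 sshd[2102]: Failed password for oracle from 203.0.113.5 port 40002 ssh2
Dec  7 03:00:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Dec  7 03:05:00 web1 sshd[2110]: Failed password for root from 198.51.100.11 port 51000 ssh2
Dec  7 03:05:20 web1 sshd[2111]: Failed password for root from 198.51.100.12 port 51001 ssh2
Dec  7 03:05:45 web1 sshd[2112]: Failed password for root from 198.51.100.13 port 51002 ssh2
Dec  7 03:06:10 web1 sshd[2113]: Failed password for root from 198.51.100.14 port 51003 ssh2
Dec  7 03:06:40 web1 sshd[2114]: Failed password for root from 198.51.100.15 port 51004 ssh2
Dec  7 03:07:30 web1 sshd[2115]: Failed password for root from 198.51.100.16 port 51005 ssh2
Dec  7 00:10:00 web1 sshd[1901]: Failed password for backup from 192.0.2.77 port 60001 ssh2
Dec  7 04:10:00 web1 sshd[2201]: Failed password for backup from 192.0.2.77 port 60002 ssh2
Dec  7 08:10:00 web1 sshd[2290]: Failed password for backup from 192.0.2.77 port 60003 ssh2
Dec  7 12:10:00 web1 sshd[2350]: Failed password for backup from 192.0.2.77 port 60004 ssh2
Dec  7 16:10:00 web1 sshd[2410]: Failed password for backup from 192.0.2.77 port 60005 ssh2
Dec  7 20:10:00 web1 sshd[2470]: Failed password for backup from 192.0.2.77 port 60006 ssh2
Dec  7 09:00:00 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.20 port 52222 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2011):
    """Return a time-sorted list of (timestamp, user, source_ip) failures."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other daemons are ignored
        stamp = " ".join(m.group("ts").split())  # syslog pads the day with spaces
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return sorted(events)

def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def times_by_source(events):
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    return by_ip

def per_source_bans(events, max_retry=3, find_time=timedelta(minutes=10)):
    """Sources a per-IP counter would ban: max_retry failures within find_time."""
    return {ip for ip, times in times_by_source(events).items()
            if max_in_window(times, find_time) >= max_retry}

def distributed_targets(events, min_sources=5, window=timedelta(minutes=10)):
    """Accounts hit from at least min_sources distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        in_window, start, best = Counter(), 0, 0
        for ts, ip in hits:
            in_window[ip] += 1
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_sources:
            flagged[user] = best
    return flagged

def slow_sources(events, banned, min_total=5, long_window=timedelta(hours=24)):
    """Sources that never trip the per-IP counter yet keep failing all day."""
    return {ip for ip, times in times_by_source(events).items()
            if ip not in banned and max_in_window(times, long_window) >= min_total}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    bans = per_source_bans(ev)
    print("per-IP bans:", bans)
    print("accounts under distributed attack:", distributed_targets(ev))
    print("slow sources:", slow_sources(ev, bans))
```

On the sample, the per-IP counter catches only the one noisy host; the six-host run against root and the once-every-four-hours source show up only in the per-account and 24-hour views.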


Re: [CentOS] duqu

2011-12-07 Thread Always Learning

On Wed, 2011-12-07 at 07:07 -0500, Lamar Owen wrote:

> On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:


> > A basic qualification to operate a computer would also be nice.  Sad
> > thing is, there is no such thing.

> Microsoft has proposed such... of course, the prerequisites would
> likely include  running the latest Windows
> 
> If you get an 'Internet driver's license' you then have to have a
> licensing authority, and any time you get that sort of thing
> involved well, you can imagine how it could pan out.

BUT every country has unlicensed drivers !

It is in the economic interests of every country, world wide, to prevent
computer hacking, invasion of computer systems and the inevitable abuse
of computer facilities.

Even if only some of the sys admins became proficient in basic server
security it would be a de facto improvement.  What is needed is a web
site offering free lessons on how to secure servers. An ideal task for a
willing and knowledgeable Linux volunteer with help from non-English
speakers translating the information into their language.

Centos is probably the most widely used operating system for servers.
Data centres offer Centos to every Tom, Dick & Harry and even Eva & Ida
too - usually it is for VPS. This means Linux newcomers are using it.

My experience is most hacking attacks, mail and web, come from VPSs in
Data Centres - the cheaper the hire cost, the more likely it is used.

Therefore these unknown newcomers to Linux would benefit from a few
basics. At present they have to hunt for the information.

If a basic security web site, internally recognised and endorsed by
governments (and no Ads) existed offering basic security information for
Linux servers, I am reasonably confident many ISPs would point their
server users to it - all flavours of Linux users.

The common good, and how it can be greatly improved, should concern all
of us. The solution is amazingly simple. Propagation of the web site's
existence is harder but with press, government, Usenet, Twitter,
Facebook etc. a vast improvement to the status quo can be achieved for
the benefit of all except the hackers and attackers.

The essential aspect of this suggestion is such a web site must be Linux
non-denominational. Centos fans working with Ubuntu fans working with
other flavours too including Red Hat et al. A genuine community
Enterprise benefiting the entire community.


-- 
With best regards,

Paul.
England,
EU.




Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Karanbir Singh
On 12/07/2011 09:45 AM, Akemi Yagi wrote:
>>> I believe that is true of CentOS-5 as well.
>> As in the latest C5 kernels require PAE?
> C5 kernels still come in two flavours, standard (kernel) and PAE (kernel-PAE).

right, and the Xen kernel is built with PAE as well.

- KB


Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Karanbir Singh
On 12/07/2011 10:50 AM, Ljubomir Ljubojevic wrote:
>> http://lists.centos.org/pipermail/centos/2011-August/116804.html
> 
> Akemi, there is src.rpm also:
> http://repos.fedorapeople.org/repos/lkundrak/kernel-nonpae/epel-6/SRPMS/kernel-2.6.32-71.7.1.el6.nonpae.src.rpm
> 
> How complicated and time consuming would it be to use its spec file to 
> build .nonpae.centosplus kernel for all published kernels?
> 

give it a shot, submit a patch - if it can be automated, I'll even add
it to the regular buildsystem to build in parallel with the regular kernel.

- KB


Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 04:59:52 AM Nicolas Thierry-Mieg wrote:
> alphanumeric only isn't so secure-seeming is it? Is this for admins who 
> log in with a cell phone instead of a real keyboard? ;-)
> seriously: I thought the consensus was that a secure password should 
> contain at least one or more non-alphanumeric characters.

Further down in the password files some 'patterned' symbol passwords are to be 
found, for more than the root user.  Things like the obvious:
p@ssw0rd
!@#$%
let!ME!in
T!m0+#y  (Timothy, if you haven't figured it out, and it just so happened that 
it was paired with the username 'timothy' ala slashdot).

And there were various iterations of those, with differing lengths and such.  
But I'll emphasize that the one I found was very rudimentary, and I found it 
several years ago.  Algorithmic brute-forcers can be much more sophisticated 
than that.

I also found in the searches that I made that there have been numerous 
instances of the first password tried working and getting in.  I have to wonder 
if the chosen user is based on a leak of information from something like a web 
forum, or a hotmail account, or something else that has gotten hacked.  Don't 
reuse passwords, in other words.  (easier said than done, unfortunately).

Basically, if any account you have is ever compromised through password login, 
assume that password has made it into someone's dictionary.  And I'm not 
talking just ssh accounts here.  I'm thinking about the large e-mail/password 
lists recently released by lulzsec, for instance.  The blackhats I'm sure have 
many more such lists that haven't been exposed yet.

And I agree with Johnny (and others) that disabling password auth and using 
keys for SSH access is a way to go; the fly in that ointment is mitigating 
private key loss and having a mechanism in place to rapidly revoke keys in a 
secure manner.  

That and other avenues of access are used that involve web applications, etc, 
that bypass SSH-oriented controls.

Two-factor auth is better; but even that is foolable (biometrics, even; 
Mythbusters defeated simple fingerprint scanners several years ago.).  

Layered security works best; but 'working best' doesn't mean '100% effective.'
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
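
The 'patterned' passwords listed in the message above (and the substitution point made elsewhere in the thread) can be rejected when a password is set by undoing the common substitutions and comparing the result with the username and a wordlist. This is an added example, not part of the original post; the substitution table, the tiny wordlist and the function names are assumptions made for the illustration.

```python
from itertools import islice, product

# Substitutions of the kind seen in the passwords quoted in this thread.
# Some symbols are ambiguous, and '!' is also used as a mere separator.
SUBSTITUTIONS = {
    "4": ("a",), "@": ("a",), "3": ("e",), "0": ("o",),
    "$": ("s",), "5": ("s",), "+": ("t",), "7": ("t",), "#": ("h",),
    "1": ("i", "l"), "|": ("i", "l"), "!": ("i", "l", ""),
}

# Rows of a US keyboard, plain and shifted, for runs such as '!@#$%'.
KEYBOARD_ROWS = ("1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Cap on expanded forms so a long run of ambiguous symbols cannot blow up.
MAX_FORMS = 4096

# Constructed stand-in for a real wordlist (assumption for the example).
WORDS = {"password", "american", "english", "black", "letmein"}


def plain_forms(password):
    """Yield the lower-cased password with every substitution undone."""
    options = [SUBSTITUTIONS.get(ch, (ch,)) for ch in password.lower()]
    for combo in islice(product(*options), MAX_FORMS):
        yield "".join(combo)


def weak_reason(password, username, wordlist=WORDS):
    """Return why the password is guessable, or None if no rule matched."""
    lowered = password.lower()
    if len(lowered) >= 4 and any(lowered in row for row in KEYBOARD_ROWS):
        return "keyboard run"
    forms = set(plain_forms(password))
    if username.lower() in forms:
        return "same as username"
    hits = sorted(forms & set(wordlist))
    if hits:
        return f"dictionary word '{hits[0]}'"
    return None


if __name__ == "__main__":
    for user, pw in [("root", "p@ssw0rd"), ("root", "!@#$%"),
                     ("root", "let!ME!in"), ("timothy", "T!m0+#y"),
                     ("root", "4m3ric4n"), ("root", "vq9-Lr2x-Tmk8")]:
        print(f"{user}:{pw} -> {weak_reason(pw, user)}")
```

A None result only means none of these three rules matched; it says nothing about whether the password has already leaked from another site.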


Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Tuesday, December 06, 2011 08:06:55 PM James A. Peltier wrote:
> [Changing the port #] is completely and utterly retarded.  You have done 
> *NOTHING* to secure SSH by doing this.  You have instead made it only 
> slightly, and I mean ever so slightly, more secure.  A simple port scan of 
> your network would find it within seconds and start to utilize it.

Simple port scans don't scan all 65,536 possible port numbers; those scans are 
a bit too easy for IDS detection and mitigation.  Most scans only scan common 
ports; the ssh brute-forcer I found in the wild only scanned port 22; if it 
wasn't open, it went on to the next IP address.

Unusual port numbers, port knocking, and similar techniques obfuscate things 
enough to eliminate the 'honest' script-kiddie (that is, the one that doesn't 
know any more than what the log of the brute-forcer I found showed, that the 
kiddie was going by a rote script, including trying to download and install a 
*windows 2000 service pack* on the Linux server in question).  This will cut 
down the IDS noise, that's for sure.  And cutting down the information overload 
for the one tasked with reading those logs is important.

Of course, it could be argued that if you have port 22 open and you get those 
kiddies, you can block all access from those addresses with something like 
fail2ban (and pipe into your border router's ACL, if that ACL table has enough 
entries available.).

> A basic qualification to operate a computer would also be nice.  Sad thing 
> is, there is no such thing.

Microsoft has proposed such... of course, the prerequisites would likely 
include  running the latest Windows

If you get an 'Internet driver's license' you then have to have a licensing 
authority, and any time you get that sort of thing involved well, you can 
imagine how it could pan out.


Re: [CentOS] duqu

2011-12-07 Thread Always Learning

On Wed, 2011-12-07 at 12:59 +0100, Ljubomir Ljubojevic wrote:

> On 12/07/2011 12:53 PM, Always Learning wrote:
> >
> > On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:
> >
> >> There is also use of denyhosts and fail2ban. They allow only few
> >> attempts from one IP, and all users can share attacking IP's (default
> >> is every 30 min) so you are automatically protected from known
> >> attacking IP's. Any downside on this protection?
> >
> > Which is better for C 5.7 and C 6.x ?
> >
> 
> I personally use denyhosts, it felt better when I installed it several 
> years ago. Can't even remember why I thought it better.
> 
> It is best to read about its features and configuration and choose for 
> yourself. They are both good and secure, just have design differences.


Thank you.

Paul.




Re: [CentOS] duqu

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 12:53 PM, Always Learning wrote:
>
> On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:
>
>> There is also use of denyhosts and fail2ban. They allow only few
>> attempts from one IP, and all users can share attacking IP's (default
>> is every 30 min) so you are automatically protected from known
>> attacking IP's. Any downside on this protection?
>
> Which is better for C 5.7 and C 6.x ?
>

I personally use denyhosts, it felt better when I installed it several 
years ago. Can't even remember why I thought it better.

It is best to read about its features and configuration and choose for 
yourself. They are both good and secure, just have design differences.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] duqu

2011-12-07 Thread Lamar Owen
On Wednesday, December 07, 2011 05:48:24 AM Adam Tauno Williams wrote:
> *DISABLE* password authentication on public-facing [and preferably all]
> servers.  Isn't that securing a server rule#1?

Interestingly enough, there are vulnerability scanning tools out there that 
will flag the lack of a password prompt as indicating that no password is 
required; one such tool, which I can't name, is very popular in the PCI-DSS 
compliance industry.

In my particular case, I was able to convince the person running the scan that 
ssh with key-based security was better than passwords; but I could see where 
others would not be swayed, and would insist that having a password prompt is 
more secure. (of course, that somewhat ignores how key-based auth works, 
but when you are just reading the scan tool's output and taking it as 
fact..)



Re: [CentOS] duqu

2011-12-07 Thread Always Learning

On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:

> There is also use of denyhosts and fail2ban. They allow only few 
> attempts from one IP, and all users can share attacking IP's (default
> is every 30 min) so you are automatically protected from known
> attacking IP's. Any downside on this protection?

Which is better for C 5.7 and C 6.x ?

-- 
With best regards,

Paul.
England,
EU.




Re: [CentOS] duqu

2011-12-07 Thread Johnny Hughes
On 12/07/2011 04:32 AM, Ljubomir Ljubojevic wrote:
> On 12/07/2011 11:12 AM, Johnny Hughes wrote:
>> On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
>>> Lamar Owen wrote:
>>>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>>>> I happen to have a copy of an older brute-forcer dictionary here 
>>>>> (somewhere) and it's very large and has lots of very secure-seeming 
>>>>> passwords in it.
>>>>
>>>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>>>> 
>>>> root:P7zkJTma
>>>> root:5D8DY22
>>>> root:mc99ZR34Z
>>>> root:IVEUFc
>>>> root:JJc9DicA
>>>> root:zzz
>>>> root:4m3ric4n
>>>> root:3nglish
>>>> root:g0v3rm3nt
>>>> root:4zur3
>>>> root:bl4ck
>>>> root:blu3
>>>> root:br0wn
>>>> root:cy4n
>>>> root:crims0n
>>>> root:d4rkblu3
>>>> root:d4rk
>>>> root:g0ld
>>>> 
>>>>
>>>> Yeah, some of those would ordinarily be relatively secure-seeming 
>>>> passwords.
>>>
>>> alphanumeric only isn't so secure-seeming is it? Is this for admins who
>>> log in with a cell phone instead of a real keyboard? ;-)
>>> seriously: I thought the consensus was that a secure password should
>>> contain at least one or more non-alphanumeric characters.
>>
>> The real bottom line is that the only way you should allow access to
>> your machine is via keys ... having an ssh port exposed to the internet
>> that allows password logins is, at some point, going to be breached if
>> someone wants to breach it.
>>
>> You could substitute a | or a ! for some i's in the above passwords and
>> the brute force checker will find those as well.
>>
>> The real issue is that passwords are not going to cut it as your primary
>> security measure to keep people out.
>>
>> You need to limit the ssh port to allowed IP addresses (or subnets), you
>> need to use keys (maybe even keys with pins as secondary option for more
>> security) to access that "IP address controlled" ssh port, and you need
>> to turn off remote root access and allow access from other users who
>> need to run sudo to get root.
>>
>> If you leave a password controlled ssh port that allows root login
>> exposed to the Internet, then the only reason it is not breached is that
>> someone has not yet had a desire to breach it.
>>
> 
> There is also use of denyhosts and fail2ban. They allow only few 
> attempts from one IP, and all users can share attacking IP's (default is 
> every 30 min) so you are automatically protected from known attacking 
> IP's. Any downside on this protection?

No downside, and they do work.






Re: [CentOS] duqu

2011-12-07 Thread Adam Tauno Williams
On Tue, 2011-12-06 at 16:58 -0500, Lamar Owen wrote:
> On Tuesday, December 06, 2011 04:45:04 PM Johnny Hughes wrote:
> 1.) Keep up to date as much as possible (and a 24 hour window is quite short, 
> honestly, compared to the timeframes this attack appears to have occupied);
> 2.) Keep up with your servers and have tripwires for modifications;
> 3.) Keep good passwords. 

Disable password authentication.



Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 10:40 AM, Akemi Yagi wrote:
> On Wed, Dec 7, 2011 at 1:08 AM, John Hodrien  wrote:
>> On Mon, 5 Dec 2011, Lamar Owen wrote:
>>
>>> On Monday, December 05, 2011 11:11:45 AM Akemi Yagi wrote:
>>>> FYI, the ELRepo project now provides kernel-ml for EL6 [1] that
>>>> includes a non-PAE kernel [2] (thanks to Alan Bartlett). However, one
>>>> has to create an install disk/image with that kernel to perform the
>>>> installation.
>>>
>>> This is good; thanks for the pointer.  Getting the install media built might
>>> be the only issue.
>>
>> I've been running 6.0 on my 1.1GHz Pentium M non-PAE laptop.  I basically did
>> an install using anaconda to install to a directory from within C5, and then
>> installed a non-PAE kernel (kernel-2.6.32-71.7.1.el6.nonpae.i686), grubbed it
>> up and that works nicely.  As a one off that was easier than worrying about
>> respinning the install media.  It'll be documented on list exactly what I did,
>> I installed that kernel 21st August 2011, so presumably I mailed about it
>> shortly afterwards.
>
> Found it here:
>
> http://lists.centos.org/pipermail/centos/2011-August/116804.html

Akemi, there is src.rpm also:
http://repos.fedorapeople.org/repos/lkundrak/kernel-nonpae/epel-6/SRPMS/kernel-2.6.32-71.7.1.el6.nonpae.src.rpm

How complicated and time consuming would it be to use its spec file to 
build .nonpae.centosplus kernel for all published kernels?

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] duqu

2011-12-07 Thread Adam Tauno Williams
On Wed, 2011-11-30 at 13:05 -0500, m.r...@5-cent.us wrote:
> There's an article on slashdot about the Duqu team wiping all their
> intermediary c&c servers on 20 Oct. Interestingly, the report says that
> they were all (?) not only linux, but CentOS. There's a suggestion of a
> zero-day exploit in openssh-4.3, but both the original article, and
> Kaspersky labs (who have a *very* interesting post of the story) consider
> that highly unlikely, and the evidence points to brute-force attacks
> against the root password.

*DISABLE* password authentication on public-facing [and preferably all]
servers.  Isn't that securing a server rule#1?

Use shared-key authentication.



Re: [CentOS] duqu

2011-12-07 Thread Ljubomir Ljubojevic
On 12/07/2011 11:12 AM, Johnny Hughes wrote:
> On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
>> Lamar Owen wrote:
>>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>>> I happen to have a copy of an older brute-forcer dictionary here 
>>>> (somewhere) and it's very large and has lots of very secure-seeming 
>>>> passwords in it.
>>>
>>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>>> 
>>> root:P7zkJTma
>>> root:5D8DY22
>>> root:mc99ZR34Z
>>> root:IVEUFc
>>> root:JJc9DicA
>>> root:zzz
>>> root:4m3ric4n
>>> root:3nglish
>>> root:g0v3rm3nt
>>> root:4zur3
>>> root:bl4ck
>>> root:blu3
>>> root:br0wn
>>> root:cy4n
>>> root:crims0n
>>> root:d4rkblu3
>>> root:d4rk
>>> root:g0ld
>>> 
>>>
>>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
>>
>> alphanumeric only isn't so secure-seeming is it? Is this for admins who
>> log in with a cell phone instead of a real keyboard? ;-)
>> seriously: I thought the consensus was that a secure password should
>> contain at least one or more non-alphanumeric characters.
>
> The real bottom line is that the only way you should allow access to
> your machine is via keys ... having an ssh port exposed to the internet
> that allows password logins is, at some point, going to be breached if
> someone wants to breach it.
>
> You could substitute a | or a ! for some i's in the above passwords and
> the brute force checker will find those as well.
>
> The real issue is that passwords are not going to cut it as your primary
> security measure to keep people out.
>
> You need to limit the ssh port to allowed IP addresses (or subnets), you
> need to use keys (maybe even keys with pins as secondary option for more
> security) to access that "IP address controlled" ssh port, and you need
> to turn off remote root access and allow access from other users who
> need to run sudo to get root.
>
> If you leave a password controlled ssh port that allows root login
> exposed to the Internet, then the only reason it is not breached is that
> someone has not yet had a desire to breach it.
>

There is also use of denyhosts and fail2ban. They allow only few 
attempts from one IP, and all users can share attacking IP's (default is 
every 30 min) so you are automatically protected from known attacking 
IP's. Any downside on this protection?


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] duqu

2011-12-07 Thread Johnny Hughes
On 12/07/2011 03:59 AM, Nicolas Thierry-Mieg wrote:
> Lamar Owen wrote:
>> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>>> I happen to have a copy of an older brute-forcer dictionary here 
>>> (somewhere) and it's very large and has lots of very secure-seeming 
>>> passwords in it.
>>
>> I ran down the copy I have; here's an excerpt of one of the dictionaries:
>> 
>> root:P7zkJTma
>> root:5D8DY22
>> root:mc99ZR34Z
>> root:IVEUFc
>> root:JJc9DicA
>> root:zzz
>> root:4m3ric4n
>> root:3nglish
>> root:g0v3rm3nt
>> root:4zur3
>> root:bl4ck
>> root:blu3
>> root:br0wn
>> root:cy4n
>> root:crims0n
>> root:d4rkblu3
>> root:d4rk
>> root:g0ld
>> 
>>
>> Yeah, some of those would ordinarily be relatively secure-seeming passwords.
> 
> alphanumeric only isn't so secure-seeming is it? Is this for admins who 
> log in with a cell phone instead of a real keyboard? ;-)
> seriously: I thought the consensus was that a secure password should 
> contain at least one or more non-alphanumeric characters.

The real bottom line is that the only way you should allow access to
your machine is via keys ... having an ssh port exposed to the internet
that allows password logins is, at some point, going to be breached if
someone wants to breach it.

You could substitute a | or a ! for some i's in the above passwords and
the brute force checker will find those as well.

The real issue is that passwords are not going to cut it as your primary
security measure to keep people out.

You need to limit the ssh port to allowed IP addresses (or subnets), you
need to use keys (maybe even keys with pins as secondary option for more
security) to access that "IP address controlled" ssh port, and you need
to turn off remote root access and allow access from other users who
need to run sudo to get root.

If you leave a password controlled ssh port that allows root login
exposed to the Internet, then the only reason it is not breached is that
someone has not yet had a desire to breach it.




___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
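
The sshd settings recommended in the message above (keys only, no remote root login) can be checked mechanically. This is an added example, not part of the original post: a small auditor for sshd_config text that honours sshd's rule that the first value obtained for a keyword wins and that looks inside Match blocks. Both sample configurations are constructed, and the DEFAULTS table is an assumption about the built-in defaults of an OpenSSH of the thread's era.

```python
import re

# Assumed built-in defaults when a keyword is absent (older OpenSSH).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

# Keywords that must be 'no' for "keys only, no direct root login".
CHECKS = {
    "passwordauthentication": "password logins are accepted",
    "challengeresponseauthentication":
        "keyboard-interactive logins (a PAM password prompt) are accepted",
    "permitrootlogin": "root may log in directly",
}

# Constructed: looks hardened at a glance, but the earlier lines win and a
# Match block switches passwords back on for one network.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin without-password
# hardening appended later; ignored, the values above were obtained first
PasswordAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed: the settings the thread recommends, plus a source restriction.
HARDENED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers deploy@192.0.2.*
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, matches = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                      # block runs to next Match or EOF
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value)      # first obtained value wins
    return global_cfg, matches


def audit(text):
    """Return [(scope, keyword)] for every setting that is not 'no'."""
    global_cfg, matches = parse_sshd_config(text)
    findings = []
    for key in CHECKS:
        if global_cfg.get(key, DEFAULTS[key]).lower() != "no":
            findings.append(("global", key))
    for criteria, cfg in matches:
        for key in CHECKS:
            if key in cfg and cfg[key].lower() != "no":
                findings.append((f"Match {criteria}", key))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for scope, key in audit(cfg) or [("-", None)]:
            print("  ", scope, CHECKS.get(key, "no findings"))
```

The auditor reads the file only; restricting the port to known source addresses at the firewall, as the message also recommends, has to be checked separately.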


Re: [CentOS] duqu

2011-12-07 Thread Nicolas Thierry-Mieg
Lamar Owen wrote:
> On Tuesday, December 06, 2011 04:58:42 PM Lamar Owen wrote:
>> I happen to have a copy of an older brute-forcer dictionary here (somewhere) 
>> and it's very large and has lots of very secure-seeming passwords in it.
>
> I ran down the copy I have; here's an excerpt of one of the dictionaries:
> 
> root:P7zkJTma
> root:5D8DY22
> root:mc99ZR34Z
> root:IVEUFc
> root:JJc9DicA
> root:zzz
> root:4m3ric4n
> root:3nglish
> root:g0v3rm3nt
> root:4zur3
> root:bl4ck
> root:blu3
> root:br0wn
> root:cy4n
> root:crims0n
> root:d4rkblu3
> root:d4rk
> root:g0ld
> 
>
> Yeah, some of those would ordinarily be relatively secure-seeming passwords.

alphanumeric only isn't so secure-seeming is it? Is this for admins who 
log in with a cell phone instead of a real keyboard? ;-)
seriously: I thought the consensus was that a secure password should 
contain at least one or more non-alphanumeric characters.


Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Akemi Yagi
On Wed, Dec 7, 2011 at 1:03 AM, John Hodrien  wrote:
> On Tue, 6 Dec 2011, Karanbir Singh wrote:
>
>> On 12/05/2011 07:00 PM, m.r...@5-cent.us wrote:
>>>> I thought CentOS6 didn't come with a non-PAE kernel, more specifically,
>>>> the standard 32bit kernel requires PAE even if it doesn't have PAE in its
>>>> name.
>>>
>>> I hadn't followed that development. *sigh*
>>
>> I believe that is true of CentOS-5 as well.
>
> As in the latest C5 kernels require PAE?

C5 kernels still come in two flavours, standard (kernel) and PAE (kernel-PAE).

Akemi


Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread Akemi Yagi
On Wed, Dec 7, 2011 at 1:08 AM, John Hodrien  wrote:
> On Mon, 5 Dec 2011, Lamar Owen wrote:
>
>> On Monday, December 05, 2011 11:11:45 AM Akemi Yagi wrote:
>>> FYI, the ELRepo project now provides kernel-ml for EL6 [1] that
>>> includes a non-PAE kernel [2] (thanks to Alan Bartlett). However, one
>>> has to create an install disk/image with that kernel to perform the
>>> installation.
>>
>> This is good; thanks for the pointer.  Getting the install media built might
>> be the only issue.
>
> I've been running 6.0 on my 1.1GHz Pentium M non-PAE laptop.  I basically did
> an install using anaconda to install to a directory from within C5, and then
> installed a non-PAE kernel (kernel-2.6.32-71.7.1.el6.nonpae.i686), grubbed it
> up and that works nicely.  As a one off that was easier than worrying about
> respinning the install media.  It'll be documented on list exactly what I did,
> I installed that kernel 21st August 2011, so presumably I mailed about it
> shortly afterwards.

Found it here:

http://lists.centos.org/pipermail/centos/2011-August/116804.html


Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread John Hodrien
On Mon, 5 Dec 2011, Lamar Owen wrote:

> On Monday, December 05, 2011 11:11:45 AM Akemi Yagi wrote:
>> FYI, the ELRepo project now provides kernel-ml for EL6 [1] that
>> includes a non-PAE kernel [2] (thanks to Alan Bartlett). However, one
>> has to create an install disk/image with that kernel to perform the
>> installation.
>
> This is good; thanks for the pointer.  Getting the install media built might
> be the only issue.

I've been running 6.0 on my 1.1GHz Pentium M non-PAE laptop.  I basically did
an install using anaconda to install to a directory from within C5, and then
installed a non-PAE kernel (kernel-2.6.32-71.7.1.el6.nonpae.i686), grubbed it
up and that works nicely.  As a one off that was easier than worrying about
respinning the install media.  It'll be documented on list exactly what I did,
I installed that kernel 21st August 2011, so presumably I mailed about it
shortly afterwards.

I have no objections to Redhat dropping support for hardware they're not
interested in, old or new.  It's entirely up to them, and I really doubt
they're inconveniencing many customers with this decision.

jh


Re: [CentOS] Intel SE7210TP1-E giving memory errors

2011-12-07 Thread John R Pierce
On 12/07/11 12:55 AM, John Hodrien wrote:
> In my limited experience, if you can disable ECC in your BIOS, memtest is just
> as good at spotting errors on ECC as non-ECC.  With ECC enabled, you'll need
> seriously messed up ECC before it'll be detected.

except with ECC disabled, the extra 8 ECC bits per 64bit memory word 
aren't touched at all.

I'd leave ECC on, and skip running memtest entirely, just run real OS 
workloads and let the ECC do the memory test on the fly, as it's meant to.

does linux have an ECC scrubber process?   'real' Unix servers (Solaris, 
AIX, etc) generally have a background process, sometimes it's part of the 
Idle process, that does a read/write of every memory location when the 
machine is otherwise idle, this catches and fixes soft ECC errors in 
otherwise idle memory, which in turn gets logged.  Solaris (on Sun Sparc 
hardware at least) keeps track of what locations have had bad memory, 
and will stop using a memory page entirely (with a logged alert) if 
there are too many soft ECC errors in the same area.

-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast



Re: [CentOS] 6.1 .iso size?

2011-12-07 Thread John Hodrien
On Tue, 6 Dec 2011, Karanbir Singh wrote:

> On 12/05/2011 07:00 PM, m.r...@5-cent.us wrote:
>>> I thought CentOS6 didn't come with a non-PAE kernel, more specifically,
>>> the standard 32bit kernel requires PAE even if it doesn't have PAE in its
>>> name.
>>
>> I hadn't followed that development. *sigh*
>>>
>
> I believe that is true of CentOS-5 as well.

As in the latest C5 kernels require PAE?

jh


Re: [CentOS] Intel SE7210TP1-E giving memory errors

2011-12-07 Thread John Hodrien

On Mon, 5 Dec 2011, Ljubomir Ljubojevic wrote:

> On 12/05/2011 12:00 PM, John R Pierce wrote:
>> On 12/05/11 2:57 AM, Ljubomir Ljubojevic wrote:
>>> Download Hiren's BootCD and use bundled Memory Test if your way is
>>> complicated.
>>
>> that won't do much to detect soft ECC errors, will it?
>
> They are (there are 4-5 apps) checking various patterns in memory (write
> then read), and you can run it for a longer period of time.
>
> As for ECC errors I can not say, I never ever used ECC memory or got
> familiar with it.

In my limited experience, if you can disable ECC in your BIOS, memtest is just
as good at spotting errors on ECC as non-ECC.  With ECC enabled, you'll need
seriously messed up ECC before it'll be detected.

jh