Re: [CentOS-es] Fwd: Re: Choosing a firewall distro
Ss§

Sent from my Movistar BlackBerry

-----Original Message-----
From: may...@maykel.sytes.net
Sender: centos-es-boun...@centos.org
Date: Thu, 29 Dec 2011 17:10:12
To: centos-es@centos.org
Reply-To: centos-es@centos.org
Subject: Re: [CentOS-es] Fwd: Re: Choosing a firewall distro

Thanks a lot.
Re: [CentOS-es] Fwd: Re: Choosing a firewall distro
Maykel, this link is a good start: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

C.R.

On 29 December 2011 09:48, Maykel Franco Hernández may...@maykel.sytes.net wrote:
> For about 6 years now I have been administering debian, ubuntu, centos and opensuse. I would like to learn more about FreeBSD because I hear nothing but wonders about it, but I remember that I once tried to implement a mail server script that was easy in theory and it threw compilation errors all over the place. I would like to get into FreeBSD because as a server it is rock solid. In any case, if anyone knows of a tutorial page or docs for FreeBSD, I would appreciate it. Regards.

--
Carlos Restrepo M.
Systems Administrator.
Re: [CentOS-es] Fwd: Re: Choosing a firewall distro
maykel, and here in Spanish: http://www.freebsd.org/es/

C.R

On 29 December 2011 09:48, Maykel Franco Hernández may...@maykel.sytes.net wrote:
> For about 6 years now I have been administering debian, ubuntu, centos and opensuse. I would like to learn more about FreeBSD because I hear nothing but wonders about it, but I remember that I once tried to implement a mail server script that was easy in theory and it threw compilation errors all over the place. I would like to get into FreeBSD because as a server it is rock solid. In any case, if anyone knows of a tutorial page or docs for FreeBSD, I would appreciate it. Regards.

--
Carlos Restrepo M.
Systems Administrator.
[CentOS-es] Fwd: Re: Choosing a firewall distro
For about 6 years now I have been administering debian, ubuntu, centos and opensuse. I would like to learn more about FreeBSD because I hear nothing but wonders about it, but I remember that I once tried to implement a mail server script that was easy in theory and it threw compilation errors all over the place. I would like to get into FreeBSD because as a server it is rock solid. In any case, if anyone knows of a tutorial page or docs for FreeBSD, I would appreciate it. Regards.

On 29/12/11 00:09, Victor Padro wrote:
> 2011/12/28 Jose Manuel Ajhuacho Vargas jose_t...@yahoo.es:
>
> +1 for pfsense, but you have other options; zential is another appliance that may interest you.
>
> Sincerely, Jose Manuel
> GPG Key ID: UBCMEOLVQMHEILINJBE
>
> --- On Wed, 28/12/11, Edg@r Rodolfo edgarr...@gmail.com wrote:
>
> From: Edg@r Rodolfo edgarr...@gmail.com
> Subject: Re: [CentOS-es] Choosing a firewall distro
> To: centos-es@centos.org
> Date: Wednesday, 28 December 2011 19:00
>
> Edguit@r http://espejobinario.blogspot.com
>
> On 28 December 2011 07:15, may...@maykel.sytes.net wrote:
>
> Hi there, I am thinking of setting up a firewall at home to practice routing, tinker a bit with traffic and learn. Iptables is very good, it is integrated into the linux kernel and that is all very well because it is very streamlined, but I was looking for a distro that is administered via the web and comes with it already implemented; I have found the following:
>
> The cleanest way, and where you really learn, is without an interface; you can connect over ssh and get into your box, and you can do everything you describe with pf (NetBSD, FreeBSD, OpenBSD), ipfilter (NetBSD), ipfw (native to FreeBSD). I prefer pf on FreeBSD and NetBSD for firewalls; you can do many interesting things. Pfsense uses pf as its firewall and is very good if you want things quickly, but in my opinion you can do most things with plain Freebsd, such as router, nat, proxy, etc.; what is more, you know what you are doing, with pfsense you don't, but it is very good.
>
> smoothwall, clearos, ipcop, pfsense, ebox
>
> I would go for pfsense (freeBSD), since it handles the TCP/IP stack very well. I also liked clearOS a lot. Has anyone tried any of them and can advise me??
>
> I have tried FreeBSD (pfsense was born from it) and NetBSD (take a look at it, it is very good too); if you decide to use them for servers you will not regret it, as good as CentOS, but it is not gnu/linux.
>
> It would be for protecting ports, routing traffic, setting up vpn, possible traffic problems, statistics...etc.
>
> pf is a marvel for all of that; freebsd has phpsysinfo in ports, with that you can see how the server is doing.
>
> Regards.
>
> Don't forget TO PUT OT in the subject when you are dealing with something that is not related to CentOS
>
> Pfsense is the best there is...it is the closest thing to appliances from Nokia, Sonicwall, Cisco, etc. And best of all, it is very friendly and has a community as big as CentOS's. I would recommend that you choose Pfsense; you will see that you won't regret it. Regards.
Re: [CentOS-es] Fwd: Re: Choosing a firewall distro
Thanks a lot.

On 2011-12-29 16:09, carlos restrepo wrote:
> Maykel, this link is a good start: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
>
> C.R.
[CentOS-es] OCFS2 and OCFS2 Tools for CentOS 6 64 bit
Hi all, does anyone know where I could download the RPM packages for ocfs2 tools and ocfs2???

If worst comes to worst I will compile the tar.gz files.

Thanks. Regards.
Re: [CentOS-es] OCFS2 and OCFS2 Tools for CentOS 6 64 bit
On 12/29/2011 03:48 PM, Sergio Villalba wrote:
> Hi all, does anyone know where I could download the RPM packages for ocfs2 tools and ocfs2???

on oracle's linux site, you will find them there

regards
epe

> If worst comes to worst I will compile the tar.gz files.
>
> Thanks. Regards.
Re: [CentOS-es] Fwd: Re: Choosing a firewall distro
On 29 December 2011 09:48, Maykel Franco Hernández may...@maykel.sytes.net wrote:
> For about 6 years now I have been administering debian, ubuntu, centos and opensuse. I would like to learn more about FreeBSD because I hear nothing but wonders about it, but I remember that I once tried to implement a

You have to experience those wonders for yourself and not be left wanting

> mail server script that was easy in theory and it threw compilation errors all over the place.

Surely something was wrong, and I don't think it is FreeBSD's fault

> I would like to get into FreeBSD because as a server it is rock solid. In any case, if anyone knows of a tutorial page or docs for FreeBSD, I would appreciate it.

Did you go through the handbook?? It is the best there is; you should start there and then practice.

> Regards.
Re: [CentOS] why not have yum-updatesd running by default?
On Wed, Dec 28, 2011 at 11:33 AM, Jim Wildman j...@rossberry.com wrote:
> The 'E' in CentOS stands for Enterprise. Enterprises use change control. Servers do not update themselves whenever they see an update. Updates are tested (not so much), approved and scheduled, hopefully in line with a maintenance window. In most enterprises that I've been in, a server can't even contact the default repo servers. And remember that for a RHEL server, it has to be registered with RHN before it can officially receive updates. Defaulting yum-updatesd to on will be a no-op in almost every 'enterprise' case.
>
> Enterprises also don't hang servers directly off the Internet. There are many layers betwixt the wild web and the OS.
>
> In the decade plus that I've been running RHEL, I've seen 1 update that was worthy of an emergency change to push it out RIGHT NOW to the servers. And even that one didn't really need to be done.
>
> --
> Jim Wildman, CISSP, RHCE j...@rossberry.com http://www.rossberry.net
> Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one. Thomas Paine

To be more clear, I wasn't saying that for the particular people on this list, of whom many are professional sysadmins, that it would be the best option. I'm talking about the majority of users who have leased a dedicated server or a VPS for $5-$50 per month, and cannot ever be realistically expected to change much of the defaults. In that situation, you're weighing the likelihood, and the undesirability, of two outcomes: either (1) the machine ends up going down temporarily because of a bad update, or (2) the machine ends up being hacked and attacking other networks because it wasn't receiving updates.

(Side note: my friend replied to clarify that the kernel exploit he was talking about that was found in March of this year, was one that allowed a local user to gain root privilege, not one that allowed a remote user to get in through the webserver or sshd. So let's say it really is true that running automatic yum updates is not the most important thing to keep out remote users, and that the majority of webserver hacks do occur through out-of-date web apps. Then replace everything I said with "update the web apps" instead of "installing the yum update patches".)

Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)

Look, one may think that root access to dedicated servers (and virtual/dedicated servers, which are almost as powerful/dangerous) should never be given out to people who haven't been professionally trained. (Some people still say that about net-connected computers generally!) But that can never be rolled back now, as long as hosting companies can legally sell unmanaged dedicated/VPS machines to the public, they will. So what can be done to reduce the risks?

Or look at it this way: Suppose the government or some foundation offered a $1 million prize for any proposal that permanently lowered the rate at which CentOS servers were compromised. If you actually come up with a solution that lowers the rate, you get the money, but if you say that all end users should do such-and-such (and they don't), then you get nothing. What would your proposal be?

My suggestion would be:

1) Implement an API call on the OS for "send this message to the machine owner". When the OS is installed on the machine, the person installing it decides how the "notify" call would be implemented -- send an email to an address, send a SMS message, whatever. If a hosting company sets it up, they could implement the call so that it automatically opens a new support ticket waiting for the customer's attention.

The reason for #1 is that if the OS wants to notify the machine admin that there's a problem, then -- at least in the case of a remotely hosted cheap server or VPS -- you can't rely on the admin logging in and seeing the message. You have to proactively grab their attention somehow. Then you could use this function call for lots of things, but most importantly for #2:

2) Implement some sort of scanner program (enabled by default) that would regularly scan the machine, not just for known viruses, but for *anything* that was known to be a frequent vector for attacks, that was not configured to update itself automatically. And:

- If the scanner finds an app that is not configured to update itself automatically, it sends a low-priority message (using #1) saying "There are no known exploits for this thing right now, but you really ought to turn on updates for it."
- If the scanner finds a web app like WordPress that *cannot* update itself automatically, say This
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Wed, Dec 28, 2011 at 6:10 AM, Johnny Hughes joh...@centos.org wrote:
> On 12/27/2011 10:42 PM, Bennett Haselton wrote:
> Everything installed on the machine had been installed with yum. So I assumed that meant that it would also be updated by yum if an update was available from the distro.
>
> 1. Are you running PHP apps on the web server? Perl apps? Bad code in dynamic apps is the main way security breaches happen if via apache. And in those cases is usually the ability to execute some script (sometimes one that the bad guys upload first) that is the issue. Many times this happens because programmers of the dynamic (php, perl, python, ruby, etc.) do not properly vet the input of some form or other item.

The only popular third-party script on the server was glype from www.glype.com. I don't know if it's popular enough (compared to, say, WordPress) to make it worthwhile for the bad guys to have developed an exploit against it. On the other hand, if they used an automated tool that can be pointed to *any* PHP script and probe it for weaknesses, they could have found something.

> 2. Why have password logins at all? Using a secure ssh key only for logins makes the most sense.

Well that's something that I'm curious about the reasoning behind -- if you're already using a completely random 12-character password, why would it be any more secure to use an ssh key? Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

> 3. Please do not top post.

My bad. Gmail default. :)
[CentOS] RHEV guest tools
Hi all,

We're running RHEV as our main virtualization platform. Most of our guests are CentOS though. Do you guys know if there's a guest tools package for CentOS available like there is for Windows for example? Can't really find an answer here.

--
Met vriendelijke groeten / With kind regards,
Johan Kooijman
T +31(0) 6 43 44 45 27
F +31(0) 162 82 00 01
E m...@johankooijman.com
Re: [CentOS] Ad integration with centos 6
I wrote an article some time ago for CentOS 6 and have been using this setup in production since.

http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/

My servers that interact with AD allow both AD based file sharing and also SSH access. The most updated configs I use can be found here, https://github.com/treydock/puppet-samba. I just added recent changes where I use AD groups to delegate access to the Linux server. This works with 2008 R2.

- Trey

On Fri, Dec 23, 2011 at 12:23 AM, dnk d.k.emailli...@gmail.com wrote:
> Can anyone point me to a tutorial on using Active Directory to authenticate a centos 6 server? I just want to use it to authenticate, ssh and restrict access to a particular ad group. I prefer to use the lightest method possible. I know you can use ldap, or winbind, etc. I have been trying to follow the ones I have been googling, but none of them seem quite complete. My issue is that I have no ldap experience.
>
> Dnk
Re: [CentOS] RHEV guest tools
On Dec 29, 2011 2:25 AM, Johan Kooijman m...@johankooijman.com wrote:

Hi all, We're running RHEV as our main virtualization platform. Most of our guests are CentOS though. Do you guys know if there's a guest tools package for CentOS available like there is for Windows for example? Can't really find an answer here.

-- Met vriendelijke groeten / With kind regards, Johan Kooijman T +31(0) 6 43 44 45 27 F +31(0) 162 82 00 01 E m...@johankooijman.com

I don't use RHEV (yet) but being that it's based on KVM and libvirt I don't think you need guest tools. When you configure in RHEV Manager does it identify the paravirtual devices as virtio? If so then it's standard in the kernel used by CentOS since around 5.5. I run all my CentOS VMs on the KVM / libvirt platform and systems install fine without any additional tools. The only additional thing I install is acpid to allow the VM manager to perform shutdowns and reboots.

- Trey
Re: [CentOS] RHEV guest tools
I don't use RHEV (yet) but being that it's based on KVM and libvirt I don't think you need guest tools. When you configure in RHEV Manager does it identify the paravirtual devices as virtio? If so then it's standard in the kernel used by CentOS since around 5.5. I run all my CentOS VMs on the KVM / libvirt platform and systems install fine without any additional tools. The only additional thing I install is acpid to allow the VM manager to perform shutdowns and reboots.

My bad, indeed, the guest OS works perfect. What I'm looking for is the extra data RHEVM can provide that it gets from the guest tools, like IP, memory use etc. See http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a Windows machine with the guest tools installed.

-- Met vriendelijke groeten / With kind regards, Johan Kooijman T +31(0) 6 43 44 45 27 F +31(0) 162 82 00 01 E m...@johankooijman.com
Re: [CentOS] NFS options in fstab
On 29/12/2011 14:25, Daniel Bird wrote:

Hi All, I've a quick question I'm hoping someone can help out on; One of our NFS servers has an intermittent hard lock problem under high load. This is a CentOS 5.7 box. It's due for replacement sometime next year. However... The issue is when this box dies the boxes that mount the NFS exports have trouble with the mount and some processes time out causing the system mounting the file system to become unresponsive also. Of course unmounting the file system with -l fixes it. This is an example of our current mount options in fstab

hostname:/share1/ /mountpoint nfs rw,intr,soft,bg 0 0

The question is, what (other) options should we be using to allow the mounting server to ignore/fail/timeout the mount, or at least continue normal processing, when the NFS server packs up?

Ahhh, I should read the man pages more carefully!! Just found this

retry=n The number of minutes to retry an NFS mount operation in the foreground or background before giving up. The default value for foreground mounts is 2 minutes. The default value for background mounts is 1 minutes, which is roughly one week.

So retry=2 would give the same behavior on background mounts as foreground mounts I reckon.

FYI we can't move to NFS4 since we've some old boxes running Solaris 8 mounting this filesystem also, which cannot be upgraded Solaris 10 to support v4.

All the best Dan
Re: [CentOS] asus-wmi.ko for Asus G73Sw running CentOS 6.2
On 29/12/11 04:27, Rob Kampen wrote:

Hi List, Just loaded our favorite OS onto my new ASUS laptop. Practically everything worked out of the box - I used the live DVD to check things out and installed from there. I have followed http://forum.notebookreview.com/asus-gaming-notebook-forum/553474-g73-asus-wmi-linux-driver-i-need-your-help-6.html to get suspend working and also to get function keys working for LCD screen backlight controls working (Fn F5 and Fn F6). Upon further searches I find that there is a kernel module asus-wmi.ko available in some distros that also allows some of the other Asus functions to operate - of particular interest is the keyboard backlight (Fn F3 and Fn F4) as well as the master backlight on/off key to function. Question, does anyone know where and how to locate this (asus-wmi.ko) and get it functioning under CentOS 6.2?

Well, let's see if it's a part of el6:

$ find /lib/modules/ -name asus-wmi.ko

No, that doesn't find it. Looking at more recent kernel sources, I see it's present in kernel-2.6.39 but not present in 2.6.35, so it was introduced somewhere between the two.

I am prepared to set up the required build environment - but need some assistance as this is really at the limits of my experience. I have rebuilt the kernel to remove patches with some success previously and will have to dust off this knowledge if required.

As mentioned previously, this is exactly what elrepo.org does, so if you pop over to: http://elrepo.org/bugs and file an RFE against el6 for asus-wmi.ko we will attempt to backport the module to el6 for you. All we ask in return is that you test the module and provide feedback as to whether it works for you. Thanks.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
夜神 岩男 wrote:

On 12/30/2011 12:00 AM, m.r...@5-cent.us wrote:

夜神 岩男 wrote:

On 12/29/2011 10:21 PM, Marko Vojinovic wrote:

On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:

On 29.12.2011 12:56, Leonard den Ottolander wrote:

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

On 29.12.2011 09:17, Bennett Haselton wrote:

snip

When traveling I log in to my home server and work servers with my laptop. It's really a *lot* easier than using a bunch of password schemes.

snip

Ah, that brings to mind another issue with only passwords: synchronization. I worked as a subcontractor for a *huge* US co a few years ago. I've *never* had to write passwords down... but for there, I had a page of them! Our group's, the corporate test systems, the corporate *production* systems, and *each* had their own, along with their own password aging (there was *no* single sign-on), the contracting co's

Ah, forgot about that because it's no longer a problem for me anymore. Using the same password on two systems is a religiously-to-be-observed rule that *most* users violate.

snip

Yeah, but this was *corporate*: systems I had no access to other than as a user, with very limited sudo. I was *appalled* that they didn't have single sign-on.

mark
Re: [CentOS] 6.2 release: a thank you
On Thu, 2011-12-29 at 11:42 +0100, Leonard den Ottolander wrote:

The pango warning is an issue with the old package that got removed, but the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from the CR repo) still has that incorrect directory (/etc/gtk-2.0/x86_64-unknown-linux-gnu/)

After downloading the same package from the 6.2 tree I see this got fixed. How do I update old packages from CR to the current tree again?

Regards, Leonard.

-- mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 12/29/2011 01:19 PM, m.r...@5-cent.us wrote:

Johnny Hughes wrote:

On 12/29/2011 01:01 PM, John Broome wrote:

On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:

On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?

No, they rolled it out as a Linux distribution. Believe it or not, people do other things besides run Oracle databases on Linux :) I am sure they will certify their database systems on OEL 6.x in the future. They can't very well (at least not with a straight face) tell Red Hat that RHEL6 is not certified while saying that OEL6 is certified can they? If they do that for very long, they will be breaching their support agreements.

snip

Let me also note that whatever else Oracle is, they're not stupid when it comes to selling, and there are many, many more RHEL installations than there are OUL.

But if you have a license for rhel6, you can also run rhel5 ... therefore, they get their supported sales by supporting rhel5, while still claiming their kernel is better and trying to drive people to their product. Where is their incentive to support rhel6 until much closer to March 31, 2017 (rhel5 EOL Date).
Re: [CentOS] RHEV guest tools
On 12/29/2011 10:26 AM, Trey Dockendorf wrote:

On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote:

On 12/29/2011 02:21 PM, Johnny Hughes wrote:

Would this spec file (and source tar ball) build the proper package? If not, where would I get it. I would be happy to build the proper source for centos extras for CentOS guests.

let's see if we can get the entire ovirt stack done - it's quite a pain building it at the moment though, but if a couple of people want to help - we might be able to get that in

- KB

I can attest to the difficulty of that build. I tried using FC16 srpms against 6.1 using mock and I spent an entire day with no luck. Wrote scripts that would yumdownload srpms then attempt a build then download missing deps and retry. Got to the point where only one new package would build then failed on kernel versions. Though 6.2 should much more closely match what upstream uses as I believe RHEV 3 will be released for 6.2. Any idea if the full RHEV suite will be open sourced and eventually available in CentOS? Both the rhev hypervisor and manager. I've lost the fight at my org to buy the product. If you need any extra help with the build I'd be willing to assist. Been following Ovirt closely.

Do you specifically have the guest tools SRPMS, which is something we can do first and also come up with the whole stack later.
[CentOS] Centos 6.X compatible to ORACLE DB verssion????
Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2. Any official document say that? Thanks.
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 12/29/2011 01:01 PM, John Broome wrote:

On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:

On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?

No, they rolled it out as a Linux distribution. Believe it or not, people do other things besides run Oracle databases on Linux :) I am sure they will certify their database systems on OEL 6.x in the future. They can't very well (at least not with a straight face) tell Red Hat that RHEL6 is not certified while saying that OEL6 is certified can they? If they do that for very long, they will be breaching their support agreements.

If their goal is to move people off RHEL and to OEL (I think it is), then not certifying the latest version while trying to convert people seems like the way to go. Once they have a bunch of converts, then they certify OEL6 and some short time later RHEL6. They need to wait though, until they make the kernel better support the Oracle database though, like they did for OEL5. In the meantime, they get their super whamidyne kernel for OEL5 in the press ... the only real thing they promote as different between RHEL5 and OEL5 ... which gives their linux better and quicker Oracle database support and they try grabbing customers with that difference.
Re: [CentOS] why not have yum-updatesd running by default?
On Thu, Dec 29, 2011 at 1:10 PM, Bennett Haselton benn...@peacefire.org wrote:

If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the does it still work test will be unique to your services.

But these are all considerations mainly for power users; I'm still talking just about the vast majority of hosting company customers who just lease a dedicated or virtual private server, and don't even have a test server and a production server. Why wouldn't it be best for those servers just to pick up and install updates automatically?

There's a chance it will break your service. If that isn't important enough for you to test, then yes, you should update automatically, but you don't get to blame someone else when it does break. It has to be your choice. But you are pretty much guaranteed to have known vulnerabilities if you don't update. All you have to do is look at the changelogs to see that.

Mine is to assume that there are very good reasons for 'Enterprise' distributions to go to the trouble of publishing updates. Install them. Always assume that there are still more vulnerabilities that you don't know about yet - and if you have to ask the question, you aren't going to do better than the developers and Red Hat at keeping up with them.

Yes this is good advice for the individual user; what I was asking is what set of *defaults* would improve security the most for the vast majority of users (who cannot be counted on to change defaults -- or, indeed, to follow any advice that anyone thinks everyone should do!).

There is always a tradeoff between convenience and security and one size doesn't fit all. If everything on the site is public anyway then the most you have to lose is the service of the machine. If there is something valuable to steal then you should be prepared to do some extra work to protect it. In any case don't install or expose any services that aren't absolutely needed.

-- Les Mikesell lesmikes...@gmail.com
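The routine described in the message above (run the update on a lab server, confirm the service still works, then repeat it on production) can be scripted along these lines. This is an added example, not code from the thread: the function names and the smoke-test command are assumptions, and the yum command is passed in as a parameter so the logic can be exercised with a stub on a machine without yum.

```shell
#!/bin/sh
# Added example (not from the thread): run on the lab server, e.g. from cron.
# It applies pending updates, runs a service-specific smoke test, and prints
# a verdict that says whether to repeat the update on the production box.

# yum(8): "check-update" exits 0 when nothing is pending, 100 when updates
# are available, and 1 on error. Treating 100 as a plain failure (for example
# under "set -e") is the usual mistake in scripts like this.
classify_check_update() {
    case "$1" in
        0)   echo none ;;
        100) echo pending ;;
        *)   echo error ;;
    esac
}

# lab_gate YUM SMOKE_CMD
#   YUM        command to run as yum (normally just "yum")
#   SMOKE_CMD  the "does it still work" test, unique to your service,
#              e.g. "curl -fsS -o /dev/null http://localhost/" (hypothetical)
# Prints one of: nothing-to-do | promote | hold | error
lab_gate() {
    gate_yum=$1
    gate_smoke=$2

    # Capture the exit status without letting 100 abort the script.
    gate_rc=0
    $gate_yum -q check-update >/dev/null 2>&1 || gate_rc=$?

    case "$(classify_check_update "$gate_rc")" in
        none)  echo nothing-to-do; return 0 ;;
        error) echo error; return 0 ;;
    esac

    # Updates are pending: apply them on the lab box first.
    if ! $gate_yum -y update >/dev/null 2>&1; then
        echo error
        return 0
    fi

    # Only a passing smoke test clears the same update for production.
    if $gate_smoke >/dev/null 2>&1; then
        echo promote
    else
        echo hold
    fi
}

# Typical call on the lab server:
#   verdict=$(lab_gate yum "curl -fsS -o /dev/null http://localhost/")
```

A "hold" verdict means the lab box is now updated and broken, which is the case the message says you want to find before production does.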
Re: [CentOS] why not have yum-updatesd running by default?
Bennett Haselton wrote:

On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell lesmikes...@gmail.com wrote:

Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)

If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the does it still work test will be unique to your services.

But these are all considerations mainly for power users; I'm still talking just about the vast majority of hosting company customers who just lease a dedicated or virtual private server, and don't even have a test server and a production server. Why wouldn't it be best for those servers just

snip

A. If you are a business, and don't have a test/development server, you're an idiot, and will be out of business shortly, broke, after too many errors in production. And before you say anything, in addition to huge companies, I've worked for companies as small as 12 and even 6, and *everyone* had a test/development servers.

B. Hosting providers, if you're not buying colo, do the testing and rollout of updates themselves, not trusting to the vast majority of hosting company customers to update with bug and security fixes.

mark
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
Johnny Hughes wrote:

On 12/29/2011 01:01 PM, John Broome wrote:

On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:

On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?

No, they rolled it out as a Linux distribution. Believe it or not, people do other things besides run Oracle databases on Linux :) I am sure they will certify their database systems on OEL 6.x in the future. They can't very well (at least not with a straight face) tell Red Hat that RHEL6 is not certified while saying that OEL6 is certified can they? If they do that for very long, they will be breaching their support agreements.

snip

Let me also note that whatever else Oracle is, they're not stupid when it comes to selling, and there are many, many more RHEL installations than there are OUL.

mark
Re: [CentOS] why not have yum-updatesd running by default?
On Thu, Dec 29, 2011 at 10:49 AM, Les Mikesell lesmikes...@gmail.com wrote:

Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)

If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the does it still work test will be unique to your services.

But these are all considerations mainly for power users; I'm still talking just about the vast majority of hosting company customers who just lease a dedicated or virtual private server, and don't even have a test server and a production server. Why wouldn't it be best for those servers just to pick up and install updates automatically?

What would your proposal be? (Remembering that you can't change human nature, so if it relies on the majority of end users devoting time that you think they should do, it won't happen :) )

Mine is to assume that there are very good reasons for 'Enterprise' distributions to go to the trouble of publishing updates. Install them. Always assume that there are still more vulnerabilities that you don't know about yet - and if you have to ask the question, you aren't going to do better than the developers and Red Hat at keeping up with them.

Yes this is good advice for the individual user; what I was asking is what set of *defaults* would improve security the most for the vast majority of users (who cannot be counted on to change defaults -- or, indeed, to follow any advice that anyone thinks everyone should do!).
Re: [CentOS] Refresh all packages?
Hello, I have dedicated server on CentOS Linux 6.1 with webmin/virtualmin and it tell me: Package updates 145 updates to system packages are available. Use the Virtualmin Package Updates module to install them selectively. 4 updates to Virtualmin packages are available. Use the Virtualmin Package Updates module to install them selectively. Should I update all packages?

Sure, if you want to stay current and move along to 6.2 Update Webmin too. Yum update should take care of it. Of course it's always nice to make a snapshot/backup in case things go screwy. Which really should not unless you've gone off the standard install. (beside Webmin)
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 12/29/11 11:01 AM, John Broome wrote:

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?

who knows? You'd need to ask them, and I doubt you'd get an answer.

-- john r pierce N 37, W 122 santa cruz ca mid-left coast
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Hi Marko,

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen.

this is only correct when you use SSH keys without a sufficiently secure passphrase. Which you obviously should never do. If you have a passphrase with your key, finding or stealing the USB stick is completely useless, and even if someone gets at your key, you're no worse off than with password authentication.

Human brain is still by far the most secure information-storage device. :-)

I strongly disagree. Social engineering is a very efficient way to get at other people's data.

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Agreed.

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

One key is indefinitely better than a password. The additional security you gain when you add another key is, however, disputable.

Best regards, Peter.
Re: [CentOS] Refresh all packages?
On 12/29/11 10:33 AM, Weplica wrote:

Hello, I have dedicated server on CentOS Linux 6.1 with webmin/virtualmin and it tell me: Package updates 145 updates to system packages are available. Use the Virtualmin Package Updates module to install them selectively. 4 updates to Virtualmin packages are available. Use the Virtualmin Package Updates module to install them selectively. Should I update all packages?

this is a production system? you should test any and all packages on an identically configured test or staging platform and verify your workload is compatible before deploying any updates in production. webmin/virtualmin is not part of CentOS Linux, so you're on your own there.

-- john r pierce N 37, W 122 santa cruz ca mid-left coast
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

-- john r pierce N 37, W 122 santa cruz ca mid-left coast
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:

On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Reindl Harald wrote:

On 29.12.2011 14:21, Marko Vojinovic wrote:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick normally a ssh-key is protected by a password this can be your 12-char password

snip

Many US companies have gone past that. A number that I've worked for, and the one I work for, all have used RSA keyfobs. To open the VPN link, you need three pieces of information: userid, PIN (which is up to 8 chars min) and the six digit code from the fob. The US gov't has gone a different way: it issues CaC or PIV-II cards, and you need a) a card reader attached or builtin to your system, b) the card, and c) your PIN (8 digits). In both cases, once you've got your VPN, *then* it will frequently be asking for username passwords for each different kind of access.

mark
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On Dec 29, 2011, at 7:30, mcclnx mcc mcc...@yahoo.com.tw wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2. Any official document say that?

OEL6 is rebuilt RHEL6. CentOS 6 is rebuilt RHEL6. I think it'll be ok.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 29/12/11 03:38, Craig White wrote:

On Wed, 2011-12-28 at 00:40 -0700, Bennett Haselton wrote:

On Tue, Dec 27, 2011 at 10:17 PM, Rilindo Foster rili...@me.com wrote:

What was the nature of the break-in, if I may ask?

I don't know how they did it, only that the hosting company had to take the server offline because they said it was sending a DOS attack to a remote host and using huge amounts of bandwidth in the process. The top priority was to get the machine back online so they reformatted it and re-connected it, so there are no longer any logs showing what might have happened. (Although of course once the server is compromised, presumably the logs can be rewritten to say anything anyway.)

the top priority was to get the machine back online? Seems to me that you threw away the only opportunity to find out what you did wrong and to correct that so it doesn't happen again. You are left to endlessly suffer the endless possibilities and the extreme likelihood that it will happen again.

I'm with Craig on this, you need to re-evaluate your priorities.

Top priority is to ensure it doesn't happen again. In order to achieve the top priority it is important to understand what happened and how it happened. If you don't understand that how do you expect to possibly prevent it happening again.

The problem is that your security was flawed - that is what you need to fix. A symptom of the problem was the DoS attack. That will only ever be fixed by addressing the problem that caused it. You have confused the symptom with the problem. A symptom of the DoS attack was excessively high bandwidth usage and that is probably why your host intervened - they probably don't care your server was hacked and they probably don't care you are DoSing someone else - all they care about is you're using too much of their bandwidth. That all sounds to me like you need to choose another more responsible hosting provider.

Last priority is getting the server back online after you have fixed the problem.

Case in point - earlier this year kernel.org had a break in. Did they a) make it top priority to get kernel.org back online as quickly as possible, or b) take the time necessary to fully investigate the incident and put in place procedures so as to prevent it happening again. I'll give you a clue - the website was off line for well over a month.

Let's consider an analogy, the regular highway vs the information superhighway. Are you allowed to run a vehicle on the highway that isn't fit for purpose? No, because it endangers others. But you expect to be able to put a server on the information superhighway that isn't fit for purpose and expect no repercussions.

If I were a large (rich) corporation and I experienced a DoS attack of the nature your server participated in I would sue you for damages, and my job would be made significantly easier if I could demonstrate wilful neglect on your part to take even the most rudimentary steps to ensure your server was fit for purpose and not a danger to others. Sooner or later someone big will sue someone little for this kind of neglect and the whole game will change. Do you have the funds to defend such an action? Until then security will continue to remain as an afterthought and/or inconvenience.

Your wilful neglect makes you complicit and puts me at risk as we both share the same Internet. Ignorance is no defence in law. Act responsibly or get off the net. You may find this harsh but next time it might be my servers on the other end of your DoS attack.

Disclaimer: my rant is aimed as much towards the thousands of others out there that would no doubt have done exactly as you did, as it is directly at you, so please don't take it as a personal attack of your actions as it is not intended as such.
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
Johnny Hughes wrote:

On 12/29/2011 01:19 PM, m.r...@5-cent.us wrote:

Johnny Hughes wrote:

On 12/29/2011 01:01 PM, John Broome wrote:

On Thu, Dec 29, 2011 at 13:57, John R Pierce pie...@hogranch.com wrote:

On 12/29/11 4:30 AM, mcclnx mcc wrote:

Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2.

11.2.0.3(I think is latest?) seems to work fine on CentOS 6.1, however RHEL6 (and all versions of CentOS) are completely unsupported by Oracle, so I wouldn't plan on using it for any sort of production where you expect support. there were some minor ignorable issues in install, like it claimed the system is missing some old packages

So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles?

No, they rolled it out as a Linux distribution. Believe it or not, people do other things besides run Oracle databases on Linux :) I am sure they will certify their database systems on OEL 6.x in the future. They can't very well (at least not with a straight face) tell Red Hat that RHEL6 is not certified while saying that OEL6 is certified can they? If they do that for very long, they will be breaching their support agreements.

snip

Let me also note that whatever else Oracle is, they're not stupid when it comes to selling, and there are many, many more RHEL installations than there are OUL.

But if you have a license for rhel6, you can also run rhel5 ... therefore, they get their supported sales by supporting rhel5, while still claiming their kernel is better and trying to drive people to their product. Where is their incentive to support rhel6 until much closer to March 31, 2017 (rhel5 EOL Date).

As I said, there are many, many more RHEL installations, and most of them will want to go to RHEL6 within the coming year. And, of course, some of those installations are LARGE$$$ customers of Oracle (for example, I have personal knowledge that ATT uses RHEL extensively). When they lean, Oracle will fall all over themselves, if only to make more money.

mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 12:41 AM, Marc Deop wrote:

On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:

the huge difference is: while having the same password (for the key) it can not be used directly for brute-force and you need the password and at least one time access to the key file

Explain me how having a key protected by a password avoids brute forcing if you lose the usb stick holding that key? Technology is developing at a scary pace, have a look at this: http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/ And this is with a simple card, imagine what you can do with a system with multiple parallel cards...

Just to be clear: I'm not arguing which system is better/more secure. I'm just pointing out one downside of having the key in a usb memory. And bruteforcing against ssh servers is really difficult as some others have commented (and even more difficult if you limit failed connections...)

My IC card fries itself after 10 unsuccessful attempts. That is one way. The military CACs fry themselves after 3. They are not just disks, they are tiny 8-bit systems embedded in the chip. The key never actually leaves the card. The benefit is that your key is never exposed, even in an encrypted state. The downside is that signing really huge things can take a few seconds (like ~5 secs for, say, signing a decent sized RPM or email attachment, 15 secs or so for signing a kernel RPM) because the card processor, not the host system, is doing the signing.

I don't know about the security of USB dongles. I've never used them before, but I'm sure that secured versions of them are much more than simple USB drives with a directory full of keys, but rather discrete USB devices which probably operate in the same way. I'm speculating, but I can't imagine this isn't the case with good USB systems.
[CentOS] NFS options in fstab
Hi All,

I've a quick question I'm hoping someone can help out on. One of our NFS servers has an intermittent hard lock problem under high load. This is a CentOS 5.7 box. It's due for replacement sometime next year. However...

The issue is when this box dies the boxes that mount the NFS exports have trouble with the mount and some processes time out, causing the system mounting the file system to become unresponsive also. Of course unmounting the file system with -l fixes it.

This is an example of our current mount options in fstab:

hostname:/share1/ /mountpoint nfs rw,intr,soft,bg 0 0

The question is, what (other) options should we be using to allow the mounting server to ignore/fail/timeout the mount, or at least continue normal processing, when the NFS server packs up?

FYI we can't move to NFS4 since we've some old boxes running Solaris 8 mounting this filesystem also, which cannot be upgraded to Solaris 10 to support v4.

All the best
Dan
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 01:33 AM, m.r...@5-cent.us wrote:

Marko Vojinovic wrote:

On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:

Am 29.12.2011 14:21, schrieb Marko Vojinovic:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick

And how are you going to access your servers if the stick gets broken or lost? I guess you would have to travel back to where the server is hosted, in order to copy/recreate the key.

Um, yep: you're SOL, same as if you spilled coffee on your laptop, or whatever. And if you lose it, you should then create a new one.

I did not argue that the key is not more secure than a password. I was just pointing out that sometimes it can be more inconvenient.

All security is inconvenient. What's implemented is a balance between convenience and security - really secure is a system not connected to any network, and with no USB ports, that runs off a DVD

...at the bottom of the ocean...
Re: [CentOS] RHEV guest tools
On Thu, Dec 29, 2011 at 04:07, Johan Kooijman m...@johankooijman.com wrote: My bad, indeed, the guest OS works perfect. What I'm looking for is the extra data RHEVM can provide that it get's from the guest tools, like IP, memory use etc. See http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a Windows machine with the guest tools installed. I'm getting everything you mentioned in RHEV-M from my linux guests except ip address with no guest tools installed. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] RHEV guest tools
On 12/29/2011 02:21 PM, Johnny Hughes wrote: Would this spec file (and source tar ball) built the proper package? If not, where would I get it. I would be happy to build the proper source for centos extras for CentOS guests. lets see if we can get the entire ovirt stack done - its quite a pain building it at the moment though, but if a couple of people want to help - we might be able to get that in - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 05:17 PM, Bennett Haselton wrote: On Wed, Dec 28, 2011 at 6:10 AM, Johnny Hughesjoh...@centos.org wrote: On 12/27/2011 10:42 PM, Bennett Haselton wrote: 2. Why have password logins at all? Using a secure ssh key only for logins makes the most sense. Well that's something that I'm curious about the reasoning behind -- if you're already using a completely random 12-character password, why would it be any more secure to use an ssh key? Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error. I'm almost afraid to see the responses to this comment... If you believe that passwords are as secure as SSH2 keys, then you've got some homework to do before second guessing anyone's security policy. I don't say that as a jab, I'm being totally serious. The good side of this conversation is that you may become motivated to learn about security as a hobby after this. Its a lot more interesting than watching TV after work (but a lot less interesting than playing with real people (friends, kids, wife, whatever)). 3. Please do not top post. My bad. Gmail default. :) It is the devil. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:

Am 29.12.2011 14:21, schrieb Marko Vojinovic:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick

And how are you going to access your servers if the stick gets broken or lost? I guess you would have to travel back to where the server is hosted, in order to copy/recreate the key.

I did not argue that the key is not more secure than a password. I was just pointing out that sometimes it can be more inconvenient.

Your question was "why discuss to use or not to use the best currently available method in context of security?", and my answer was "there can be a tradeoff between security and convenience". I don't see why do you consider this to be bullshit.

Best, :-)
Marko
Re: [CentOS] 6.2 release: a thank you
On 12/29/2011 04:47 AM, Leonard den Ottolander wrote: On Thu, 2011-12-29 at 11:42 +0100, Leonard den Ottolander wrote: The pango warning is an issue with the old package that got removed, but the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from the CR repo) still has that incorrect directory (/etc/gtk-2.0/x86_64-unknown-linux-gnu/) After downloading the same package from the 6.2 tree I see this got fixed. How do I update old packages from CR to the current tree again? I have since released a new version of pango into updates ... a yum update will pull the new version in. signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] 6.2 release: a thank you
On Wed, 2011-12-21 at 14:11 -0600, Johnny Hughes wrote: There was also the fact that several packages did not build correctly because of a change in the default environment: https://bugzilla.redhat.com/show_bug.cgi?id=743229 That reminds me. I saw this recently on yum update: Non-fatal POSTUN scriptlet failure in rpm package gtk2 Cleanup: 1:cups-libs-1.4.2-39.el6_1.1.x86_64 146/230 /usr/bin/update-gdk-pixbuf-loaders: line 54: /etc/gtk-2.0/x86_64-unknown-linux-gnu/gdk-pixbuf.loaders: No such file or directory /usr/bin/update-gtk-immodules: line 54: /etc/gtk-2.0/x86_64-unknown-linux-gnu/gtk.immodules: No such file or directory warning: %postun(gtk2-2.18.9-6.el6.x86_64) scriptlet failed, exit status 1 /var/tmp/rpm-tmp.QyhGhF: line 23: /etc/pango/x86_64-unknown-linux-gnu/pango.modules: No such file or directory The pango warning is an issue with the old package that got removed, but the gtk2 package current on that system (gtk2-2.18.9-6.el6.x86_64 from the CR repo) still has that incorrect directory (/etc/gtk-2.0/x86_64-unknown-linux-gnu/) And yes, of course, thank you team for all the hard work you put into CentOS! Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 08:06 AM, Reindl Harald wrote:

Am 29.12.2011 14:59, schrieb Johnny Hughes:

That flaw has absolutely no access component. It allows a DDOS attack, not provide remote access to a machine. From the bug: A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192) How is that relevant to allowing access to someone's server.

and if you have a webserver and the webserver can be easily killed with a DOS the bug is CRITICAL, if you can kill any PUBLIC SERVICE remote a bug is CRITICAL

I did not define it bozo, so stop your bullshit on this list. I have already pointed to how the classifications are done.

what exactly do you not understand while these are simple facts - your definition of critical is broken if you think anything where you can not get into the machine is not

Who the hell do you think you are? You will be banned from posting on this list if you can not act appropriately.

and yes i tried the demo-exploits which killed a quad-core with 16 GB memory within some seconds

For those of you who did not see how the categories are defined, here it is: https://access.redhat.com/security/updates/classification/
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 03:53 PM, 夜神 岩男 wrote:

On 12/29/2011 10:21 PM, Marko Vojinovic wrote:

On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:

Am 29.12.2011 12:56, schrieb Leonard den Ottolander:

Hello Reindl,

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

Am 29.12.2011 09:17, schrieb Bennett Haselton:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

Best, :-)
Marko

Hi Marko! What about IC cards? I use that a lot, and its reduced my need for a password to something tiny (6 numbers) and requires a physical key (my card). I have the root certificates, private keys, etc. stored offline just in case my card goes nuts, which has happened before, but I've never had a problem with this.

When traveling I log in to my home server and work servers with my laptop. Its really a *lot* easier than using a bunch of password schemes. I was initially worried that I'd run into a situation where I'd either lose my card traveling, or it would get crushed, or whatever -- but that hasn't happened in 5 years. What has happened in 5 years of doing this is intermittent network outages, work server crashing, web applications failing, database corruption, etc. So from experience (mine and coworkers, at least), it is a lot more likely that problems will arise from totally different vectors than having ssh keys and ic cards making life complicated -- because from this user's perspective its made things a LOT simpler. But it requires a bit of study. Which most people don't do. More to the point most people don't even read popups on the screens, even the big red scary ones, so...

I like to use serial numbers from MB, HDD, etc., as passwords. I never use normal words for my passwords, and few other users (with ssh/cli access) are carefully checked for their passwords.

If this formula is true (1/2 . 2 ^ 54 . 1s / 10) for 9 *random* character password, then 0.5 * 18014398509481984 /10 gives 900719925474099 seconds to crack it, or 10424999137 days per attacker. If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that never attacked any denyhosts or fail2ban server in recent time. So for army of 10,000 attacker PC's, bruteforce ssh needs 1042499 days, or 2856 years to crack it. Is this correct figure?

-- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman... StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/28/2011 08:57 PM, Craig White wrote:

On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:

There have been NO critical kernel updates. A critical update is one where someone can remotely execute items at the root users. Almost all critical updates are Firefox, Thunderbird, telnetd (does anyone still allow telnet?), or samba (never expose that directly to the internet either :D). There was one critical issue on CentOS-5.x for exim: http://rhn.redhat.com/errata/RHSA-2010-0970.html All the other issues (non-critical) will require the user to get a user shell and then elevate their privileges some way

perhaps he is referring to RHSA 2011:1245 http://lists.centos.org/pipermail/centos/2011-September/118075.html which CentOS was very slow in getting the update out the door but as you said, it was labeled 'important' and not 'critical' and of course concerned apache and not kernel.

That flaw has absolutely no access component. It allows a DDOS attack, not provide remote access to a machine. From the bug: A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192) How is that relevant to allowing access to someone's server.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Ljubomir Ljubojevic wrote:

snip

I like to use serial numbers from MB, HDD, etc., as passwords. I never

The one problem with this is that *if* the attacker has the slightest idea of the hardware, their task is vastly smaller. I trust, for example, that you don't use Dell's s/n/express code; Penguin, not having sold 5 gazillion servers, has the first few digits all the same, for years (they're being optimistic with s/n's that long).

snip

mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Am 29.12.2011 09:17, schrieb Bennett Haselton:

2. Why have password logins at all? Using a secure ssh key only for logins makes the most sense.

Well that's something that I'm curious about the reasoning behind -- if you're already using a completely random 12-character password, why would it be any more secure to use an ssh key? Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

because the key is MUCH longer than 12 chars
because it is NOT bruteforceable
because brute-force-attacks are trying password-login

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security
Re: [CentOS] NFS options in fstab
On Thursday 29 December 2011 14:35:34 Daniel Bird wrote:

retry=n The number of minutes to retry an NFS mount operation in the foreground or background before giving up. The default value for foreground mounts is 2 minutes. The default value for background mounts is 1 minutes, which is roughly one week.

So retry=2 would give the same behavior on background mounts as foreground mounts I reckon.

Have you tried this? I'd love to know if it really works. You could as well try automount with your nfs shares...
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 29 December 2011 12:30, mcclnx mcc mcc...@yahoo.com.tw wrote: Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and X86_64) version like 9.X, 10GR2, 11G and 11GR2. It is not. Any official document say that? See Metalink 1304727.1. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 07:21 AM, Marko Vojinovic wrote:

On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:

Am 29.12.2011 12:56, schrieb Leonard den Ottolander:

Hello Reindl,

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

Am 29.12.2011 09:17, schrieb Bennett Haselton:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

This is absolutely ludicrous. Requiring a physical key to be present for access can not be compared to a 12 character password, random or not.

Bottom line ... if you want people to crack your server, use passwords and they way.

For the love of God, do not allow password access your machines people.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Hello Reindl,

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

Am 29.12.2011 09:17, schrieb Bennett Haselton:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

I'm fairly confident the 9 to 12 char (54 to 72 bit) passwords I use are sufficiently strong to protect my machines against remote brute force attacks via ssh. Seeing that every login attempt takes at least a second and in the default setup sshd allows a maximum of 10 threads at a time a remote brute force is not really feasible (1/2 . 2 ^ 54 . 1s / 10). Imho of course :)

Regards, Leonard.

-- mount -t life -o ro /dev/dna /genetic/research
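The estimate in Leonard's message above, and the figures Ljubomir Ljubojevic derives from it earlier in the thread, can be checked with a short calculation. This is an added example, not code from any poster; it uses the thread's model (one second per login attempt, 10 concurrent attempts per attacking host, 365-day years), and the offline guess rate in the last scenario is a constructed assumption used only to show how the result changes once the rate is no longer bounded by sshd, as in the lost key file case Marc Deop raises.

```python
import math

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365  # the thread's figures divide days by 365


def password_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def online_rate(seconds_per_attempt=1.0, parallel_per_host=10, hosts=1):
    """Guesses per second against sshd under the thread's model:
    each attempt costs seconds_per_attempt, each host keeps
    parallel_per_host attempts in flight, and hosts attackers work together."""
    return parallel_per_host * hosts / seconds_per_attempt


def expected_seconds(bits, guesses_per_second):
    """Expected time to find the secret: on average half the keyspace is searched."""
    return 0.5 * (2 ** bits) / guesses_per_second


def summarize(bits, guesses_per_second):
    """Return the expected search time in seconds, days and years."""
    seconds = expected_seconds(bits, guesses_per_second)
    days = seconds / SECONDS_PER_DAY
    return {"seconds": seconds, "days": days, "years": days / DAYS_PER_YEAR}


def scenarios():
    """The cases discussed in the thread plus one offline case."""
    # Assumption (constructed value): 1e9 guesses/second against a stolen,
    # passphrase-protected key file. Real rates depend on the key format
    # and its key-derivation settings.
    offline_rate = 1e9
    return [
        ("54-bit secret, 1 host, online", summarize(54, online_rate())),
        ("54-bit secret, 10,000 hosts, online",
         summarize(54, online_rate(hosts=10_000))),
        ("72-bit secret, 10,000 hosts, online",
         summarize(72, online_rate(hosts=10_000))),
        ("54-bit secret, offline (assumed rate)", summarize(54, offline_rate)),
    ]


if __name__ == "__main__":
    # 62 symbols (upper, lower, digits) give slightly under 6 bits per character.
    for n in (9, 12):
        print(f"{n} chars from 62 symbols: {password_bits(62, n):.2f} bits")
    for label, result in scenarios():
        print(f"{label}: {result['days']:,.0f} days ({result['years']:,.1f} years)")
```

The online figures reproduce the numbers quoted in the thread; the offline row shows why the passphrase on a key file that leaves your control has to be judged against a rate that rate limiting and fail2ban cannot influence.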
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Am 29.12.2011 14:21, schrieb Marko Vojinovic:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick

normally a ssh-key is protected by a password
this can be your 12-char password

if you put a non-protected key on a stick this is really your problem - per default it is requested from ssh-keygen

the huge difference is: while having the same password (for the key) it can not be used directly for brute-force and you need the password and at least one time access to the key file
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Am 29.12.2011 14:59, schrieb Johnny Hughes:

That flaw has absolutely no access component. It allows a DDOS attack, not provide remote access to a machine. From the bug: A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192) How is that relevant to allowing access to someone's server.

and if you have a webserver and the webserver can be easily killed with a DOS the bug is CRITICAL, if you can kill any PUBLIC SERVICE remote a bug is CRITICAL

what exactly do you not understand while these are simple facts - your definition of critical is broken if you think anything where you can not get into the machine is not

and yes i tried the demo-exploits which killed a quad-core with 16 GB memory within some seconds
Re: [CentOS] RHEV guest tools
On Thu, Dec 29, 2011 at 1:05 PM, Johnny Hughes joh...@centos.org wrote: On 12/29/2011 10:26 AM, Trey Dockendorf wrote: On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote: On 12/29/2011 02:21 PM, Johnny Hughes wrote: Would this spec file (and source tar ball) built the proper package? If not, where would I get it. I would be happy to build the proper source for centos extras for CentOS guests. lets see if we can get the entire ovirt stack done - its quite a pain building it at the moment though, but if a couple of people want to help - we might be able to get that in - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos I can attest to the difficulty of that build. I tried using FC16 srpms against 6.1 using mock and I spent an entire day with no luck. Wrote scripts that would yumdownload srpms then attempt a build the download missing deps and retry. Got to the point where only one new package would build then failed on kernel versions. Though 6.2 should much more closely match what upstream uses as I believe RHEV 3 will be released for 6.2. Any idea if the full RHEV suite will be open sourced and eventually available in CentOS? Both the rhev hypervisor and manager. Ive lost the fight at my org to buy the product. If you need any extra help with the build Id be willing to assist. Been following Ovirt closely. Do you specifically have the guest tools SRPMS, which is something we can do first and also come up with the whole stack later. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos I don't have the guest tools no. I only got as far as about 1/2 of the Maven2 deps and maybe half the jboss deps. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 29 December 2011 12:42, John Broome jbro...@gmail.com wrote: OEL6 is rebuilt RHEL6. CentOS 6 is rebuilt RHEL6. Funnily enough, OEL6 is excluded from the certified list of Linux distributions hence no, it is not a good idea to install it and then expect Oracle to support it even though RedHat has submitted it for certification in August 2011. It looks like Oracle has no incentive to get on with the certification. RHEL/OEL 6 has been out for ages now, the only obvious thing is merge with Sun must have given them an other OS to push instead of Oracle. Baffles me. 11.2 OS versions and minimum levels: Asianux 3 SP2 and higher Oracle Linux 4 Update 7 and higher Oracle Linux 5 Update 2 and higher Red Hat Enterprise 4 Update 7 and higher Red Hat Enterprise 5 Update 2 and higher SLES 10 SP2 and higher SLES 11 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
夜神 岩男 wrote:

On 12/29/2011 10:21 PM, Marko Vojinovic wrote:

On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:

Am 29.12.2011 12:56, schrieb Leonard den Ottolander:

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

Am 29.12.2011 09:17, schrieb Bennett Haselton:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

snip

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

snip

When traveling I log in to my home server and work servers with my laptop. Its really a *lot* easier than using a bunch of password schemes.

snip

Ah, that brings to mind another issue with only passwords: synchronization. I worked as a subcontractor for a *huge* US co a few years ago. I've *never* had to write passwords down... but for there, I had a page of them! Our group's, the corporate test systems, the corporate *production* systems, and *each* had their own, along with their own password aging (there was *no* single sign-on), the contracting co's

mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 06:45 PM, m.r...@5-cent.us wrote: Ljubomir Ljubojevic wrote: snip I like to use serial numbers from MB, HDD, etc., as passwords. I never The one problem with this is that *if* the attacker has the slightest idea of the hardware, their task is vastly smaller. I trust, for example, that you don't use Dell's s/n/express code; Penguin, not having sold 5 gazillion servers, has the first few digits all the same, for years (they're being optimistic with s/n's that long). snip mark No. I got the idea from my first second-hand MB for NOC router/firewall, while I was on the grain silo needing to reinstall ClarkConnect on it (don't ask :-D ). You can use s/n from some old PC you have at your home, or discarded MB (or whatever). Of course, using s/n's would be same as using some good random-generator script. -- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman... StarOS, Mikrotik and CentOS/RHEL/Linux consultant ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:

Am 29.12.2011 12:56, schrieb Leonard den Ottolander:

Hello Reindl,

On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:

Am 29.12.2011 09:17, schrieb Bennett Haselton:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

Best, :-)
Marko
Re: [CentOS] RHEV guest tools
You are using RHEV2.2 right? There are no such tools for this version. That's right, explains why I haven't been able to find 'em. RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the sources should be open in ovirt.org in the near future http://www.ovirt.org/project/subprojects/ If you use CentOS as the guest then you'll have to compile it yourself :) Thanks, that's helpful! -- Met vriendelijke groeten / With kind regards, Johan Kooijman T +31(0) 6 43 44 45 27 F +31(0) 162 82 00 01 E m...@johankooijman.com
Re: [CentOS] why not have yum-updatesd running by default?
On Thu, Dec 29, 2011 at 2:01 AM, Bennett Haselton benn...@peacefire.org wrote:

(Side note: my friend replied to clarify that the kernel exploit he was talking about that was found in March of this year, was one that allowed a local user to gain root privilege, not one that allowed a remote user to get in through the webserver or sshd.

Look back through the changelogs if you want to see what vulnerabilities have existed for long intervals before being fixed - but perhaps not long after being found and published. If you have a web service running, I'd say it is a fairly safe bet that there is a vulnerability somewhere in the server, language(s), libraries, or the application itself that can be exploited to execute some arbitrary command. That turns what is classified as a local root exploit into something anyone on the internet can do. And I've seen some very sophisticated attempts show up in the logs...

So let's say it really is true that running automatic yum updates is not the most important thing to keep out remote users, and that the majority of webserver hacks do occur through out-of-date web apps.

I'm not convinced. Assume that some people will know the vulnerabilities before they are published (otherwise they obviously would never be published/fixed) and that a lot of other people will start attempting exploits immediately after publication. Look through your logs to see how many hits you are getting that are likely to be probes for vulnerabilities to get a feeling for how much of this is going on.

Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)

If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the "does it still work" test will be unique to your services.

What would your proposal be? (Remembering that you can't change human nature, so if it relies on the majority of end users devoting time that you think they should do, it won't happen :) )

Mine is to assume that there are very good reasons for 'Enterprise' distributions to go to the trouble of publishing updates. Install them. Always assume that there are still more vulnerabilities that you don't know about yet - and if you have to ask the question, you aren't going to do better than the developers and Red Hat at keeping up with them.

-- Les Mikesell lesmikes...@gmail.com
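The lab-server routine described in the message above can be scripted along these lines. This is an added example, not code from the poster; the function names, the SMOKE_TEST path and the verdict words are assumptions, while the exit status 100 from `yum check-update` (updates available) is yum's documented behaviour.

```shell
#!/bin/sh
# Daily update check for a lab server (illustration; names are assumptions).
YUM=${YUM:-yum}                                        # overridable for dry runs
SMOKE_TEST=${SMOKE_TEST:-/usr/local/sbin/smoke-test}   # hypothetical site-specific check

# list_pending: read `yum check-update` output on stdin and print
# "name.arch version-release" for each pending package.
# Entries that yum wraps over two lines are not handled here.
list_pending() {
    awk '
        /^Obsoleting Packages/ { exit }    # the obsoletes section is not an update list
        NF == 3 && $1 ~ /\.(noarch|i[3-6]86|x86_64)$/ { print $1, $2 }
    '
}

# lab_update_cycle: prints the pending packages, then one verdict word.
# Returns 0 for NOCHANGE or PROMOTE, 1 for HOLD, 2 for ERROR.
lab_update_cycle() {
    # check-update exits 0 (nothing to do), 100 (updates available) or 1 (error);
    # the && / || chain keeps the status without tripping `set -e`.
    out=$("$YUM" -q check-update 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0)   echo "NOCHANGE"; return 0 ;;
        100) ;;
        *)   echo "ERROR"; return 2 ;;
    esac
    printf '%s\n' "$out" | list_pending
    if ! "$YUM" -y update >/dev/null 2>&1; then
        echo "ERROR"; return 2
    fi
    # The service-specific test decides whether production may follow.
    if "$SMOKE_TEST" >/dev/null 2>&1; then
        echo "PROMOTE"; return 0
    fi
    echo "HOLD"; return 1
}

# Run only when asked for, e.g. from cron: sh lab-update.sh --run
if [ "${1:-}" = "--run" ]; then lab_update_cycle; fi
```

A HOLD verdict means the lab box took the updates and the service check failed, so the same package list should not be applied to production yet.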
Re: [CentOS] RHEV guest tools
- Original Message - From: Johan Kooijman m...@johankooijman.com To: CentOS mailing list centos@centos.org Sent: Thursday, December 29, 2011 11:07:57 AM Subject: Re: [CentOS] RHEV guest tools

I don't use RHEV (yet) but being that it's based on KVM and libvirt I don't think you need guest tools. When you configure in RHEV Manager does it identify the paravirtual devices as virtio? If so then it's standard in the kernel used by CentOS since around 5.5. I run all my CentOS VMs on the KVM / libvirt platform and systems install fine without any additional tools. The only additional thing I install is acpid to allow the VM manager to perform shutdowns and reboots.

My bad, indeed, the guest OS works perfect. What I'm looking for is the extra data RHEVM can provide that it gets from the guest tools, like IP, memory use etc. See http://bastion.jkit.nl/~jkooijman/rhev.png. The bottom one is a Windows machine with the guest tools installed.

You are using RHEV2.2 right? There are no such tools for this version. RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the sources should be open in ovirt.org in the near future http://www.ovirt.org/project/subprojects/ If you use CentOS as the guest then you'll have to compile it yourself :)

-- Met vriendelijke groeten / With kind regards, Johan Kooijman T +31(0) 6 43 44 45 27 F +31(0) 162 82 00 01 E m...@johankooijman.com
[CentOS] Refresh all packages?
Hello, I have a dedicated server on CentOS Linux 6.1 with webmin/virtualmin and it tells me: Package updates 145 updates to system packages are available. Use the Virtualmin Package Updates module to install them selectively. 4 updates to Virtualmin packages are available. Use the Virtualmin Package Updates module to install them selectively. Should I update all packages?
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 29.12.2011 15:24, m.r...@5-cent.us wrote:
Reindl Harald wrote:
On 29.12.2011 14:21, Marko Vojinovic wrote:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick normally a ssh-key is protected by a password this can be your 12-char password

snip

Many US companies have gone past that. A number that I've worked for, and the one I work for, all have used RSA keyfobs. To open the VPN link, you need three pieces of information: userid, PIN (which is up to 8 chars min) and the six digit code from the fob. The US gov't has gone a different way: it issues CaC or PIV-II cards, and you need a) a card reader attached or builtin to your system, b) the card, and c) your PIN (8 digits). In both cases, once you've got your VPN, *then* it will frequently be asking for username passwords for each different kind of access.

why do you not tell this the idiot who is arguing against keys and thinks using password-login is smart?
Re: [CentOS] asus-wmi.ko for Asus G73Sw running CentOS 6.2
On 12/29/2011 05:27 AM, Rob Kampen wrote: Hi List, Just loaded our favorite OS onto my new ASUS laptop. Practically everything worked out of the box - I used the live DVD to check things out and installed from there. I have followed http://forum.notebookreview.com/asus-gaming-notebook-forum/553474-g73-asus-wmi-linux-driver-i-need-your-help-6.html to get suspend working and also to get function keys working for LCD screen backlight controls working (Fn F5 and Fn F6). Upon further searches I find that there is a kernel module asus-wmi.ko available in some distros that also allows some of the other Asus functions to operate - of particular interest is the keyboard backlight (Fn F3 and Fn F4) as well as the master backlight on/off key to function. Question, does anyone know where and how to locate this (asus-wmi.ko) and get it functioning under CentOS 6.2? I am prepared to set up the required build environment - but need some assistance as this is really at the limits of my experience. I have rebuilt the kernel to remove patches with some success previously and will have to dust off this knowledge if required. Best course of action is to ask help from ElRepo repository. they build and maintain many kernel modules. -- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman... StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 12:00 AM, m.r...@5-cent.us wrote:
夜神 岩男 wrote:
On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
On 29.12.2011 12:56, Leonard den Ottolander wrote:
On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
On 29.12.2011 09:17, Bennett Haselton wrote:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

snip

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment). Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

snip

When traveling I log in to my home server and work servers with my laptop. It's really a *lot* easier than using a bunch of password schemes.

snip

Ah, that brings to mind another issue with only passwords: synchronization. I worked as a subcontractor for a *huge* US co a few years ago. I've *never* had to write passwords down... but for there, I had a page of them! Our group's, the corporate test systems, the corporate *production* systems, and *each* had their own, along with their own password aging (there was *no* single sign-on), the contracting co's

mark

Ah, forgot about that because it's no longer a problem for me anymore. Using the same password on two systems is a religiously-to-be-observed rule that *most* users violate. I can put my public keys on any system and not worry about it. Hitting the number pad for my digits is a lot faster than typing in a password, a lot more convenient than remembering a bunch of them (and a big motivator to buy laptops with full-blown 10-keys, which is common now anyway, as are internal card readers...).
Re: [CentOS] NFS options in fstab
On 29/12/2011 15:23, Marc Deop wrote: On Thursday 29 December 2011 14:35:34 Daniel Bird wrote: retry=n The number of minutes to retry an NFS mount operation in the foreground or background before giving up. The default value for foreground mounts is 2 minutes. The default value for background mounts is 1 minutes, which is roughly one week. So retry=2 would give the same behavior on background mounts as foreground mounts I reckon. Have you tried this? I'd love to know if it really works. I've got it down to a reasonable timeout (1m 30 sec) now with these options proto=udp,timeo=1,retrans=0,retry=1,intr,soft,bg with proto=tcp it's about 4mins You could as well try automount with your nfs shares... Yes, that is an option. We use it for some services. Cheers D
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 29.12.2011 12:56, Leonard den Ottolander wrote:
Hello Reindl,
On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
On 29.12.2011 09:17, Bennett Haselton wrote:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

so explain me why discuss to use or not to use the best currently available method in context of security?

this is a secure configuration with no costs so why not use it?

PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin without-password
AllowGroups root verwaltung
AllowUsers root harry
IgnoreRhosts yes
HostbasedAuthentication no
StrictModes yes
UseDNS no
UsePrivilegeSeparation yes
UsePAM yes
LoginGraceTime 25
MaxAuthTries 10
MaxStartups 25
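A way to check an sshd_config such as the one posted above for the password-login paths this thread argues about. This is an added example, not part of the original message; the function names, the assumed defaults for unset keywords and the second sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd_config: read an sshd_config on stdin, print findings,
# return 1 if any password-based login path is still open.
audit_sshd_config() {
    awk '
    function need(key, label, want) {
        if (eff[key] != want) { print "FAIL " label " " eff[key]; fails++ }
    }
    BEGIN {
        # Assumed values for keywords the file leaves unset (upstream OpenSSH
        # defaults of that era; distribution packages may ship other values).
        eff["passwordauthentication"] = "yes"
        eff["challengeresponseauthentication"] = "yes"
        eff["permitemptypasswords"] = "no"
        eff["pubkeyauthentication"] = "yes"
        eff["permitrootlogin"] = "yes"
        eff["maxauthtries"] = "6"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    { if (match($0, /^[ \t]*[A-Za-z0-9]+[ \t]*=/)) sub(/=/, " ") }   # Keyword=value
    tolower($1) == "match" { exit }              # audit the global section only
    {
        k = tolower($1)                          # keywords are case-insensitive
        if (!(k in seen)) { seen[k] = 1; eff[k] = tolower($2) }   # first value wins
    }
    END {
        fails = 0
        need("passwordauthentication", "PasswordAuthentication", "no")
        # With PAM, keyboard-interactive can still take a password.
        need("challengeresponseauthentication", "ChallengeResponseAuthentication", "no")
        need("permitemptypasswords", "PermitEmptyPasswords", "no")
        need("pubkeyauthentication", "PubkeyAuthentication", "yes")
        if (eff["permitrootlogin"] == "yes") print "WARN PermitRootLogin yes"
        if (eff["maxauthtries"] + 0 > 6) print "WARN MaxAuthTries " eff["maxauthtries"]
        exit (fails > 0)
    }'
}

# The authentication-related lines of the configuration posted in the thread.
page_config() {
cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin without-password
UsePAM yes
MaxAuthTries 10
EOF
}

# Constructed sample, not from the thread: password login left open.
weak_config() {
cat <<'EOF'
# a later duplicate does not override the first value
PasswordAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication=yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

# Audit a real file when a path is given: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd_config < "$1"; fi
```

On a live host, `sshd -T` prints the effective configuration including defaults and is the authoritative source; the parser here is for reviewing a file offline.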
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
On 29.12.2011 12:56, Leonard den Ottolander wrote:
Hello Reindl,
On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
On 29.12.2011 09:17, Bennett Haselton wrote:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

Bennett clearly states that he understands the ssh key is more random, but wonders why a 12 char password (of roughly 6 bits entropy per byte assuming upper lower case characters and numbers) wouldn't be sufficient.

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment).

Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

Best, :-) Marko

Hi Marko! What about IC cards? I use that a lot, and it's reduced my need for a password to something tiny (6 numbers) and requires a physical key (my card). I have the root certificates, private keys, etc. stored offline just in case my card goes nuts, which has happened before, but I've never had a problem with this.

When traveling I log in to my home server and work servers with my laptop. It's really a *lot* easier than using a bunch of password schemes. I was initially worried that I'd run into a situation where I'd either lose my card traveling, or it would get crushed, or whatever -- but that hasn't happened in 5 years. What has happened in 5 years of doing this is intermittent network outages, work server crashing, web applications failing, database corruption, etc.

So from experience (mine and coworkers, at least), it is a lot more likely that problems will arise from totally different vectors than having ssh keys and ic cards making life complicated -- because from this user's perspective it's made things a LOT simpler. But it requires a bit of study. Which most people don't do. More to the point most people don't even read popups on the screens, even the big red scary ones, so...
Re: [CentOS] RHEV guest tools
I'm getting everything you mentioned in RHEV-M from my linux guests except ip address with no guest tools installed. Hm, that's odd. I'm seeing only CPU, but no memory for example. See screenshot earlier in the thread. -- Met vriendelijke groeten / With kind regards, Johan Kooijman T +31(0) 6 43 44 45 27 F +31(0) 162 82 00 01 E m...@johankooijman.com
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Marko Vojinovic wrote:
On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:
On 29.12.2011 14:21, Marko Vojinovic wrote:

so explain me why discuss to use or not to use the best currently available method in context of security?

Using the ssh key can be problematic because it is too long and too random to be memorized --- you have to carry it on a usb stick (or wherever). This provides an additional point of failure should your stick get lost or stolen. Human brain is still by far the most secure information-storage device. :-)

this is bullshit most people have their ssh-key on a usb-stick

And how are you going to access your servers if the stick gets broken or lost? I guess you would have to travel back to where the server is hosted, in order to copy/recreate the key.

Um, yep: you're SOL, same as if you spilled coffee on your laptop, or whatever. And if you lose it, you should then create a new one.

I did not argue that the key is not more secure than a password. I was just pointing out that sometimes it can be more inconvenient.

All security is inconvenient. What's implemented is a balance between convenience and security - really secure is a system not connected to any network, and with no USB ports, that runs off a DVD

snip

mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Thursday 29 December 2011 14:59:14 Reindl Harald wrote:

the huge difference is: while having the same password (for the key) it can not be used directly for brute-force and you need the password and at least one time access to the key file

Explain me how having a key protected by a password avoids brute forcing if you lose the usb stick holding that key? Technology is developing at a scary pace, have a look at this: http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/ And this is with a simple card, imagine what you can do with a system with multiple parallel cards...

Just to be clear: I'm not arguing which system is better/more secure. I'm just pointing out one downside of having the key in a usb memory. And bruteforcing against ssh servers are really difficult as some others have commented (and even more difficult if you limit failed connections...)

Regards
Re: [CentOS] RHEV guest tools
On 12/29/2011 04:34 AM, Johan Kooijman wrote: You are using RHEV2.2 right? There are no such tools for this version. That's right, explains why I haven't been able to find 'em. RHEV3.0 has RHEL guest agent for both RHEL5 guests and RHEL6 guest, the sources should be open in ovirt.org in the near future http://www.ovirt.org/project/subprojects/ If you use CentOS as the guest then you'll have to compile it yourself :) Thanks, that's helpful! Would this spec file (and source tar ball) build the proper package? If not, where would I get it. I would be happy to build the proper source for centos extras for CentOS guests.
Re: [CentOS] RHEV guest tools
On Dec 29, 2011 9:50 AM, Karanbir Singh mail-li...@karan.org wrote: On 12/29/2011 02:21 PM, Johnny Hughes wrote: Would this spec file (and source tar ball) built the proper package? If not, where would I get it. I would be happy to build the proper source for centos extras for CentOS guests. lets see if we can get the entire ovirt stack done - its quite a pain building it at the moment though, but if a couple of people want to help - we might be able to get that in - KB

I can attest to the difficulty of that build. I tried using FC16 srpms against 6.1 using mock and I spent an entire day with no luck. Wrote scripts that would yumdownload srpms then attempt a build then download missing deps and retry. Got to the point where only one new package would build then failed on kernel versions. Though 6.2 should much more closely match what upstream uses as I believe RHEV 3 will be released for 6.2. Any idea if the full RHEV suite will be open sourced and eventually available in CentOS? Both the rhev hypervisor and manager. I've lost the fight at my org to buy the product. If you need any extra help with the build I'd be willing to assist. Been following Ovirt closely. - Trey
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 29 December 2011 19:01, John Broome jbro...@gmail.com wrote: So if oracle isn't certified to run on OEL 6, did oracle roll it out just for shits and giggles? coughsolariscough
Re: [CentOS] Centos 6.X compatible to ORACLE DB verssion????
On 29 December 2011 19:31, m.r...@5-cent.us wrote: As I said, there are many, many more RHEL installations, and most of them will want to go to RHEL6 within the coming year. And, of course, some of those installations are LARGE$$$ customers of Oracle (for example, I have personal knowledge that ATT uses RHEL extensively). When they lean, Oracle will fall all over themselves, if only to make more money. I suspect we will see RHEL/OEL6 officially supported when they decide to release Oracle 12, since they have already released the new grid manager (12c for cloud, unfortunately not for Cthulhu, now that'd be really awesome!)... OEM 12c is certified for RHEL/OEL 6.1. It looks like 11g will not be ever certified. If anyone knows when DB 12c is expected...
[CentOS] CentOS 6 x86_64 can't detect raid 10
Dear All, I just got a new server with the following specifications: motherboard : Intel S5500BC CPU : Xeon Quad Core 2.6Ghz RAM : 8GB HDD : 4 x 2TB SATA with configured raid 10 using raid embedded server. The problem is the centos installer can't detect raid virtual disk. I can't find any log error with the following error messages during installation process: Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of any recognized BIOS RAID sets. I'm already use search engine to find the information regarding to this issue, but I can't find the solutions for CentOS. Thanks in advance -- -- Best regards, David http://blog.pnyet.web.id
Re: [CentOS] CentOS 6 x86_64 can't detect raid 10
On 30.12.2011 00:41, David wrote: Dear All, I just got a new server with the following specifications: motherboard : Intel S5500BC CPU : Xeon Quad Core 2.6Ghz RAM : 8GB HDD : 4 x 2TB SATA with configured raid 10 using raid embedded server. The problem is the centos installer can't detect raid virtual disk. I can't find any log error with the following error messages during installation process: Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of any recognized BIOS RAID sets. I'm already use search engine to find the information regarding to this issue, but I can't find the solutions for CentOS. Thanks in advance

Simply Intel fake RAID. See http://www.intel.com/content/www/us/en/servers/server-board-s5500bc-family-brief.html Either get a real RAID controller which does hardware RAID or use CentOS's software raid function. Regards Alexander
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Fri, Dec 30, 2011 at 4:00 AM, m.r...@5-cent.us wrote:
夜神 岩男 wrote:
On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
On 29.12.2011 12:56, Leonard den Ottolander wrote:
On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
On 29.12.2011 09:17, Bennett Haselton wrote:

Even though the ssh key is more random, they're both sufficiently random that it would take at least hundreds of years to get in by trial and error.

if you really think your 12-chars password is as secure as a ssh-key protected with this password you should consider to take some education in security

snip

It is very inconvenient for people who need to login to their servers from random remote locations (ie. people who travel a lot or work in hardware-controlled environment). Besides, it is essentially a question of overkill. If password is not good enough, you could argue that the key is also not good enough --- two keys (or a larger one) would be more secure. Where do you draw the line?

snip

When traveling I log in to my home server and work servers with my laptop. It's really a *lot* easier than using a bunch of password schemes.

snip

Ah, that brings to mind another issue with only passwords: synchronization. I worked as a subcontractor for a *huge* US co a few years ago. I've *never* had to write passwords down... but for there, I had a page of them! Our group's, the corporate test systems, the corporate *production* systems, and *each* had their own, along with their own password aging (there was *no* single sign-on), the contracting co's

We use PasswordSafe to solve that one. There are other similar products.

Cheers, Cliff