Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread Michael H. Warfield
On Thu, 2013-03-28 at 11:29 -0700, John R Pierce wrote:
 On 3/28/2013 11:11 AM, Jorge Fábregas wrote:
  On 03/28/2013 02:05 PM, John R Pierce wrote:
  is it as simple as adding allow-recursion{} with  the appropriate private
  subnets and localhost to named.conf ?
  Yes.  That's basically it.

 k, thanks, looks like it's working!

Disclaimer

I'm one of the original founders of Internet Security Systems, now part
of IBM.  I was a founder of the ISS X-Force and am still one of their
Senior Wizards and a senior security researcher.  However!  I am not
speaking for or on behalf or representing ISS or X-Force or IBM...  I am
writing, personally, as a professional white hat hacker and security
researcher.  This will be a bit of a long soap-box / tub thump.

/Disclaimer

I love to believe in coincidences and I'm a firm believer in
coincidences...  But...  The timing of your original post leads me to
think otherwise.  The fact that you say "looks like it's working" tells
me that you're seeing something active on your network that makes me
believe that this is not a coincidence.

By any chance, might you have been one of the thousands of open
resolvers that got caught up in the Spamhaus / Cyberbunker debacle of
the last two weeks?  Don't bother to answer that and don't worry about
it if you were.  If you were, you were only one (or a handful) out of
thousands who were abused in this attack on Spamhaus.  They all (you
all) were, in turn, only a small fraction of the tens (or hundreds) of
thousands of open resolvers present on the net, so you're actually in
good (large) company (unfortunately).

The suggested solution will solve a (BIG) part of the problem.  It WILL
solve the problem being exploited in the Spamhaus attack, that of
abusing open resolvers in attacking others in a DNS resource
amplification attack.  Unfortunately, it does NOT solve the problem of
someone attacking you exploiting your own resolvers against you.

Resource amplification attacks like this utilize spoofed packets
(packets spoofed to be from the actual target).  The amplified
payloads are the replies back to the spoofed addresses.

Now, suppose someone has YOU in their crosshairs.  They identify your
resolvers (not really a major task - especially if you make the mistake
of using your authoritative name servers as resolvers as well) and then
proceed to spoof packets into your resolvers as if they were coming from
your IP addresses.  By the time the packets reach your resolvers, they
have no way to tell if the source address is legitimate or not, and will
match your recursion allow rules.  It's the job of your security
perimeter firewalls to filter local vs. foreign packets and on-session
vs. unsolicited packets.  Consequently, your resolvers will amplify that
traffic (factor of 100 or more) and reflect it back to your internal
network.

It's actually amusing how attackers can abuse the very nature of the DNS
for this.  They prime an authoritative name server with a MASSIVE
payload and then spoof the first request into the target resolver for
that resource.  The resolver then caches it and then subsequent requests
are served out of the resolver's cache and doesn't load down the
attacker's name servers further.  So, he can then hit you with hundreds
of thousands of spoofed requests delivering GB of data at his intended
target (possibly you) having only serviced a single query request for a
few K.  Gotta love that for efficiency.

Years ago, I actually had a customer (a major multinational corporation
who shall remain unnamed) come under such an attack and was crying for
help.  Restricting your resolvers to local networks does not help in
this case.  They had an exposed resolver, outside of their firewall
perimeter, and the attacker was spoofing packets from their internal
addresses.  Even if your firewall blocks those responses (stateful
firewall) it still overloads your pipe in front of the firewall.  It was
crushing them with no way to filter it.

Let me make this clear.  Any recursive name server, restricted or not,
which can be reached from the greater Internet can be abused to attack
the networks for which it is configured to allow recursion.  The
restrictions limit what can be attacked.  Without firewalling and
external filtering, it does not restrict where you can be attacked from,
since it's a spoofed attack in the first place.

Years before, I had published a series of articles for our customers on
"Robust DNS Deployments".  One of the recommendations was to NOT have
your authoritative name servers be recursive name servers at all (except
for localhost).  That was their only solution.  They had to scramble and
shut down those external recursive resolvers entirely and switch to
internal ones protected behind their firewalls that could block the
spoofed packets.

The argument goes like this...

Your authoritative name servers (at least some of them) must be public.
That's their nature, to publicly advertise your domain name information

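To make the distinction in the post above concrete (an open resolver versus a resolver restricted to local networks versus a purely authoritative server), here is an added example that is not part of the original message and is not BIND's own tooling: a small Python linter run over three constructed named.conf fragments. It assumes a simplified named.conf syntax (an options block, zone blocks, BIND's three comment styles) and uses the documentation zone example.com and RFC 5737 / RFC 3849 addresses as placeholders.

```python
"""Lint a BIND named.conf for the configurations discussed above: an open
resolver (recursion granted to any source) and a server that is both
authoritative for zones and recursive. Added example, not from the original
post; the parser is deliberately minimal."""
import re

# Constructed sample fragments (documentation zone and addresses).
OPEN_RESOLVER_CONF = """
options {
    recursion yes;                  // BIND 9 default
    allow-recursion { any; };       // anyone on the Internet may recurse
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
"""

RESTRICTED_CONF = """
options {
    recursion yes;
    /* limited to local networks, but still combined with authoritative zones */
    allow-recursion { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
"""

AUTH_ONLY_CONF = """
options {
    recursion no;                   # authoritative only
    allow-recursion { none; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
"""

AUTHORITATIVE_TYPES = {"master", "slave", "primary", "secondary"}
OPEN_ACL_TERMS = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Remove /* */, // and # comments (BIND accepts all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, brace_index):
    """Return the text between the '{' at brace_index and its matching '}'."""
    depth = 0
    for i in range(brace_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_index + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse(conf):
    """Extract recursion, the allow-recursion ACL and the zone types."""
    text = strip_comments(conf)
    cfg = {"recursion": "yes", "allow_recursion": None, "zones": []}
    m = re.search(r"\boptions\s*\{", text)
    if m:
        body = block_body(text, m.end() - 1)
        r = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", body)
        if r:
            cfg["recursion"] = r.group(1)
        a = re.search(r"\ballow-recursion\s*\{", body)
        if a:
            acl = block_body(body, a.end() - 1)
            cfg["allow_recursion"] = [t.strip() for t in acl.split(";") if t.strip()]
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        body = block_body(text, z.end() - 1)
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        cfg["zones"].append((z.group(1), t.group(1) if t else "unknown"))
    return cfg


def lint(conf):
    """Return the findings for one config, in a fixed order."""
    cfg = parse(conf)
    acl = cfg["allow_recursion"]
    findings = []
    recursive = cfg["recursion"] == "yes" and acl != ["none"]
    if recursive:
        if acl is None:
            # BIND 9.4+ defaults to localnets/localhost; older releases to any.
            findings.append("allow-recursion-unset")
        elif any(term in OPEN_ACL_TERMS for term in acl):
            findings.append("open-resolver")
        if any(t in AUTHORITATIVE_TYPES for _, t in cfg["zones"]):
            findings.append("authoritative-and-recursive")
    return findings


if __name__ == "__main__":
    for name, conf in [("open", OPEN_RESOLVER_CONF), ("restricted", RESTRICTED_CONF),
                       ("auth-only", AUTH_ONLY_CONF)]:
        print(name, lint(conf) or ["ok"])
```

The restricted fragment is the fix suggested at the top of the thread and it clears the open-resolver finding, but the linter still reports it as combined authoritative-and-recursive, which is exactly the residual exposure the post above describes. Only the third fragment, recursion off on the public authoritative server, clears both.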
Re: [CentOS] Does CentOS support dual graphics cards with 2 monitors each?

2013-04-01 Thread Alfred von Campe
On Mar 30, 2013, at 10:58, Tilman Schmidt wrote:

 Nouveau supports dual monitors on a single card just fine.

Yes, I have no problems with this either and have most of my users running
with two monitors and the nouveau driver.  But I'm trying to set up one user
with 4 monitors now.

This morning I've had partial success after installing the kmod-nvidia
RPM, playing with nvidia-settings, and manually editing the xorg.conf
file.  It's working as 2 (or 3?) separate X screens so that you can't
drag windows around all monitors, but it's a start.

Alfred

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread Robert Benjamin

On 3/31/2013 12:06 PM, Les Mikesell wrote:
 On Sun, Mar 31, 2013 at 4:00 AM, Robert Benjamin benj...@cox.net wrote:
   WELL, I don't know what to say. I just put the HD in the PC turned
 it on and was waiting for the blue screen so I could login as root and
 type 'init 3'. BUT, guess what happened. A tiny clock appeared at the
 top left followed by a log in screen and here I am. Happened very
 quickly. A few seconds. Now, do I dare log out and try to get back or
 just wait for a reply from you. Yesterday I never did init 3 either.
 Maybe it is the Easter Bunny. I don't know. I'm a bit apprehensive about
 shutting off and trying again. What's your opinion?
 That's the way it is supposed to work, and since no one recognized the
 previous symptoms my best guess is that it was some sort of hardware
 issue.  Maybe swapping the drive left a bad connection to the disk or
 network.

 --
Les Mikesell
   lesmikes...@gmail.com

 Looking for the book you recommended by Fraesch: Essential Systems 
Administration. Tried a local Barnes and Noble store and the author's 
name is different. They have it as Frisk, same title. Third Edition. 
Hope it's the same book. Can you double check please. I assume this is 
at a level I can deal with. Thanks.

Bob


Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread Les Mikesell
On Mon, Apr 1, 2013 at 8:11 AM, Michael H. Warfield m...@wittsend.com wrote:
 It's the job of your security
 perimeter firewalls to filter local vs. foreign packets and on-session
 vs. unsolicited packets.

You say that as though everyone has such tools.  Or that they are such
an integrated part of the TCP/IP standards that applications can
simply assume that it is someone else's problem...  But I don't think
that is generally true - or that the concept even makes sense in the
context of the redundant routing TCP/IP is clearly designed to handle.
   You might instead say that people are forced to add specialized
tools like that by stupid applications that are easy to exploit if you
don't...

 If you absolutely MUST combine them (and I would love to hear the
 rationale as to why, beyond cost and laziness) then, by all means,
 restrict recursion to your local networks, with the understanding that
 they can still be abused to attack yourself.

The rationale is that the applications were written that way.   Put
the blame on the design where it belongs.   And talk about it in terms
of people later being essentially forced to deal with the fallout from
the design by having to change the buried IP address configurations
that the DNS system was supposed to avoid having to do in the first
place.

 I don't know where you are in the Internet food chain (end consumer,
 ISP, Tier 1 provider, or backbone) but if you are in the routing chain
 (you manage or provide routing - anyone other than an end consumer) then
 it's also very important to implement BCP (Best Common Practice) 38.
 BCP 38 recommends router egress filtering.  That is, you only route out
 what will route back in.  That prevents you (or any of your customers)
 from being a spoofing source.  That strikes at the heart of many of
 these types of attacks.

So, what tools do that in combination with dynamic routing protocols?
 And with asymmetric routes?

 Routing issues and BCP38 aside, you really should separate your
 authoritative and recursive name servers if at all possible.

I don't disagree with that, but I look at it as a workaround to fix an
initial bad design and wouldn't call the people who haven't
accomplished it yet lazy.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread m . roth
Robert Benjamin wrote:

 On 3/31/2013 12:06 PM, Les Mikesell wrote:
 On Sun, Mar 31, 2013 at 4:00 AM, Robert Benjamin benj...@cox.net
 wrote:
   WELL, I don't know what to say. I just put the HD in the PC
 turned
 it on and was waiting for the blue screen so I could login as root and
 type 'init 3'. BUT, guess what happened. A tiny clock appeared at the
 top left followed by a log in screen and here I am. Happened very
 quickly. A few seconds. Now, do I dare log out and try to get back or
 just wait for a reply from you. Yesterday I never did init 3 either.
 Maybe it is the Easter Bunny. I don't know. I'm a bit apprehensive
 about
 shutting off and trying again. What's your opinion?
 That's the way it is supposed to work, and since no one recognized the
 previous symptoms my best guess is that it was some sort of hardware
 issue.  Maybe swapping the drive left a bad connection to the disk or
 network.

 --
Les Mikesell
   lesmikes...@gmail.com

  Looking for the book you recommended by Fraesch: Essential Systems
 Administration. Tried a local Barnes and Noble store and the author's
 name is different. They have it as Frisk, same title. Third Edition.
 Hope it's the same book. Can you double check please. I assume this is
 at a level I can deal with. Thanks.

They can't spell. On the cover is a non-ascii char, that when I was a kid
in school, was the way some books spell Caesar, with the a and the e
sharing a line.

http://www.amazon.com/Essential-System-Administration-Third-Frisch/dp/0596003439

As I may have said, everyone I know in computers has a number of books
from this publisher - he specializes in not only finding people who
really, really know their subject, but CAN ALSO COMMUNICATE WHAT THEY KNOW
(as opposed to, say, the BAL textbook I had in college, many years ago,
that if I could have gotten the rights to, I'd put all the pharmaceutical
co's market for sleeping pills out of business)

mark



Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread John R Pierce
On 4/1/2013 6:11 AM, Michael H. Warfield wrote:
 it's also very important to implement BCP (Best Common Practice) 38.
 BCP 38 recommends router egress filtering.  That is, you only route out
 what will route back in.  That prevents you (or any of your customers)
 from being a spoofing source.

of course, this breaks a bunch of types of ad-hoc multihoming, where you 
have multiple ISPs, each with their own subnets, and you're trying to 
load balance your outbound traffic.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread Robert Benjamin

On 4/1/2013 2:07 PM, m.r...@5-cent.us wrote:
 Robert Benjamin wrote:
 On 3/31/2013 12:06 PM, Les Mikesell wrote:
 On Sun, Mar 31, 2013 at 4:00 AM, Robert Benjamin benj...@cox.net
 wrote:
WELL, I don't know what to say. I just put the HD in the PC
 turned
 it on and was waiting for the blue screen so I could login as root and
 type 'init 3'. BUT, guess what happened. A tiny clock appeared at the
 top left followed by a log in screen and here I am. Happened very
 quickly. A few seconds. Now, do I dare log out and try to get back or
 just wait for a reply from you. Yesterday I never did init 3 either.
 Maybe it is the Easter Bunny. I don't know. I'm a bit apprehensive
 about
 shutting off and trying again. What's your opinion?
 That's the way it is supposed to work, and since no one recognized the
 previous symptoms my best guess is that it was some sort of hardware
 issue.  Maybe swapping the drive left a bad connection to the disk or
 network.

 --
 Les Mikesell
lesmikes...@gmail.com

   Looking for the book you recommended by Fraesch: Essential Systems
 Administration. Tried a local Barnes and Noble store and the author's
 name is different. They have it as Frisk, same title. Third Edition.
 Hope it's the same book. Can you double check please. I assume this is
 at a level I can deal with. Thanks.

 They can't spell. On the cover is a non-ascii char, that when I was a kid
 in school, was the way some books spell Caesar, with the a and the e
 sharing a line.

 http://www.amazon.com/Essential-System-Administration-Third-Frisch/dp/0596003439

 As I may have said, everyone I know in computers has a number of books
 from this publisher - he specializes in not only finding people who
 really, really know their subject, but CAN ALSO COMMUNICATE WHAT THEY KNOW
 (as opposed to, say, the BAL textbook I had in college, many years ago,
 that if I could have gotten the rights to, I'd put all the pharmaceutical
 co's market for sleeping pills out of business)

  mark


 Thanks. I'll browse the bookstore for books from O'Reilly Publisher 
and see what appeals to me. Texts can be boring as I well know as an 
Assoc Prof, retired, and many are sooo boring it is a shame. Anyhow, 
will look and I'm sure I'll find something suitable.

Bob


Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread Les Mikesell
On Mon, Apr 1, 2013 at 1:07 PM,  m.r...@5-cent.us wrote:

 As I may have said, everyone I know in computers has a number of books
 from this publisher - he specializes in not only finding people who
 really, really know their subject, but CAN ALSO COMMUNICATE WHAT THEY KNOW
 (as opposed to, say, the BAL textbook I had in college, many years ago,
 that if I could have gotten the rights to, I'd put all the pharmaceutical
 co's market for sleeping pills out of business)

I don't know anything about this book or publisher, but you really
need to learn in several different levels.   One is the broad overview
of what you are trying to do (and once you understand that, you won't
want to revisit the theory every time you want to change some detail),
another is the choice of OS/application programs and languages you are
implementing (which may change, but relatively slowly), and another is
the very version-specific details you need when you actually start
changing things.   I've never found a single book that could combine
those levels in a way that works together at all or could avoid being
out of date before it is printed.  You really need a tutorial that
you'll read once and throw away, plus a reference for the details
you'll change.   And for the reference side, the online man pages
work, once you learn to read them and understand that they expect you
to already know what the shell will do to command lines
(wildcard/variable substitution, redirection, etc.) before the program
itself runs.  And the RHEL/CentOS docs are good too.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread Bill Maltby (C4B)
On Sat, 2013-03-30 at 13:44 -0500, Les Mikesell wrote:
 On Sat, Mar 30, 2013 at 12:08 PM, Robert Benjamin benj...@cox.net wrote:
 snip


 Yes, installs that include X and a desktop will default to runlevel 5.
  Before trying 'startx' , do 'init 3' as root.  That should shut down
 the existing session, but whatever is hanging on startup may prevent a
 clean shutdown too.  So startx may complain that there is still a lock
 file and you may have to remove it manually and run startx again.
I recall from earlier in the thread that the OP didn't know his run level.
So after a decent interval with no one suggesting it ...


$ runlevel
3 5

The first digit is prior run level, the second is current.

 snip

HTH,
Bill



Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread m . roth
Les Mikesell wrote:
 On Mon, Apr 1, 2013 at 1:07 PM,  m.r...@5-cent.us wrote:

 As I may have said, everyone I know in computers has a number of books
 from this publisher - he specializes in not only finding people who
 really, really know their subject, but CAN ALSO COMMUNICATE WHAT THEY
 KNOW (as opposed to, say, the BAL textbook I had in college, many years
ago,
 that if I could have gotten the rights to, I'd put all the
 pharmaceutical co's market for sleeping pills out of business)

 I don't know anything about this book or publisher, but you really

Les, you don't know O'Reilly? I'm shocked, shocked I tell you. Almost
every programmer I know, and every admin, had somewhere between one
O'Reilly book and a full shelf of them. (No, I'm not getting a kickback
from O'Reilly).

He became a publisher, as I understand, in the late eighties, when he put
out a five volume set, co-written by him, on working with and programming
X. They actively encourage group book buys - I've both participated in
them, and once set up one, back in the nineties (never again, trying to
get 20 or so folks to pass in the selections and money). The discounts
hit very quickly, starting at 10 books (10%? 15%?) and once you go over 50
books, I think, from there to 199 books, it's a 45% discount off cover.

I know he's in wikipedia

   mark



[CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread Yves S. Garret
Hello,

I did df -h on my CentOS 6.4 machine.

$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/vg_ysg-lv_root  47G  8.8G   36G  20% /
tmpfs                      948M  372K  947M   1% /dev/shm
/dev/sda1                  485M   62M  398M  14% /boot
/dev/mapper/vg_ysg-lv_home 4.6G  2.7G  1.7G  63% /home

What I don't understand is why is /home so tiny and how can I re-partition
this without having to nuke and rebuild my machine?


Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread Les Mikesell
On Mon, Apr 1, 2013 at 1:30 PM, Michael H. Warfield m...@wittsend.com wrote:

 Actually, it's pretty easy with netfilter / iptables.  Other firewalls
 like pf on *BSD and proprietary ones work similarly.  If you know your
 inside networks you merely add a rule to block incoming packets on your
 external interface with source addresses that should be inside your
 firewall.

What does 'inside' mean to TCP/IP?   Are you saying it can't work if
you are all public?   Or if you expect to use redundant public routing
among all of your systems?

 Do
 we all drop BIND in favor of nscd for our authoritative name servers and
 dnsmasq for our cachers?

Well, first you have to come out and say that recursive resolvers are
too fragile to survive in public.  Or have too much potential for
collateral damage and must be outlawed.  Maybe define a way your
network topology has to be arranged.   Then move on to how BIND should
be shipped.

  I don't think that's the answer either.
 Establishing best practices and discouraging people from misconfiguring
 applications would seem to be a better option and best current practices
 now were not always considered best practices 20 years ago.  It's a
 challenge.  It's a BIG challenge in my business.

OK, but of course it is a challenge if you advocate using tools that
most people don't have or understand - or don't work universally.

  Asymmetric
 routes (aka triangular routing) should be severely discouraged and are
 generally considered a configuration error unless heavily
 justified.

I don't think BGP shares this opinion.  And I'd speculate that the
simplicity of IP routing only needing to care about the forward route
direction one hop at a time is the main reason that it became the
network of choice.  Well, that and a taxpayer funded directory service
from the start.

 They're highly unreliable to begin with (you can forget
 about getting through stateful firewalls).  Where it can be justified,
 then static rules allowing it will cover things in ways that attackers can
 not exploit.

So what you need to establish first is the location of the firewalls
in respect to recursive servers.

 Perhaps.  But I'm not quite so sure where the bad design is or if it's
 merely a confluence of extremely powerful tools, like BIND, that can be
 used in a multitude of ways.  I might agree with you more if the bad
 design you are referring to is the overall network design,
 architecture, and layout.  I've seen plenty of well designed tools
 misused in badly designed networks.

So you envision an internet where it is impossible to reach a
recursive resolver outside of your own organization's control?

-- 
Les Mikesell
   lesmikes...@gmail.com


Re: [CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread Timo Schoeler
On 04/01/2013 09:00 PM, Yves S. Garret wrote:
 Hello,
 
 I did df -h on my CentOS 6.4 machine.
 
  $ df -h
  Filesystem                 Size  Used Avail Use% Mounted on
  /dev/mapper/vg_ysg-lv_root  47G  8.8G   36G  20% /
  tmpfs                      948M  372K  947M   1% /dev/shm
  /dev/sda1                  485M   62M  398M  14% /boot
  /dev/mapper/vg_ysg-lv_home 4.6G  2.7G  1.7G  63% /home
 
 What I don't understand is why is /home so tiny and how can I
 re-partition this without having to nuke and rebuild my machine?

You'd have to resize the logical volumes your FS lives on (here:
vg_ysg-lv_root and vg_ysg-lv_home) and resize the FS as well.

Can be done booting off a rescue medium w/o any problems. Make sure you
do have a complete backup, though.

HTH,

Timo


Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread Michael H. Warfield
On Mon, 2013-04-01 at 11:17 -0700, John R Pierce wrote:
 On 4/1/2013 6:11 AM, Michael H. Warfield wrote:
  it's also very important to implement BCP (Best Common Practice) 38.
  BCP 38 recommends router egress filtering.  That is, you only route out
  what will route back in.  That prevents you (or any of your customers)
  from being a spoofing source.

 of course, this breaks a bunch of types of ad-hoc multihoming, where you 
 have multiple ISPs, each with their own subnets, and you're trying to 
 load balance your outbound traffic.

It doesn't have to and it's just as easy to argue that stateful
firewalls also break such configurations (they do).  It is possible to
interface your load leveling and dynamic routing into your filter if
it's done properly.  The point there is that you have to do it properly
up front.  Once it's done, it should require little maintenance.
Unfortunately, if you have to go back into an established architecture
and retrofit one in, that can be a difficult and time consuming
prospect, especially if you didn't design the network to begin with.

If you're dealing with multihoming and multiple ISPs then you should be
talking BGP (or IS-IS) to your ISPs (I have my own ASN and advertise my
own routes on IPv4 and IPv6 but you can use private ASNs and many ISPs
will cooperate if you have the address space to advertise) and it should
all be integrated.

If you are trying to do ad-hoc multihoming without using BGP or IS-IS to
manage the routing to your ISPs, then I have no sympathy for you.
That's just inviting a never ending stream of self-inflicted trouble and
grief when routing breaks (been there, done that, not pretty).  Being
abused for DNS amplification attacks is the least of your problems then.
Once we had multiple connections to the same ISP (redundant fiber links
running in different directions out the street outside of our building)
we were running BGP to manage it.

But I also understand that in many large organizations (particularly
ones who are NOT ISPs and their primary business is not networking) much
of the IT staff is even more terrified of BGP than they are DNS and
probably for good reasons.

That's a statement from personal experience.  Years ago, I asked for a
read-only BGP feed from our IT department way back then (10 or 15
years ago) and got a "not no - hell no - are you insane?" answer.  Their
reasoning was that they trusted me (as if they had a choice) but they
didn't trust all of their mainline minions (err, staff) to stick their
fingers in those routers.  BGP is so critical to those who rely on it
(especially if you are multihomed) that, if someone makes even a minor
mistake, it can disastrously disconnect you from the net or worse.
Unfortunately, even worse than DNS, once it's working people
(management) want you to LEAVE IT ALONE lest you break it.  So, most IT
people are even less familiar with BGP than DNS and plenty are scared
shitless about breaking DNS.

DNS itself can be just as bad.  Simple mistakes can be amplified and
obfuscated.  Just ask Microsoft.  They got dropped off the net for days
several years ago after someone misconfigured a firewall so their slaves
couldn't talk to their master and the TTL (Time To Live) expired several
hours after the guilty party was off duty and had gone home.  On top of
that, they had all their public name servers on the same subnet
(violation of several BCPs going back decades) compounding the problem
AND opening them up to a DOS against the router leading into that
subnet.

We (IETF, IEEE, ACM, et al.) can publish and update BCPs but it doesn't
mean people will follow them.  It does mean that we can say "we told you
not to do that..." after it breaks.  You pays your nickel and you takes
your chance.  :-/

 -- 
 john r pierce  37N 122W
 somewhere on the middle of the left coast

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!




Re: [CentOS] Help with thread Centos 6.4 won't reboot on install

2013-04-01 Thread Les Mikesell
On Mon, Apr 1, 2013 at 1:46 PM,  m.r...@5-cent.us wrote:

 I don't know anything about this book or publisher, but you really

 Les, you don't know O'Reilly? I'm shocked, shocked I tell you. Almost
 every programmer I know, and every admin, had somewhere between one
 O'Reilly book and a full shelf of them. (No, I'm not getting a kickback
 from O'Reilly).

Oh sorry, I missed that.   Yes, I do respect O'Reilly as a technical
publisher (and have enjoyed the OSCON conferences several times).
But, these days there are so many books on so many topics that even
being published by O'Reilly isn't a guarantee that one will meet any
particular needs.

-- 
   Les Mikesell
  lesmikes...@gmail.com


Re: [CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread Yves S. Garret
Hi, thanks for your response.

One more question.  Would I need to have logical volumes or can I get away
with
having one massive volume/partition and then have everything on that one
partition?

In the interim I'll have a directory in / that I can use to just dump stuff
in and will
rebuild my machine at a later date.

On Mon, Apr 1, 2013 at 3:04 PM, Timo Schoeler
timo.schoe...@riscworks.netwrote:

 On 04/01/2013 09:00 PM, Yves S. Garret wrote:
  Hello,
 
  I did df -h on my CentOS 6.4 machine.
 
  $ df -h
  Filesystem                 Size  Used Avail Use% Mounted on
  /dev/mapper/vg_ysg-lv_root  47G  8.8G   36G  20% /
  tmpfs                      948M  372K  947M   1% /dev/shm
  /dev/sda1                  485M   62M  398M  14% /boot
  /dev/mapper/vg_ysg-lv_home 4.6G  2.7G  1.7G  63% /home
 
  What I don't understand is why is /home so tiny and how can I
  re-partition this without having to nuke and rebuild my machine?

 You'd have to resize the logical volumes your FS lives on (here:
 vg_ysg-lv_root and vg_ysg-lv_home) and resize the FS as well.

 Can be done booting off a rescue medium w/o any problems. Make sure you
 do have a complete backup, though.

 HTH,

 Timo



Re: [CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread m . roth
Yves S. Garret wrote:
 Hi, thanks for your response.

 One more question.  Would I need to have logical volumes or can I get away
 with having one massive volume/partition and then have everything on
 that one partition?

 In the interim I'll have a directory in / that I can use to just dump
 stuff in and will rebuild my machine at a later date.

You can - in fact, that's what we do here at work... BUT: we have *all*
home directories NFS mounted, and we do online backups on mounted
filesystems that are NOT /. It's really ugly when /var/log fills up /

  mark

PS: please don't top post.

 On Mon, Apr 1, 2013 at 3:04 PM, Timo Schoeler
 timo.schoe...@riscworks.netwrote:

 On 04/01/2013 09:00 PM, Yves S. Garret wrote:
  Hello,
 
  I did df -h on my CentOS 6.4 machine.
 
  $ df -h
  Filesystem                 Size  Used Avail Use% Mounted on
  /dev/mapper/vg_ysg-lv_root  47G  8.8G   36G  20% /
  tmpfs                      948M  372K  947M   1% /dev/shm
  /dev/sda1                  485M   62M  398M  14% /boot
  /dev/mapper/vg_ysg-lv_home 4.6G  2.7G  1.7G  63% /home
 
  What I don't understand is why is /home so tiny and how can I
  re-partition this without having to nuke and rebuild my machine?

 You'd have to resize the logical volumes your FS lives on (here:
 vg_ysg-lv_root and vg_ysg-lv_home) and resize the FS as well.

 Can be done booting off a rescue medium w/o any problems. Make sure you
 do have a complete backup, though.

 HTH,

 Timo





Re: [CentOS] DNS forwarding vs recursion

2013-04-01 Thread Les Mikesell
On Mon, Apr 1, 2013 at 2:54 PM, Michael H. Warfield m...@wittsend.com wrote:

 AFA how BIND should be shipped...  Last time I looked (just a couple of
 days ago) BIND ships in a fairly secure manner (local caching resolver
 listening on localhost only) and the default IP tables blocks DNS
 queries and response that are not on-session.  The OP mentioned that his
 name server was an authoritative name server (it was servicing a zone
 for which it was configured).  That's NOT a shipped configuration.  You
 have to configure it for a zone.  Sooo...  We are NOT talking about OOB
 (Out Of the Box) configurations here at all.  Someone had to
 configure it this way, post installation.

So everyone has to add your own zones.  I don't see how that leads to
the conclusion that it is shipped with appropriate defaults to
force/encourage separation of authoritative/recursive instances.

   I don't think that's the answer either.
  Establishing best practices and discouraging people from misconfiguring
  applications would seem to be a better option and best current practices
  now were not always considered best practices 20 years ago.  It's a
  challenge.  It's a BIG challenge in my business.

 OK, but of course it is a challenge if you advocate using tools that
 most people don't have or understand - or don't work universally.

 Don't have: Disagree - most have.

Where?   I'd say it is much more common for firewalls to be separate
entities that don't know much about routing.

 Don't understand: I'll grant you that.  They don't understand the tools,
 they don't understand the problem, and they don't understand best
 current practices.  You got me on that one.  Therein lies the problem
 and the challenge.

Exactly.  If you can't clearly define the problem or a required
topology you can't expect people to re-arrange things.

   Asymmetric
  routes (aka triangular routing) should be severely discouraged and is
  generally considered a configuration error unless it's heavily
  justified.

 I don't think BGP shares this opinion.

 I'm not sure I follow you on that statement.  BGP is a protocol and I've
 done some coding on that (I'm the author of the MD5 signature code in
 bgpd of the Quagga suite).  The crowd on NANOG (North American Network
 Operators Group) generally frowns upon asymmetric routing as something
 that is occasionally necessary and unavoidable but not admitted to
 loudly in public, much akin to an aunt that likes to sit in the corner of
 a room at a party and frequently farts loudly.

Are you saying that something in BGP cares about anything except the
best forward path seen at the moment?  Or that as this changes
dynamically it even tries to keep the reverse path symmetrical?

 Asymmetric routing also breaks
 stateful firewalls badly if they are in the way...

Sure.  Do you want reliability or control?  Pick one.

 And I'd speculate that the
 simplicity of IP routing only needing to care about the forward route
 direction one hop at a time is the main reason that it became the
 network of choice.  Well, that and a taxpayer funded directory service
 from the start.

 This was very true back then but proved to be as problematical as
 spoofing attacks abusing the DNS resolvers.  Both are rooted in the
 early ages of the Internet.  Fascinating that you bring up that point.

Packets are packets - the concepts of widely distributed, widely
available transports aren't going to change, we just do it faster now.

 Counter point is in the policy routing present in modern systems and
 that IPsec in particular is a policy oriented VPN where triangular /
 asymmetric routing frequently break.

Hence the continuing popularity of ssl-based VPNs that work better
under real-world conditions.   OpenVPN,  Juniper's, etc.

 I would concur with that.  I think that's part and parcel of
 establishing your nominal security perimeters anyways.

Maybe - as organizations grow, merge, relocate, etc. it becomes hard
to deal with perimeters or to assume that all the bad guys are
outside.

 So you envision an internet where it is impossible to reach a
 recursive resolver outside of your own organization's control?

 Not impossible and not under your own organization's control.
 Certainly, ISPs provide recursers for their clients.

Yeah, but they mostly do that so they can redirect failed lookups to
their own search engines or link farms and show some ads.  As though
web browsers were the only clients for DNS.

 But...  What is
 the purpose of an indeterminate anonymous client connecting to your
 recursive server and making arbitrary queries?

Use case:  You provide a subscription service to institutions that
like strict outbound firewalling.   Your servers are located in a few
contiguous ranges and you work with their firewall admins to permit
access.  Then you find out that the desktop clients in question don't
have access to full internet DNS.

 Yes, there are some of
 us who are involved in Internet infrastructure and maintenance 

Re: [CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread Keith Keller
On 2013-04-01, Yves S. Garret yoursurrogate...@gmail.com wrote:

 $ df -h
 FilesystemSize  Used Avail Use% Mounted on
 /dev/mapper/vg_ysg-lv_root
47G  8.8G   36G  20% /
 tmpfs 948M  372K  947M   1% /dev/shm
 /dev/sda1 485M   62M  398M  14% /boot
 /dev/mapper/vg_ysg-lv_home
   4.6G  2.7G  1.7G  63% /home

 What I don't understand is why is /home so tiny and how can I re-partition
 this without having to nuke and rebuild my machine?

I doubt anyone can tell you why /home is so tiny.  But depending on the
filesystem used, you may be able to resize on the fly, without even
needing a reboot.  The LVM HOWTO is a bit out of date, but describes the
process here:

http://www.tldp.org/HOWTO/LVM-HOWTO/extendlv.html

Growing XFS filesystems online is required; they can't be grown offline.
Growing ext4 online should be easy, but I've only tested it once in
CentOS 6.  As Timo notes, you should have a backup before proceeding in
any case.

I believe there are GUI tools to manipulate LVM and filesystems
(system-config-lvm IIRC), but I haven't used this tool so can't give you
any helpful guidance.

You can put everything on one filesystem if you wish.  This is mostly a
matter of personal taste for many desktop uses (and some server uses).

--keith



-- 
kkel...@wombat.san-francisco.ca.us




Re: [CentOS] Don't understand how to re-partition this setup or why it was made like this

2013-04-01 Thread John R Pierce
On 4/1/2013 12:00 PM, Yves S. Garret wrote:
 What I don't understand is why is /home so tiny and how can I re-partition
 this without having to nuke and rebuild my machine?

what do you get from

 # vgs

?

if there's VFree, you can lvextend the backing LV behind /home, then 
grow the file system to use that additional space.

# lvextend -L +8G vg_ysg/lv_home
# resize2fs /home

if there's no VFree, and you want everything in /   you could reboot to 
single user mode, and do something like...

# cd /
# mkdir /home2
# mv /home/* /home2   # this will take awhile
# umount /home
# rmdir /home
# mv /home2 /home

and vi /etc/fstab and remove the mount for /home

now, you can lvremove vg_ysg/lv_home   to free up the space it used 
(will probably need a --force), then lvextend the vg_ysg/lv_root volume, 
and grow /that/ file system to suit.

note.  I typed all that off the top of my head.  TRUST NOTHING, VERIFY 
EVERYTHING, UNDERSTAND THE MEANING OF EVERY COMMAND YOU ARE DOING!!!  
Caveat Emptor.




-- 
john r pierce  37N 122W
somewhere on the middle of the left coast

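An added example covering the grow-/home case from Keith's and John's replies above; it is my script, not anything posted in the thread. It does what John's off-the-cuff commands do, with the checks his "trust nothing" note asks for: it reads free space out of `vgs`, refuses to continue if the VG cannot supply the requested amount, picks the right filesystem grow tool (resize2fs takes the device; xfs_growfs takes the mount point and, as Keith notes, only works on a mounted filesystem), and prints the commands instead of running them unless DRY_RUN=0. The VG and LV names are the ones in Yves' df output; ADD, DRY_RUN, the --go switch and the assumption that the LV shows up in /proc/mounts as /dev/mapper/vg_ysg-lv_home are mine.

```sh
#!/bin/sh
# Added example, not from the thread: grow an LV and the filesystem on it
# with the checks John's "trust nothing" note asks for. VG/LV names are the
# ones in Yves' df output; ADD, DRY_RUN and the --go switch are hypothetical.
set -eu

VG=${VG:-vg_ysg}
LV=${LV:-lv_home}
ADD=${ADD:-8G}          # how much to add, e.g. 8G or 512M
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = run them

# Turn the output of `vgs --noheadings --units m -o vg_free VG` (for example
# "  10240.00m") into a whole number of MiB. Takes the text as an argument so
# it can be checked without root or LVM present.
vg_free_mib() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/\.[0-9]*m$//' -e 's/m$//'
}

# Convert the ADD knob ("8G", "512M") into MiB so it can be compared.
size_to_mib() {
  case "$1" in
    *G|*g) echo $(( ${1%[Gg]} * 1024 )) ;;
    *M|*m) echo "${1%[Mm]}" ;;
    *) echo "unsupported size '$1' (use M or G)" >&2; return 1 ;;
  esac
}

# The filesystem is grown after the LV: resize2fs takes the device and can
# grow ext2/3/4 mounted or not; xfs_growfs takes the mount point and only
# works on a mounted filesystem.
grow_cmd() {
  fstype=$1; mnt=$2
  case "$fstype" in
    ext2|ext3|ext4) echo "resize2fs /dev/$VG/$LV" ;;
    xfs)            echo "xfs_growfs $mnt" ;;
    *) echo "don't know how to grow '$fstype'" >&2; return 1 ;;
  esac
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

main() {
  free=$(vg_free_mib "$(vgs --noheadings --units m -o vg_free "$VG")")
  want=$(size_to_mib "$ADD")
  if [ "$free" -lt "$want" ]; then
    echo "$VG has ${free}M free, need ${want}M: shrink or remove another LV first" >&2
    exit 1
  fi
  dev="/dev/mapper/$VG-$LV"   # assumption: device-mapper name as udev creates it
  fstype=$(awk -v d="$dev" '$1 == d { print $3 }' /proc/mounts)
  mnt=$(awk -v d="$dev" '$1 == d { print $2 }' /proc/mounts)
  [ -n "$fstype" ] || { echo "$dev is not mounted; mount it first" >&2; exit 1; }
  cmd=$(grow_cmd "$fstype" "$mnt")
  run lvextend -L "+$ADD" "/dev/$VG/$LV"
  run $cmd
}

# Only touch the system when explicitly asked (sh grow-home.sh --go);
# running without arguments just defines the functions.
if [ "${1:-}" = "--go" ]; then main; fi
```

Run it once with the default DRY_RUN=1 and read the two printed commands before running it with DRY_RUN=0; it still assumes you have the backup Timo asked for, since a resize interrupted halfway leaves the LV larger than the filesystem's idea of itself.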


[CentOS] [Possibly OT] - General question: state of internet traffic

2013-04-01 Thread Max Pyziur

Greetings,

I've read reports that there has been degradation in Internet traffic over
the last month. Until today, I haven't experienced any. However, getting
bank record data from chase.com here in NYC seems impossible.

I also noticed erratic ftp behavior today; connections can be made but
data can't be transferred. This isn't consistent, though.

(I have a machine in LA while being in NYC; ftp traffic is difficult to 
establish westbound; no problem eastbound).

I haven't done any sort of consistent test, so I am not sounding alarms.
I'm just trying to get a sense of where this is happening.
And is there a reliable source of information.

Much thanks

Max Pyziur
p...@brama.com


Re: [CentOS] [Possibly OT] - General question: state of internet traffic

2013-04-01 Thread Michael H. Warfield
On Mon, 2013-04-01 at 18:04 -0400, Max Pyziur wrote:
 Greetings,

 I've read reports that there has been degradation in Internet traffic over
 the last month. Until today, I haven't experienced any. However, getting
 bank record data from chase.com here in NYC seems impossible.

/me trying not to laugh...

Yeah, there have been some problems over the last couple of weeks.  You
might review this list for the DNS thread.  Seems that SpamHaus and
Cyberbunker got into a pissing contest with some of the Cyberbunker
sympathizers (not I) directing a DDoS attack against them exploiting
open DNS resolvers around the net to the tune of upwards of 300Gbps
against Spamhaus.

 I also noticed erratic ftp behavior today; connections can be made but
 data can't be transferred. This isn't consistent, though.

 (I have a machine in LA while being in NYC; ftp traffic is difficult to 
 establish westbound; no problem eastbound).

Might check out the Internet Health Report here:

http://www.internetpulse.net/

Pretty much everything looks reasonable.  Nothing red.  No major
congestion, ATM.

 I haven't done any sort of consistent test, so I am not sounding alarms.
 I'm just trying to get a sense of where this is happening.
 And is there a reliable source of information.

 Much thanks

 Max Pyziur
 p...@brama.com

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9  | An optimist believes we live in the best of all
 PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!




Re: [CentOS] [Possibly OT] - General question: state of internet traffic

2013-04-01 Thread Stephen Harris
 the last month. Until today, I haven't experienced any. However, getting
 bank record data from chase.com here in NYC seems impossible.

What do you mean by getting bank record data ?

Every major US bank is under a constant DoS attack, which sometimes causes
the sites to be slow.  This is unrelated to the little squabble going on
between SpamHaus and CyberBunker, though.

 (I have a machine in LA while being in NYC; ftp traffic is difficult to 
 establish westbound; no problem eastbound).

I'm in NJ and able to contact servers in Fremont, Dallas, NYC and
Amsterdam without any issue.  I suspect you have local issues.

-- 

rgds
Stephen


Re: [CentOS] Can't find root device with lvm root after moving drive on CentOS 6.3

2013-04-01 Thread Joakim Ziegler
On 30/03/13 7:18, Joakim Ziegler wrote:
 On 29/03/13 10:38, Gordon Messmer wrote:
 On 03/29/2013 01:23 AM, Joakim Ziegler wrote:
 Immediately after getting dropped to rdshell, I looked around in /dev,
 which brought me a few surprises...

 /dev/mapper contains only control, that is, vg_resolve02-lv_root is
 missing.

 Did you get to look at or for /dev/vg_resolve02 as well?

 /dev/root is a symlink to /dev/dm-0

 Does /dev/dm-0 exist?

 Does the system boot if you just exit from the rdshell?  What about if
 you vgchange -a y without changing the symlink?

 I checked this a bit more thoroughly. The status is as follows:

 When I boot up and get dropped to rdshell, neither /dev/root nor
 /dev/vg_resolve02, nor /dev/dm-0 exist. Just exiting at this point drops
 me back into rdshell. Waiting a few minutes makes no difference.

 Doing lvm vgscan finds the volume group, but creates no device nodes.
 Just exiting at this point drops me back into rdshell as well.

 When I do lvm vgchange -ay, /dev/dm-0 is created, /dev/root is created
 as a symlink to it, as well as /dev/vg_resolve02/ with lv_root inside
 it, and /dev/mapper/vg_resolve02-lv_root. I don't need to change the
 symlink or do anything else, if I exit after doing lvm vgchange -ay,
 everything is ok.


 That means /dev/root already is correct, so the only thing I'm actually
 changing to make the system boot is to scan for volume groups and
 activate them.

 The big question then becomes: Why do I have to do this manually? How do
 I make Dracut (I assume this is Dracut's job) make this automatically?

 udev should be doing this.  And... I was just looking at this again,
 because the last time I came up with nothing useful.  Look at
 /usr/share/dracut/modules.d/90lvm/64-lvm.rules.  If I'm reading this
 correctly, udev will look for dm-0 in /sys and will not run lvm_scan if
 it's found.  I wonder if it's possible that the /sys nodes are getting
 set up, but device-mapper isn't setting up the nodes in /dev?

 It turns out I was wrong about dm-0 already existing, it's created on
 vgchange -ay. I'm looking at the file you mention, but I'm afraid I
 don't know LVM well enough to make that much sense of it. From what I
 can tell, it calls lvm_scan for each device, and there's an lvm_scan.sh
 in there that looks like it should be doing lvchange -ay, but if dm-0
 doesn't already exist, I don't think this will do anything, am I wrong?


 I'm really at a loss...  it seems like a much simpler explanation is
 simply that the devices take so long to detect that init gives up.  When
 you run vgchange, they've had the time they need.  That idea is
 inconsistent with the fact that your dmesg output shows what I assume is
 the correct devices and partition tables.

 You could try adding rdinitdebug rdudevdebug to your kernel command
 line, but you're going to see a LOT of output, and it's only really
 going to be meaningful if you've read the /init script that Dracut
 creates, and understand more or less what it's doing, particularly in
 the main_loop section.

 I can try this, but it might be a bit beyond my area of expertise, I'm
 afraid.

 If I were to just try a brute force approach, what RPM packages should I
 reinstall/update to get all this stuff reinstalled as it was the first
 time I installed the system?

Just bumping this up, any ideas about this? It's a little annoying not 
having this box boot by itself...

-- 
Joakim Ziegler  -  Supervisor de postproducción  -  Terminal
joa...@terminalmx.com   -   044 55 2971 8514   -   5264 0864



[CentOS] Vsftpd configuration problem

2013-04-01 Thread Max Pyziur

Greetings,

Beginning today, I started to receive the following when ftp'ing to my 
CentOS 6 machine:
ncftp /home/pyz2 > dir
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.

I can make a connection, but I can't get a directory listing or transfer 
data/files.

I'm flummoxed.

What I had been doing is adding more directives to my /etc/hosts.deny 
file, today to include certain categories of ip addresses for the vsftpd 
service.

I unwound that after I saw the problem starting to occur, and have 
restarted vsftpd several times.

That hasn't changed the above issue.

And yes, I've googled.

My firewall setting has port 21 open.

I can remotely telnet to hostname 21

and I get a response indicating that the port is open.

Any advice would be appreciated.

Much thanks.

Max Pyziur
p...@brama.com


Re: [CentOS] Vsftpd configuration problem

2013-04-01 Thread Max Pyziur
On Tue, 2 Apr 2013, Reindl Harald wrote:



 Am 02.04.2013 01:12, schrieb Max Pyziur:
 Beginning today, I started to receive the following when ftp'ing to my
 CentOS 6 machine:
 ncftp /home/pyz2 > dir
 connect failed: No route to host.
 connect failed: No route to host.
 connect failed: No route to host.
 Falling back to PORT instead of PASV mode.

 I can make a connection, but I can't get a directory listing or transfer
 data/files

 My firewall setting has port 21 open

 I can remotely telnet to hostname 21

 and you understood that ftp needs also a data-channel
 and not only the control-connection?

I assume that you are referring to the following vsftpd configuration file 
setting:
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES


Btw, when ftping to another user on the same machine, there is no problem 
in making a connection or in transferring data; it's connections that are 
outside the box.


 http://slacksite.com/other/ftp.html




MP


Re: [CentOS] Vsftpd configuration problem

2013-04-01 Thread Max Pyziur
On Mon, 1 Apr 2013, lists-centos wrote:



  Original Message 
 Date: Monday, April 01, 2013 07:12:53 PM -0400
 From: Max Pyziur p...@brama.com
 To: centos@centos.org
 Cc:
 Subject: [CentOS] Vsftpd configuration problem


 Greetings,

 Beginning today, I started to receive the following when ftp'ing
 to my  CentOS 6 machine:
 ncftp /home/pyz2 > dir
 connect failed: No route to host.
 connect failed: No route to host.
 connect failed: No route to host.
 Falling back to PORT instead of PASV mode.

 I can make a connection, but I can't get a directory listing or
 transfer  data/files.

 I'm flummoxed.

 What I had been doing is adding more directives to my
 /etc/hosts.deny  file, today to include certain categories of ip
 addresses for the vsftpd  service.

 I unwound that after I saw the problem starting to occur, and have
 restarted vsftpd several times.

 That hasn't changed the above issue.

 And yes, I've googled.

 My firewall setting has port 21 open.

 I can remotely telnet to hostname 21

 and I get a response indicating that the port is open.

 Any advice would be appreciated.

 Much thanks.

 Max Pyziur
 p...@brama.com

 ftp uses port 21 for the connection and port 20 for the data,
 which includes directory listings as well as the file transfer
 proper - see /etc/services. so if you have port 20 blocked that
 would explain your problem.

Does port 20 have to be open in the firewall? If so, this would be the 
first machine where I have explicitly set this.


   - Richard





Max


Re: [CentOS] Vsftpd configuration problem - followup

2013-04-01 Thread Max Pyziur
On Tue, 2 Apr 2013, Reindl Harald wrote:



 Am 02.04.2013 01:12, schrieb Max Pyziur:
 Beginning today, I started to receive the following when ftp'ing to my
 CentOS 6 machine:
 ncftp /home/pyz2 > dir
 connect failed: No route to host.
 connect failed: No route to host.
 connect failed: No route to host.
 Falling back to PORT instead of PASV mode.

 I can make a connection, but I can't get a directory listing or transfer
 data/files

 My firewall setting has port 21 open

 I can remotely telnet to hostname 21

 and you understood that ftp needs also a data-channel
 and not only the control-connection?

 http://slacksite.com/other/ftp.html

When ftping to the machine, the following is reported from an lsof -i:
  ~ lsof -i | grep ftp
vsftpd  18051   root  3u  IPv4 47313973  0t0  TCP *:ftp (LISTEN)
vsftpd  18448 nobody  0u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)
vsftpd  18448 nobody  1u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)
vsftpd  18448 nobody  2u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)
vsftpd  18465   pyz2  0u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)
vsftpd  18465   pyz2  1u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)
vsftpd  18465   pyz2  2u  IPv4 47318710  0t0  TCP brama.com:ftp->pool-72-89-118-134.nycmny.east.verizon.net:50298 (ESTABLISHED)

fyi,

MP
p...@brama.com


Re: [CentOS] Vsftpd configuration problem

2013-04-01 Thread Max Pyziur
On Tue, 2 Apr 2013, Reindl Harald wrote:



 Am 02.04.2013 01:25, schrieb Max Pyziur:
 On Tue, 2 Apr 2013, Reindl Harald wrote:



 Am 02.04.2013 01:12, schrieb Max Pyziur:
 Beginning today, I started to receive the following when ftp'ing to my
 CentOS 6 machine:
 ncftp /home/pyz2 > dir
 connect failed: No route to host.
 connect failed: No route to host.
 connect failed: No route to host.
 Falling back to PORT instead of PASV mode.

 I can make a connection, but I can't get a directory listing or transfer
 data/files

 My firewall setting has port 21 open

 I can remotely telnet to hostname 21

 and you understood that ftp needs also a data-channel
 and not only the control-connection?

 I assume that you are referring to the following vsftpd configuration file 
 setting:
 # Make sure PORT transfer connections originate from port 20 (ftp-data).
 connect_from_port_20=YES

 no - port 20 has NOTHING to do with passive FTP

 Btw, When ftping to another user on the same machine, there is no problem in
 making a connection or in transferring data

 because it is neither firewalled nor NATed

 it's connections that are outside the box.

 i bet you are behind a nat

 iptables or the firewall needs to translate the answers of the server;
 you need to read some documentation on how FTP works and how NAT
 works to understand the details

Ok.

 [root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
 # Load additional iptables modules (nat helpers)
 #   Default: -none-
 # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
 # are loaded after the firewall rules are applied. Options for the helpers are
 # stored in /etc/modprobe.conf.
 IPTABLES_MODULES=nf_conntrack_ftp nf_nat_ftp

So, are you saying this last line is key?

Because on the CentOS 5 setup I see:
IPTABLES_MODULES=ip_conntrack_netbios_ns ip_conntrack_ftp

While on the CentOS 6 setup I see:
IPTABLES_MODULES=

What is the correct/recommended setting?

 http://slacksite.com/other/ftp.html




Max Pyziur
p...@brama.com


[CentOS] [SOLVED] it was an iptables-config setting, was Re: Vsftpd configuration problem

2013-04-01 Thread Max Pyziur
On Tue, 2 Apr 2013, Reindl Harald wrote:



 Am 02.04.2013 02:04, schrieb Max Pyziur:
 [root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
 # Load additional iptables modules (nat helpers)
 #   Default: -none-
 # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
 # are loaded after the firewall rules are applied. Options for the helpers 
 are
 # stored in /etc/modprobe.conf.
 IPTABLES_MODULES=nf_conntrack_ftp nf_nat_ftp

 So, are you saying this last line is key?

 it is on my fedora machines acting as FTP behind a NAT

 Because on the CentOS 5 setup I see:
 IPTABLES_MODULES=ip_conntrack_netbios_ns ip_conntrack_ftp

 While on the CentOS 6 setup I see:
 IPTABLES_MODULES=

 What is the correct/recommended setting?

 there is no correct/recommended setting

 if you are behind a NAT you need a different config than if you
 have a public IP on your machine, that is why configs exist

Not behind a NAT ...

 with passive FTP the server answers with port AND ip-address
 for the data-connection (which is an idiotic design but it is how
 it is) and if the client follows this response it fails

 so the way to go is to translate the response in whatever
 stateful filter is in front of the FTP server

 this is called ALG (application layer gateway) and is part
 of any reliable stateful packet filter

Adding the following line to /etc/sysconfig/iptables-config got me home:
IPTABLES_MODULES=ip_conntrack_ftp

Along with the above dialogue, the following page helped (me):
http://www.linuxquestions.org/questions/linux-networking-3/iptables-configuration-for-passive-ftp-connection-633774/

Thanks.

Max Pyziur
p...@brama.com
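An added example, mine rather than anything Reindl or Max posted, covering both Reindl's ALG explanation and the iptables-config fix Max landed on. It does in shell what the FTP conntrack helper has to do for passive mode, parsing the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply into the data endpoint the client is about to connect to, and prints the two ways to get that data connection through a stateful filter on the server: load the helper (nf_conntrack_ftp on CentOS 6; ip_conntrack_ftp, the name Max used, is a module alias of it) so the stock RELATED,ESTABLISHED rule admits it, or pin vsftpd's passive range with pasv_min_port/pasv_max_port and open only that range. The sample reply, the 192.0.2.10 address and the 50000-50100 range are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: what the FTP ALG/conntrack helper does
# with a PASV reply, and the two ways to let passive data connections through
# a stateful filter in front of vsftpd. The reply text, the 192.0.2.10 address
# and the 50000-50100 range are constructed for the example.
set -eu

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into host:port.
# The data port is p1*256+p2. This is the number the kernel helper reads off
# the control channel to know which inbound connection to treat as RELATED;
# without it the filter sees an unsolicited SYN to a high port and rejects it,
# which the client reports as "No route to host".
pasv_endpoint() {
  printf '%s\n' "$1" |
  sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
  while read -r host p1 p2; do
    echo "$host:$(( p1 * 256 + p2 ))"
  done
}

# True when the advertised port is inside the range the server was pinned to.
# A check like this on the client side catches a server (or anyone who can
# write into a plaintext control channel) steering the client elsewhere.
in_pasv_range() {
  port=${1##*:}
  [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

PASV_MIN=50000   # matching vsftpd.conf: pasv_min_port=50000
PASV_MAX=50100   #                       pasv_max_port=50100

# Print (rather than apply) the server-side choices. On CentOS 6 the module
# line belongs in /etc/sysconfig/iptables-config; the rules are in the stock
# "-m state" style of that release.
firewall_options() {
  cat <<EOF
# A) load the ALG; data connections then match the stock RELATED rule
IPTABLES_MODULES="nf_conntrack_ftp"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# B) no ALG: pin the passive range in vsftpd.conf and open only that range
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $PASV_MIN:$PASV_MAX -m state --state NEW -j ACCEPT
EOF
}

# Constructed reply, as a server on 192.0.2.10 would send for data port 50008.
SAMPLE='227 Entering Passive Mode (192,0,2,10,195,88).'

# Usage: prints 192.0.2.10:50008 and whether it is inside the pinned range.
ep=$(pasv_endpoint "$SAMPLE")
if in_pasv_range "$ep" "$PASV_MIN" "$PASV_MAX"; then
  echo "$ep ok"
else
  echo "$ep outside $PASV_MIN-$PASV_MAX"
fi
```

Option B is the one to reach for when the helper cannot work at all: it parses the plaintext control channel, so once vsftpd's ssl_enable is on (FTPS) it sees nothing and only a pinned, explicitly opened range gets data through. It is also the narrower choice on a public server, since the helper will set up an expectation for whatever PASV or PORT line it reads, trusting the control channel's contents.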


Re: [CentOS] Vsftpd configuration problem

2013-04-01 Thread Banyan He
Hi Max,

It looks like a network issue instead of the software. Falling back to 
PORT sounds like a fallback to ACTIVE mode from PASV mode. In PASV, you will be 
connecting to a random port told by the server, from a random port on your 
side. Do you have a firewall blocking such traffic, so that the system will 
send out port unreachable ICMP?

Maybe you can do a tcpdump to see what is going on. For PASV, you can 
only use "host client and host server and tcp and not port 22" as 
the filter. It's not effective but it will collect what you want to 
locate the issue.

Best regards,


Banyan He
Blog: http://www.rootong.com
Email: ban...@rootong.com

On 4/2/2013 7:12 AM, Max Pyziur wrote:
 Greetings,

 Beginning today, I started to receive the following when ftp'ing to my
 CentOS 6 machine:
 ncftp /home/pyz2 > dir
 connect failed: No route to host.
 connect failed: No route to host.
 connect failed: No route to host.
 Falling back to PORT instead of PASV mode.

 I can make a connection, but I can't get a directory listing or transfer
 data/files.

 I'm flummoxed.

 What I had been doing is adding more directives to my /etc/hosts.deny
 file, today to include certain categories of ip addresses for the vsftpd
 service.

 I unwound that after I saw the problem starting to occur, and have
 restarted vsftpd several times.

 That hasn't changed the above issue.

 And yes, I've googled.

 My firewall setting has port 21 open.

 I can remotely telnet to hostname 21

 and I get a response indicating that the port is open.

 Any advice would be appreciated.

 Much thanks.

 Max Pyziur
 p...@brama.com


[CentOS] Repartitioning issues - advice needed, and info.

2013-04-01 Thread Bruce Whealton
Hello all,
   I have a couple problems with two Centos installs.  One is my
Dedicated hosting plan.  I have been trying very hard to build some strong
skills in system administration because the task apparently is more complex
than I imagined... or it appeared that way to a web developer, who reported
he was not a system admin and so even though he could do quite a bit on the
server - more than I could at the time - he felt my task of needing to fix a
partitioning problem on my systems needed to be referred to a system
administrator ( a role I'm trying to take on).  
   On my dedicated server, I have had a couple partitions that are quite
often full and one of them tends to fill up very quickly now.  The other
partition, I believe the /var partition seems ok now that I have moved most
of my accounts elsewhere.  I believe the databases were there and so by
moving accounts elsewhere, much space was freed up.  Now it is the /etc
partition that is full every other day.  It is a 10GB partition and most of
the data is in the mail spool directories.  I don't have many accounts, so
I'm not sure how to fix the issue.  I get thousands of spam messages and
yet, I just realized, they don't seem to be going to the email addresses I
have on that particular dedicated server - or the domains hosted there.  All
manner of problems develop when this happens. 
  So, this is on a 500GB disk with a good bit of free space, such as
in the home partitions.  My domains are setup like this:
/home/username/public_html.  So, If I setup the domain mydomain.com, I'd use
a username of mydom.  Anyway, this partition has available space on it.  How
can I (maybe?) shrink one partition, moving files as necessary, and then
increase the storage size for the 10GB partitions, /etc and /var?  Can this
be done without breaking things?  
 Second issue...  My business/development server...  Centos 6.4.  I
cannot boot into it now because the /tmp partition is full.  Most of the
fixes I found online involve what you do once you boot into it.  Initially I
was getting an error about Power Management and googling this turned up
info. Saying that a disk partition is full.  Indeed, checking the boot log,
that was the case.  It could not create files in the /tmp
partition/directory - no more space.  So, I was trying to get to a place
where I could delete some tmp files as a first step.  Since I cannot boot
up, and didn't know what to do from grub to address the issue, I tried
booting to live CD.  The files are locked, of course, and/or protected, or I
don't have permission to delete anything. Is there any way to adjust
the size of the different partitions, shrink some space in one partition and
expand it/reclaim it elsewhere, e.g. the /etc partition?  Again, I cannot
boot to the desktop.  I got as far as the grub boot loader and didn't find
anything that would let me adjust partitions.

Thanks in advance for any help,
Bruce
 



Re: [CentOS] Repartitioning issues - advice needed, and info.

2013-04-01 Thread John R Pierce
On 4/1/2013 5:54 PM, Bruce Whealton wrote:
 Now it is the /etc
 partition that is full every other day.  It is a 10GB partition and most of
 the data is in the mail spool directories.

the /etc directory A) shouldn't be a separate partition, it should be on 
/ and B) should just contain system configuration files, in no way 
should there be anything like mail spools in there.  The standard 
place for mail spools is /var/spool/mail

the rest of your message was just a little too run on and too many 
different things jammed together for me to want to make sense of.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast
