Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Cliff Pratt
On Sat, Mar 22, 2014 at 2:05 PM, Always Learning  wrote:

>
> On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:
>
> > > > On the other hand, what justifiable reason was there for the
> massively
> > > > increased complexity of grub2? And why do all configuration files
> > > > suddenly *desperately* need to be xml?
>
> On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote:
>
> > > Because misguided fools believe XML is wundervol and they don't want
> > > simplicity of use.
>
> On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote:
>
> > The advantages of XML are that it is a common, mature standard, it is
> > easily parseable by humans and computers.
>
> Nothing is easier and simpler than
>
> [any-section]
> parameter1=value1
> parameter2=value2
>
> Compare to XML (= the WEB PAGE 'new idea'), plain text is common, well
> established and a significantly more mature standard. Plain text is
> easier to read with vastly improved clarity, compared to XML, and no line
> indentations or angular brackets required.
>
> I note your reference to XML being "common, mature standard" omits any
> praise for XML and also omits calling it "good" :-)
>  
>

That text format is simple. Too simple. If you have multiple similar
sub-sections you have to use some ad-hoc construction. For example if you
require sub entries with eg a default sub-section and a per-user
sub-section then the simple example doesn't work, or at least it is
rendered a lot less readable. It doesn't nest.

YAML is quite good if you insist on a text-type format, without the
complexity of JSON.

But back to XML. It is parseable using all sorts of libraries and on lots
of platforms. We have a number of apps that use XML for configuration data.
It is easy for the programmers to knock up a page to edit this and the app
itself can easily parse the results.

But I'm sorry, I must admit that there was an element of tongue in cheek in
my reference to XML's advantages. I've been reading and writing it for
years, so I speak it fluently, at least in the possibly limited set of
usages that we have.

Cheers,

Cliff
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Gregory P. Ennis
Date: Thu, 20 Mar 2014 18:14:56 -0300

On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller  wrote:

> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>

Please don't remove it. Why  this sudden idea in software circles that
stuff that works properly needs to be removed for no reason whatsoever
other than "it's old and we think nobody uses it". How do you know? IF IT
AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

Fail2ban is one piece of software which interfaces with tcp wrappers.
v0.9.0 just out
http://www.fail2ban.org/wiki/index.php/Main_Page

FC
---

I will have to add my 2 cent request with FC.  Please do not remove it

Greg Ennis



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Always Learning

On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:

> > > On the other hand, what justifiable reason was there for the massively
> > > increased complexity of grub2? And why do all configuration files
> > > suddenly *desperately* need to be xml?

On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote:

> > Because misguided fools believe XML is wundervol and they don't want
> > simplicity of use.

On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote:

> The advantages of XML are that it is a common, mature standard, it is
> easily parseable by humans and computers.

Nothing is easier and simpler than

[any-section]
parameter1=value1
parameter2=value2

Compare to XML (= the WEB PAGE 'new idea'), plain text is common, well
established and a significantly more mature standard. Plain text is
easier to read with vastly improved clarity, compared to XML, and no line
indentations or angular brackets required.

I note your reference to XML being "common, mature standard" omits any
praise for XML and also omits calling it "good" :-)


-- 
Paul.
England,
EU.

   Our systems are exclusively Centos. No Micro$oft Windoze here.



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Cliff Pratt
On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote:

>
> On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:
>
> > On the other hand, what justifiable reason was there for the massively
> > increased complexity of grub2? And why do all configuration files
> suddenly
> > *desperately* need to be xml?
>
> Because misguided fools believe XML is wundervol and they don't want
> simplicity of use.
>
> The advantages of XML are that it is a common, mature standard, it is
easily parseable by humans and computers.

Cheers,

Cliff


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 5:31 PM, SilverTip257  wrote:
>
>> Before very recent versions of rsync  (not sure exactly when it
>> changed), it would load the entire tree listing from both sides into
>> memory before walking them for the comparison.  What's the destination
>> side look like?  Maybe you aren't doing a --delete and a lot of cruft
>> has accumulated.
>>
>
> I avoid this problem by having the cronjob run more often and the script
> checks that syncs are running (which means on average it should sync less
> files and re-sync as soon as the previous sync is finished).

The number of files being sync'd isn't the big memory consumer - it is
the whole directory trees being traversed that are loaded into memory
for the comparison.  There is additional overhead if you use -H to
propagate hardlinks.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Always Learning

On Fri, 2014-03-21 at 08:33 -0400, James B. Byrne wrote:

> On Thu, March 20, 2014 17:34, Always Learning wrote:
> >
> > Nothing remains static. Software evolves into usually superior products.
> > Sentimentally longing for the past hampers the introduction of new and
> > better replacements.
> 
> Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Thankfully and gratefully: Linux <> Microsoft. 

:-)

-- 
Paul.
England,
EU.

   Our systems are exclusively Centos. No Micro$oft Windoze here.



Re: [CentOS] biosdevname

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 6:28 PM, Warren Young  wrote:

> On 3/20/2014 10:33, SilverTip257 wrote:
> >
> > And an interface should only be detected as pXpY if it's a PCI NIC.
> > THOUGH I've seen it already where an onboard NIC in a Lenovo desktop was
> > detected as p5p1.
>
> Just because the MAC chip is soldered to the motherboard doesn't mean it
> can't be on the PCI[e] bus.
>

I'm in agreement on that.
( I just wanted to point out that there are some differences and quirks
[that may not be a bug]. )

I believe biosdevname applies only to Dell hardware, but maybe more
hardware support has been added for other manufacturers.  That particular
Lenovo hardware had an install of the latest Fedora release at the time...


>
> As far as I know, this new NIC naming scheme doesn't actually make
> distinctions based on whether a card-edge connector is involved.



-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 1:16 PM, Les Mikesell  wrote:

> On Fri, Mar 21, 2014 at 11:49 AM, John Doe  wrote:
> 
> >>>kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0,
> oom_adj=0,
> >>>  oom_score_adj=0
> >>>...
> >>>kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
> >>>  sacrifice child
> >>>kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
> >>>  anon-rss:2890828kB, file-rss:3324kB
> >>>
> >>>  rsync whines he wants more RAM and... mysql gets killed...
> >>>  That makes me a bit sad!
>
> > After more investigation, I found:
> > - a vm.swappiness=0 in sysctl.conf, which should not prevent the kernel
> from swapping to prevent an oom.
> > - the rsync was part of 8 *sequential* rsyncs on 8 servers, rsyncing
> between 500 and 1000 files at most...
> >
>

In one of the rsync backup cronjobs I wrote for work, I added logic to
check for running rsync processes so they don't run "on top" of each other
(that's to prevent simultaneous syncs and not sequential as you noted in
your scenario).


>
> Before very recent versions of rsync  (not sure exactly when it
> changed), it would load the entire tree listing from both sides into
> memory before walking them for the comparison.  What's the destination
> side look like?  Maybe you aren't doing a --delete and a lot of cruft
> has accumulated.
>

I avoid this problem by having the cronjob run more often and the script
checks that syncs are running (which means on average it should sync less
files and re-sync as soon as the previous sync is finished).


>
> --
>   Les Mikesell
>   lesmikes...@gmail.com



-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] biosdevname

2014-03-21 Thread Warren Young
On 3/20/2014 10:33, SilverTip257 wrote:
>
> And an interface should only be detected as pXpY if it's a PCI NIC.
> THOUGH I've seen it already where an onboard NIC in a Lenovo desktop was
> detected as p5p1.

Just because the MAC chip is soldered to the motherboard doesn't mean it 
can't be on the PCI[e] bus.

As far as I know, this new NIC naming scheme doesn't actually make 
distinctions based on whether a card-edge connector is involved.


Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread John R Pierce
On 3/21/2014 2:52 PM, m.r...@5-cent.us wrote:
> Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
> build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
> this PE R610 has this. I'm familiar with PERC 6 and 7s, but just dunno
> 'bout this one.

if it doesn't have a flash-backed or battery-backed write-back cache, 
then it hardly matters what it is.

the specs on that H200 sound like an LSI 2008 SAS2 HBA chip that has 
hardware mirroring, but without writeback cache.

I'd configure it for JBOD and do my raid in the OS.

-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread m . roth
Digimer wrote:
> On 21/03/14 05:52 PM, m.r...@5-cent.us wrote:
>> Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
>> build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
>> this PE R610 has this. I'm familiar with PERC 6 and 7s, but just
>> dunno 'bout this one.
>
> It says it's a hardware RAID controller, but it only supports RAID
> levels 0, 1 and 10. That tells me it has no real ASIC and so far as I
> can see with google, it doesn't support caching or a BBU. So while it
> might be "hardware", I doubt it's "real" in the sense that it can do
> parity calcs, read/write reordering and write-back caching.
>
Thanks! That's what I needed to know, esp. since they want RAID 6. Sounds
like software RAID to me, he said, cheerfully.

  mark



Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread Digimer
On 21/03/14 05:52 PM, m.r...@5-cent.us wrote:
> Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
> build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
> this PE R610 has this. I'm familiar with PERC 6 and 7s, but just dunno
> 'bout this one.
>
>   mark

It says it's a hardware RAID controller, but it only supports RAID 
levels 0, 1 and 10. That tells me it has no real ASIC and so far as I 
can see with google, it doesn't support caching or a BBU. So while it 
might be "hardware", I doubt it's "real" in the sense that it can do 
parity calcs, read/write reordering and write-back caching.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without 
access to education?


[CentOS] OT: DELL PERC H200

2014-03-21 Thread m . roth
Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
this PE R610 has this. I'm familiar with PERC 6 and 7s, but just dunno
'bout this one.

 mark



Re: [CentOS] Linux malware attack

2014-03-21 Thread m . roth
Thomas Harold wrote:
> On 3/19/2014 2:50 PM, Ned Slider wrote:
>>
>> Just to add, I'm sure everyone has already read and implemented many of
>> the suggestions here:
>>
>> http://wiki.centos.org/HowTos/Network/SecuringSSH
>>
>> Numbers 2 and 7 have already been highlighted in this thread.
>
> #1 These days I would say that 8 chars minimum length is too few, even
> if they are completely random (and most won't be).  If you're not
> willing to type gibberish, then a more reasonable minimum length is
> 12-14.  Especially for your root password (or other administration
> accounts).

And most people can remember that? And then there's the annoyance factor.
>
> If you have your users creating 15+ character passwords, don't make them
> change it every 30/60/90 days.  Password aging hurts more then it helps
> as passwords grow longer.  Users are more likely to adopt poor behavior
> like simply adding or incrementing numbers from month to month.  Longer
> durations, like 3-5 years, give the users time to memorize the password
> rather than just keeping it on a sticky on the desk.

Unfortunately, the real issue on this is that I think most of us here do
*not* have control of that, that's upper management. And even though NIST
says, I think, 2 years, I'm at a US gov't agency and it's the inane 2
months. Though I will say the *really* bad places are the folks who
compare it to previous passwords, and do their best to keep you from
having any pattern at all, and so making it a *lot* harder to remember
your current one. When I worked at AT&T, a few years back, for the very
first time, I had a *list* of passwords for different systems (not the
ones that we controlled).

As Bruce Schneier says, security theater.
>
> #2 (disable root login) is a must for any public facing box, and a
> strong recommendation for all other boxes.  It's the top target of
> attack, so why allow it to be attacked at all?

Other than at the console, yep. And as you note later, if someone can log
in as root to the console who shouldn't, you've got much larger security
issues.
>
> #5 (non-standard port) is very useful.  Not for protecting yourself
> against attack, but from not having your log files fill up with all of
> the automated attack scripts.  Which makes it easier to spot the more
> serious attackers who have taken the time and effort to find your SSH
> port.

Huh! That's the *only* rationale I've ever heard for security through
obscurity that actually makes sense. (One of my ongoing "goals" for the
annual review is cutting down the noise in our logs.)

mark



Re: [CentOS] Linux malware attack

2014-03-21 Thread Thomas Harold
On 3/19/2014 2:50 PM, Ned Slider wrote:
> 
> Just to add, I'm sure everyone has already read and implemented many of 
> the suggestions here:
> 
> http://wiki.centos.org/HowTos/Network/SecuringSSH
> 
> Numbers 2 and 7 have already been highlighted in this thread.
> 

#1 These days I would say that 8 chars minimum length is too few, even
if they are completely random (and most won't be).  If you're not
willing to type gibberish, then a more reasonable minimum length is
12-14.  Especially for your root password (or other administration
accounts).

If you have your users creating 15+ character passwords, don't make them
change it every 30/60/90 days.  Password aging hurts more than it helps
as passwords grow longer.  Users are more likely to adopt poor behavior
like simply adding or incrementing numbers from month to month.  Longer
durations, like 3-5 years, give the users time to memorize the password
rather than just keeping it on a sticky on the desk.

#2 (disable root login) is a must for any public facing box, and a
strong recommendation for all other boxes.  It's the top target of
attack, so why allow it to be attacked at all?

#5 (non-standard port) is very useful.  Not for protecting yourself
against attack, but from not having your log files fill up with all of
the automated attack scripts.  Which makes it easier to spot the more
serious attackers who have taken the time and effort to find your SSH port.

#7 (public-key pairs) is also a must for any public-facing box.  It
defeats all attempts to brute-force account passwords remotely.

Now you just have to worry that someone will steal your private key
files.  But if someone has gotten far enough inside to steal your
private key file then you have bigger security problems to worry about.

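The numbered points above are sshd_config settings, so here is an added example (not code from the thread or from the CentOS wiki page) that audits a config against #2, #5 and #7 the way sshd itself reads the file: keywords are case-insensitive and the first value obtained for a keyword is the one used, which is why a stray `PermitRootLogin yes` near the top silently overrides a `no` further down. The two configs are constructed, and the defaults table is an assumption for the OpenSSH 5.3 that CentOS 6 ships.

```python
"""Audit the global section of an sshd_config against points #2, #5 and
#7 of the CentOS SecuringSSH list discussed above.

Added example, not code from the thread or the CentOS wiki. It reads the
file the way sshd_config(5) describes: keywords are case-insensitive and
the first value obtained for a keyword is the one used, so a duplicate
further down never wins. Directives after a 'Match' line are conditional
and are only reported.
"""
import re

# Assumed defaults for the OpenSSH 5.3 that CentOS 6 ships; later releases
# changed some (PermitRootLogin became prohibit-password in 7.0, Protocol 2
# became the default in 5.4).
DEFAULTS = {
    'permitrootlogin': 'yes',
    'passwordauthentication': 'yes',
    'pubkeyauthentication': 'yes',
    'protocol': '2,1',
    'port': '22',
}

# Constructed configs: a near-stock file and a hardened one.
WEAK_CONFIG = """\
#Port 22
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
# Passwords stay on only for the admin LAN; conditional, so only reported.
Match Address 192.168.10.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (settings, match_lines): settings maps each lower-cased
    keyword to the first value seen; match_lines holds the 'Match' headers."""
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'([^\s=]+)\s*=?\s*(.*)', line)   # 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == 'match':
            in_match = True
            match_lines.append(line)
        elif not in_match:
            settings.setdefault(key, value)            # first obtained value wins
    return settings, match_lines


def audit_sshd_config(text):
    """Return [(severity, message)]; an empty list means nothing to report."""
    settings, match_lines = parse_sshd_config(text)

    def get(key):
        return settings.get(key, DEFAULTS.get(key, '')).lower()

    findings = []
    if get('permitrootlogin') != 'no':
        findings.append(('high', '#2: PermitRootLogin is %r; set it to no '
                         '(without-password still admits root by key)'
                         % get('permitrootlogin')))
    if get('pubkeyauthentication') != 'yes':
        findings.append(('high', '#7: PubkeyAuthentication is disabled'))
    if get('passwordauthentication') == 'yes':
        findings.append(('medium', '#7: PasswordAuthentication yes keeps online '
                         'password guessing possible; turn it off once keys are deployed'))
    if '1' in get('protocol').split(','):
        findings.append(('high', 'Protocol still offers SSH-1; set Protocol 2'))
    if get('port') == '22':
        findings.append(('info', '#5: listening on 22; a non-standard port only '
                         'quietens the logs, it is not a control'))
    for line in match_lines:
        findings.append(('info', 'conditional block not audited: %s' % line))
    return findings


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name)
        for severity, message in audit_sshd_config(cfg) or [('ok', 'clean')]:
            print('  [%s] %s' % (severity, message))
```

On a real host, compare the result with `sshd -T`, which prints the effective values after sshd has done its own parsing, rather than trusting a file read. The #5 check is deliberately only "info": as the post says, moving the port buys quieter logs, not protection.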


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Fri, Mar 21, 2014 at 9:44 AM, Les Mikesell  wrote:

> Yes, but that reason is generally that someone changed the language
> syntax underneath it instead of settling on simple working APIs.
> What has actually stayed stable and backwards compatible over the
> years other than bourne shell syntax and perl (almost)?   Everything
> else has made you repeat your work every few years instead of letting
> you build on it and advance.
>

+1

FC


-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 1:54 PM, James A. Peltier  wrote:
>>
> The case is being made to remove a tool that is considered to be legacy.  
> While it is understood that legacy = old/unmaintained/crap,

No, legacy = the foundation everything else builds on.  Change it at
the risk of forcing everyone who uses your product to rebuild
everything from scratch.  In my opinion, a new version of something
isn't better unless it is also completely backwards compatible.  It's
not a fashion show - things aren't better just because they are
different.

-- 
  Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 19:03, Robert Clove  wrote:
> I have a VPI card, and will OFED OFED convert the InfiniBand ports to
> Ethernet ports?

I'm pretty sure it will. Check the docs!


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Max Pyziur
On Fri, 21 Mar 2014, Fernando Cassia wrote:

> On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier  wrote:
>
>>
>> I'd love to hear about the "old and unmaintainable code".  It's open
>> source code.  If something's broken you can fix it right!?! That's the open
>> source mantra!  Either provide a set of reasons why it should be removed
>> and the alternatives that cover all the use cases of TCP Wrappers or let
>> the code, that obviously works, remain there undisturbed.  It's an extra
>> layer of security that administrators can use to secure their systems and
>> it's dead simple to understand!
>>
>
> +1

+1

> If it works, it works. Period. It doesn't matter if it was coded by an
> ancient civilization carved in stone, or that it hasn't been updated in
> centuries.
>
> Perhaps it hasn't been updated in centuries precisely because it works, so
> there's no need to update it!
>
> FC

MP


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier  wrote:

>
> I'd love to hear about the "old and unmaintainable code".  It's open
> source code.  If something's broken you can fix it right!?! That's the open
> source mantra!  Either provide a set of reasons why it should be removed
> and the alternatives that cover all the use cases of TCP Wrappers or let
> the code, that obviously works, remain there undisturbed.  It's an extra
> layer of security that administrators can use to secure their systems and
> it's dead simple to understand!
>

+1
If it works, it works. Period. It doesn't matter if it was coded by an
ancient civilization carved in stone, or that it hasn't been updated in
centuries.

Perhaps it hasn't been updated in centuries precisely because it works, so
there's no need to update it!

FC


-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
I have a VPI card, and will OFED OFED convert the InfiniBand ports to
Ethernet ports?

On Saturday, March 22, 2014, Andrew Holway  wrote:

> On 21 March 2014 18:24, Robert Clove wrote:
> > Will non ofed also work as mellanox ofed or any other difference will I
> > face ?
>
> The Mellanox OFED stack is a development version maintained by
> Mellanox whereas the "OFED OFED" is maintained by the OpenFabrics
> Enterprise Distribution which is a consortium of all the IB vendors.
>
> > Where to get other ofed ?
>
> yum groupinstall "Infiniband Support" usually does it although if your
> you're using kernel-ml this might be broken.
>
> Read these for more info:
>
> https://www.openfabrics.org/resources/ofed-for-linux-ofed-for-windows/ofed-overview.html
> http://www.mellanox.com/page/products_dyn?product_family=26
>
> Thanks,
>
> Andrew
>
>
>
>
> >
> > On Friday, March 21, 2014, Andrew Holway wrote:
> >
> >> On 21 March 2014 18:08, Robert Clove wrote:
> >> > Hi all,
> >> >
> >> > Has anyone installed mellanox ofed on linux kernel 3.x?
> >>
> >> I hear those guys over in Ubuntu land do that kind of thing a lot. Why
> >> Mellanox OFED and non OFED OFED?
> >>
> >> Ta
> >>
> >> Andrew
> >>
> >> >
> >> >
> >> > Regards


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James A. Peltier
- Original Message -
| Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
| would
| you care strongly if it went away (or would you just migrate to
| something
| else)?
| 

Yes, we do use TCP Wrappers.  We also use IPTables, edge gateway firewalls, 
VPNs and other tools.  The reason that we use them is to support additional 
security.

The case is being made to remove a tool that is considered to be legacy.  While 
it is understood that legacy = old/unmaintained/crap, it does remove an 
additional layer of security that can be applied for a base system.  So the 
question then is, what can be used as a suitable replacement?  If so what is 
that suitable replacement?  If one doesn't exist, how long until we can get one?

Security is about layering technology.  IPTables doesn't solve all of the 
problems out there.  People mentioned NFSv3 and moving to NFSv4 and while this 
may be suitable for some people it doesn't apply to others.  To simply remove a 
tool because its code hasn't been modified in X number of 
days, months, years, decades is really in many cases what I like to call "version 
envy".

I'd love to hear about the "old and unmaintainable code".  It's open source 
code.  If something's broken you can fix it right!?! That's the open source 
mantra!  Either provide a set of reasons why it should be removed and the 
alternatives that cover all the use cases of TCP Wrappers or let the code, that 
obviously works, remain there undisturbed.  It's an extra layer of security that 
administrators can use to secure their systems and it's dead simple to 
understand!



-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices

"Around here, however, we don’t look backwards for very long.  We KEEP MOVING 
FORWARD, opening up new doors and doing things because we’re curious and 
curiosity keeps leading us down new paths." - Walt Disney
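For anyone weighing the "dead simple to understand" claim against the actual semantics, here is an added example (not code from the thread or from the tcp_wrappers project) that re-implements the hosts_access(5) decision: the first match in hosts.allow grants, otherwise the first match in hosts.deny refuses, otherwise access is granted. It handles `ALL`, `LOCAL`, `EXCEPT`, host-name suffix, address prefix and net/mask patterns; the two files are constructed samples, and NIS netgroups and the `daemon@host` form are left out.

```python
"""Simulate the hosts_access(5) decision for a (daemon, client) pair.

Added example, not code from the thread or from the tcp_wrappers
project: it re-implements only the documented evaluation order and the
common client patterns so a rule set can be checked offline.
"""
import ipaddress
import re

# Constructed sample files, not taken from the thread.
HOSTS_ALLOW = """\
# sshd only from the admin LAN and one bastion address
sshd: 192.168.10.0/255.255.255.0, 203.0.113.5
# vsftpd from the local domain, except the guest subnet
vsftpd: .example.org EXCEPT 10.9.
# anything else only from the loopback address
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"


def _tokens(spec):
    """List members are separated by commas and/or whitespace."""
    return [t for t in re.split(r'[\s,]+', spec.strip()) if t]


def _parse(text):
    """Return [(daemon_list, client_list)] in file order. Blank lines and
    lines starting with '#' are ignored; a third field (shell_command or
    options) is accepted but not evaluated here."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 2:
            raise ValueError('malformed hosts_access rule: %r' % raw)
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def _list_match(tokens, item, match_one):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does
    not; EXCEPT groups to the right, so recurse on the tail."""
    for i, tok in enumerate(tokens):
        if tok.upper() == 'EXCEPT':
            return (_list_match(tokens[:i], item, match_one)
                    and not _list_match(tokens[i + 1:], item, match_one))
    return any(match_one(tok, item) for tok in tokens)


def _daemon_match(pattern, daemon):
    return pattern.upper() == 'ALL' or pattern == daemon


def _client_match(pattern, client):
    host, ip = client
    up = pattern.upper()
    if up == 'ALL':
        return True
    if up == 'LOCAL':                       # host name without a dot
        return '.' not in host
    if up in ('KNOWN', 'UNKNOWN'):          # name lookup succeeded / failed
        return (host != '') == (up == 'KNOWN')
    if pattern.startswith('@'):
        raise NotImplementedError('NIS netgroups are not simulated')
    if pattern.startswith('.'):             # host name suffix
        return host.endswith(pattern.lower())
    if pattern.endswith('.'):               # dotted address prefix
        return ip.startswith(pattern)
    if '/' in pattern:                      # net/mask form (CIDR also accepted here)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == host or pattern == ip


def hosts_access(daemon, client_host, client_ip,
                 allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide like libwrap does: the first match in hosts.allow grants,
    otherwise the first match in hosts.deny refuses, otherwise access is
    granted. Returns (verdict, reason)."""
    client = (client_host.lower(), client_ip)
    for fname, text, verdict in (('hosts.allow', allow, 'allow'),
                                 ('hosts.deny', deny, 'deny')):
        for daemons, clients in _parse(text):
            if (_list_match(_tokens(daemons), daemon, _daemon_match)
                    and _list_match(_tokens(clients), client, _client_match)):
                return verdict, '%s: %s : %s' % (fname, daemons, clients)
    return 'allow', 'no rule matched; hosts_access defaults to allow'


if __name__ == '__main__':
    for req in (('sshd', 'adm1.example.org', '192.168.10.7'),
                ('sshd', 'scanner', '198.51.100.9'),
                ('vsftpd', 'guest.example.org', '10.9.0.4')):
        print(req, '->', hosts_access(*req))
    # Same scanner, but with an empty hosts.deny: nothing refuses it.
    print(hosts_access('sshd', 'scanner', '198.51.100.9', deny=''))
```

The last call shows the caveat that bites most installs: without an `ALL: ALL` in hosts.deny the default is allow, so hosts.allow on its own protects nothing. The files are also only consulted by daemons linked against libwrap (or started through xinetd); `ldd /usr/sbin/sshd | grep libwrap` tells you whether sshd on a given box is one of them, and `tcpdmatch sshd 198.51.100.9` asks the real library the same question this script answers.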


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 18:24, Robert Clove  wrote:
> Will non ofed also work as mellanox ofed or any other difference will I
> face ?

The Mellanox OFED stack is a development version maintained by
Mellanox whereas the "OFED OFED" is maintained by the OpenFabrics
Enterprise Distribution which is a consortium of all the IB vendors.

> Where to get other ofed ?

yum groupinstall "Infiniband Support" usually does it although if your
you're using kernel-ml this might be broken.

Read these for more info:
https://www.openfabrics.org/resources/ofed-for-linux-ofed-for-windows/ofed-overview.html
http://www.mellanox.com/page/products_dyn?product_family=26

Thanks,

Andrew




>
> On Friday, March 21, 2014, Andrew Holway  wrote:
>
>> On 21 March 2014 18:08, Robert Clove wrote:
>> > Hi all,
>> >
>> > Has anyone installed mellanox ofed on linux kernel 3.x?
>>
>> I hear those guys over in Ubuntu land do that kind of thing a lot. Why
>> Mellanox OFED and non OFED OFED?
>>
>> Ta
>>
>> Andrew
>>
>> >
>> >
>> > Regards


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
Will non ofed also work as mellanox ofed or any other difference will I
face ?
Where to get other ofed ?

On Friday, March 21, 2014, Andrew Holway  wrote:

> On 21 March 2014 18:08, Robert Clove wrote:
> > Hi all,
> >
> > Has anyone installed mellanox ofed on linux kernel 3.x?
>
> I hear those guys over in Ubuntu land do that kind of thing a lot. Why
> Mellanox OFED and non OFED OFED?
>
> Ta
>
> Andrew
>
> >
> >
> > Regards


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 18:08, Robert Clove  wrote:
> Hi all,
>
> Has anyone installed mellanox ofed on linux kernel 3.x?

I hear those guys over in Ubuntu land do that kind of thing a lot. Why
Mellanox OFED and non OFED OFED?

Ta

Andrew

>
>
> Regards


[CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
Hi all,

Has anyone installed mellanox ofed on linux kernel 3.x?


Regards


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 11:49 AM, John Doe  wrote:

>>>kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0,
>>>  oom_score_adj=0
>>>...
>>>kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
>>>  sacrifice child
>>>kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
>>>  anon-rss:2890828kB, file-rss:3324kB
>>>
>>>  rsync whines he wants more RAM and... mysql gets killed...
>>>  That makes me a bit sad!

> After more investigation, I found:
> - a vm.swappiness=0 in sysctl.conf, which should not prevent the kernel
> from swapping to prevent an oom.
> - the rsync was part of 8 *sequential* rsyncs on 8 servers, rsyncing between 
> 500 and 1000 files at most...
>

Before very recent versions of rsync  (not sure exactly when it
changed), it would load the entire tree listing from both sides into
memory before walking them for the comparison.  What's the destination
side look like?  Maybe you aren't doing a --delete and a lot of cruft
has accumulated.

-- 
  Les Mikesell
  lesmikes...@gmail.com
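The three kernel lines quoted at the top of this message are all a log watcher needs to tell who asked for memory and who paid for it. As an added example (not code from the thread), the following parses that message format, with a sample log constructed around the quoted lines plus a second event appended, and raises an alert only when a protected service was the victim; the process names in PROTECTED are an assumption.

```python
"""Extract who invoked the OOM killer and who it killed from kernel log
lines like the ones quoted above.

Added example, not code from the thread. The regular expressions follow
the three message formats visible in the quoted lines; the sample log is
constructed around them with a second event appended, and the PROTECTED
set is an assumption.
"""
import re

SAMPLE_LOG = """\
Mar 21 03:14:07 db1 kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0
Mar 21 03:14:07 db1 kernel: rsync cpuset=/ mems_allowed=0
Mar 21 03:14:07 db1 kernel: Out of memory: Kill process 27974 (mysqld) score 361 or sacrifice child
Mar 21 03:14:07 db1 kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB, anon-rss:2890828kB, file-rss:3324kB
Mar 22 03:12:41 db1 kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0
Mar 22 03:12:41 db1 kernel: Out of memory: Kill process 31001 (rsync) score 120 or sacrifice child
Mar 22 03:12:41 db1 kernel: Killed process 31001, UID 0, (rsync) total-vm:1210440kB, anon-rss:1102336kB, file-rss:812kB
"""

INVOKED = re.compile(r'kernel: (?P<proc>\S+) invoked oom-killer:.*oom_score_adj=(?P<adj>-?\d+)')
KILL = re.compile(r'Out of memory: Kill process (?P<pid>\d+) \((?P<name>[^)]+)\) score (?P<score>\d+)')
KILLED = re.compile(r'Killed process (?P<pid>\d+), UID (?P<uid>\d+), \((?P<name>[^)]+)\) '
                    r'total-vm:(?P<vm>\d+)kB, anon-rss:(?P<anon>\d+)kB, file-rss:(?P<file>\d+)kB')

# Services whose death should page someone (assumption).
PROTECTED = {'mysqld', 'postgres', 'sshd'}


def parse_oom_events(text):
    """Group the invoked / Kill / Killed lines into one dict per event.
    An event is only emitted once the 'Killed process' line confirms it."""
    events, cur = [], None
    for line in text.splitlines():
        m = INVOKED.search(line)
        if m:
            cur = {'invoker': m.group('proc'),
                   'invoker_oom_score_adj': int(m.group('adj'))}
            continue
        if cur is None:
            continue
        m = KILL.search(line)
        if m:
            cur.update(victim=m.group('name'), pid=int(m.group('pid')),
                       score=int(m.group('score')))
            continue
        m = KILLED.search(line)
        if m:
            cur.update(uid=int(m.group('uid')), total_vm_kb=int(m.group('vm')),
                       anon_rss_kb=int(m.group('anon')))
            events.append(cur)
            cur = None
    return events


def alerts(events, protected=PROTECTED):
    """One alert per event in which a protected service was the victim.
    The invoker is named because it is the usual suspect but not the usual
    victim: the kernel picks the victim by oom score, not by who asked."""
    out = []
    for e in events:
        if e.get('victim') in protected:
            out.append('%s (pid %d, uid %d) killed, anon-rss %.1f GiB; memory '
                       'pressure came from %s (oom_score_adj %d)'
                       % (e['victim'], e['pid'], e['uid'], e['anon_rss_kb'] / 2.0 ** 20,
                          e['invoker'], e['invoker_oom_score_adj']))
    return out


if __name__ == '__main__':
    for event in parse_oom_events(SAMPLE_LOG):
        print('%(invoker)s -> killed %(victim)s pid %(pid)d score %(score)d' % event)
    for line in alerts(parse_oom_events(SAMPLE_LOG)):
        print('ALERT:', line)
```

The output makes the practitioner's point: rsync is the invoker in both events, but the kernel chooses the victim by oom score, so the fix is to lower mysqld's /proc/<pid>/oom_score_adj (-1000 exempts it entirely) or to cap rsync's memory, not to tune swappiness.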


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 7:33 AM, James B. Byrne  wrote:
>
>>
>> Nothing remains static. Software evolves into usually superior products.
>> Sentimentally longing for the past hampers the introduction of new and
>> better replacements.
>
> Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Not sure when the capability was added, but the Windows Server
versions' ability to convert a standard single NTFS volume to dynamic
and then add a RAID mirror is really quite nice.  And unlike the linux
counterparts it works on the fly with full backwards compatibility.
You don't have to load some fuse module to hook up some experimental
filesystem with some new bizarre configuration syntax and figure out a
different way to boot it.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Want to create custom iso

2014-03-21 Thread Anant
Hi Guys,

I have made a custom CentOS DVD; I have copied ks.cfg into the top directory of 
my DVD, and it is working fine.
My ks.cfg looks like:


%post --log=/root/my-post-log

yum remove libreoffice* -y ;
/usr/bin/wget http://210.X.X.52/LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz ;
tar -xvzf LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz ;
cd LibreOffice_4.1.5.3_Linux_x86-64_rpm/RPMS/ ;
yum install *.rpm -y ;

%end


I am downloading LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz from 
210.X.X.52, which consumes bandwidth each time, so I want to keep this 
package inside my DVD.
So I need a suggestion on how I can do that, and access it at %post script 
run time.

Like, can I mount my DVD in some /tmp folder? Or any other suggestion..

Thanks in Advance :)





On Monday 17 March 2014 11:34 PM, Earl A Ramirez wrote:
> On 17 March 2014 12:51, EljiUdia  wrote:
>
>>
>>
>> On Monday, March 17, 2014 6:41 PM, Anant 
>> wrote:
>>
>> Hello All,
>>
>> I want to make custom iso of Centos 6.4 and want some feature in it by
>> default
>>
>>
>>
>> Take a look here
>> http://smorgasbork.com/component/content/article/35-linux/128-building-a-custom-centos-6-kickstart-disc-part-1or
>> odesk.com
>>
> The following link [0] may help you with what you are trying to achieve.
>
> [0] http://centos.org/variants/
>
>
>


-- 
Anant Saraswat
System Admin (RHCVA,RHCE,RHCSA)

FOR AND ON BEHALF OF:
Techblue Software Pvt. Ltd.
73, Sector-5
IMT Manesar
Haryana

E: anant.saras...@techblue.co.uk
W: www.techblue.co.uk





Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bill Campbell
On Thu, Mar 20, 2014, Keith Keller wrote:
>On 2014-03-21, Fernando Cassia  wrote:
>>
>> Interesting double negative. Implies that once the "technical barriers" are
>> removed, then it's OK to remove old features for change's sake. ;)
>
>If, as Matthew says, the codebase hasn't been maintained since 2001,
>then we should have concerns about unfound security issues, as well as
>concerns that, if others find security problems, nobody is responsible
>for fixing them.  If tcpwrappers had a current maintainer this wouldn't
>be an issue.
>
>There's certainly at least one technical reason to prefer other options
>like iptables over tcpwrappers.  I've had instances where an attacker
>made dozens of ssh probes per second; tcpwrappers was able to reject
>these, but sshd was so overwhelmed that it was unable to exchange host
>keys with legitimate clients.  iptables would have blocked these attacks
>more effectively, letting sshd handle the legitimate client sessions
>properly.

My solution to this is to have swatch watching the tcp_wrappers ssh, imap,
and pop3 logs and blocking with iptables any IP address that has more than
N (5 by default) failed connection attempts in a minute or that is listed
in our blacklist DNSRBL.  A postgresql database is used on each machine
with a history of IPs blocked which is used to automatically expire blocks
and to add them if a system is rebooted.

We maintain a couple of DNSRBLs for whitelisting and blacklisting IP
addresses and net blocks that are largely fed by the reports generated.
The /etc/hosts.allow files on all the systems we monitor use these DNSRBLs
on critical services (e.g. sshd) to ALLOW/DENY access.

The net result of this has been that it's rare when a particular IP gets
more than a few failed attempts before being blocked the first time, and
one or two if it's in our blacklist DNSRBL whether it's on the first
machine attacked or any of the other machines we monitor.

FWIW, the majority of the attacks seem to be password guessing attempts
using IMAP, not ssh.  The successful cracks on Linux machines I've seen
were done via weak user accounts on ISPs that were then accessed via php to
the user's writeable public html directory.

As somebody already pointed out, no one tool is sufficient to limit access.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

It takes no great insight or intelligence to see that the health
of a centralized economy built around dense concentrations of
economic power and a close business alliance with government can't
tolerate any considerable degree of intellectual schooling. 
John Taylor Gatto http://www.lewrockwell.com/gatto/gatto-uhae-8.html
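An added example of the log-watching scheme Bill describes above (my own code, not his swatch setup or any CentOS tool): it counts failed attempts per source IP in a sliding one-minute window, consults a blacklist and a whitelist DNSRBL, and emits iptables block and expiry commands from a small history table. The log lines, the zone names and the offline `fake_resolve` are constructed; `dns_resolves` shows the real lookup but is not used in the demo.

```python
import re
import socket
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation-range addresses), not real logs.
SAMPLE_LOG = """\
Mar 21 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar 21 10:15:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Mar 21 10:15:05 host sshd[2103]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:15:09 host sshd[2104]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar 21 10:15:12 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 21 10:15:20 host sshd[2106]: Failed password for root from 203.0.113.7 port 41003 ssh2
Mar 21 10:16:00 host sshd[2108]: refused connect from 198.51.100.9 (198.51.100.9)
Mar 21 10:20:00 host sshd[2109]: Failed password for invalid user test from 192.0.2.77 port 1111 ssh2
Mar 21 10:22:00 host sshd[2110]: Failed password for invalid user test from 192.0.2.77 port 1112 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
# One pattern per failure type: tcp_wrappers refusal, sshd auth failure, dovecot login failure.
FAIL_RES = [
    re.compile(r"refused connect from (?P<ip>[\d.]+)"),
    re.compile(r"Failed password for .* from (?P<ip>[\d.]+) port"),
    re.compile(r"(?:imap|pop3)-login: Disconnected \(auth failed.*?\brip=(?P<ip>[\d.]+)"),
]


def parse_failure(line, year=2014):
    """Return (timestamp, ip) for a failed-attempt line, else None; the address is
    validated so that a crafted log line cannot smuggle text into an iptables rule."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for pat in FAIL_RES:
        fm = pat.search(line)
        if fm:
            try:
                return ts, str(ipaddress.IPv4Address(fm.group("ip")))
            except ipaddress.AddressValueError:
                return None
    return None


def rbl_name(ip, zone):
    """DNSBL query name: the octets reversed, then the zone (9.100.51.198.<zone>)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolves(name):
    """Real lookup: a DNSBL lists an address by answering for its query name."""
    try:
        return bool(socket.gethostbyname(name))
    except socket.gaierror:
        return False


class Watcher:
    def __init__(self, threshold=5, window=timedelta(minutes=1), block_ttl=timedelta(hours=1),
                 bl_zone="bl.example.invalid", wl_zone="wl.example.invalid", resolve=dns_resolves):
        self.threshold, self.window, self.block_ttl = threshold, window, block_ttl
        self.bl_zone, self.wl_zone, self.resolve = bl_zone, wl_zone, resolve
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> time blocked (the history table)

    def feed(self, line):
        """Consume one log line; return an iptables command to apply, or None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked or self.resolve(rbl_name(ip, self.wl_zone)):
            return None
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # forget attempts older than one window
            q.popleft()
        if len(q) > self.threshold or self.resolve(rbl_name(ip, self.bl_zone)):
            self.blocked[ip] = ts
            del self.failures[ip]
            return f"iptables -I INPUT -s {ip} -j DROP"
        return None

    def expire(self, now):
        """Return unblock commands for blocks older than block_ttl; `now` may be ISO text."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        cmds = []
        for ip, since in list(self.blocked.items()):
            if now - since > self.block_ttl:
                del self.blocked[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds


# Constructed offline stand-in for the DNSRBL lookups: only 198.51.100.9 is blacklisted.
def fake_resolve(name):
    return name == rbl_name("198.51.100.9", "bl.example.invalid")


def run_demo(log=SAMPLE_LOG, resolve=fake_resolve):
    """Feed the sample log; return the watcher and the block commands it emitted."""
    w = Watcher(resolve=resolve)
    return w, [c for c in map(w.feed, log.splitlines()) if c]
```

On the sample, 203.0.113.7 is blocked on its sixth failure inside the window, 198.51.100.9 on its first because the blacklist lists it, and 192.0.2.77 never, since its two failures are two minutes apart.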


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bill Campbell
On Fri, Mar 21, 2014, m.r...@5-cent.us wrote:
>Larry Martell wrote:
>> On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne 
>> wrote:
...
>>> Yes. For example look how MicroSoft has improved Windows since
>>> XPsp3.;-^)
>>
>> I wouldn't know. I don't use it. I've been programming professionally
>> since 1975 and I've managed to never use Windows.
>
>1980. and I've had to. But I worked long and hard to get into *Nix, and
>with one 1.25 year excursion otherwise, have managed to stay here.

1966, and I have never used anything Microsoft willingly other than their
"Natural" keyboard and wireless mice :-).

>So I *do* object to my toolset being cut down or mangled when it's
unnecessary. tcp.wrappers, no big deal. Non-plain text configuration
>files, or crap that invokes crap that invokes crap to do what was formerly
>done by one program that read one simple configuration file, not so
>much

Remember when SuSE's yast maintained a central configuration file, and
would overwrite manually changed Linux configuration files if one changed
something in the GUI?  So many experienced admins complained that they
finally went back to honoring the manual changes.

Then there's the infamous Windows Registry

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

I consider trial by jury as the only anchor ever yet imagined by
man, by which a government can be held to the principles of its
constitution. -- Thomas Jefferson in a letter to Thomas Paine, 1789.


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread John Doe
From: SilverTip257 

> To: CentOS mailing list 
> Cc: 
> Sent: Friday, March 21, 2014 5:40 PM
> Subject: Re: [CentOS] rsync triggers oomkiller
> 
> I added a subject so we can track this message on the list easier. ;)
> 
> On Fri, Mar 21, 2014 at 12:19 PM, John Doe  wrote:
> 
>>  Hey,
>> 
>>    kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0,
>>  oom_score_adj=0
>>    ...
>>    kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
>>  sacrifice child
>>    kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
>>  anon-rss:2890828kB, file-rss:3324kB
>> 
>>  rsync whines he wants more RAM and... mysql gets killed...
>>  That makes me a bit sad!
>>  And from my nagios graphs, at that time, ram usage was only 75%
>>  (4.5GB/6GB) and swap usage 0.3% (/2GB)!
>>  I cannot believe an rsync suddenly needed 1.5GB+2GB and was not
>>  satisfied...
>>  And even after the out of memory, the graphs show no swap usage change at
>>  all.
>>  Anybody would have an idea about this "fake" out of memory?
>> 
> 
> Wild.
> I've not encountered oomkiller being triggered when the server has free
> memory and hasn't swapped to disk yet.
> 
> After the fact, it will probably be almost impossible to figure out the
> list of files that rsync was storing in memory.
> 
> This makes me wonder if there's an option to have rsync log the list of
> files (to be synced) to a log file of some sort.  I'll have to look into it
> later today when I have a moment.

Thx for the subject!
After more investigation, I found:
- a vm.swappiness=0 in sysctl.conf, which should not prevent the kernel from swapping 
to prevent an oom.
- the rsync was part of 8 *sequential* rsyncs on 8 servers, rsyncing between 
500 and 1000 files at most...

Thx,
JD


Re: [CentOS] Tar Compression issue

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 8:57 AM, Fred Smith
wrote:

> On Fri, Mar 21, 2014 at 10:55:33AM +, Andrew Holway wrote:
> > Dear Bonnie,
> >
> > You're not getting an answer because the emails you are sending look
> > like spam to most email filters.
> >
> > Thanks,
> >
> > Andrew
> >
> >
> >
> >
> >
> > On 18 March 2014 09:22, Bonnie B Mtengwa  wrote:
> > > I have a file server, CentOS 5.10; it's on the internet, so I compress all csv
> > > into one file using (tar -czvf compressed_files.tar.gz  *.csv) on this
> > > server so that I can download them as one compressed file to save bandwidth.
> > > Disk space available on this server is 50Gig, so when I copy the files onto
> > > Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) it decompresses
> > > maybe 80% then I get the error:
> > >
> > >
> > >
> > > gzip: stdin: unexpected end of file
> > >
> > > tar: Unexpected EOF in archive
> > >
> > > tar: Unexpected EOF in archive
> > >
> > > tar: Error is not recoverable: exiting now
> > >
> > >
> > >
> > > what might be the issue here?
>
> Wild guess:
> Is the file, by any chance, somewhat over 4 gigs?
>

Our grandfathered homegrown backup solution that is in place for web
hosting at work tars up customer web content, which ends up being 15GB in
some cases.  And it's web content, so there's lots of files!

I'm sure if I took the time, I might find an even larger tarball -- but
10-15GB is pretty hefty.

> I've had a problem, years past, when a particular compression tool
>

Would you kindly share the name of the compression tool?


> blew up on files over 4 gigs, because it requires an integer
> larger than a 32-bit int to hold the file offsets. I wouldn't
> really expect that to be a problem on Centos 5.x, even on a
> 32-bit system, but one does wonder
>

However ... we have a mix of 32-bit and 64-bit CentOS 5.10 systems that
create the backups (I speak of above) without a problem.  So 32 vs 64-bit
may not be the cause.


-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread SilverTip257
I added a subject so we can track this message on the list easier. ;)

On Fri, Mar 21, 2014 at 12:19 PM, John Doe  wrote:

> Hey,
>
>   kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0,
> oom_score_adj=0
>   ...
>   kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
> sacrifice child
>   kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
> anon-rss:2890828kB, file-rss:3324kB
>
> rsync whines he wants more RAM and... mysql gets killed...
> That makes me a bit sad!
> And from my nagios graphs, at that time, ram usage was only 75%
> (4.5GB/6GB) and swap usage 0.3% (/2GB)!
> I cannot believe an rsync suddenly needed 1.5GB+2GB and was not
> satisfied...
> And even after the out of memory, the graphs show no swap usage change at
> all.
> Anybody would have an idea about this "fake" out of memory?
>

Wild.
I've not encountered oomkiller being triggered when the server has free
memory and hasn't swapped to disk yet.

After the fact, it will probably be almost impossible to figure out the
list of files that rsync was storing in memory.

This makes me wonder if there's an option to have rsync log the list of
files (to be synced) to a log file of some sort.  I'll have to look into it
later today when I have a moment.


>
> Thx,
> JD
>



-- 
---~~.~~---
Mike
//  SilverTip257  //


[CentOS] (no subject)

2014-03-21 Thread John Doe
Hey,

  kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, 
oom_score_adj=0
  ...
  kernel: Out of memory: Kill process 27974 (mysqld) score 361 or sacrifice 
child
  kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB, 
anon-rss:2890828kB, file-rss:3324kB

rsync whines he wants more RAM and... mysql gets killed...
That makes me a bit sad!
And from my nagios graphs, at that time, ram usage was only 75% (4.5GB/6GB) and 
swap usage 0.3% (/2GB)!
I cannot believe an rsync suddenly needed 1.5GB+2GB and was not satisfied...
And even after the out of memory, the graphs show no swap usage change at all.
Anybody would have an idea about this "fake" out of memory?

Thx,
JD


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bruce Ferrell
On 03/20/2014 12:48 PM, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
>
>
I use it in conjunction with other utilities... They modify the hosts.deny in 
response to log parsing.

Please keep in mind, security in layers.


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Gilbert Sebenste
On Fri, 21 Mar 2014, Leon Fauster wrote:

> it's just used in a multiple layer protection / security model.

Bingo! Same here. And it works well!

> Well, I would say it's more scary when humans are editing configuration files 
> :-)

I can speak for nearly 20 years of experience on this, including
blowing it myself and locking myself remotely out of my own system
once. For what it is supposed to do...it does extremely well.

Gilbert

***
Gilbert Sebenste
(My opinions only!)  **
***


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 8:58 AM, Fernando Cassia  wrote:
>
>> The technical problem is that there's no maintainer.  Are you
>> volunteering (and capable)?
>>
>
> Then, for crying out loud... :) this discussion should have been started
> with a different subject line:
> "Looking for a new tcp wrappers maintainer".
>
> That is much more constructive than calling the bulldozer early.

Even more to the point, why is this a fedora/RHEL or even linux
specific issue?   I'd expect it to matter to OpenBSD.  Do they maintain
their copy?

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Leon Fauster
On 20.03.2014 at 22:22, Matthew Miller wrote:
> On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote:
>> Please don't remove it. Why  this sudden idea in software circles that
>> stuff that works properly needs to be removed for no reason whatsoever
>> other than "it's old and we think nobody uses it". How do you know?
> 
> Well, that's why I'm asking.
> 
>> IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.
> 
> Yes, I have heard of that.
> 
> But, are you actually using it? Do you need to?


We do, and we also compile tcp wrappers support 
into services if the distro hasn't done it (e.g. mysql).
It's just used in a multiple-layer protection / security model.


> There are real downsides to carrying unmaintained code forward.
> 
> Someone put forth the possibility of developing and maintaining a
> modern library implementing the same config files but with an updated
> codebase and better API, but no one has actually volunteered to
> do that work. If you'd like to be that person, awesome.
> 
>> Fail2ban is one piece of software which interfaces with tcp wrappers.
>> v0.9.0 just out
>> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> Yes, and I know for sure people use that -- I do, for example. But I use it to
> manipulate IP tables, which is more secure and less fragile than the


Why is iptables more secure? It's just on another level and the attack vector 
persists.
And by the way: you do not really want to run a "firewall" on the _same_ 
system; think about that. 


> hosts.deny action (it's always a bit scary when configuration files are
> edited by a program!). Because it is actively maintained upstream, there's
> even support for new things like firewalld.



Well, I would say it's more scary when humans are editing configuration files :-)


One thing that I like about tcp_wrappers is the use of domain names. 
Even possible with iptables, but not a good idea as with tcp_wrappers.



--
LF




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Thu, Mar 20, 2014 at 11:13 PM, Keith Keller <
kkel...@wombat.san-francisco.ca.us> wrote:

> The technical problem is that there's no maintainer.  Are you
> volunteering (and capable)?
>

Then, for crying out loud... :) this discussion should have been started
with a different subject line:
"Looking for a new tcp wrappers maintainer".

That is much more constructive than calling the bulldozer early.

FC

-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Matthew Miller
On Fri, Mar 21, 2014 at 09:29:01AM -0400, John Jasen wrote:
> https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf
> Also note, agencies or groups required to implement CIS or better who
> maintain a mixed environment may also use tcp_wrappers on all their
> platforms, as from a cursory glance, every UNIX benchmark lists it.
> I would recommend against dropping tcp wrappers.

Thanks, that is helpful. Cross-platform compatibility is a strong argument.
I think this points towards the updated "libwrap2" idea, although that
does require someone who actually wants to do it.


-- 
Matthew Miller   mat...@mattdm.org  


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 06:23 PM, Les Mikesell wrote:

> Not sure there's a one-to-one mapping or even a conceptual overlap in
> what tcpwrappers and iptables do.   Applications can be configured to
> use different ports than someone setting up iptables might expect -
> and how would you handle portmapper?
> 

As another case, read some of the extended use cases for vsftpd. They
require tcpd to pass an environmental variable telling vsftpd which
configuration file to use.


-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 04:13 PM, Matthew Miller wrote:
> On Thu, Mar 20, 2014 at 04:00:49PM -0400, John Jasen wrote:
>> Various government entities may use it extensively. I don't recall if
>> tcp_wrappers is in the USGCB baselines for RHEL, but I do believe it's in
>> several CIS benchmarks.
> 
> Good question. I checked with both that and the DoD National Checklist
> Program, and neither mention it. Also, unless I missed something else, the
> USGCB covers RHEL 5, so there won't be any impact there.
> 
> Are the CIS benchmarks something you could point me to?
> 

https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf

Also note, agencies or groups required to implement CIS or better who
maintain a mixed environment may also use tcp_wrappers on all their
platforms, as from a cursory glance, every UNIX benchmark lists it.

I would recommend against dropping tcp wrappers.


-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread m . roth
Larry Martell wrote:
> On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne 
> wrote:
>>
>> On Thu, March 20, 2014 17:34, Always Learning wrote:
>>>
>>> Nothing remains static. Software evolves into usually superior
>>> products. Sentimentally longing for the past hampers the introduction
of new and
>>> better replacements.
>>
>> Yes. For example look how MicroSoft has improved Windows since
>> XPsp3.;-^)
>
> I wouldn't know. I don't use it. I've been programming professionally
> since 1975 and I've managed to never use Windows.

1980. and I've had to. But I worked long and hard to get into *Nix, and
with one 1.25 year excursion otherwise, have managed to stay here.

So I *do* object to my toolset being cut down or mangled when it's
unnecessary. tcp.wrappers, no big deal. Non-plain text configuration
files, or crap that invokes crap that invokes crap to do what was formerly
done by one program that read one simple configuration file, not so
much

  mark




Re: [CentOS] Tar Compression issue

2014-03-21 Thread Fred Smith
On Fri, Mar 21, 2014 at 10:55:33AM +, Andrew Holway wrote:
> Dear Bonnie,
> 
> You're not getting an answer because the emails you are sending look
> like spam to most email filters.
> 
> Thanks,
> 
> Andrew
> 
> 
> 
> 
> 
> On 18 March 2014 09:22, Bonnie B Mtengwa  wrote:
> > I have a file server, CentOS 5.10; it's on the internet, so I compress all csv
> > into one file using (tar -czvf compressed_files.tar.gz  *.csv) on this
> > server so that I can download them as one compressed file to save bandwidth.
> > Disk space available on this server is 50Gig, so when I copy the files onto
> > Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) it decompresses
> > maybe 80% then I get the error:
> >
> >
> >
> > gzip: stdin: unexpected end of file
> >
> > tar: Unexpected EOF in archive
> >
> > tar: Unexpected EOF in archive
> >
> > tar: Error is not recoverable: exiting now
> >
> >
> >
> > what might be the issue here?

Wild guess:
Is the file, by any chance, somewhat over 4 gigs? 
I've had a problem, years past, when a particular compression tool
blew up on files over 4 gigs, because it requires an integer
larger than a 32-bit int to hold the file offsets. I wouldn't
really expect that to be a problem on Centos 5.x, even on a
32-bit system, but one does wonder

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
  "For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
 all ages, now and forevermore! Amen."
- Jude 1:24,25 (niv) -


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 7:37 AM, James B. Byrne  wrote:
>
> On Thu, March 20, 2014 18:52, Les Mikesell wrote:
>
>> xml isn't intended for humans - it is supposed to be parsed and
>> verified by machines.  The bigger question is why the machines aren't
>> managing the config files themselves yet?
>>
> Possibly because the machines are running programs written by humans that need
> to understand what they think they have told the machine to do in order to
> determine why it is not doing what they want it to?

Yes, but that reason is generally that someone changed the language
syntax underneath it instead of settling on simple working APIs.
What has actually stayed stable and backwards compatible over the
years other than bourne shell syntax and perl (almost)?   Everything
else has made you repeat your work every few years instead of letting
you build on it and advance.

-- 
  Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Larry Martell
On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne  wrote:
>
> On Thu, March 20, 2014 17:34, Always Learning wrote:
>>
>>
>> Nothing remains static. Software evolves into usually superior products.
>> Sentimentally longing for the past hampers the introduction of new and
>> better replacements.
>
> Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

I wouldn't know. I don't use it. I've been programming professionally
since 1975 and I've managed to never use Windows.


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John R. Dennison
On Fri, Mar 21, 2014 at 08:33:19AM -0400, James B. Byrne wrote:
> 
> On Thu, March 20, 2014 17:34, Always Learning wrote:
> >
> >
> > Nothing remains static. Software evolves into usually superior products.
> > Sentimentally longing for the past hampers the introduction of new and
> > better replacements.
> 
> Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

This whole conversation is meaningless.  Our opinions on what Fedora
does or doesn't do or what Puttering does or doesn't wreck next are
irrelevant.






John
-- 
Most people hate the idea of evolution because they realize that if it were
working properly, they'd be dead.

-- Anonymous




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James B. Byrne

On Thu, March 20, 2014 18:52, Les Mikesell wrote:

> xml isn't intended for humans - it is supposed to be parsed and
> verified by machines.  The bigger question is why the machines aren't
> managing the config files themselves yet?
>
Possibly because the machines are running programs written by humans that need
to understand what they think they have told the machine to do in order to
determine why it is not doing what they want it to?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James B. Byrne

On Thu, March 20, 2014 17:34, Always Learning wrote:
>
>
> Nothing remains static. Software evolves into usually superior products.
> Sentimentally longing for the past hampers the introduction of new and
> better replacements.

Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Phelps, Matt
On Thu, Mar 20, 2014 at 3:48 PM, Matthew Miller  wrote:

> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the
> new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
>
>
> --
> Matthew Miller   mat...@mattdm.org  
>


We still use tcpwrappers extensively behind our firewalls to control many
things. We still have a mixed CentOS 5/6 and older Solaris environment, so
it would be a big hassle to switch to something else.

Of course, if it left Fedora today, it would still be in CentOS for years
to come, and even then we could probably build our own pretty easily, but
we'd rather not have to!


-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu


Re: [CentOS] Tar Compression issue

2014-03-21 Thread Andrew Holway
Dear Bonnie,

You're not getting an answer because the emails you are sending look
like spam to most email filters.

Thanks,

Andrew





On 18 March 2014 09:22, Bonnie B Mtengwa  wrote:
> I have a file server, CentOS 5.10; it's on the internet, so I compress all csv
> into one file using (tar -czvf compressed_files.tar.gz  *.csv) on this
> server so that I can download them as one compressed file to save bandwidth.
> Disk space available on this server is 50Gig, so when I copy the files onto
> Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) it decompresses
> maybe 80% then I get the error:
>
>
>
> gzip: stdin: unexpected end of file
>
> tar: Unexpected EOF in archive
>
> tar: Unexpected EOF in archive
>
> tar: Error is not recoverable: exiting now
>
>
>
> what might be the issue here?
>
>
>
> Bonnie B Mtengwa
>
> Email:   bonnie.mten...@potraz.gov.zw |
>  bonni...@gmail.comWeb:
>  www.potraz.gov.zw
>
>
>


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Matthew Miller
> Sent: 20 March 2014 20:49
> To: centos@centos.org
> Subject: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny)
> anymore?
>
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
> would you care strongly if it went away (or would you just migrate to 
> something
> else)?

I do use them both, together with some iptables-rules.

As for caring if they disappear, well, maybe not too much, as most everything 
can be set in iptables as well.
It will take an effort to redo our standard iptables rule list though, in 
order to cover up for the missing hosts.deny and hosts.allow files.
--
//Sorin