Re: [CentOS] Apache mod_perl cross site scripting vulnerability

2015-08-11 Thread Eero Volotinen 
How about something like:



  # disallow public access
  Order Deny, Allow
  Deny from all
  Allow from 127.0.0.1

  SetHandler perl-script
  PerlResponseHandler Apache2::Status
  




2015-08-11 14:46 GMT+03:00 Proxy One :

> Hello,
>
> I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
> Red Hat Security Response Team has rated this issue as having moderate
> security impact and bug as wontfix.
>
> Explanation: The vulnerability affects non default configuration of
> Apache HTTP web server, i.e cases, when access to Apache::Status and
> Apache2::Status resources is explicitly allowed via  /perl-status> httpd.conf configuration directive.  Its occurrence can be
> prevented by using the default configuration for the Apache HTTP web
> server (not exporting /perl-status).
>
> I haven't used  but Trustwave still finds me
> vulnerable.
>
> Evidence:
> Request: GET /perl-
> status/APR::SockAddr::port/">alert('xss') HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: www.mydomain.com
> Content-Type: text/html
> Content-Length: 0
> Response: HTTP/1.1 404 Not Found
> Date: Mon, 07 Aug 2015 11:10:21 GMT
> Server: Apache/2.2.15 (CentOS)
> X-Powered-By: PHP/5.3.3
> Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/
>
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-
> check=0
> Pragma: no-cache
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
> Body: contains '">alert('xss')'
>
>
> How can I get around this?
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Apache mod_perl cross site scripting vulnerability

2015-08-11 Thread Ellen Shull 
On Tue, Aug 11, 2015 at 4:46 AM, Proxy One  wrote:

> I haven't used  but Trustwave still finds me
> vulnerable.
>
[...]
> Response: HTTP/1.1 404 Not Found

You clearly aren't serving perl-status; that's a red herring here.

[...]
> Body: contains '">alert('xss')'

That's your problem; they're flagging you for an XSS "vulnerability".
I'm guessing you have a custom 404 page that naively echoes the entire
request URL as part of the page?  You need to be using
htmlspecialchars() or HTML::Entities or whatever your
language/environment has to escape strings for safe inclusion in HTML
content.

There is of course more to it than that (sigh), try for starters:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

--ln
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] [CentOS-announce] Release for CentOS-6.7 LiveCD and LiveDVD for i386 and x86_64

2015-08-11 Thread Always Learning 

On Tue, 2015-08-11 at 17:33 -0500, Johnny Hughes wrote:
> On 08/11/2015 05:16 PM, Always Learning wrote:
> > 
> > On Tue, 2015-08-11 at 14:52 +0200, Fabian Arrotin wrote:
> > 
> > 
> >> We are pleased to announce the immediate availability of CentOS-6.7
> >> LiveCD and LiveDVD for the i386 and x86_64 architectures.
> >>
> >> Detailed Release Notes are available at
> >> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveDVD6.7
> >> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveCD6.7
> > 
> > Which is best for a USB3 device ?
> > 
> > 
> 
> It depends on what you are trying to do.  The CD has less stuff than the
> DVD (since it is significantly smaller).
> 
> If the device has room and you can use it, I would use the DVD.

The USB3 devices are 32G, so I'll use the DVD.

Thank you.


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] [CentOS-announce] Release for CentOS-6.7 LiveCD and LiveDVD for i386 and x86_64

2015-08-11 Thread Johnny Hughes 
On 08/11/2015 05:16 PM, Always Learning wrote:
> 
> On Tue, 2015-08-11 at 14:52 +0200, Fabian Arrotin wrote:
> 
> 
>> We are pleased to announce the immediate availability of CentOS-6.7
>> LiveCD and LiveDVD for the i386 and x86_64 architectures.
>>
>> Detailed Release Notes are available at
>> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveDVD6.7
>> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveCD6.7
> 
> Which is best for a USB3 device ?
> 
> 

It depends on what you are trying to do.  The CD has less stuff than the
DVD (since it is significantly smaller).

If the device has room and you can use it, I would use the DVD.





signature.asc
Description: OpenPGP digital signature
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread Always Learning 

On Tue, 2015-08-11 at 12:59 -0400, m.r...@5-cent.us wrote:

> So, since I haven't yet found where /var/log/httpd is created, what would
> a default package make the ownership of the directory? Does it expect it
> to be apache:root?

On my C5.11 and C6.7 systems I get:-

 : .l  /var/log/|.g htt
24:drwx--  2 root  root 4096 Sep 16  2014 httpd



-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] [CentOS-announce] Release for CentOS-6.7 LiveCD and LiveDVD for i386 and x86_64

2015-08-11 Thread Always Learning 

On Tue, 2015-08-11 at 14:52 +0200, Fabian Arrotin wrote:


> We are pleased to announce the immediate availability of CentOS-6.7
> LiveCD and LiveDVD for the i386 and x86_64 architectures.
> 
> Detailed Release Notes are available at
> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveDVD6.7
> http://wiki.centos.org/Manuals/ReleaseNotes/CentOSLiveCD6.7

Which is best for a USB3 device ?


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Dr J Austin 



On Tue, 11 Aug 2015, Alexander Dalloz wrote:


Am 11.08.2015 um 22:28 schrieb Dr J Austin:


Hi Alexander

[root@maui:/var/log]$ watch 'tail -n40 maillog

does not quiver when I try to connect


That's suspicious.

Let's exclude it is the client which causes the problem: Connect directly to 
the IMAPS server on CLI.


openssl s_client -connect :993

You hopefully see a greeting message from the IMAP server. Then issue

a1 LOGIN username password

If you see a success message that you logged in, then everything is fine with 
your cyrus-imapd.


Logout by entering

a2 LOGOUT

If you got that far, the troublemaker is Evolution. Can't help you with that 
one as I am not using it. Validate all the account settings to be valid.



In coming mail can be seen but nothing about evo connections as far as I
can see

There do seem to be some warnings/errors - they don't look relavant??


Right, irrelevant for your isse.


Many thanks for your help

John



You really should see your user login in this log file.

Alexander



Hmmm

Summary
On the server maui itself
Failure when using IP address but works with name maui for root and fred

On a separate machine paxos
Failure for both IP address and name maui and maui.jaa.org.uk
for both root and ja

However the error messages are different between maui and paxos

John

-
As user fred on the server maui itself
[fred@maui ~]$ openssl s_client -connect 148.197.29.5:993
socket: Connection refused
connect:errno=111

As root on the server maui itself
[root@maui:/var/log]$ 
openssl s_client -connect 148.197.29.5:993

socket: Connection refused
connect:errno=111

As root on maui using "name"
[root@maui:/var/log]$ openssl s_client -connect maui:993
CONNECTED(0003)
depth=0 C = UK, ST = Hampshire, L = Fareham, CN = maui.jaa.org.uk, 
emailAddress = j...@jaa.org.uk

verify error:num=18:self signed certificate
verify return:1
depth=0 C = UK, ST = Hampshire, L = Fareham, CN = maui.jaa.org.uk, 
emailAddress = j...@jaa.org.uk

verify return:1
---
Certificate chain
 0 
s:/C=UK/ST=Hampshire/L=Fareham/CN=maui.jaa.org.uk/emailAddress=j...@jaa.org.uk


i:/C=UK/ST=Hampshire/L=Fareham/CN=maui.jaa.org.uk/emailAddress=j...@jaa.org.uk
---
Server certificate
...
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR 
COMPRESS=DEFLATE] maui.jaa.org.uk Cyrus IMAP 
v2.3.16-Fedora-RPM-2.3.16-13.el6_6 server ready

a1 LOGIN username password
al OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED AUTH=PLAIN 
COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS 
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE 
SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in

a2 LOGOUT
* BYE LOGOUT received
a2 OK Completed
read:errno=0


These also work OK
[ja@maui ~]$ openssl s_client -connect maui:993
ja@maui ~ 4$ openssl s_client -connect maui.jaa.org.uk:9 
-

On a separate machine paxos - always fails

As user ja on a separate machine paxos
ja@paxos ~ 1$ openssl s_client -connect 148.197.29.5:993
socket: Bad file descriptor
connect:errno=9

As root on a separate machine paxos
[root@paxos:~]$ openssl s_client -connect 148.197.29.5:993
socket: Bad file descriptor
connect:errno=9

[root@paxos:~]$ openssl s_client -connect maui:993
socket: Bad file descriptor
connect:errno=9

[root@paxos:~]$ openssl s_client -connect maui.jaa.org.uk:993
socket: Bad file descriptor
connect:errno=9

[root@paxos:~]$ exit
logout
ja@paxos ~ 3$ openssl s_client -connect maui:993
socket: Bad file descriptor
connect:errno=9

ja@paxos ~ 4$ openssl s_client -connect maui.jaa.org.uk:993
socket: Bad file descriptor
connect:errno=9



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread m . roth 
Dr J Austin wrote:
> On Tue, 11 Aug 2015, Alexander Dalloz wrote:
>> Am 11.08.2015 um 21:47 schrieb Dr J Austin:

 What does cyrus-imapd log?

>
> There do seem to be some warnings/errors - they don't look relavant??

> Aug 11 21:17:43 maui lmtpunix[10038]: IOERROR: fstating sieve script
> /var/lib/imap/sieve/j/ja/defaultbc: No such file or directory
> 441773

> Aug 11 21:19:03 maui master[2515]: process 10038 exited, status 0
> Aug 11 21:19:13 maui master[2515]: process 10048 exited, status 0

Not sure about these last two, but what's that sieve script doing?

 mark


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Alexander Dalloz 

Am 11.08.2015 um 22:28 schrieb Dr J Austin:


Hi Alexander

[root@maui:/var/log]$ watch 'tail -n40 maillog

does not quiver when I try to connect


That's suspicious.

Let's exclude it is the client which causes the problem: Connect 
directly to the IMAPS server on CLI.


openssl s_client -connect :993

You hopefully see a greeting message from the IMAP server. Then issue

a1 LOGIN username password

If you see a success message that you logged in, then everything is fine 
with your cyrus-imapd.


Logout by entering

a2 LOGOUT

If you got that far, the troublemaker is Evolution. Can't help you with 
that one as I am not using it. Validate all the account settings to be 
valid.



In coming mail can be seen but nothing about evo connections as far as I
can see

There do seem to be some warnings/errors - they don't look relavant??


Right, irrelevant for your isse.


Many thanks for your help

John




Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_check:
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> user.ja 0
Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_check:
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> user.ja 0
Aug 11 21:17:29 maui lmtpunix[10038]: Delivered:
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> to
mailbox: user.ja
Aug 11 21:17:29 maui lmtpunix[10038]: mystore: starting txn 2147483715
Aug 11 21:17:29 maui lmtpunix[10038]: mystore: committing txn 2147483715
Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_mark:
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us>
user.ja 1439324249 441771
Aug 11 21:17:29 maui lmtpunix[10048]: executed
Aug 11 21:17:43 maui lmtpunix[10038]: accepted connection
Aug 11 21:17:43 maui lmtpunix[10038]: lmtp connection preauth'd as postman
Aug 11 21:17:43 maui lmtpunix[10038]: IOERROR: fstating sieve script
/var/lib/imap/sieve/j/ja/defaultbc: No such file or directory


Cyrus-IMAPd tries to execute the default sieve but there is no sieve 
filter defined for the mailbox. You can ignore that or just configure 
your syslog to not log these debug messages.



Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_check:

user.ja  0
Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_check:

user.ja  0
Aug 11 21:17:43 maui lmtpunix[10038]: Delivered:
 to
mailbox: user.ja
Aug 11 21:17:43 maui lmtpunix[10038]: mystore: starting txn 2147483717
Aug 11 21:17:43 maui lmtpunix[10038]: mystore: committing txn 2147483717
Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_mark:

user.ja  1439324263 441772
Aug 11 21:18:08 maui lmtpunix[10048]: accepted connection
Aug 11 21:18:08 maui lmtpunix[10048]: lmtp connection preauth'd as postman
Aug 11 21:18:08 maui lmtpunix[10048]: IOERROR: fstating sieve script
/var/lib/imap/sieve/j/ja/defaultbc: No such file or directory


Same as above.


Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_check:
<55ca5873.7090...@htt-consult.com>   user.ja  0
Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_check:
<55ca5873.7090...@htt-consult.com>   user.ja  0
Aug 11 21:18:08 maui lmtpunix[10048]: Delivered:
<55ca5873.7090...@htt-consult.com> to mailbox: user.ja
Aug 11 21:18:08 maui lmtpunix[10048]: mystore: starting txn 2147483718
Aug 11 21:18:08 maui lmtpunix[10048]: mystore: committing txn 2147483718
Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_mark:
<55ca5873.7090...@htt-consult.com>   user.ja  1439324288
441773


So far just activity of the LMTP processes to deliver mail into the mailbox.


Aug 11 21:19:03 maui master[2515]: process 10038 exited, status 0
Aug 11 21:19:13 maui master[2515]: process 10048 exited, status 0


Processes get terminated. That's fine.


Aug 11 21:19:13 maui master[10160]: about to exec
/usr/lib/cyrus-imapd/lmtpd
Aug 11 21:19:13 maui lmtpunix[10160]: executed


You really should see your user login in this log file.

Alexander

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Dr J Austin 



On Tue, 11 Aug 2015, Alexander Dalloz wrote:


Am 11.08.2015 um 21:47 schrieb Dr J Austin:


What does cyrus-imapd log?

Alexander




Where should I be looking ?


/var/log/maillog is the default log file for the MAIL facility. Else check 
your syslog() daemon configuration.


Alexander

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos



Hi Alexander

[root@maui:/var/log]$ watch 'tail -n40 maillog

does not quiver when I try to connect
In coming mail can be seen but nothing about evo connections as far as I 
can see


There do seem to be some warnings/errors - they don't look relavant??

Many thanks for your help

John



Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_check: 
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> user.ja 
0
Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_check: 
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> user.ja 
0
Aug 11 21:17:29 maui lmtpunix[10038]: Delivered: 
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> to 
mailbox: user.ja

Aug 11 21:17:29 maui lmtpunix[10038]: mystore: starting txn 2147483715
Aug 11 21:17:29 maui lmtpunix[10038]: mystore: committing txn 2147483715
Aug 11 21:17:29 maui lmtpunix[10038]: duplicate_mark: 
<2601564684-jvvyityrhuoromksrswvq...@mzdrthfhs35.com-internet.us> user.ja 
1439324249 441771

Aug 11 21:17:29 maui lmtpunix[10048]: executed
Aug 11 21:17:43 maui lmtpunix[10038]: accepted connection
Aug 11 21:17:43 maui lmtpunix[10038]: lmtp connection preauth'd as postman
Aug 11 21:17:43 maui lmtpunix[10038]: IOERROR: fstating sieve script 
/var/lib/imap/sieve/j/ja/defaultbc: No such file or directory
Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_check: 
 
user.ja  0
Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_check: 
 
user.ja  0
Aug 11 21:17:43 maui lmtpunix[10038]: Delivered: 
 to 
mailbox: user.ja

Aug 11 21:17:43 maui lmtpunix[10038]: mystore: starting txn 2147483717
Aug 11 21:17:43 maui lmtpunix[10038]: mystore: committing txn 2147483717
Aug 11 21:17:43 maui lmtpunix[10038]: duplicate_mark: 
 
user.ja  1439324263 441772

Aug 11 21:18:08 maui lmtpunix[10048]: accepted connection
Aug 11 21:18:08 maui lmtpunix[10048]: lmtp connection preauth'd as postman
Aug 11 21:18:08 maui lmtpunix[10048]: IOERROR: fstating sieve script 
/var/lib/imap/sieve/j/ja/defaultbc: No such file or directory
Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_check: 
<55ca5873.7090...@htt-consult.com>   user.ja  0
Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_check: 
<55ca5873.7090...@htt-consult.com>   user.ja  0
Aug 11 21:18:08 maui lmtpunix[10048]: Delivered: 
<55ca5873.7090...@htt-consult.com> to mailbox: user.ja

Aug 11 21:18:08 maui lmtpunix[10048]: mystore: starting txn 2147483718
Aug 11 21:18:08 maui lmtpunix[10048]: mystore: committing txn 2147483718
Aug 11 21:18:08 maui lmtpunix[10048]: duplicate_mark: 
<55ca5873.7090...@htt-consult.com>   user.ja  1439324288 
441773

Aug 11 21:19:03 maui master[2515]: process 10038 exited, status 0
Aug 11 21:19:13 maui master[2515]: process 10048 exited, status 0
Aug 11 21:19:13 maui master[10160]: about to exec 
/usr/lib/cyrus-imapd/lmtpd

Aug 11 21:19:13 maui lmtpunix[10160]: executed

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Alexander Dalloz 

Am 11.08.2015 um 21:47 schrieb Dr J Austin:


What does cyrus-imapd log?

Alexander




Where should I be looking ?


/var/log/maillog is the default log file for the MAIL facility. Else 
check your syslog() daemon configuration.


Alexander

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Dr J Austin 



On Tue, 11 Aug 2015, Richard wrote:




 Original Message 

Date: Tuesday, August 11, 2015 20:24:36 +0200
From: Alexander Dalloz 

Am 11.08.2015 um 17:56 schrieb Dr J Austin:

Hi

I have been using evolution/cyrus/exim for 10 years - until
yesterday!

I upgraded to C6.7 and now there is no way I can find of
connecting from evo to the cyrus imap(s) server

[root@maui:~]$ ps -ef|grep imap
cyrus27768 1  0 15:21 ?00:00:00
/usr/lib/cyrus-imapd/cyrus-master -d
cyrus27775 27768  0 15:21 ?00:00:00 imapd -s
cyrus27779 27768  0 15:21 ?00:00:00 imapd
cyrus27781 27768  0 15:21 ?00:00:00 imapd
cyrus27782 27768  0 15:21 ?00:00:00 imapd
cyrus27783 27768  0 15:21 ?00:00:00 imapd
cyrus27933 27768  0 15:36 ?00:00:00 imapd
cyrus28048 27768  0 15:46 ?00:00:00 imapd

evo is running on a fully updated F22 machine, cyrus/exim on C6.7
k-9 mail on a tablet and a mobile no longer connect
even tried thunderbird which also would not connect

When trying to connect with evo I get Failed to open folder
The reported error was "Could not connect to 148.197.29.5:
Connection refused"

If I try to change things by editing the "Recieving Email" menu
ie by changing the "Encryption method" from "SSL on a dedicated
port" 993 to "No encryption" it still fails
In fact just hitting Authentication "Check for supported types"
gives
Failed to query server for a list of supported authentication
mechanisms. Could not connect to 148.197.29.5: Connection refused

wireshark shows just two lines using tcp.port==993 filter
Unfortunately this does not mean much to me!

1243.276582000148.197.29.159148.197.29.5TCP74
54564→993 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
TSval=71392019 TSecr=0 WS=128

1253.27677148.197.29.5148.197.29.159TCP60
993→54564 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

I have tried the following to no avail
tcpdump -s 0 -w dump_file
ssldump -a -A -H -d -r dump_file
and
selinux in permissive mode
firewall off

Help!

John


What does cyrus-imapd log?

Alexander




A "connection refused" response generally means that the daemon
isn't allowing the connection (isn't listening or is configured to
reject), rather than something with the handshake protocol. So,
mucking with your clients' encryption/authentication settings
probably won't do anything.

You might also want to use netstat to confirm what's listening as
your imapd and to confirm that it's listening on the external
interface (not just localhost). Something like:

 netstat -pln | egrep ':993|:143'

as root, should get the interesting bits.

Also, you might want to check to see if the cyrus config files were
touched with the update (look also for rpmnew and rpmold cyrus
config files).


Hi Richard

Hopefully this will be threaded but I am forced to use Alpine at the 
moment!


netstat output shows

[root@maui:~]$ netstat -pln | egrep ':993|:143'
tcp0  0 :::993  :::* 
LISTEN  2515/cyrus-master
tcp0  0 :::143  :::* 
LISTEN  2515/cyrus-master
udp0  0 0.0.0.0:143 0.0.0.0:* 
1465/portreserve
udp0  0 0.0.0.0:993 0.0.0.0:* 
1465/portreserve

---
I did check whether cyrus type things were changed from 6.6 to 6.7
but it seems that nothing has been changed

Current (6.7 rpms)
[root@maui:~]$ rpm -qa|grep -i cyrus
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64
cyrus-imapd-utils-2.3.16-13.el6_6.x86_64
cyrus-imapd-2.3.16-13.el6_6.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

I have checked as follows (and the 6.6 and 6.7 repos)
root@maui:~]$ yum history list
Loaded plugins: refresh-packagekit
ID | Login user   | Date and time| Action(s)  | 
Altered

---
   296 |   | 2015-08-10 18:57 | E, I, U| 
441 EE


root@maui:~]$ yum history info 296 |grep cyrus
[root@maui:~]$

-
[root@maui:~]$ yum history info 296
Loaded plugins: refresh-packagekit
Transaction ID : 296
Begin time : Mon Aug 10 18:57:05 2015
Begin rpmdb: 1690:ba774adeba878250ee530bba04e9d21f3131213a
End time   :19:11:19 2015 (14 minutes)
End rpmdb  : 1700:3a7e6c33d354503cc503597393e85b8e82ed16e5
User   :  
Return-Code: Success
Command Line   : update
Transaction performed with:
Updated   rpm-4.8.0-38.el6_6.x86_64   @updates
Updated   yum-3.2.29-60.el6.centos.noarch @base
Packages Altered:
Updated ImageMagick-6.5.4.7-7.el6_5.x86_64 
@updates
Update

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Dr J Austin 



On Tue, 11 Aug 2015, Alexander Dalloz wrote:


Am 11.08.2015 um 17:56 schrieb Dr J Austin:

Hi

I have been using evolution/cyrus/exim for 10 years - until yesterday!

I upgraded to C6.7 and now there is no way I can find of connecting
from evo to the cyrus imap(s) server

[root@maui:~]$ ps -ef|grep imap
cyrus27768 1  0 15:21 ?00:00:00
/usr/lib/cyrus-imapd/cyrus-master -d
cyrus27775 27768  0 15:21 ?00:00:00 imapd -s
cyrus27779 27768  0 15:21 ?00:00:00 imapd
cyrus27781 27768  0 15:21 ?00:00:00 imapd
cyrus27782 27768  0 15:21 ?00:00:00 imapd
cyrus27783 27768  0 15:21 ?00:00:00 imapd
cyrus27933 27768  0 15:36 ?00:00:00 imapd
cyrus28048 27768  0 15:46 ?00:00:00 imapd

evo is running on a fully updated F22 machine, cyrus/exim on C6.7
k-9 mail on a tablet and a mobile no longer connect
even tried thunderbird which also would not connect

When trying to connect with evo I get Failed to open folder
The reported error was "Could not connect to 148.197.29.5: Connection
refused"

If I try to change things by editing the "Recieving Email" menu
ie by changing the "Encryption method" from "SSL on a dedicated port" 993
to "No encryption" it still fails
In fact just hitting Authentication "Check for supported types"
gives
Failed to query server for a list of supported authentication mechanisms.
Could not connect to 148.197.29.5: Connection refused

wireshark shows just two lines using tcp.port==993 filter
Unfortunately this does not mean much to me!

1243.276582000148.197.29.159148.197.29.5TCP74
54564→993 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
TSval=71392019 TSecr=0 WS=128

1253.27677148.197.29.5148.197.29.159TCP60
993→54564 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

I have tried the following to no avail
tcpdump -s 0 -w dump_file
ssldump -a -A -H -d -r dump_file
and
selinux in permissive mode
firewall off

Help!

John


What does cyrus-imapd log?

Alexander




Where should I be looking ?

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Richard 


 Original Message 
> Date: Tuesday, August 11, 2015 20:24:36 +0200
> From: Alexander Dalloz 
>
> Am 11.08.2015 um 17:56 schrieb Dr J Austin:
>> Hi
>> 
>> I have been using evolution/cyrus/exim for 10 years - until
>> yesterday!
>> 
>> I upgraded to C6.7 and now there is no way I can find of
>> connecting from evo to the cyrus imap(s) server
>> 
>> [root@maui:~]$ ps -ef|grep imap
>> cyrus27768 1  0 15:21 ?00:00:00
>> /usr/lib/cyrus-imapd/cyrus-master -d
>> cyrus27775 27768  0 15:21 ?00:00:00 imapd -s
>> cyrus27779 27768  0 15:21 ?00:00:00 imapd
>> cyrus27781 27768  0 15:21 ?00:00:00 imapd
>> cyrus27782 27768  0 15:21 ?00:00:00 imapd
>> cyrus27783 27768  0 15:21 ?00:00:00 imapd
>> cyrus27933 27768  0 15:36 ?00:00:00 imapd
>> cyrus28048 27768  0 15:46 ?00:00:00 imapd
>> 
>> evo is running on a fully updated F22 machine, cyrus/exim on C6.7
>> k-9 mail on a tablet and a mobile no longer connect
>> even tried thunderbird which also would not connect
>> 
>> When trying to connect with evo I get Failed to open folder
>> The reported error was "Could not connect to 148.197.29.5:
>> Connection refused"
>> 
>> If I try to change things by editing the "Recieving Email" menu
>> ie by changing the "Encryption method" from "SSL on a dedicated
>> port" 993 to "No encryption" it still fails
>> In fact just hitting Authentication "Check for supported types"
>> gives
>> Failed to query server for a list of supported authentication
>> mechanisms. Could not connect to 148.197.29.5: Connection refused
>> 
>> wireshark shows just two lines using tcp.port==993 filter
>> Unfortunately this does not mean much to me!
>> 
>> 1243.276582000148.197.29.159148.197.29.5TCP74
>> 54564→993 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>> TSval=71392019 TSecr=0 WS=128
>> 
>> 1253.27677148.197.29.5148.197.29.159TCP60
>> 993→54564 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>> 
>> I have tried the following to no avail
>> tcpdump -s 0 -w dump_file
>> ssldump -a -A -H -d -r dump_file
>> and
>> selinux in permissive mode
>> firewall off
>> 
>> Help!
>> 
>> John
> 
> What does cyrus-imapd log?
> 
> Alexander
> 
>

A "connection refused" response generally means that the daemon
isn't allowing the connection (isn't listening or is configured to
reject), rather than something with the handshake protocol. So,
mucking with your clients' encryption/authentication settings
probably won't do anything.

You might also want to use netstat to confirm what's listening as
your imapd and to confirm that it's listening on the external
interface (not just localhost). Something like:

  netstat -pln | egrep ':993|:143'

as root, should get the interesting bits.

Also, you might want to check to see if the cyrus config files were
touched with the update (look also for rpmnew and rpmold cyrus
config files).


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread m . roth 
Richard wrote:
>> From: m.r...@5-cent.us
>> Richard wrote:
 From: m.r...@5-cent.us
>> 
 Anyway, starting late last week, we found issues - as in, its
 process, which runs under, and is started by, apache, was
 suddenly pegging a CPU or so. Trying to stop httpd, that
 worked... but this idiot process never did (and it's ugly to
 clean up after).

 What we just this morning found out to be the problem is that
 some package seems to change the permissions on /var/log/httpd
 to 700 from 770. The result was that this ...thing... couldn't
 write to its own logs, running as apache:root, while
 /var/log/httpd was root:root.

 I just did rpm -q httpd --scripts, and that doesn't show
 anything, so as I don't know what package did it If anyone
 knows, I'd like to know.
>>>
>>> I didn't try poking at the rpm too much, but just checked and
>>> found that the httpd-2.2.15-45 rpm, that's part of the (regular)
>>> 6.7 update, will change the permissions on the /var/log/httpd
>>> directory (but not the files in it) to 700 and the ownership
>>> (again, of the directory, not the included files) to root.root
>>> from whatever you may have set them to. Those are the same
>>> ownerships/permissions that are the default in 6.6.
>>

>> And there's no reference to /var/log/httpd.
>>
>> So, since I haven't yet found where /var/log/httpd is created,
>> what would a default package make the ownership of the directory?
>> Does it expect it to be apache:root?
>>
>> Or does it expect that httpd run as apache:apache, and then
>> /var/log/httpd should be apache:apache?
>>
>> Certainly, httpd shouldn't be running as root
>
> I simply mucked with the permissions and ownerships of the
> /var/log/httpd directory/files on a 6.7 system and then did "yum
> reinstall" of the httpd-2.2.15-45 rpm that's part of 6.7 and noted
> what happened. I happen to also have a 6.6 system and compared
> things between the two, so can say that the 6.7 and 6.6
> /var/log/httpd directory defaults are the same -- 700 / root.root.

Right. I can't do that. I don't have a system to set it up on that way.
>
> The default is that httpd starts as root and then spawns its worker
> tasks as the user set in the "User" directive in the httpd.conf.

Ahhh! I did know that, but had forgotten it.

> Given that, I found it slightly amusing that your "security tool",
> seemingly running as "apache", had write access to (and ownership
> control of?) the httpd log directory and files.

It ain't mine. It's a required thing (and note that the division that
mandates this stuff is very heavily WINDOWS!!!

SiteMinder is put out by Computer Associates, a huge company that was
putting out very expensive and popular mainframe software decades ago, and
hasn't gotten any smaller And I do not believe they've ever wrapped
their heads around Unix, much less Linux. Actually, I was talking to
someone from our internal SiteMinder support, and asked them to *please*
put an enhancement request into CA to add an selinux policy, so I don't
have to fight it with every release... and he says they've got two
requests in now

   mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Alexander Dalloz 

Am 11.08.2015 um 17:56 schrieb Dr J Austin:

Hi

I have been using evolution/cyrus/exim for 10 years - until yesterday!

I upgraded to C6.7 and now there is no way I can find of connecting
from evo to the cyrus imap(s) server

[root@maui:~]$ ps -ef|grep imap
cyrus27768 1  0 15:21 ?00:00:00
/usr/lib/cyrus-imapd/cyrus-master -d
cyrus27775 27768  0 15:21 ?00:00:00 imapd -s
cyrus27779 27768  0 15:21 ?00:00:00 imapd
cyrus27781 27768  0 15:21 ?00:00:00 imapd
cyrus27782 27768  0 15:21 ?00:00:00 imapd
cyrus27783 27768  0 15:21 ?00:00:00 imapd
cyrus27933 27768  0 15:36 ?00:00:00 imapd
cyrus28048 27768  0 15:46 ?00:00:00 imapd

evo is running on a fully updated F22 machine, cyrus/exim on C6.7
k-9 mail on a tablet and a mobile no longer connect
even tried thunderbird which also would not connect

When trying to connect with evo I get Failed to open folder
The reported error was "Could not connect to 148.197.29.5: Connection
refused"

If I try to change things by editing the "Recieving Email" menu
ie by changing the "Encryption method" from "SSL on a dedicated port" 993
to "No encryption" it still fails
In fact just hitting Authentication "Check for supported types"
gives
Failed to query server for a list of supported authentication mechanisms.
Could not connect to 148.197.29.5: Connection refused

wireshark shows just two lines using tcp.port==993 filter
Unfortunately this does not mean much to me!

1243.276582000148.197.29.159148.197.29.5TCP74
54564→993 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
TSval=71392019 TSecr=0 WS=128

1253.27677148.197.29.5148.197.29.159TCP60
993→54564 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

I have tried the following to no avail
tcpdump -s 0 -w dump_file
ssldump -a -A -H -d -r dump_file
and
selinux in permissive mode
firewall off

Help!

John


What does cyrus-imapd log?

Alexander



___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread Richard 


> Date: Tuesday, August 11, 2015 12:59:58 -0400
> From: m.r...@5-cent.us
>
> Richard wrote:
>>> From: m.r...@5-cent.us
> 
>>> Anyway, starting late last week, we found issues - as in, its
>>> process, which runs under, and is started by, apache, was
>>> suddenly pegging a CPU or so. Trying to stop httpd, that
>>> worked... but this idiot process never did (and it's ugly to
>>> clean up after).
>>> 
>>> What we just this morning found out to be the problem is that
>>> some package seems to change the permissions on /var/log/httpd
>>> to 700 from 770. The result was that this ...thing... couldn't
>>> write to its own logs, running as apache:root, while
>>> /var/log/httpd was root:root.
>>> 
>>> I just did rpm -q httpd --scripts, and that doesn't show
>>> anything, so as I don't know what package did it If anyone
>>> knows, I'd like to know.
>> 
>> I didn't try poking at the rpm too much, but just checked and
>> found that the httpd-2.2.15-45 rpm, that's part of the (regular)
>> 6.7 update, will change the permissions on the /var/log/httpd
>> directory (but not the files in it) to 700 and the ownership
>> (again, of the directory, not the included files) to root.root
>> from whatever you may have set them to. Those are the same
>> ownerships/permissions that are the default in 6.6.
> 
> Really! Ok, how did you see that? When I ran rpm -q httpd
> --scripts, I got preinstall scriptlet (using /bin/sh):
># Add the "apache" user
> getent group apache >/dev/null || groupadd -g 48 -r apache
> getent passwd apache >/dev/null || \
>   useradd -r -u 48 -g apache -s /sbin/nologin \
> -d /var/www -c "Apache" apache
> exit 0
> postinstall scriptlet (using /bin/sh):
># Register the httpd service
> /sbin/chkconfig --add httpd
> /sbin/chkconfig --add htcacheclean
> preuninstall scriptlet (using /bin/sh):
> if [ $1 = 0 ]; then
> /sbin/service httpd stop > /dev/null 2>&1
> /sbin/chkconfig --del httpd
> /sbin/service htcacheclean stop > /dev/null 2>&1
> /sbin/chkconfig --del htcacheclean
> fi
> posttrans scriptlet (using /bin/sh):
> test -f /etc/sysconfig/httpd-disable-posttrans || \
>  /sbin/service httpd condrestart >/dev/null 2>&1 || :
> 
> And there's no reference to /var/log/httpd.
>> 
>> I.e., it appears that someone/thing modified the /var/log/httpd
>> directory permissions and ownerships from the default and the
>> updated httpd put them back.
>> 
>> Isn't there a bit of a security issue in your (modified) setup
>> with those files being able to be written to by the apache user?
> 
> So, since I haven't yet found where /var/log/httpd is created,
> what would a default package make the ownership of the directory?
> Does it expect it to be apache:root?
> 
> Or does it expect that httpd run as apache:apache, and then
> /var/log/httpd should be apache:apache?
> 
> Certainly, httpd shouldn't be running as root
> 
>   mark


I simply mucked with the permissions and ownerships of the
/var/log/httpd directory/files on a 6.7 system and then did "yum
reinstall" of the httpd-2.2.15-45 rpm that's part of 6.7 and noted
what happened. I happen to also have a 6.6 system and compared
things between the two, so can say that the 6.7 and 6.6
/var/log/httpd directory defaults are the same -- 700 / root.root.

The default is that httpd starts as root and then spawns its worker
tasks as the user set in the "User" directive in the httpd.conf. 

I believe that the security view is that if there is a hole in httpd
(directly, or more likely a (php/perl/...) script that someone is
using) you don't want apache (or whatever user the httpd worker
tasks are running as) to have write access to anything. That's why
it is generally considered bad form to have documentroot
directories/files owned by "apache" (or writeable by the apache
group) in the default setup.

Given that, I found it slightly amusing that your "security tool",
seemingly running as "apache", had write access to (and ownership
control of?) the httpd log directory and files. 


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread m . roth 
Richard wrote:
>> From: m.r...@5-cent.us

>> Anyway, starting late last week, we found issues - as in, its
>> process, which runs under, and is started by, apache, was suddenly
>> pegging a CPU or so. Trying to stop httpd, that worked... but this
>> idiot process never did (and it's ugly to clean up after).
>>
>> What we just this morning found out to be the problem is that some
>> package seems to change the permissions on /var/log/httpd to 700
>> from 770. The result was that this ...thing... couldn't write to
>> its own logs, running as apache:root, while /var/log/httpd was
>> root:root.
>>
>> I just did rpm -q httpd --scripts, and that doesn't show anything,
>> so as I don't know what package did it If anyone knows, I'd
>> like to know.
>
> I didn't try poking at the rpm too much, but just checked and found
> that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7
> update, will change the permissions on the /var/log/httpd directory
> (but not the files in it) to 700 and the ownership (again, of the
> directory, not the included files) to root.root from whatever you
> may have set them to. Those are the same ownerships/permissions that
> are the default in 6.6.

Really! Ok, how did you see that? When I ran rpm -q httpd --scripts, I got
preinstall scriptlet (using /bin/sh):
# Add the "apache" user
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
  useradd -r -u 48 -g apache -s /sbin/nologin \
-d /var/www -c "Apache" apache
exit 0
postinstall scriptlet (using /bin/sh):
# Register the httpd service
/sbin/chkconfig --add httpd
/sbin/chkconfig --add htcacheclean
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service httpd stop > /dev/null 2>&1
/sbin/chkconfig --del httpd
/sbin/service htcacheclean stop > /dev/null 2>&1
/sbin/chkconfig --del htcacheclean
fi
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
 /sbin/service httpd condrestart >/dev/null 2>&1 || :

And there's no reference to /var/log/httpd.
>
> I.e., it appears that someone/thing modified the /var/log/httpd
> directory permissions and ownerships from the default and the
> updated httpd put them back.
>
> Isn't there a bit of a security issue in your (modified) setup with
> those files being able to be written to by the apache user?

So, since I haven't yet found where /var/log/httpd is created, what would
a default package make the ownership of the directory? Does it expect it
to be apache:root?

Or does it expect that httpd run as apache:apache, and then /var/log/httpd
should be apache:apache?

Certainly, httpd shouldn't be running as root

  mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Eero Volotinen 
You can enable null cipher with hpn patches..

Eero
11.8.2015 7.35 ip. "Götz Reinicke" 
kirjoitti:

> Hi,
>
> I tried different encryptions like arc four, but always with the same
> result. BTW: googling shows some similar questions and they are stuck on
> set same speed +-.
>
> But non of that solutions helped me.
>
> /Götz
>
>
>
>
> > Am 11.08.2015 um 12:14 schrieb Eero Volotinen :
> >
> > Usually problem in encryption.
> >
> > try cipher arcfour or apply hpn patches to ssh. (
> http://www.psc.edu/index.php/hpn-ssh  >)
> >
> > --
> > Eero
> >
> > 2015-08-11 12:37 GMT+03:00 Götz Reinicke - IT Koordinator <
> goetz.reini...@filmakademie.de >:
> > Hi,
> >
> > i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
> > hardware raid.
> >
> > Each system con read and write locally or to the 10G iscsi by more than
> > 200 MB/s.
> >
> > Now I have to transfer backups form A to B and doing this with rsync
> > always stuck at +- 48-50MB/s no matter which options, compressions,
> > encryption etc I use. Even the plain default rsync is at that 50 Mb
> limit.
> >
> > coyp by scp goes up to 200 MB/s.
> >
> > Copy from and to my workstation with scp from or to both servers is at
> > 1Gb limit (so +- 100 MB/s)
> >
> >
> > Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...
> >
> > Thanks and regards . Götz
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Juan Bernhard 


El 11/08/2015 a las 06:37 a.m., Götz Reinicke - IT Koordinator escribió:

Hi,

i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
hardware raid.

Each system con read and write locally or to the 10G iscsi by more than
200 MB/s.

Now I have to transfer backups form A to B and doing this with rsync
always stuck at +- 48-50MB/s no matter which options, compressions,
encryption etc I use. Even the plain default rsync is at that 50 Mb limit.

coyp by scp goes up to 200 MB/s.




Copy from and to my workstation with scp from or to both servers is at
1Gb limit (so +- 100 MB/s)


Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...


rsync is not a like a copy, it checks from both sides that the file to 
copy is not the same on the other side. Copying something is straight 
forward, it dont wait to a remote check of the files metadata or 
attributes (last modification, permissions, etc). Access disk time could 
explain this...
I dont know how you are using rsync... if you are using the network 
protocol or a nfs mount.
check this also, if the rsync is using a single tcp connection for each 
file, and you have a lot of small files, the problem could be the slow 
start congestion algorithm of tcp (scp uses a single conection to copy, 
im sure of that. i dont know how rsync protocol works)
Also, if you have a lot of small files, it will take a lot of access 
time (disk seek time) for each to fetch this information and then start 
the copy.


See if you can do a iostat on each server doing a scp and a rsync to see 
the disk usage diference... if you find that you have a large queue on 
disk when using rsync, thats the problem...



I hope this helps to point the way to solve your problem.
Saludos, Juan.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Jason Warr 
Have you tried starting up an rsync daemon and running it without the ssh 
overhead? 

I occasionally do rsync over 10g lan and if I don't use a daemon or NFS then 
arc-four is enough to provide adequate speed.



On August 11, 2015 11:34:48 AM CDT, "Götz Reinicke" 
 wrote:
>Hi,
>
>I tried different encryptions like arc four, but always with the same
>result. BTW: googling shows some similar questions and they are stuck
>on set same speed +-.
>
>But non of that solutions helped me.
>
>   /Götz
>
>
>
>
>> Am 11.08.2015 um 12:14 schrieb Eero Volotinen
>:
>> 
>> Usually problem in encryption.
>> 
>> try cipher arcfour or apply hpn patches to ssh.
>(http://www.psc.edu/index.php/hpn-ssh
>)
>> 
>> --
>> Eero
>> 
>> 2015-08-11 12:37 GMT+03:00 Götz Reinicke - IT Koordinator
>>:
>> Hi,
>> 
>> i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
>> hardware raid.
>> 
>> Each system con read and write locally or to the 10G iscsi by more
>than
>> 200 MB/s.
>> 
>> Now I have to transfer backups form A to B and doing this with rsync
>> always stuck at +- 48-50MB/s no matter which options, compressions,
>> encryption etc I use. Even the plain default rsync is at that 50 Mb
>limit.
>> 
>> coyp by scp goes up to 200 MB/s.
>> 
>> Copy from and to my workstation with scp from or to both servers is
>at
>> 1Gb limit (so +- 100 MB/s)
>> 
>> 
>> Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...
>> 
>> Thanks and regards . Götz
>
>___
>CentOS mailing list
>CentOS@centos.org
>http://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread Richard 


 Original Message 
> Date: Tuesday, August 11, 2015 11:43:21 -0400
> From: m.r...@5-cent.us
>
> We started updating via CR over a week ago, before 6.7 was
> official, and just today identified an issue For (alleged)
> security, the agency I work as a contractor for runs SiteMinder,
> from CA.
> 
># insert rant_against_CA.h
> 
> Anyway, starting late last week, we found issues - as in, its
> process, which runs under, and is started by, apache, was suddenly
> pegging a CPU or so. Trying to stop httpd, that worked... but this
> idiot process never did (and it's ugly to clean up after).
> 
> What we just this morning found out to be the problem is that some
> package seems to change the permissions on /var/log/httpd to 700
> from 770. The result was that this ...thing... couldn't write to
> its own logs, running as apache:root, while /var/log/httpd was
> root:root.
> 
> I just did rpm -q httpd --scripts, and that doesn't show anything,
> so as I don't know what package did it If anyone knows, I'd
> like to know.
> 
>mark

I didn't try poking at the rpm too much, but just checked and found
that the httpd-2.2.15-45 rpm, that's part of the (regular) 6.7
update, will change the permissions on the /var/log/httpd directory
(but not the files in it) to 700 and the ownership (again, of the
directory, not the included files) to root.root from whatever you
may have set them to. Those are the same ownerships/permissions that
are the default in 6.6. 

I.e., it appears that someone/thing modified the /var/log/httpd
directory permissions and ownerships from the default and the
updated httpd put them back.

Isn't there a bit of a security issue in your (modified) setup with
those files being able to be written to by the apache user?


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Götz Reinicke 
Hi,

I tried different encryptions like arc four, but always with the same result. 
BTW: googling shows some similar questions and they are stuck on set same speed 
+-.

But non of that solutions helped me.

/Götz




> Am 11.08.2015 um 12:14 schrieb Eero Volotinen :
> 
> Usually problem in encryption.
> 
> try cipher arcfour or apply hpn patches to ssh. 
> (http://www.psc.edu/index.php/hpn-ssh )
> 
> --
> Eero
> 
> 2015-08-11 12:37 GMT+03:00 Götz Reinicke - IT Koordinator 
> mailto:goetz.reini...@filmakademie.de>>:
> Hi,
> 
> i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
> hardware raid.
> 
> Each system con read and write locally or to the 10G iscsi by more than
> 200 MB/s.
> 
> Now I have to transfer backups form A to B and doing this with rsync
> always stuck at +- 48-50MB/s no matter which options, compressions,
> encryption etc I use. Even the plain default rsync is at that 50 Mb limit.
> 
> coyp by scp goes up to 200 MB/s.
> 
> Copy from and to my workstation with scp from or to both servers is at
> 1Gb limit (so +- 100 MB/s)
> 
> 
> Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...
> 
> Thanks and regards . Götz

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] Odd problem with updates to the recent CR

2015-08-11 Thread m . roth 
We started updating via CR over a week ago, before 6.7 was official, and
just today identified an issue For (alleged) security, the agency I
work as a contractor for runs SiteMinder, from CA.

#insert rant_against_CA.h

Anyway, starting late last week, we found issues - as in, its process,
which runs under, and is started by, apache, was suddenly pegging a CPU or
so. Trying to stop httpd, that worked... but this idiot process never did
(and it's ugly to clean up after).

What we just this morning found out to be the problem is that some package
seems to change the permissions on /var/log/httpd to 700 from 770. The
result was that this ...thing... couldn't write to its own logs, running
as apache:root, while /var/log/httpd was root:root.

I just did rpm -q httpd --scripts, and that doesn't show anything, so as I
don't know what package did it If anyone knows, I'd like to know.

   mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] C6.7 evolution to cyrus imap(s) fails

2015-08-11 Thread Dr J Austin 

Hi

I have been using evolution/cyrus/exim for 10 years - until yesterday!

I upgraded to C6.7 and now there is no way I can find of connecting
from evo to the cyrus imap(s) server

[root@maui:~]$ ps -ef|grep imap
cyrus27768 1  0 15:21 ?00:00:00 
/usr/lib/cyrus-imapd/cyrus-master -d

cyrus27775 27768  0 15:21 ?00:00:00 imapd -s
cyrus27779 27768  0 15:21 ?00:00:00 imapd
cyrus27781 27768  0 15:21 ?00:00:00 imapd
cyrus27782 27768  0 15:21 ?00:00:00 imapd
cyrus27783 27768  0 15:21 ?00:00:00 imapd
cyrus27933 27768  0 15:36 ?00:00:00 imapd
cyrus28048 27768  0 15:46 ?00:00:00 imapd

evo is running on a fully updated F22 machine, cyrus/exim on C6.7
k-9 mail on a tablet and a mobile no longer connect
even tried thunderbird which also would not connect

When trying to connect with evo I get 
Failed to open folder
The reported error was "Could not connect to 148.197.29.5: Connection 
refused"


If I try to change things by editing the "Recieving Email" menu
ie by changing the "Encryption method" from "SSL on a dedicated port" 993
to "No encryption" it still fails
In fact just hitting Authentication "Check for supported types"
gives
Failed to query server for a list of supported authentication mechanisms.
Could not connect to 148.197.29.5: Connection refused

wireshark shows just two lines using tcp.port==993 filter
Unfortunately this does not mean much to me!

124	3.276582000	148.197.29.159	148.197.29.5	TCP	74 
54564→993 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=71392019 
TSecr=0 WS=128


125	3.27677	148.197.29.5	148.197.29.159	TCP	60 
993→54564 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


I have tried the following to no avail
tcpdump -s 0 -w dump_file
ssldump -a -A -H -d -r dump_file
and
selinux in permissive mode
firewall off

Help!

John
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] Update from 6.6 to 6.7 > automount logs error message

2015-08-11 Thread Ralf Aumüller 
Hello,

after an update from 6.6 to 6.7 the following error message is logged to
/var/log/messages when I login (per ssh):

Aug 11 16:31:21 a1234 automount[1598]: set_tsd_user_vars: failed to get passwd
info from getpwuid_r

Checked all log-files of my systems running 6.6 with same configuration -- never
got such a message (We use NFS/autofs for home-directories, NIS and tcsh (login
shell)).

Everything seems to work -- but before I update all machines to 6.7 I want to
know whats going on.

Any comments?

Best regards,
Ralf
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] Apache mod_perl cross site scripting vulnerability

2015-08-11 Thread Proxy One 
Hello,

I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix. 

Explanation: The vulnerability affects non default configuration of
Apache HTTP web server, i.e cases, when access to Apache::Status and
Apache2::Status resources is explicitly allowed via  httpd.conf configuration directive.  Its occurrence can be
prevented by using the default configuration for the Apache HTTP web
server (not exporting /perl-status).

I haven't used  but Trustwave still finds me
vulnerable. 

Evidence:
Request: GET /perl-
status/APR::SockAddr::port/">alert('xss') HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.mydomain.com
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 404 Not Found
Date: Mon, 07 Aug 2015 11:10:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-
check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Body: contains '">alert('xss')'


How can I get around this?
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Eero Volotinen 
Usually problem in encryption.

try cipher arcfour or apply hpn patches to ssh. (
http://www.psc.edu/index.php/hpn-ssh)

--
Eero

2015-08-11 12:37 GMT+03:00 Götz Reinicke - IT Koordinator <
goetz.reini...@filmakademie.de>:

> Hi,
>
> i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
> hardware raid.
>
> Each system con read and write locally or to the 10G iscsi by more than
> 200 MB/s.
>
> Now I have to transfer backups form A to B and doing this with rsync
> always stuck at +- 48-50MB/s no matter which options, compressions,
> encryption etc I use. Even the plain default rsync is at that 50 Mb limit.
>
> coyp by scp goes up to 200 MB/s.
>
> Copy from and to my workstation with scp from or to both servers is at
> 1Gb limit (so +- 100 MB/s)
>
>
> Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...
>
> Thanks and regards . Götz
>
> --
> Götz Reinicke
> IT-Koordinator
>
> Tel. +49 7141 969 82420
> E-Mail goetz.reini...@filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Eintragung Amtsgericht Stuttgart HRB 205016
>
> Vorsitzender des Aufsichtsrats: Jürgen Walter MdL
> Staatssekretär im Ministerium für Wissenschaft,
> Forschung und Kunst Baden-Württemberg
>
> Geschäftsführer: Prof. Thomas Schadt
>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

[CentOS] rsync stuck at +- 50 MB/s, cp and scp are +- 200 MB/s

2015-08-11 Thread Götz Reinicke - IT Koordinator 
Hi,

i have two servers, connected to to the lan by 10Gb with 10Gb and DAS
hardware raid.

Each system con read and write locally or to the 10G iscsi by more than
200 MB/s.

Now I have to transfer backups form A to B and doing this with rsync
always stuck at +- 48-50MB/s no matter which options, compressions,
encryption etc I use. Even the plain default rsync is at that 50 Mb limit.

coyp by scp goes up to 200 MB/s.

Copy from and to my workstation with scp from or to both servers is at
1Gb limit (so +- 100 MB/s)


Why is rsync stuck at +- 50 MB/s ? Any suggestions hints ...

Thanks and regards . Götz

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 82420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: Jürgen Walter MdL
Staatssekretär im Ministerium für Wissenschaft,
Forschung und Kunst Baden-Württemberg

Geschäftsführer: Prof. Thomas Schadt

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos