Re: [CentOS] ***Spam***Re: Recover from an fsck failure
On Fri, May 29, 2020 10:38, Simon Matter wrote:
> How exactly did you create the cloned disk?
>

Clonezilla Live.  Both systems were running clonezilla live from flash
drives so there was no other disc activity on either system.

> If the source disk still works and is in operation without system errors,
> the cloned disk with its filesystems should really be without error as
> well.
>

I agree.  But that did not happen. And, as the cloning took place over
a network, it is entirely possible that the error was introduced there.
The thing takes 11 hours to complete so I am loath to redo it. But I
will if needs be.

I will take the opportunity to run fsck on the system HDD while in a
live dvd mode.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Recover from an fsck failure
On Thu, May 28, 2020 19:38, Robert Nichols wrote:
> What output do you get from:
>
>    file -s /dev/mapper/vg_voinet01-lv_log
>    lsblk -f /dev/mapper/vg_voinet01-lv_log
>

file -s /dev/mapper/vg_voinet01-lv_log
/dev/mapper/vg_voinet01-lv_log: symbolic link TO '../DM-5' dm-f

lsblk -f /dev/mapper/vg_voinet01-lv_log
NAME                       FSTYPE LABEL UUID MOUNTPOINT
vg_voinet01-lv_log (dm-5)

The cloned source is a CentOS-6.6 based FreePBSX appliance using lvm.
It has a single 500GB HDD. The source host is running and testing of
its HDD shows no errors from the test. However, the number of
recoverable read and write errors is abnormally high indicating that
the HDD is approaching the end of its service life. I wish to replace
it without having to rebuild the entire PBX system from scratch.

All of the LVMs on the cloned HDD are ext4 file systems. The only one
that failed is the log partition /var/log. If I cannot fix this then I
wish to replace it with an empty fs and simply rsync the contents of
/var/log from the running system to it. I need to do this anyway just
prior to replacement as the PBX is running.

However, it is about six years since I last had to do this and while I
have my notes I would appreciate a short precis of the steps involved.

This is the file system layout.

/etc/fstab
/dev/mapper/vg_voinet01-lv_root           /           ext4   defaults  1 1
UUID=302ab0fo-f985-4903-86e2-e218b1345e0  /boot       ext4   defaults  1 2
/dev/mapper/vg_voinet01-lv_home           /home       ext4   defaults  1 2
/dev/mapper/vg_voinet01-LogVol04          /var        ext4   defaults  1 2
/dev/mapper/vg_voinet01-lv_log            /var/log    ext4   defaults  1 2
/dev/mapper/vg_voinet01-lv_spool          /var/spool  ext4   defaults  1 2
/dev/mapper/vg_voinet01-lv_swap           swap        swap   defaults  0 0
tmpfs                                     /dev/shm    tmpfs  defaults,nodev,. . .

parted -l
Model: ATA WDC WD1002FAEX-0 (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size   Type     File system  Flags
 1      1094kB  525MB  524MB  primary  ext4         boot
 2      525MB   500GB  500GB  primary               lvm

Model: Linux device-maper (linear) (dm)
Disk: /dev/mapper/vg_voinet01-lv_spool: 68.7GB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start  End     Size    Type     File system  Flags
 1      0.00B  68.7GB  68.7GB  primary  ext4

Error: /dev/mapper/vg_voinet01-lv_log: unrecognized disk label

Model: Linux device-maper (linear) (dm)
Disk: /dev/mapper/vg_voinet01-lv_home: 3355MB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start  End     Size    Type     File system  Flags
 1      0.00B  3355MB  3355MB  primary  ext4

Model: Linux device-maper (linear) (dm)
Disk: /dev/mapper/vg_voinet01-LogVol04: 336GB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start  End    Size   Type     File system  Flags
 1      0.00B  336GB  336GB  primary  ext4

Error: /dev/mapper/vg_voinet01-lv_swap: unrecognized disk label

Model: Linux device-maper (linear) (dm)
Disk: /dev/mapper/vg_voinet01-lv_spool: 67.1GB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start  End     Size    Type     File system  Flags
 1      0.00B  67.1GB  67.1GB  primary  ext4

I will have to do this from a live cd I presume as the shell that the
failed boot process dropped me into gives a "File-based locking
initialisation failed." when I try to run vgdisplay or vgs.

Any guidance appreciated.

--
James B. Byrne
[CentOS] Recover from an fsck failure
This is CentOS-6x. I have cloned the HDD of a CentOS-6 system. I booted
a host with that drive and received the following error:

checking filesystems
/dev/mapper/vg_voinet01-lv_root: clean, 128491/4096000 files, 1554114/16304000 blocks
/dev/sda1: clean, 47/120016 files, 80115/512000 blocks
/dev/mapper/vg_voinet01-lv_home: clean, 7429/204800 files, 90039/819200 blocks
/dev/mapper/vg_voinet01-LogVol04: clean, 770219/2048 files, 34881086/8102000 blocks
fsck.ext4: Bad magic number in super-block while trying to open /dev/mapper/vg_voinet01-lv_log
/dev/mapper/vg_voinet01-lv_log
The superblock could not be read or does not describe a correct ext2
filesystem. If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsk -b 8193

/dev/mapper/vg_voinet-lv_spool: clean, 372/614400 files, 171186/2457600 blocks
*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
*** when you leave the shell.
Give root password for maintenance
(or type Control-D to continue):

I ran mke2fs to locate the backup superblocks:

mke2fs -n /dev/mapper/vg_voinet01-lv_log
. . .
Superblock backups stored on blocks:
    32768, 90304, 163840, 229376, 294912, 819200, 884736, 1605632

and ran:

e2fsck -b 32768 /dev/mapper/vg_voinet01-lv_log
The superblock could not be read or does not describe a correct ext2

The same thing happened for the next backup superblock address. And
all the rest reported an invalid argument error from e2fsck.

Is this recoverable? How?

--
James B. Byrne
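A read-only way to see which superblock copies still carry the ext2/3/4 magic number before passing any of them to e2fsck -b, as an added example that is not part of the original post. It generalises the backup list to the sparse_super layout (copies in block groups 0, 1 and powers of 3, 5 and 7); the function names and the in-memory sample image are constructed for illustration.

```python
import io
import struct

EXT_MAGIC = 0xEF53            # s_magic value shared by ext2, ext3 and ext4
MAGIC_OFFSET = 56             # byte offset of s_magic inside the superblock
LOG_BLOCK_SIZE_OFFSET = 24    # byte offset of s_log_block_size
PRIMARY_BYTE_OFFSET = 1024    # the primary superblock always starts here


def sparse_super_groups(group_count):
    """Block groups holding a superblock copy: 0, 1 and powers of 3, 5, 7."""
    groups = {0}
    if group_count > 1:
        groups.add(1)
    for base in (3, 5, 7):
        g = base
        while g < group_count:
            groups.add(g)
            g *= base
    return sorted(groups)


def superblock_locations(block_size, blocks_per_group, total_blocks):
    """Return (block_number, byte_offset) for the primary and each backup."""
    first_data_block = 1 if block_size == 1024 else 0
    data_blocks = total_blocks - first_data_block
    group_count = -(-data_blocks // blocks_per_group)  # ceiling division
    locations = []
    for group in sparse_super_groups(group_count):
        block = group * blocks_per_group + first_data_block
        offset = PRIMARY_BYTE_OFFSET if group == 0 else block * block_size
        locations.append((block, offset))
    return locations


def probe_superblocks(dev, block_size, blocks_per_group, total_blocks):
    """Read-only check of every superblock copy; returns (block, usable).

    A copy counts as usable when the magic matches and the block size it
    records agrees with the geometry being probed.
    """
    results = []
    wanted = MAGIC_OFFSET + 2
    for block, offset in superblock_locations(
            block_size, blocks_per_group, total_blocks):
        dev.seek(offset)
        raw = dev.read(wanted)
        usable = False
        if len(raw) == wanted:
            (log_bs,) = struct.unpack_from("<I", raw, LOG_BLOCK_SIZE_OFFSET)
            (magic,) = struct.unpack_from("<H", raw, MAGIC_OFFSET)
            usable = (magic == EXT_MAGIC and log_bs <= 6
                      and (1024 << log_bs) == block_size)
        results.append((block, usable))
    return results


def build_sample_image():
    """Constructed sample: 1 KiB blocks, 8192 per group, primary copy zeroed."""
    geometry = (1024, 8192, 4 * 8192 + 1)
    sb = bytearray(MAGIC_OFFSET + 2)
    struct.pack_into("<I", sb, LOG_BLOCK_SIZE_OFFSET, 0)   # 1024 << 0
    struct.pack_into("<H", sb, MAGIC_OFFSET, EXT_MAGIC)
    img = io.BytesIO()
    for _block, offset in superblock_locations(*geometry)[1:]:  # skip primary
        img.seek(offset)
        img.write(sb)
    return img, geometry


if __name__ == "__main__":
    image, geom = build_sample_image()
    for block, usable in probe_superblocks(image, *geom):
        print(f"superblock at block {block}: {'ok' if usable else 'BAD'}")
```

Against a real volume, open the device node with open(path, "rb") and take the block size, blocks per group and block count from the mke2fs -n output; nothing is written to the device.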
[CentOS] CentOS-6 cannot get kvm guest to start - network error
Need to start a virtual machine but missing nic is preventing this:

I have need to recover some data from a guest on host which has been
shut down for some time. The host had one of its nic removed at some
point. It is not likely to be replaced either.

When I try to start the guest in question I get this:

error: Failed to start domain inet09.harte-lyne.ca
error: Cannot get interface MTU on 'br1': No such device

I tried editing (virsh edit guest) to remove the interface:

I saved the changes and tried to start the guest, but I got the same
error.

Then edited the guest config to say:

How do I configure this guest so it will start without the missing nic?

--
James B. Byrne
[CentOS] reconfigure centos-6.9 host to ignore missing nic
I need to work on a host which has been offline and powered down for
some time. It has CentOS-6.9 installed. At some point it had two nics,
one on the motherboard (still present and working) and one as an
expansion card.

When booted the console displays:

pciehp :00:1c:0:pcie04: Failed to check link status

repeatedly.

How do I tell the host to ignore the missing nic or remove it from the
system configuration so that the error is removed.

--
James B. Byrne
Re: [CentOS] Are linux distros redundant?
On Wed, April 24, 2019 11:14, Simon Matter wrote:
>
> I'm afraid too many clouds make the wider horizon invisible :-)
>

At that point it is called fog.

--
James B. Byrne
[CentOS] netmask on aliases overridden by netmask on interface
CentOS-6.10

We have a host with the following ifcfg file contents:

BOOTPROTO=none
BROADCAST=""
DEFROUTE=yes
DEVICE=eth1
. . .
GATEWAY=X.Y.Z.234
IPADDR=A.B.C.2
IPV4_FAILURE_FATAL=yes
NAME="LAN Link - eth1"
NETMASK="255.255.255.128"
NETWORK="A.B.C.0"
NM_CONTROLLED=no
ONBOOT=yes
PREFIX=25
TYPE=Ethernet
USERCTL=no

And an aliased ifcfg containing this:

BOOTPROTO="none"
BROADCAST="192.168.8.255"
DEVICE="eth1:192008001"
IPADDR="192.168.8.1"
IPV6INIT="no"
NETMASK="255.255.255.0"
NETWORK="192.168.8.0"
ONPARENT="yes"

However, ifconfig shows this:

# ifconfig eth1:192008001
eth1:192008001 Link encap:Ethernet  HWaddr 00:25:90:61:74:C1
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17 Memory:feae-feb0

Which shows that the network mask is determined by the interface mask
and is not overridden by the alias definition.

Is this expected behaviour? Does this mean that a particular physical
interface cannot belong to more than one network, or at least not to
networks having differing cidr masks?

--
James B. Byrne
Re: [CentOS] SFTP - Private/Public Authentication Keysets Beyond The First Set
On Wed, December 12, 2018 16:40, Gary Braatz wrote:
> Inclusion of the -i flag and the location of the private key solved
> the problem.
>

You can also set up a personalised ssh config file in the ~/.ssh
directory of the user employed to establish the sftp/ssh connections:

#BOF
# /home/myuser/.ssh/config
# Host parameter is any arbitrary string.

# sftp remoteuse...@first.site.com ==
Host site1
  HostName first.site.com
  User remoteuserid
  IdentityFile /home/myuser/.ssh/id_rsa

# sftp otheruse...@second.other.com ==
Host site2
  HostName second.other.com
  User otheruserid
  IdentityFile /home/myuser/.ssh/rsa_vendor2
#EOF

Then just run 'sftp site1' or 'sftp site2' to connect as required.

--
James B. Byrne
[CentOS] Restarting Named on CentOS-6 gives SE Error
Restarting one of our named services produces this entry in the system
log file:

Oct 12 08:47:45 inet08 setroubleshoot: SELinux is preventing /usr/sbin/named from search access on the directory . For complete SELinux messages. run sealert -l 9eabadb9-0e03-4238-bdb8-c5204333a0bf

Checking the selinux incident reference shows this:

# sealert -l 9eabadb9-0e03-4238-bdb8-c5204333a0bf
SELinux is preventing /usr/sbin/named from search access on the directory .

* Plugin catchall (100. confidence) suggests ***

If you believe that named should be allowed search access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:named_t:s0
Target Context                system_u:object_r:sysctl_vm_t:s0
Target Objects                [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port
Host                          inet08.hamilton.harte-lyne.ca
Source RPM Packages           bind-9.8.2-0.62.rc1.el6_9.5.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-307el6_9.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     inet08.hamilton.harte-lyne.ca
Platform                      Linux inet08.hamilton.harte-lyne.ca
                              2.6.32-696.30.1.el6.x86_64 #1 SMP Tue May 22
                              03:28:18 UTC 2018 x86_64 x86_64
Alert Count                   16
First Seen                    Tue Aug 18 18:05:47 2015
Last Seen                     Fri Oct 12 08:47:35 2018
Local ID                      9eabadb9-0e03-4238-bdb8-c5204333a0bf

Raw Audit Messages
type=AVC msg=audit(1539348455.165:43003): avc: denied { search } for pid=31815 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir

type=AVC msg=audit(1539348455.165:43003): avc: denied { read } for pid=31815 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file

type=SYSCALL msg=audit(1539348455.165:43003): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f3203a41f60 a1=8 a2=61f a3=26640 items=0 ppid=31813 pid=31815 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=6575 comm=named exe=/usr/sbin/named subj=unconfined_u:system_r:named_t:s0 key=(null)

Hash: named,named_t,sysctl_vm_t,dir,search

audit2allow

#= named_t ==
allow named_t sysctl_vm_t:dir search;
allow named_t sysctl_vm_t:file read;

audit2allow -R

#= named_t ==
allow named_t sysctl_vm_t:dir search;
allow named_t sysctl_vm_t:file read;

Is this a bug or an unset boolean? Or something else? It appears to
have been present for quite some time and we have no DNS resolver
issues of which we are aware.

--
James B. Byrne
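What the suggested 'grep named /var/log/audit/audit.log | audit2allow -M mypol' pipeline would turn into policy, as an added example (not part of the original post and not audit2allow's own code). It approximates the grouping audit2allow performs so the rules can be read per source domain before 'semodule -i' is run; the function names are hypothetical, and the logrotate record and the shortened SYSCALL record in the sample are constructed.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Two AVC records as quoted in the post, plus two constructed records:
# a shortened SYSCALL line and a denial from another domain that merely
# mentions "named" in a file name and a type.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1539348455.165:43003): avc: denied { search } for '
    'pid=31815 comm="named" scontext=unconfined_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir',
    'type=AVC msg=audit(1539348455.165:43003): avc: denied { read } for '
    'pid=31815 comm="named" scontext=unconfined_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1539348455.165:43003): arch=x86_64 syscall=open '
    'comm=named exe=/usr/sbin/named',
    'type=AVC msg=audit(1539348460.001:43010): avc:  denied  { read } for  '
    'pid=4021 comm="logrotate" name="named.run" dev=dm-0 ino=1234 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:named_cache_t:s0 tclass=file',
]


def grep_named(lines):
    """Emulate 'grep named': a plain substring match on each line."""
    return [line for line in lines if 'named' in line]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        source = fields['scontext'].split(':')[2]   # user:role:type:level
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'comm': fields.get('comm'), 'source': source, 'target': target,
            'tclass': tclass, 'perms': m.group('perms').split()}


def rules_by_domain(lines):
    """Group denials into allow rules, keyed by the source domain."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec['source'], rec['target'], rec['tclass'])
            grouped[key].update(rec['perms'])
    rules = defaultdict(list)
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_txt = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules[source].append(f'allow {source} {target}:{tclass} {perm_txt};')
    return dict(rules)


def unexpected_domains(rules, expected):
    """Source domains the module would loosen beyond the ones intended."""
    return sorted(set(rules) - set(expected))


if __name__ == '__main__':
    rules = rules_by_domain(grep_named(SAMPLE_AUDIT_LINES))
    for domain, lines in sorted(rules.items()):
        print(f'#= {domain} ==')
        print('\n'.join(lines))
    print('review before loading:', unexpected_domains(rules, {'named_t'}))
```

On the sample, the substring grep also sweeps in the logrotate denial, so the generated module would carry a rule for a domain other than named_t.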
Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?
On Thu, July 19, 2018 10:57, Valeri Galtsev wrote:
>
> . . . you don't need to recruit spies anymore, just roll out "free"
> services, and information will trickle to you. I am old enough to know
> what collection of information on everybody leads to (Hitler Germany,
> Stalin Russia, ...), but I also know that the worst lesson of history
> is: people do not learn lessons of history. . .
>

History is the practice of justifying the present by rewriting the past.

--
James B. Byrne
Re: [CentOS] CentOS-6.9 Bind-9.8.2 error messages
On Wed, June 20, 2018 15:37, Gordon Messmer wrote:
> On 06/20/2018 11:19 AM, James B. Byrne via CentOS wrote:
>> I am encountering messages similar to this in the system logfile:
>>
>> Jun 20 13:38:18 inet03 named[3720]: malformed transaction:
>> dynamic/efa1f375d76194fa51a3556a97e641e61685f914d446979da50a551a4333ffd7.mkeys.jnl
>> last serial 103538 != transaction first serial 103361
>>
>> I have no idea what this means, what caused it, nor how to fix it.
>> Any suggestions relevant to any of the above are most welcome.
>>
>
> I think I've seen this before.  Are you auto-signing a zone for
> DNSSEC,

Yes

> and does that zone appear in multiple views?

No

I stopped and restarted the BIND daemon and this appears to have
corrected whatever issue was causing the errors to be generated.

--
James B. Byrne
[CentOS] CentOS-6.9 Bind-9.8.2 error messages
I am encountering messages similar to this in the system logfile:

Jun 20 13:38:18 inet03 named[3720]: malformed transaction:
dynamic/efa1f375d76194fa51a3556a97e641e61685f914d446979da50a551a4333ffd7.mkeys.jnl
last serial 103538 != transaction first serial 103361

I have no idea what this means, what caused it, nor how to fix it.
Any suggestions relevant to any of the above are most welcome.

--
James B. Byrne
Re: [CentOS] OT: hardware: sanitizing a dead SSD?
On Thu, May 10, 2018 12:00, m.r...@5-cent.us wrote:
>
>
> On the other hand... static, and unchanging, right, and how many
> minutes of Amazon S3 will it take to break the encryption?

None. If it is NSA certified there will be a backdoor.

--
James B. Byrne
Re: [CentOS] NoScript allow scripts globally reversible?
On Wed, November 1, 2017 10:51, Michael Hennebry wrote:
>
> I'm running NoScript because otherwise Firefox freezes up a lot.
> Recently I've had difficulty accessing a site.
> I suspect the reason is that it uses redirection in a way that
> frustrates my efforts to give it permission.
> To test the notion, I'm considering temporarily allowing script
> globally.
> How hard is it to reverse?
> Will I need to redo previous permissions one at a time?
>

The way I handle this is by creating a special profile which has no
extensions or security settings.

Inside your desktop manager open a terminal session and run
'firefox -P --no-remote'

The no-remote option opens a new Firefox window and session whether or
not you already have one running. Then press 'Create Profile', give it
a name, and use that whenever you get into a Firefox / Extensions
conflict on a particular web site.

I have my Firefox panel launcher set up to use 'firefox -P --no-remote'
always. This allows me vastly more flexibility dealing with multiple
websites at the price of a trivial delay during the browser start-up.

This problem is the result of recent changes made to the extensions
interface. I can hardly wait to see what is broken with v57.

--
James B. Byrne
Re: [CentOS] how to prevent files and directories from being deleted?
On Tue, October 3, 2017 13:12, hw wrote:
> Alexander Dalloz writes:
>
>> On 01.10.2017 at 17:21, hw wrote:
>>> Hi,
>>>
>>> how can I prevent files/directories like /var/run/mariadb from
>>> being deleted on reboot?  Lighttpd has the same problem.
>>>
>>> This breaks services and makes servers non-restartable by anyone
>>> else but the administrator who needs to re-create the needed
>>> files and directories every time and has to figure out what
>>> selinux labels they need.  This causes unnecessary downtimes.
>>>
>>> This is entirely unacceptable. This totally sucks.

It will help you to avoid future unpleasant surprises if you take the
time to read up on the Hierarchical File System (HFS) and its relation
to the Filesystem Hierarchy Standard (FHS).

The directories /run and /var/run, which should be the same place on
properly configured systems, are solely to be used for run-time data
ONLY. The phrase run-time implies ephemeral data that is not preserved
between restarts of the service much less reboots.

--
James B. Byrne
Re: [CentOS] yum update problem - dependency problem
You have a conflicting package installed from repository @atrpms. You
need to remove that package and/or disable that repository to get past
the dependency issue. 'Skip broken' is not going to handle this
situation nor will any other set of yum options.

On Tue, September 26, 2017 05:32, Gary Stainburn wrote:
> --> Processing Dependency: /usr/sbin/ldconfig for package:
> libbluray1-0.4.0-6.el7.x86_64
> --> Finished Dependency Resolution
> Error: Package: libbluray1-0.4.0-6.el7.x86_64 (@atrpms)
>            Requires: /usr/sbin/ldconfig
>            Removing: glibc-2.17-157.el7_3.1.i686 (@updates)
>                Not found
>            Updated By: glibc-2.17-196.el7.i686 (base)
>                Not found
>  You could try using --skip-broken to work around the problem
>  You could try running: rpm -Va --nofiles --nodigest
> [root@lcomp5 ~]#
>
>

--
James B. Byrne
Re: [CentOS] Block internet access for some users on the LAN ?
On Monday, September 18, 2017 1:04 PM, Nicolas Kovacs wrote:
>
> This year the school's director wants to completely block Internet
> access for all the student's personal devices.
>

The silent premise in this request is that all student Internet access
occurs through the school's gateway. Which is of course false.

If the objective is to prevent misuse of school resources for
non-education purposes then the premise, while faulty, is fine. If the
objective is to restrict students' Internet access in its entirety then
this is doomed to fail.

Have you clarified with the director that only access through your
gateway can be affected by this policy and that student devices with
cellular data plans will still have access?

--
James B. Byrne
Re: [CentOS] login case sensitivity
On Thu, September 7, 2017 14:07, hw wrote:
> Gordon Messmer wrote:
>> On 09/07/2017 08:11 AM, Stephen John Smoogen wrote:
>>> This was always problematic because DNS hostnames and
>>> email addresses in the RFC standards were case insensitive
>>
>>
>> Not quite.  SMTP is required to treat the "local-part" of the RCPT
>> argument as case-sensitive, and to preserve case when relaying mail.
>> The destination is allowed to treat addresses according to local
>> policy, but in general SMTP is case sensitive with regard to the
>> user identifier.
>
> Last time I checked, RFCs said that local parts *should not* be case
> sensitive, and cyrus defaulted to treat them case sensitive, which
> is a default that usually needs to be changed because senders of
> messages tend to not pay any attention to the case sensitiveness
> of recipient addresses at all, which then confuses them like any
> other error.
>
>

https://tools.ietf.org/html/rfc5321

Updated by: 7504                                        DRAFT STANDARD
                                                          Errata Exist
Network Working Group                                       J. Klensin
Request for Comments: 5321                                October 2008
Obsoletes: 2821
Updates: 1123
Category: Standards Track
. . .
2.4.  General Syntax Principles and Transaction Model
. . .
   Verbs and argument values (e.g., "TO:" or "to:" in the RCPT command
   and extension name keywords) are not case sensitive, with the sole
   exception in this specification of a mailbox local-part (SMTP
   Extensions may explicitly specify case-sensitive elements).  That is,
   a command verb, an argument value other than a mailbox local-part,
   and free form text MAY be encoded in upper case, lower case, or any
   mixture of upper and lower case with no impact on its meaning.
   __The local-part of a mailbox MUST BE treated as case sensitive.__
   Therefore, SMTP implementations MUST take care to preserve the case
   of mailbox local-parts.  In particular, for some hosts, the user
   "smith" is different from the user "Smith".  However, exploiting the
   case sensitivity of mailbox local-parts impedes interoperability and
   is discouraged.  Mailbox domains follow normal DNS rules and are
   hence not case sensitive.
. . .

Case munging of the local part is handled by the local delivery agent
in my experience. The Cyrus LMTP service can be, and often is,
configured to force lower case munging (imapd.conf
'lmtp_downcase_rcpt: 1') of the local part. That decision is site
specific.

--
James B. Byrne
Re: [CentOS] old hardware / minimal netinstall -> CPU fan control
On Tue, July 11, 2017 14:16, m.r...@5-cent.us wrote:
> Fred Smith wrote:
>> On Tue, Jul 11, 2017 at 12:05:55PM +0100, Gary Stainburn wrote:
>>> I have just installed CentOS 6 i386 onto an old rack server (it's
>>> gonna be a Bacula storage server and is a 1U 1/2 depth chassis)
>>>
>>> I did a minimum netinstall and so far so good. However, I have one
>>> problem. The CPU fan is going at full speed constantly.  Not a real
>>> problem apart from (a) it will affect the fan's lifespan and
>>> (b) it's noisy.
>>
>> I used to have a HP 320 generation 2 server that I used as a
>> desktop. it had a bunch of tiny fans that screamed like a banshee.
>>
>> it turns out that one of the RPMs they shipped with it (on CD,
>> not actually installed) contained a driver that toned down the
>> fans to a soft roar. I'm sorry to say I have no memory of what
>> the driver was.
>>
>> but if this system is from a vendor that supports Linux, they
>> might have some suitable driver.
>>
> That's in the firmware. You may, or may not, be able to do
> something with ipmitool, but I don't think so. Reboot, and
> look in system setup. It may be under performance settings.

If this is a SuperMicro box then you can contact their support to see
if there is a BIOS update that deals with this issue. After an update
to one of our SM rack units its fans sounded like a jet taking off.
This turned out to be a known problem and the final fix was a BIOS
update from SM.

--
James B. Byrne
[CentOS] rsync and cause/source of an empty file
We transfer files from a VAN provider at 15 minute intervals using
rsync over ssh. The setup is somewhat complicated in that the VAN will
not permit direct rsync access and so we establish the link via sshfs
and then mount remote location as local.

My question is, given the above conditions and the following rsync
command:

/usr/bin/rsync --chmod=o+r --chmod=g+w --itemize-changes --remove-sent-files --times /var/spool/imanet/pick_up/* /var/spool/imanet/drop_off

Under what circumstances would a file containing data at the remote
end (/var/spool/imanet/pick_up/) arrive at our end
(/var/spool/imanet/drop_off) as an empty file? No transmission errors
were logged and multiple files were transferred during the same
session. All but one arrived with their contents intact.

--
James B. Byrne
[CentOS] sha256sum a dvd
CentOS-6.9

I am trying to verify a locally created dvd. I am using sha256sum in
this fashion:

sha256sum /dev/sr0

Which gave this result:

sha256sum: /dev/sr0: Input/output error

So I tried this:

sha256sum /dev/cdrom

Which, after some time, also produces:

sha256sum: /dev/cdrom: Input/output error

What does this mean and how do I fix it?

--
James B. Byrne
Re: [CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
knowledge. However, I am past the point of patience with gratuitous
changes that offer no appreciable benefit to the parties tasked with
dealing them. Systemd is not the problem. It is a symptom of a deeper
malaise, indifference.

--
James B. Byrne
Re: [CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On Mon, April 17, 2017 17:13, Warren Young wrote:
>
> Also, I'll remind the list that one of the *prior* times the systemd topic came up, I was the one reminding people that most of our jobs summarize as "Cope with change."
>

At some point 'coping with change' is discovered to consume a disproportionate amount of resources for the benefits obtained. In my sole opinion the Linux community appears to have a change-for-change-sake fetish. This is entirely appropriate for an experimental project. The mistake that I made many years ago was inferring that Linux was nonetheless suitable for business.

To experimenters a ten year product cycle may seem an eternity. To many organisations ten years is barely time to work out all the kinks and adapt internal processes to automated equivalents. And the smaller the business the more applicable that statement becomes.

I do not have any strong opinion about systemd as I have virtually no experience with it. But the regular infliction of massively disruptive changes to fundamental software has convinced us that Linux does not meet our business needs. Systemd and Upstart are not the cause of that. They are symptoms of a fundamental difference of focus between what our firm needs and what the Linux community wants.
Re: [CentOS] OT: systemd Poll
On Sun, April 9, 2017 00:39, Anthony K wrote:
> According to "Arthur Schopenhauer":
>
> "All truth passes through three stages.
> First, it is ridiculed.
> Second, it is violently opposed.
> Third, it is accepted as being self-evident."
>
> I must admit that I skipped through the first and second stages - I never found creating init scripts a joy and instead opted to write my own scripts that I launched via inittab. As such, I welcomed the simplicity systemd's service files without fuss.
>
> So, at which stage are you in w/ regards to adopting systemd? Are you still ridiculing it, violently opposed to it, or have you mellowed to it?
>

A. FreeBSD-11.
Re: [CentOS] Timezone and date
On Tue, April 4, 2017 21:22, Jerry Geis wrote:
> When I do the date +%Z I get the timezone. Which currently is EDT.
>
> I am sending information to another system, that says EDT is not a valid timezone. I have no way to modify the other system.
>
> My question is - is there a way to get the non-day-lite savings time zone ?
> For example EST is valid - EDT is not.
>

    date -u
    Wed Apr 5 20:18:45 UTC 2017
Re: [CentOS] firewalld management on a headless server
On Mon, March 27, 2017 17:31, m.r...@5-cent.us wrote:
> Mike wrote:
>> Nice catch, Mr. Schumacher ---> The following modules are included as standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz Configure a Linux firewall using FirewallD, by editing allowed services and ports.
>>
>> This is likely the right tool for the job.
>>
> Webmin used to be considered insecure, and people would scream and yell if you suggested using it. Has that changed?

Webmin is as insecure as the administrator cares to make it.

Our host systems' Webmin instances listen on a reserved IP address different from the host's DNS entry and that address is only reachable through the host's firewall from specified IP addresses originating on our internal LAN. Further, Webmin is configured to automatically switch to https and use a certificate generated by our corporate private CA.

Our gateway firewall blocks all access to the port assigned to Webmin. One has to tunnel in to one of the pre-determined host addresses to obtain remote access. A separate webmin logon is set in the webmin configuration which has no existence on the host system. Webmin can also be configured to restrict the hours and day that access is allowed to specific users but we have not bothered with that.

The main known weakness is Webmin's dependency on passwords which for all I know is due to my ignorance. If Webmin does support RSA certificate authentication then I would love to be told where it is configured. However, failing that, very long pass phrases mitigate the password issue somewhat. Further, Webmin does support two-factor authentication using Google or Authy.

To my knowledge there are no CVEs reported for Webmin since 2015 and I believe that all known problems are resolved in the present release. Which is not to say that there are no exploits left to be uncovered but then again we can hardly claim that about any software.
[CentOS] KVM guest fails to boot cleanly
the last working kernel. Nonetheless, I would like guidance on how to proceed with fixing/removing the broken one. Suggestions?
[CentOS] Centos-6.8 fsck and lvms
I have a CentOS-6.8 system which has a suspected HDD failure. I have booted it into rescue mode from a CentOS-6.5 minimal install CD in order to run fsck -c on it. The system hosts several vms. I have activated the lvs associated with these vm using pvscan -s ; vgscan ; vgchange -ay. An lvscan shows the lvs as ACTIVE. None are mounted.

When I try to run fsck on any of them I see the following error:

    fsck from util-linux-ng.2.17.2
    e2fsck 1.41.12.(17-May-2010)
    fsck.ext2: No such file or directory while trying to open /dev/vg. . .

    The superblock could not be read or does not describe a correct ext2
    filesystem. If the device is valid and it really contains an ext2
    filesystem (and not swap or ufs or simething else), then the superblock
    is corrupt, and you might try running e2fsck with an alternate superblock:
        e2fsck -b 8193

Trying to find alternate super-blocks proves futile:

    dump2fs /dev/sda2 | grep -i superblock
    dump2fs 1.41.12 (17-May-2010)
    dump2fs: Bad magic number in super-block while trying to open /dev/sda2
    Couldn't find valid filesystem superblock

The file systems on this host were all created as type ext4 and all are lvs with the exception of /boot, which is not an lv and has its own partition on /dev/sda1.

I infer that the HDD is gone the way of all flesh; or ferrite as the case may be. But, my ignorance on this is profound so if I am missing some form of recovery step I would appreciate some guidance on how to proceed.

Thanks,
[CentOS] Processing Conflict: speexdsp-1.2-0.9.rc3.el6.x86_64
    Processing Conflict: speexdsp-1.2-0.9.rc3.el6.x86_64 conflicts speex <= 1.2-0.21.rc1

I am loath to replace things on my primary workstation as I have far too much to do as it is without dealing with self-inflicted injuries. However, I do use Jitsi as a softphone and the latest version has a dependency on a package in EPEL which replaces something from the base distro.

Can someone inform me of what issues, if any, would replacing speex with speexdsp likely cause? I have a lot of packages that depend upon speex. Installing speexdsp by itself seems to indicate that it is not considered an upgrade or replacement for speex. One just conflicts with the other.
Re: [CentOS] CentOS-6.8 fsck report Maximal Count
On Fri, March 10, 2017 11:57, m.r...@5-cent.us wrote:
>
> Looks like only one sector's bad. Running badblocks should, I think, mark that sector as bad, so the system doesn't try to read or write there. I've got a user whose workstation has had a bad sector running for over a year. However, if it becomes two, or four, or 64 sectors, it's replacement time, asap.
>

Bear with me on this. The last time I did anything like this I ended up having to boot into recovery mode from an install cd and do this by hand. This is not an option in the present circumstance as the unit is a headless server in a remote location.

If I do this:

    echo '-c' > /fsckoptions
    touch /forcefsck
    shutdown -r now

Will this repair the bad block and bring the system back up? If not then what other options should I use?

The bad block is located in an LV assigned to a libvirt pool associated with a single vm. Can this be checked and corrected without having to deal with the base system? If so then how?

Regards,
Re: [CentOS] CentOS-6.8 fsck report Maximal Count
On Thu, March 9, 2017 09:46, John Hodrien wrote:
> On Thu, 9 Mar 2017, James B. Byrne wrote:
>
>> This indicated that a bad sector on the underlying disk system might be the source of the problem. The guests were all shutdown, a /forcefsck file was created on the host system, and the host system remotely restarted.
>
> fsck's not good at finding disk errors, it finds filesystem errors.

If not fsck then what?

>
> If it was a real disk issue, you'd expect matching errors in the host logs.

Yes, there are:

    Mar 9 09:14:13 vhost03 kernel: end_request: I/O error, dev sda, sector 1236929063
    Mar 9 09:14:30 vhost03 kernel: end_request: I/O error, dev sda, sector 1236929063
    Mar 9 09:14:48 vhost03 kernel: end_request: I/O error, dev sda, sector 1236929063

I am running an extended SMART test on the drive at the moment. I suspect that the drive is probably at its EOL for practical purposes. So likely we will be looking at an equipment upgrade given the age of the rest of the equipment.

In the meantime what steps, if any, should I take to remediate this problem?

>
>> /var/log/messages:Mar 9 08:34:48 vhost03 kernel: EXT4-fs (dm-6): warning: maximal mount count reached, running e2fsck is recommended
>
> Unmount it and run fsck on it, and that message would go away. But I'd not worry about that one.
>
> jh
>
>
[CentOS] CentOS-6.8 fsck report Maximal Count
We have a remote warm standby system running CentOS-6.8 as a KVM system with multiple guests. One of the guests began reporting an error when running aide.

    Caught SIGBUS/SEGV while mmapping. File was truncated while aide was running?
    Caught SIGBUS/SEGV. Exiting

The /var/log/messages file contained this:

    Mar 9 09:14:13 inet12 kernel: end_request: I/O error, dev vda, sector 14539264
    Mar 9 09:14:31 inet12 kernel: end_request: I/O error, dev vda, sector 14539296
    Mar 9 09:14:48 inet12 kernel: end_request: I/O error, dev vda, sector 14539296

    df
    Filesystem                    1K-blocks    Used Available Use% Mounted on
    /dev/mapper/vg_inet02-lv_root   7932336 2262672   5260064  31% /
    tmpfs                            961044       0    961044   0% /dev/shm
    /dev/vda1                        487652  139473    322579  31% /boot
    . . .

This indicated that a bad sector on the underlying disk system might be the source of the problem. The guests were all shutdown, a /forcefsck file was created on the host system, and the host system remotely restarted.

However, this action did not remove the error. The host system log files had this to say about fsck:

    /var/log/messages:Mar 9 08:34:48 vhost03 kernel: EXT4-fs (dm-6): warning: maximal mount count reached, running e2fsck is recommended

In /dev I see this:

    brw-rw. 1 root disk 253, 6 Mar 9 08:34 dm-6

But, this device has nothing whatsoever to do with the kvm guests:

    ll /dev/vg_vhost03/ | grep dm-6
    lrwxrwxrwx. 1 root root 7 Mar 9 08:34 lv_centos_repos -> ../dm-6

Rather this is an lv devoted to holding CentOS ISOs:

    /dev/mapper/vg_vhost03-lv_centos_repos 101016992 77160124 18718848 81% /var/data/centos

So, my questions are:

1. How do I fix the problem with the guest system that Aide is stumbling over?

2. How do I get the fsck issue with dm-6 resolved?
Re: [CentOS] Wich web browser on CentOS6 ?
On Fri, February 10, 2017 15:44, Alice Wonder wrote:
> On 02/10/2017 12:34 PM, James B. Byrne wrote:
>>
>> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>>> Hello
>>>
>>> I have more and more troubles using firefox in professional environment with CentOS6. The latest version is 45.7.0 But I can't use it anymore to access some old server hardware (IDRAC7 of DELL C6100) because of "/SSL_ERROR_WEAK_SERVER_CERT_KEY/". I had to install an old Firefox32 version to administrate these servers.
>>>
>>> Today I upgrade the firmware of 2 DELL switch and now Firefox cannot connect to them anymore saying: /An error occurred during a connection to xxx.xxx.xxx.xxx. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports/ /SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT/
>>>
>>> Is there a CentOS6 recommended web browser allowing continuous connections to olds and new base level (and local) system administration services ?
>>>
>>
>> This situation arises because older, dare I say old, equipment released with embedded software and using http/https as the administrative front end were shipped with minimally compliant x-509 certificates. Often self-signed with 1kb keys and md5 signature hashes. Not to mention many are past their expiry dates.
>>
>> However, given the revelations of state sanctioned snooping on network traffic browsers are being pushed to implement increased compliance checking for the overall security of users. Firefox is simply implementing what various 'authorities' are recommending as secure practices with respect to authentication using pki and x-509 certificates.
>>
>> The present situation is a PIA. It could be a lot more user-friendly if FF so chose. They could have easily allowed one to turn off these advanced compliance checks for specific IP and DNS addresses so that the intended benefit remained but the interference with existing infrastructure was minimised.
>>
>> But, FF is on its own chosen path to oblivion and the idea of compromise is totally absent from their project plan.
>>
>>
>
> IMHO FireFox is doing the right thing. Compromises in policy is how system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad vendors, then so can malware.
>
> What we really need to do is demand better from the manufacturers of products we use in a "professional environment" - and it is extremely important we demand better from them now, during the dawn of IoT.
>
>

It is a bit difficult for an end user to insist that a vendor improve a ten year old piece of equipment. Sure, that might be as simple as a firmware update. But why not insist that people buy new product instead and thereby add to the bottom line? Which way do you see most commercial firms going?

FF is a consumer item that is being shipped with a supposedly Enterprise Linux distribution. This leads to problems that are created by the divergence between the target audience and Enterprise users. Enterprises tend to have a much more robustly secured gateway to the wider Internet than consumers. Which for that audience makes a lot of the more esoteric security enhancements rather useless. If an intruder can carry out a MTM attack on your internal LAN then nothing FF can do is going to have much of an effect.

A professional organisation would not simply cut administrators off from the devices that they are required to manage. Nor would it dictate how a company spends its money on hardware. A bunch of self-righteous zealots might. Which may account for the fact that FF (all versions) market share is now less than 10%.[1]

[1] https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qptimeframe=M&qpsp=216&qpfilter=ColumnName%09LK%09Fire*
Re: [CentOS] Wich web browser on CentOS6 ?
On Fri, February 10, 2017 06:26, Patrick Begou wrote:
> Hello
>
> I have more and more troubles using firefox in professional environment with CentOS6. The latest version is 45.7.0 But I can't use it anymore to access some old server hardware (IDRAC7 of DELL C6100) because of "/SSL_ERROR_WEAK_SERVER_CERT_KEY/". I had to install an old Firefox32 version to administrate these servers.
>
> Today I upgrade the firmware of 2 DELL switch and now Firefox cannot connect to them anymore saying: /An error occurred during a connection to xxx.xxx.xxx.xxx. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports/ /SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT/
>
> Is there a CentOS6 recommended web browser allowing continuous connections to olds and new base level (and local) system administration services ?
>

This situation arises because older, dare I say old, equipment released with embedded software and using http/https as the administrative front end were shipped with minimally compliant x-509 certificates. Often self-signed with 1kb keys and md5 signature hashes. Not to mention many are past their expiry dates.

However, given the revelations of state sanctioned snooping on network traffic browsers are being pushed to implement increased compliance checking for the overall security of users. Firefox is simply implementing what various 'authorities' are recommending as secure practices with respect to authentication using pki and x-509 certificates.

The present situation is a PIA. It could be a lot more user-friendly if FF so chose. They could have easily allowed one to turn off these advanced compliance checks for specific IP and DNS addresses so that the intended benefit remained but the interference with existing infrastructure was minimised.

But, FF is on its own chosen path to oblivion and the idea of compromise is totally absent from their project plan.
Re: [CentOS] Firefox Issue
On Thu, January 5, 2017 17:23, Always Learning wrote:
>
>
> Cyber attacks are gradually replacing armed conflicts.
>

Better fight with bits than blood.
Re: [CentOS] Off-Topic: Travel Router and Firewall
On Thu, November 24, 2016 12:28, H wrote:
> You are right, I had forgotten about needing two WiFi adapters... If there is an Ethernet jack in the hotel room I would go with that but that is, of course, far from assured and two WiFi nets would be needed.

I have found Ethernet RJ45 ports in hotel rooms with wi-fi frequently no longer active and simply relics of an earlier Internet service.
Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI?
On Sun, November 20, 2016 12:43, Walter H. wrote:
>
> https://box.domain1.com works
> but
> https://box.domain2.com results in 'Certificate name mismatch'
>
>

What are the contents of the certificate(s) you have configured for tls? What AltSubject names, if any, do the certificate(s) support?
[CentOS] ldns-dane
This is an epel package but I thought that I would ask here first. I am encountering unexpected behaviour from this program and I would like to know if it is a bug, or I am configuring something wrong, or if this is intended behaviour.

    ldns-dane version 1.6.16 (ldns version 1.6.16)

When I attempt to specify the entire certificate as the desired data source for this program I get the following error:

    ldns-dane \
      -n -o 0 \
      -c CA_HLL_ROOT_2016.pem \
      create harte-lyne.ca 443 \
      2 0 2
     should be in range [0-1]

Likewise I cannot specify the output format as no-hash.

    ldns-dane \
      -n -o 0 \
      -c CA_HLL_ROOT_2016.pem \
      create harte-lyne.ca 443 \
      2 1 0
     should be in range [0-2]

In fact, 0 is not an accepted value in any of these positions:

    ldns-dane \
      -n -o 0 \
      -c CA_HLL_ROOT_2016.pem \
      create harte-lyne.ca 443 \
      0 1 1
     should be in range [0-3]

Why is zero invalid?
[CentOS] CentOS-6.8 PCI Hwdr issue?
    0:1d.7                       bus      82801JI (ICH10 Family) USB2 EHCI Controll
    usb@2          usb2          bus      EHCI Host Controller
    pci@:00:1e.0                 bridge   82801 PCI Bridge
    pci@:00:1f.0                 bridge   82801JIB (ICH10) LPC Interface Controller
    pci@:00:1f.2   scsi2         storage  82801JI (ICH10 Family) 4 port SATA IDE Co
    scsi@2:0.0.0   /dev/cdrom    disk     DVDRAM GH20NS10
    scsi@3:0.0.0   /dev/sda      disk     1TB ST31000524AS
    scsi@3:0.0.0,1 /dev/sda1     volume   500MiB EXT4 volume
    scsi@3:0.0.0,2 /dev/sda2     volume   931GiB Linux LVM Physical Volume partitio
    pci@:00:1f.3                 bus      82801JI (ICH10 Family) SMBus Controller
    pci@:00:1f.5                 storage  82801JI (ICH10 Family) 2 port SATA IDE Co

Can anyone shed any light on this problem? The system in question has been running some years and is only lacking the most recent updates.
Re: [CentOS] IPMI ??
On Sun, September 18, 2016 19:08, Keith Keller wrote:
>
> Make sure you do not allow the IPMI's IP to be accessible on a public network. Either keep the IP on a private network (better), keep the IP firewalled to only certain IPs, or change the admin password from the default.

In order of importance:

1. ALWAYS change the administrative account credentials from their defaults to something reasonably difficult to infer. Supermicro allows one to select the user name of the administrative account in addition to setting the password. Change both.

2. Always restrict access to IPMI from specific source addresses. If you need to obtain access from a different point of origin then set up one or more of the hosts having a permitted IP as an sshd/vpn service in advance and relay to the IPMI port from there.

3. Firewall any IPMI IP addresses at the gateway for all protocols and prevent any direct access to it whatsoever from the internet.

4. Where feasible place all IPMI IP addresses on their own private IP network ([192.168.X.0/24] or similar) and set up the gateway router internal interface to suit.
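Items 2 to 4 of the list above can be verified against the gateway's actual rule set rather than taken on trust. The following Python check is an added example, not part of the original post; it assumes a Linux gateway whose rules are exported with iptables-save, models only source, destination and target matches in the FORWARD chain, and uses constructed addresses throughout.

```python
import ipaddress
import shlex

# Constructed iptables-save output for a Linux gateway (all addresses are examples).
GATEWAY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.1.1.10/32 -d 192.168.50.0/24 -j ACCEPT
-A FORWARD -s 10.1.1.11/32 -d 192.168.50.0/24 -j ACCEPT
-A FORWARD -d 192.168.50.0/24 -j DROP
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MODELLED = {"-s", "-d", "-j", "--reject-with"}


def load_forward_chain(text):
    """Return (policy, rules); each rule is (src_net, dst_net, target)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            args = shlex.split(line)[2:]
            opts = dict(zip(args[0::2], args[1::2]))
            # Fail closed: refuse rules with matches or targets not modelled here,
            # because guessing at them could hide an open path.
            if len(args) % 2 or set(opts) - MODELLED or opts.get("-j") not in TERMINAL:
                raise ValueError("unsupported rule: " + line)
            rules.append((ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
                          ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
                          opts["-j"]))
    return policy, rules


def verdict(policy, rules, src, dst):
    """First matching rule wins; otherwise the chain policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src in src_net and dst in dst_net:
            return target
    return policy


def audit_ipmi_access(text, ipmi_net, admin_hosts, outsiders):
    """List every deviation from 'only admin_hosts may reach ipmi_net'."""
    policy, rules = load_forward_chain(text)
    net = ipaddress.ip_network(ipmi_net)
    # Sample the first and last host address of the IPMI network.
    targets = [str(net.network_address + 1), str(net.broadcast_address - 1)]
    findings = []
    for dst in targets:
        for src in admin_hosts:
            if verdict(policy, rules, src, dst) != "ACCEPT":
                findings.append("admin host %s cannot reach %s" % (src, dst))
        for src in outsiders:
            if verdict(policy, rules, src, dst) == "ACCEPT":
                findings.append("%s is allowed through to %s" % (src, dst))
    return findings


if __name__ == "__main__":
    print(audit_ipmi_access(GATEWAY_RULES, "192.168.50.0/24",
                            ["10.1.1.10", "10.1.1.11"],
                            ["203.0.113.7", "10.1.1.99"]) or "no findings")
```

Item 1 (changing the default account name and password) is set on the BMC itself and is outside what a rule-set check can show.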
Re: [CentOS] php55w-fpm on CentOS 7: settings location
On Wed, August 3, 2016 14:19, Always Learning wrote:
>
> On Wed, 2016-08-03 at 13:55 -0400, Jason Welsh wrote:
>
>> What I do is create a php.php file on the root of my fileserver with the following
>>
>>
>
> I use a text command: php -i
>
>
>

    php -i > php-i.txt
    echo '' | php > php-echo.txt
    diff php-i.txt php-echo.txt
    709,710c709,710
    < _SERVER["PHP_SELF"] =>
    < _SERVER["SCRIPT_NAME"] =>
    ---
    > _SERVER["PHP_SELF"] => -
    > _SERVER["SCRIPT_NAME"] => -
    714c714
    < _SERVER["REQUEST_TIME"] => 1470317489
    ---
    > _SERVER["REQUEST_TIME"] => 1470317531
    716a717
    > [0] => -
    719c720
    < _SERVER["argc"] => 0
    ---
    > _SERVER["argc"] => 1

I do not see much to choose between them in terms of output and 'php -i' is certainly handier when in a terminal session on the host.
Re: [CentOS] curl build system is broken and so is mock
On Wed, August 3, 2016 22:53, Alice Wonder wrote:
>
> I didn't realize ldd was recursive. I may have known that at one point (been using linux since MK Linux DR3 and building RPMs since 1999), but have a head injury results in memory problems with pieces of knowledge I don't frequently use.

Most of us have that problem; head injuries or not.
Re: [CentOS] users unable to log into kde after 6.8 update
On Thu, July 21, 2016 07:56, Jose Maria Terry Jimenez wrote:
> On 21/7/16 at 8:53, geo.inbox.ignore wrote:
>
>> greetings to all.
>>
>> centos = 6.8 current
>> system = toshiba l455d-s5976 laptop
>>
>> a new problem has developed after 1st updating of 6.8.
>>
>> regular user is not able to open kde desktop, can open gnome desktop.
>>
>> root user can open either kde or gnome desktop.
>>
>> as a user, when i try to open kde, after entering password, screen goes to a solid blue, then shows a quick full screen view of command line text, too quick to read, then screen changes back to login prompt.
>>
>> logged in as root, i created a second user, still have same results as above.
>>
>> searching thru 2+ years of local archives revealed nothing, nor does web searching.
>>
>> any advice, recommendation, suggestion appreciated.
>>
>> tia.
>>
> Hello
>
> If it works for root and not for users, it seems a permissions problem
>
> I'd try:
>
> chown -R username.username /home/username
>
> Hope it helps
>
>

Is SELinux enabled? If so then what does 'audit2why -l -a' say?
[CentOS] CentOS6 - Stop NUX Skype auto-start with gnome desktop
How does one configure Skype/Gnome such that one can have Skype installed but not auto-start when the Gnome desktop opens? I have looked in the 'System/Preferences/Startup Applications' menu but Skype is not listed there. There are no options in the Application itself that allow this setting either.

If there is no other way then I will remove the application package and re-install when I need it. But surely there is a way to control this behaviour and the problem is that I simply cannot find it.

Thanks.
Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability
On Mon, June 27, 2016 12:29, Gordon Messmer wrote:
> On 06/26/2016 01:50 PM, James B. Byrne wrote:
>> However, all I am seeking is knowledge on how to handle this using
>> iptables. I am sure that this defect/anomaly has already been
>> solved wherever it is an issue. Does anyone have an example on
>> how to do this?
>
>
> I think the bit you're missing is that you don't have to address every
> detail that your auditors send you. You can label an item a false
> positive. You can respond that you are aware, and that you don't
> consider an item to be a security defect. Fingerprinting is an
> excellent example thereof. As was already noted, the IP ID field is
> just one of many aspects of IP networking that can be used to identify
> Linux systems. If you don't address them all, addressing one is not a
> useful exercise.

I understand WRT false positive flagging. And that is exactly what I have done. However, the PCI DSS report piqued my interest in this matter and I thought to satisfy my curiosity.

The other stuff flagged in the report seemed a little far-fetched to me. At least the explanation of why they were flagged did. As none of them affect our PCI status I have no interest in the rest. This one however I was previously unaware of and so I wanted to discover more about it.

Thank you for the information and especially for the references.

Sincerely,

--
James B. Byrne
Re: [CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability
On Fri, June 24, 2016 12:24, John R Pierce wrote:
> On 6/24/2016 9:20 AM, James B. Byrne wrote:
>> We received a notice from our pci-dss auditors respecting this:
>>
>> CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps
>> the IP Identification field at 0 for all non-fragmented packets,
>> which could allow remote attackers to determine that a target
>> system is running Linux.
>
>
> 2.4 kernels are kinda old. kinda really really old. are you still
> running CentOS 4 on PCI audited systems ?!??
>
>

The CVE is from 2002 and the kernel mentioned refers to the original report. Linux core team said it was a non-problem and the issue remains in the kernel found in CentOS-6.8. Possibly the one in 7. Perhaps it is still present in the development branch.

However, all I am seeking is knowledge on how to handle this using iptables. I am sure that this defect/anomaly has already been solved wherever it is an issue. Does anyone have an example on how to do this?

--
James B. Byrne
[CentOS] UDP Constant IP Identification Field Fingerprinting Vulnerability
We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux.

The NVD entry for which contains this note:

  CHANGE> [Cox changed vote from REVIEWING to NOOP]
  Cox> So I asked some kernel guys about this - it's not considered an
  issue. There are several other ways to identify Linux on the wire
  and people who care about this kind of thing rewrite their packets
  in various ways via firewall technology to trick the identifier
  programs.

So, what packet mangling may be done in iptables to solve this without breaking udp transmission? I take it that we are talking about something in the prerouting chain but what kind of mangling is safe? Is there an example somewhere?

--
James B. Byrne
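To confirm what the auditors' scanner observed, the following added example (not part of the original thread) parses IPv4 headers from a capture taken on your own network and lists the sources whose non-fragmented UDP datagrams all carry the same Identification value, which is the behaviour CVE-2002-0510 describes. The packets are constructed inside the code, and the function names and 192.0.2.x addresses are assumptions.

```python
"""Flag sources whose non-fragmented UDP datagrams carry a constant IP ID."""
import struct
from collections import defaultdict

IPPROTO_UDP = 17
FLAG_DF = 0x4000      # "don't fragment" bit in the flags/offset word
FLAG_MF = 0x2000      # "more fragments" bit
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def build_ipv4_udp(src, dst, ip_id, df=True, mf=False, payload=b"test"):
    """Build a constructed IPv4+UDP packet (checksums left at 0)."""
    total_len = 20 + 8 + len(payload)
    frag_word = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0)
    ip = struct.pack(IPV4_HDR, 0x45, 0, total_len, ip_id, frag_word, 64,
                     IPPROTO_UDP, 0,
                     bytes(int(p) for p in src.split(".")),
                     bytes(int(p) for p in dst.split(".")))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload


def parse_ipv4(packet):
    """Return the header fields relevant to the finding, or None if not IPv4."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _length, ip_id, frag_word,
     _ttl, proto, _csum, src, _dst) = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    return {
        "src": ".".join(str(b) for b in src),
        "proto": proto,
        "id": ip_id,
        "df": bool(frag_word & FLAG_DF),
        # A datagram is a fragment if MF is set or its offset is non-zero.
        "fragment": bool(frag_word & FLAG_MF) or (frag_word & OFFSET_MASK) != 0,
    }


def constant_id_sources(packets, min_packets=3):
    """Map source address -> IP ID for sources that never vary the ID.

    Only non-fragmented UDP datagrams are counted, and a source needs at
    least min_packets of them before it is reported.
    """
    seen = defaultdict(list)
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr and hdr["proto"] == IPPROTO_UDP and not hdr["fragment"]:
            seen[hdr["src"]].append(hdr["id"])
    return {src: ids[0] for src, ids in seen.items()
            if len(ids) >= min_packets and len(set(ids)) == 1}


# Constructed capture: one host that always sends ID 0 (plus one fragment,
# which is ignored) and one host whose ID changes per datagram.
SAMPLE_CAPTURE = [
    build_ipv4_udp("192.0.2.10", "192.0.2.1", 0),
    build_ipv4_udp("192.0.2.10", "192.0.2.1", 0),
    build_ipv4_udp("192.0.2.10", "192.0.2.1", 0),
    build_ipv4_udp("192.0.2.10", "192.0.2.1", 0x5151, df=False, mf=True),
    build_ipv4_udp("192.0.2.20", "192.0.2.1", 0x1A2B),
    build_ipv4_udp("192.0.2.20", "192.0.2.1", 0x1A2C),
    build_ipv4_udp("192.0.2.20", "192.0.2.1", 0x1A2D),
]

if __name__ == "__main__":
    for src, ip_id in constant_id_sources(SAMPLE_CAPTURE).items():
        print(f"{src}: every non-fragmented UDP datagram had IP ID {ip_id}")
```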
Re: [CentOS] https and self signed
On Mon, June 20, 2016 13:16, Gordon Messmer wrote:
> On 06/20/2016 07:47 AM, James B. Byrne wrote:
>> On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
>>
>>> I'm not interested in turning this in to a discussion on
>>> epistemology.
>>> This is based on the experience (the evidence) of some of the
>>> world's foremost experts in the field (Akamai, Cisco, EFF,
>>> Mozilla, etc).

I would rather look to Bruce Schneier and Noam Chomsky for guidance before I would take security advice from organisations that have already shown to be compromised in the matters of their clients' security -- the EFF being the sole exception in the list provided. Or so I presently believe.

>> Really? Then why did you forward your reply a private message to a
>> public mailing list if not to do exactly what you claim you wish to
>> avoid?
>
> Accidents happen. I didn't intentionally mail you off-list,
> and when I noticed that I had, seconds later, I re-sent the
> message to the list, expecting that you'd notice and understand
> that I intended to keep the conversation on the list.
>

Except that I get the list as a digest. Which means that your assumptions were wrong. Funny that think you not?

> ..which isn't relevant to the question of what you consider "evidence"
> of security practice implications.
>
> Look, go to https://www.google.com/ right now and tell me what you
> see.

A snoop that self-signs its own certificates?

> Do you suddenly distrust the internet's single largest domain? Do you
> think they implement poor security practices?
>

My distrust of Google developed over many years. There was nothing sudden about it. But it is deep now.

>>> For someone who wants "evidence" you make a lot of unsupported
>>> assertions. You do see the irony, don't you?

I assert my opinions if that is what you are referring to. I do not claim them to be fact. I believe them to be true but I admit readily that I may be wrong. Indeed I most certainly must be wrong in some of them. My difficulty being determining which ones.

However, I have formed my opinions on the basis of a long term exposure to security matters both pre and post Internet. And I have seen before the same thoughtless enthusiasms for things shiny and different in the security community. Things adopted and put into practice without even the most cursory of trials and evaluations for effectiveness and efficacy -- not to mention lawfulness on some occasions --.

Sometimes I have had to deal with the consequences of those choices at the pointy end of the stick. Thus if I am to adopt a different point of view then I require something in the way of supporting measurable evidence to show that I am wrong and that others are right.

>> The difference is that I state this is my opinion and I do not claim
>> it as a fact. Your statement claimed a factual basis. I was
>> naturally curious to see what evidence supported your claim.
>
> Citation required.
>
> Allow me an example. To quote you:
> "The usual way a private key gets compromised is by theft or by
> tampering with its generation. Putting yourself on a hamster wheel of
> constant certificate generation and distribution simply increases the
> opportunities for key theft and tampering."
>
> Now, when you asked "what possible benefit accrues from changing
> secured device keys on a frequent basis?" I pointed you to
> letsencrypt's documentation, which describes the benefits of
> 90-day certificates.

Having actual software in the possession of users rendered unusable by a policy decision implemented in the name of security is not beneficial. Referring to others self-justification of measures they have already implemented is not evidence. It is argument. Which has its place providing that one accepts the fundamental postulates of the positions being argued. These, in this case, require evidence.

Assertions that these measures solve certain perceived flaws without addressing the costs of those measures is a one-side argument and not very convincing in my opinion. Refusing to deal with that is simply ignoring the elephant in the room.

>
> So, please describe how I am "claiming a factual basis" while you are
> not.
>
>> Automated security is BS. It has always been BS and it always will
>> be BS. That is my OPINION. It may not be a fact for I lack
>> empirical evidence to support it. However, it has long been my
>> observation that when people place excessive trust in automation
>> they are eventually and inevitably betrayed by it. Often at
>> enormous cost.
>
> This is what I consider "enormous cost":
> https://en.wikipedia.org/wiki/Heartble
Re: [CentOS] https and self signed
On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
> On 06/18/2016 02:49 PM, James B. Byrne wrote:
>> On Fri, June 17, 2016 21:40, Gordon Messmer wrote:
>>> https://letsencrypt.org/2015/11/09/why-90-days.html
>> With respect citing another person's or people's opinion in support
>> of your own is not evidence in the sense I understand the word to
>> mean.
>
> I'm not interested in turning this in to a discussion on epistemology.
> This is based on the experience (the evidence) of some of the world's
> foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc).

Really? Then why did you forward your reply a private message to a public mailing list if not to do exactly what you claim you wish to avoid?

>
>> The assertion expressed in the link given above that 90-day
>> certificate lives will serve to increase certificate renewal
>> automation is at best a pious hope.
>
> You are ignoring the fact that the tool used to acquire letsencrypt
> certificates automates the entire process. They're not merely hoping
> that users will automate the process, they're automating it on behalf
> of users. They've done everything but schedule it for their users.
>
>> One that is unlikely to be
>> realised in my opinion for the simple reason that automated and
>> therefore mostly unobserved security systems are a primary target
>> for tampering.
>
> For someone who wants "evidence" you make a lot of unsupported
> assertions. You do see the irony, don't you?

The difference is that I state this is my opinion and I do not claim it as a fact. Your statement claimed a factual basis. I was naturally curious to see what evidence supported your claim.

>
>> Likewise the authors' opinion that pki certificates are in
>> general just casually left laying around to be compromised displays
>> a certain level of what reasonably could be considered elitist
>> contempt for the average human's intelligence.
>
> Or, you know, a review of actual security problems in the real world.
>
>> Even as arguments I find these two positions are less than
>> compelling.
>> And in no respect could either opinion be considered evidence.
>
> That's fine. I don't really need to convince you, personally, of
> anything. But for the security of the internet community in general,
> I'll continue to advocate for secure practices, including pervasive
> security (which means reducing barriers to the use of encryption at
> all points along the process of setup).
>
>

I know, and we put infants on no-fly lists for essentially the same religious beliefs. The benefit of so-called general security for the rest of us who do not have to bear its individual specific cost. There is no evidence that this sort of stuff works. It is just done so that if anything bad happens the authorities can claim that they did something preventative which they can point to. Regardless of how ineffectual it was.

Automated security is BS. It has always been BS and it always will be BS. That is my OPINION. It may not be a fact for I lack empirical evidence to support it. However, it has long been my observation that when people place excessive trust in automation they are eventually and inevitably betrayed by it. Often at enormous cost.

Let me give you an example of stupidity in action with respect to signed certificates. I have a MacBookPro c. early 2009. There have been five or six major releases of OSX since then. Being a cautious type I download the upgrade installer apps and archive them before installing and upgrading.

Over this past weekend my MB stopped booting. It would get to the Apple symbol and go black. Much trial, error, and research later I discover that this sometimes occurs when a MB has been repeatedly upgraded and that a clean install is the recommended cure. Oh, by-the-way, if you ever have to do this then do not use the Apple Migration Assistant app when you are done. You will be sorry.

So, I get out my archived Installer app, go to install it and BANG! My MB proclaims that "Somebody has tampered with the application or it is corrupted!". OH NO!

This impediment however is strictly an artefact of signing code with short term certificates. I simply had to reset the date on my MB back to some future date when the certificate was valid and everything worked fine.

Of course this took me a great deal of frustrating effort to discover what had happened to all of my archived copies and how to fix it. In the middle of a system recovery I might add. But hey, what is my time worth in comparison to the security those certificates provided? SECURITY that was trivially evaded in the end. Exactly what mindless person or committee of bike-shedd
Re: [CentOS] [Fwd: Re: https and self signed]
On Fri, June 17, 2016 13:08, Valeri Galtsev wrote:
>
> We do not expire accounts until the person leaves the Department
> and grace period passes. Then we do lock account and after some
> time person's files are being deleted. This is the policy, and
> this is what we do. The only time when account expiration is being
> set is for undergraduate students who temporarily work with some
> professor. For them expiration is being changed when they continue
> to work with the professor next academic year.
>
> Is this not what everybody does?
>

Every end-user account, including my own, is given an expiry date six to twelve months in the future and that is extended at intervals as needed. The only exception to this are the root users which have no expiry date set.

A forgotten and disused user account that retains access to your system is a significant risk in my opinion.

--
James B. Byrne
Re: [CentOS] https and self signed
On Fri, June 17, 2016 11:06, Walter H. wrote:
> On 17.06.2016 16:46, James B. Byrne wrote:
>> On Thu, June 16, 2016 13:53, Walter H. wrote:
>>> On 15.06.2016 16:17, Warren Young wrote:
>>>> but it also affects the other public CAs: you can't get a
>>>> publicly-trusted cert for a machine without a publicly-recognized
>>>> and -visible domain name. For that, you still need to use
>>>> self-signed certs or certs signed by a private CA.
>>>>
>>> A private CA is the same as self signed;
>>>
>> No it is not. A private CA is as trustworthy as the organisation
>> that operates it. No more and not one bit less.
>>
>> We operate a private CA for our domain and have since 2005. We
>> maintain a public CRL strictly in accordance with our CPS and have
>> our own OID assigned.
> for your understanding: every root CA certificate is self signed;
> any SSL certificate that was signed by a CA not delivered as built-in
> token in a browser is the same as self-signed;
>
>
>

For your understanding, a self-signed certificate is one that has been signed by itself. Naturally ALL root certificates are self-signed. The self-signed root cert is then used to sign a subordinate CA issuing cert and that issuing cert is used to sign other subordinate CAs and / or end-user certs depending upon the permissions given it by the original signing certificate. This establishes the certificate trust chain.

If a website presents an actual self-signed cert to Firefox for example, it will refuse it. I suppose there is a way to circumvent this behaviour but I am not aware of it.

If you present a certificate that is not self-signed but is signed by an authority whose root certificate chain is not in the trusted root store then Firefox gives you a warning -- as given in a preceding message 'net::ERR_CERT_AUTHORITY_INVALID' -- but it none-the-less allows you to accept the certificate as an exception and proceed to the website.

If you do not want to get warnings and you trust the issuer then you can add their issuing CA cert chain to your trusted root certificate store.

--
James B. Byrne
[CentOS] [Fwd: Re: https and self signed]
On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
>
> On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
>
>> Keys issued to individuals certainly should have short time limits
>> on them. In the same way that user accounts on systems should
>> always have a near term expiry date set. People are careless.
>> And their motivations are subject to change.
>
> James, though in general one is likely to agree with this, I still
> consider the conclusion I came to after discussions more than a decade
> ago valid for myself. Namely: forcing everyone to change password
> often pisses careful people off for nothing. Passwords they create
> and carefully keep can stand for decades, and only can be
> compromised on some compromised machine.

But I never mentioned anything about passwords. I quite agree with you with respect to avoiding needless password churn. What I wrote was specifically user accounts and their expiry dates. These should be short. Say six to twelve months or so. When the account expires then it can be renewed for another six or 12 months. The password for it is not changed.

One can always write a script to automatically search for and report pending expirations. There is no real need for accounts to actually expire. But, even if accounts do expire for active users then it is not much of a hardship to report the fact and to have them reactivated. On the other hand, disused accounts never get reported and remain deactivated.

Also, when a person leaves our employ and somehow the cancellation of all or some of their accounts gets overlooked in the out-processing then shortly their accounts will be deactivated automatically. A fail safe mechanism.

--
James B. Byrne
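The reporting script mentioned in the message above, and the expiry policy described in the reply to Valeri Galtsev earlier on this page, can be sketched as follows. This is an added example, not code from the thread: it reads the account expiry field (field 8 of shadow(5), days since 1970-01-01) and lists accounts that have expired, that expire within a warning window, or that have no expiry date at all. The sample entries, the 30-day window, the root exemption and the function names are assumptions.

```python
"""Report expired, soon-to-expire and never-expiring accounts from shadow(5)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample in shadow(5) format. Field 8 is the account expiry
# date in days since 1970-01-01; an empty field means "never expires".
SAMPLE_SHADOW = """\
root:$6$constructed$hash:16900:0:99999:7:::
alice:$6$constructed$hash:16900:0:99999:7::16990:
bob:$6$constructed$hash:16900:0:99999:7::16950:
carol:$6$constructed$hash:16900:0:99999:7:::
daemon:*:16900:0:99999:7:::
dave:!!:16900:0:99999:7::17200:
"""


def parse_shadow(text):
    """Yield (user, password_field, expiry_date_or_None) for each entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            continue  # malformed entry: the expiry field is missing
        user, passwd, expire = fields[0], fields[1], fields[7]
        expiry = EPOCH + timedelta(days=int(expire)) if expire.isdigit() else None
        yield user, passwd, expiry


def expiry_report(text, today, warn_days=30, exempt=("root",)):
    """Classify accounts by expiry state relative to `today`.

    exempt: accounts allowed to have no expiry date (assumed policy).
    Accounts with no expiry whose password field starts with '!' or '*'
    are treated as locked service accounts and are not reported.
    """
    report = {"expired": [], "pending": [], "no_expiry": []}
    horizon = today + timedelta(days=warn_days)
    for user, passwd, expiry in parse_shadow(text):
        if expiry is None:
            if user not in exempt and not passwd.startswith(("!", "*")):
                report["no_expiry"].append(user)
        elif expiry <= today:
            report["expired"].append((user, expiry))
        elif expiry <= horizon:
            report["pending"].append((user, expiry))
    return report


if __name__ == "__main__":
    # Fixed date so the constructed sample gives the same result every run.
    result = expiry_report(SAMPLE_SHADOW, date(2016, 6, 17))
    for user, when in result["expired"]:
        print(f"EXPIRED   {user} on {when}")
    for user, when in result["pending"]:
        print(f"PENDING   {user} on {when}")
    for user in result["no_expiry"]:
        print(f"NO EXPIRY {user}")
```

On a live system the same functions can be given the contents of /etc/shadow, which requires root to read.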
Re: [CentOS] https and self signed
On Thu, June 16, 2016 14:23, Valeri Galtsev wrote:
>
> On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote:
>>
>> I doubt that most users check the dates on SSL certificates,
>> unless they are familiar enough with TLS to understand that
>> a shorter validity period is better for security.
>
> Oh, this is what he meant: Cert validity period. Though I agree
> with you in general (shorter period public key is exposed smaller
> chance secret key brute-force discovered),

Like many things that appear to be common-sense these assumptions have no empirical basis. A properly generated RSA certificate and key of sufficient strength -- RSA k>=2048bits -- should provide protection from brute force attacks for decades if not centuries.

The usual way a private key gets compromised is by theft or by tampering with its generation. Putting yourself on a hamster wheel of constant certificate generation and distribution simply increases the opportunities for key theft and tampering.

Keys issued to individuals certainly should have short time limits on them. In the same way that user accounts on systems should always have a near term expiry date set. People are careless. And their motivations are subject to change. So having a guillotine date on a personal certificate makes sense from an administrative standpoint. One wants to fail safe.

But modifying certificates on sealed servers? Really, unless one has evidence of penetration and theft of the key store, what possible benefit accrues from changing secured device keys on a frequent basis?

We mainly use 4096bit keys which will be secure from brute force until the advent of Quantum computing. At which point brute force attacks will become a pointless worry. Not because the existing RSA certificates and keys will withstand those attacks but because the encryption process itself will move onto quantum devices. That development, if and when it occurs, will prove more than the code breakers will ever be able to handle.

Of course then one must worry about the people who build the devices. But we all have to do that already. Bought any USB devices from China recently?

--
James B. Byrne
Re: [CentOS] https and self signed
On Thu, June 16, 2016 13:53, Walter H. wrote:
> On 15.06.2016 16:17, Warren Young wrote:
>> but it also affects the other public CAs: you can't get a
>> publicly-trusted cert for a machine without a publicly-recognized
>> and -visible domain name. For that, you still need to use
>> self-signed certs or certs signed by a private CA.
>>
> A private CA is the same as self signed;
>

No it is not. A private CA is as trustworthy as the organisation that operates it. No more and not one bit less.

We operate a private CA for our domain and have since 2005. We maintain a public CRL strictly in accordance with our CPS and have our own OID assigned. Our CPS and CRL together with our active, expired and revoked certificate inventory is available online at ca.harte-lyne.ca. Our CPS states that we will only issue certificates for our own domain and furthermore we only issue them for equipment and personnel under our direct control.

In a few years DANE is going to destroy the entire market of 'TRUSTED' root CA's -- because really none of them are trust 'worthy' --. And that development is long overdue. When we reach that point many domains, if not most, will have their DNS forward zones providing TLSA RRs for their domain CA certificates and signatures. And most of those that do this are going to be running their own private CA's simply to maintain control of their certificates.

Our DNS TLSA flags tell those that verify using DANE that our private CA is the only authority that can issue a valid certificate for harte-lyne.ca and its sub-domains. Compare that to the present case wherein any 'trusted' CA can issue a certificate for any domain whatsoever; whether they are authorised by the domain owner or not[1]. So in a future with DANE it will be possible to detect when an apparently 'valid' certificate is issued by a rogue CA.

The existing CA structure could not have been better designed for exploitation by special interests. It has been and continues to be so exploited.

Personally I distrust every one of the preloaded root CAs shipped with Firefox by manually removing all of their trust flags. I do the same with any other browser I use. I then add back in those trusts essential for my browser operation as empirical evidence warrants. So I must trust certain DigiCert certificates for GitHub and DuckDuckGo, GeoTrust for Google, COMODO for Wikipedia, and so forth. These I set the trust flags for web services only. The rest can go pound salt as we used to say.

[1] https://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/

--
James B. Byrne
Re: [CentOS] dnf replacing yum?
On Thu, May 26, 2016 10:51, Juan Bernhard wrote:
>
> On 26/05/2016 at 11:39 a.m., Valeri Galtsev wrote:
>> I guess, it is just me in general unhappy about all Linuxes
>> getting much less "UNIX"y lately.
>
> I feel you Valeri, I'm switching new server installations to FreeBSD.
> I'm tired to spend useful time learning new ways (systemd, firewalld,
> dnf, etc) to do the same old sh*t.
>
>

We are doing exactly the same thing and for the same reasons. We have been running RH or its derivatives since 1998 but now it is time for us to move on.

--
James B. Byrne
Re: [CentOS] CentosPlus
On Wed, May 18, 2016 07:39, Mauricio Tavares wrote:
> On Wed, May 18, 2016 at 4:32 AM, James Hogarth wrote:
>> On 17 May 2016 20:52, "Mauricio Tavares" wrote:
>>>
>>> On Tue, May 17, 2016 at 3:04 PM, wrote:
>>> > On 2016-05-17 12:09, jd1008 wrote:
>>> >> Has anybody enabled this repo?
>>> >> I understand that it can really mess up updates and upgrades
>>> >> as the dependencies are rather different.
. . .
>>> >
>>> Why not leave all the extra repos disabled, say
>>>
>>> sed -i -e 's/^enabled=1/enabled=0/' /etc/yum.repos.d/epel.repo
>>>
>>> and manually enable it when you need to get a package from said
>>> repo:
>>>
>>> yum install -y libmcrypt --enablerepo=epel
>>>
>>
>> Doing this means you won't get notified of updates in that repo.
>> This is not a good idea.
>
> I see your point since you can setup repo priorities
>
>

Having been bitten by this on several occasions I finally adopted the policy of using the -- includepkgs= -- option and specifically naming the packages that I want from a non-standard repo; and also using -- exclude= -- in the standard repo naming exactly the same packages as those included elsewhere. You can use globbing in the package names in both cases.

It is a little more work to set up but it is a lot safer to my way of thinking, particularly where there are multiple sysadmins involved.

--
James B. Byrne
Re: [CentOS] google cloud compute with PEM file
On Tue, May 17, 2016 16:34, Dustin Kempter wrote:
>> ere.
>>
> Here is the command and output
>
>
> [test1@pgpool1 ~]$ ssh -v -i /home/test1/my-key.txt
> upload@144.167.188.62
. . .
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more
> information
> Credentials cache file '/tmp/krb5cc_501' not found
>
> debug1: Unspecified GSS failure. Minor code may provide more
> information
> Credentials cache file '/tmp/krb5cc_501' not found
>
> debug1: Unspecified GSS failure. Minor code may provide more
> information
>
>
> debug1: Unspecified GSS failure. Minor code may provide more
> information
> Credentials cache file '/tmp/krb5cc_501' not found
>
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/test1/my-key.txt
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type
> Enter passphrase for key '/home/test1/my-key.txt':
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> [test1@pgpool1 ~]$
>
>
>

If SELinux is enabled then try this:

restorecon -R ~/.ssh

--
James B. Byrne
Re: [CentOS] CentOS-6.7 problem updating kernel
On Mon May 9 2016 15:24:20 UTC, Jonathan Billings wrote:
>
>> On Mon, May 9, 2016 10:26, James B. Byrne wrote:
>>
>> Any ideas as to what happened and how to fix it?
>>
>
> It looks like your package update was interrupted by a
> SIGHUP signal (that's what the Hangup is from). The
> %posttrans scriptlet for the kernel package was interrupted
> by the SIGHUP signal. No idea what might have broken, but
> I'd suggest reinstalling that package
> 'yum reinstall kernel-2.6.32-573.26.1.el6.x86_64'
> and make sure it worked.

Thank you. I have reinstalled the kernel package as instructed and will reboot the system after close of business today to see if that clears things up.

--
James B. Byrne
[CentOS] CentOS-6.5 - CD/DVD does not sense media
In dealing with problem 1 - see previous message - I set about creating a live DVD on my development system. Now I find that I cannot seem to mount a medium in that drive.

wodim --devices reports it as present and so does cdrecord. I can use the eject utility to toggle the tray open and closed. But when I load a blank dvd or cd in that unit I get nothing on my desktop - in other words I am not getting an auto mount, and I cannot do anything with dd to that dev either.

wodim --devices
wodim: Overview of accessible drives (1 found) :
 0 dev='/dev/scd0' rwrw-- : 'HL-DT-ST' 'DVD-RAM GH22NS30'

cdrecord -inq
Device was not specified. Trying to find an appropriate drive...
Detected CD-R drive: /dev/cdrw
Using /dev/cdrom of unknown capabilities
Device type: Removable CD-ROM
Version: 5
Response Format: 2
Capabilities :
Vendor_info: 'HL-DT-ST'
Identification : 'DVD-RAM GH22NS30'
Revision : '1.01'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.

But cdrecord says that there is no media present although I have empirically determined that a blank dvd is in fact loaded into the device:

cdrecord -load
wodim: Operation not permitted. Warning: Cannot raise RLIMIT_MEMLOCK limits.Device was not specified. Trying to find an appropriate drive...
Detected CD-R drive: /dev/cdrw
Using /dev/cdrom of unknown capabilities
Device type: Removable CD-ROM
Version: 5
Response Format: 2
Capabilities :
Vendor_info: 'HL-DT-ST'
Identification : 'DVD-RAM GH22NS30'
Revision : '1.01'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Using generic SCSI-3/mmc CD-R/CD-RW driver (mmc_cdr).
Driver flags : MMC-3 SWABAUDIO BURNFREE
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Errno: 5 (Input/output error), test unit ready scsi sendcmd: no error
CDB: 00 00 00 00 00 00
status: 0x2 (CHECK CONDITION)
Sense Bytes: 70 00 02 00 00 00 00 0A 00 00 00 00 3A 01 00 00
Sense Key: 0x2 Not Ready, Segment 0
Sense Code: 0x3A Qual 0x01 (medium not present - tray closed) Fru 0x0
Sense flags: Blk 0 (not valid)
cmd finished after 0.000s timeout 40s
wodim: No disk / Wrong disk!

Any ideas as to what is happening here?

--
James B. Byrne
[CentOS] CentOS-6.7 problem updating kernel
We have four identical hardware systems. On one of them the most
recent kernel update yields this error:

# yum history info 332
Loaded plugins: etckeeper, fastestmirror, priorities
Transaction ID : 332
Begin time : Wed May 4 10:21:07 2016
Begin rpmdb: 831:9ef9185577e3d2adb2d1ff0045619e1e0d9ed23a
User : root
Return-Code: ** Aborted **
Command Line : update -y
Transaction performed with:
Installed rpm-4.8.0-47.el6.x86_64 @base
Installed yum-3.2.29-69.el6.centos.noarch @base
Installed yum-metadata-parser-1.1.2-16.el6.x86_64 @base
Installed yum-plugin-fastestmirror-1.1.30-30.el6.noarch @base
Packages Altered:
** Updated initscripts-9.03.49-1.el6.centos.4.x86_64 @updates
Update 9.03.49-1.el6.centos.5.x86_64 installed
** Erase kernel-2.6.32-573.7.1.el6.x86_64 @updates
Install kernel-2.6.32-573.26.1.el6.x86_64 installed
** Updated kernel-firmware-2.6.32-573.22.1.el6.noarch @updates
Update 2.6.32-573.26.1.el6.noarch installed
** Updated kernel-headers-2.6.32-573.22.1.el6.x86_64 @updates
Update 2.6.32-573.26.1.el6.x86_64 installed
** Updated perf-2.6.32-573.22.1.el6.x86_64 @updates
Update 2.6.32-573.26.1.el6.x86_64 installed
Scriptlet output:
1 error: %posttrans(kernel-2.6.32-573.26.1.el6.x86_64) scriptlet failed, signal 1
2 /sbin/dracut: line 1: 7063 Hangup ! ( umask 077; cd "$initdir"; find . | cpio -R 0:0 -H newc -o --quiet | $gzip -9 > "$outfile" )
history info

Any ideas as to what happened and how to fix it?

--
James B. Byrne

Re: [CentOS] yum update (first in a long time) - /var/log/dovecot no longer used
On Fri, May 6, 2016 04:36, John Hodrien wrote:
> On Fri, 6 May 2016, Gary Stainburn wrote:
>
>> What I didn't expect, and what really threw me was that this has
>> been implemented via a simple 'yum update' of an existing system,
>> not at a major release level.
>
>
> Something like RHEL is stuck in a trap here. Either they never
> change a default post-install (lots of rpmnew or deliberately
> not introducing new behaviours), or they bring in defaults as
> you update (to some extent doing things like rpmsave). Some
> people would complain whichever option they chose.

Or have packagers divide configuration files into system and local
with local overriding system. Then restrict software updates such
that they modify only system configs leaving locals alone. That way
new things can be added while old things are left as they are.

Some software already behaves like this. There is no evident
technical reason why most of the rest could not as well.

If an update is such that old things cannot be left alone then that is
sufficient to require an rpmnew and a warning to the installer that
manual intervention is required to complete the update. In fact,
anything of that nature would benefit from requiring a special switch
to install so that 'yum update' would not break a running system.

--
James B. Byrne

Re: [CentOS] Centos in the Browser string ?
On Thu, March 24, 2016 11:56, g wrote:
>
>
> On 03/24/16 09:29, Richard wrote:
>>> Date: Thursday, March 24, 2016 14:10:41 +
>>> From: Always Learning
>>> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:
>>>
>>>> What purpose does it serve? I don't object to it being there
>>>> but I also don't see a benefit to it being there.
>>>>
>>>> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS
>>>> developers to emulate...
>>>
>>> Spread the successful Centos 'brand name' :-)
>>
>> The user-agent string is one of the items used in uniquely
>> identifying/fingerprinting a user/machine, so the more generic it is
>> the better. Including the details of the OS add to the "bits of
>> identifying information" available to trackers.
>>
>> See the EFF testing site for more details:
>>
>> <https://panopticlick.eff.org/>
>>
> --
>
> aware of panopticlick.
>
> if you have a file in profile directory, add this to it. if not,
> create file and paste this in it.
>
> //set user agent to blank
> user_pref("general.useragent.override", " ");
>
> what makes you get a unique rating is that you report no agent. only
> info any site will know about you is your ip address.
>
> if you want to hide that, use a proxy server. ((GBWG))
>
>

On the other hand, setting it to 'Mozilla/5.0 (Windows NT 6.1;
rv:38.0) Gecko/20100101 Firefox/38.0' would make one look like the
latest TOR browser. Which, if CentOS set Firefox to that by default,
would make identifying TOR users a great deal harder.

Just a thought.

--
James B. Byrne

[CentOS] IPv6 on CentOS-6 - IPTables
It appears likely that within the next two quarters we will be moving
off of our IPv4 class C's and onto a single IPv6 /40 for our sites.
We have a fairly complex IPTables setup which handles our gateways and
internal hosts.

My question is just how much effort is involved in moving these rules
from IPv4 to IPv6? Are there elements in one that are not available
in the other? Are there any fundamental incompatibilities? Does anyone
have a good reference to a case history of moving from one to the
other?

Regards,

--
James B. Byrne

Re: [CentOS] Utility to zero unused blocks on disk
On Tue, February 9, 2016 16:05, Chris Murphy wrote:
> On Mon, Feb 8, 2016 at 11:18 PM, John R Pierce
> wrote:
>> On 2/8/2016 9:54 PM, Chris Murphy wrote:
>>>
>>> Secure erase is really the only thing to use on SSDs.
>>> Writing a pile of zeros just increases wear (minor negative)
>>> but also doesn't actually set the cells to the state required
>>> to accept a new write,

Secure erase of an SSD, or any solid state device, is problematic.
See:

http://www.techrepublic.com/article/erasing-ssds-security-is-an-issue/

The CSE requires physical destruction of these devices through
pulverisation or incineration. See:

https://cse-cst.gc.ca/en/system/files/pdf_documents/itsg06-eng.pdf

The USDOD leaves disposal protocols to the individual commands.

Essentially, due to the way data is stored on SSDs, it is impossible
to access every memory cell during a software driven wipe; no matter
how many passes are made. The possibility of significant fragments of
residual data remaining is always greater than zero.

However, if you entirely encrypt an SSD, BEFORE adding any
confidential material, then secure destruction is assured by
'forgetting' the key. But encrypting an SSD after the material is put
on it is not sufficient.

--
James B. Byrne

Re: [CentOS] Latest version of kate editor
On Tue, February 2, 2016 12:02, H wrote:
>
> What do people use as a programming editor on CentOS 6? My first
> impression of kate was favorable, not only did it support the usual
> programming and scripting languages but also markdown which I have
> recently discovered...
>
>

I use vim/gvim together with numerous add-ons from Tim Pope.

--
James B. Byrne

[CentOS] CD-Mount on CentOS-6.7
When I load a blank cd into the optical drive on my CentOS-6.7
workstation I am not getting any window or visible mount action on my
Gnome desktop. Formerly, when I mounted a writeable media in this
drive on this host I would see a nautilus style file browser window
open with inducements to add files.

When I visit /mnt I see nothing:

ll /mnt
total 0

My fstab does not seem to have much to say either:

cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Mon Sep 24 12:57:28 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_vhost04-lv_root / ext4 defaults 1 1
UUID=a9a7cc59-bd0c-4362-9ab6-f721e25df2f8 /boot ext4 defaults 1 2
/dev/mapper/vg_vhost04-lv_home /home ext4 defaults 1 2
/dev/mapper/vg_vhost04-lv_tmp /tmp ext4 defaults 1 2
/dev/mapper/vg_vhost04-lv_log /var/log ext4 defaults 1 2
/dev/mapper/vg_vhost04-lv_spool /var/spool ext4 defaults 1 2
/dev/mapper/vg_vhost04-lv_swap swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/vg_vhost04/lv_data_disk_images /var/data/disk_images ext4 defaults 0 0
/dev/vg_vhost04/lv_home_byrnejb /home/byrnejb ext4 defaults 0 0
/dev/vg_vhost04/lv_var /var_new ext3 defaults 0 0

The hardware seems to be there:

lshw
. . .
*-cdrom
     description: DVD-RAM writer
     product: DVD-RAM GH22NS30
     vendor: HL-DT-ST
     physical id: 1
     bus info: scsi@3:0.0.0
     logical name: /dev/cdrom
     logical name: /dev/cdrw
     logical name: /dev/dvd
     logical name: /dev/dvdrw
     logical name: /dev/scd0
     logical name: /dev/sr0
     version: 1.01
     capabilities: removable audio cd-r cd-rw dvd dvd-r dvd-ram
     configuration: ansiversion=5 status=nodisc
*-serial UNCLAIMED
     description: SMBus
     product: 82801JI (ICH10 Family) SMBus Controller
     vendor: Intel Corporation
     physical id: 1f.3
     bus info: pci@:00:1f.3
     version: 00
     width: 64 bits
     clock: 33MHz
     configuration: latency=0
     resources: memory:d0825800-d08258ff ioport:1180(size=32)
. . .

Now, I have not played with any of this stuff in quite some time and I
used it late last year to cut CentOS-7 ISOs. So my question is: What
has changed to cause this behaviour? Any ideas?

--
James B. Byrne

Re: [CentOS] What to do when you've been hacked?
On Mon, January 25, 2016 19:12, Benjamin Smith wrote:
>
> Which I'd consider "best practices" and we do them.
> They are specifically asking about what to do *after* a
> breach. Despite all the best practices in
> place, there's *still* some risk.
>

If someone wants in to your network then they will get in. There is
no point in deluding yourself or your clients on that point.

The first thing that you must do after a breach is detected, or even
suspected, is to notify all affected parties. There is an
institutional bias against revelation of security incidents because of
the fear of embarrassment. This is often couched in terms using the
word 'premature'. Failure to disclose at the earliest opportunity is
unethical and ultimately self-defeating. You will never regain trust
thereafter.

The second thing to do, concurrently with the first, is to isolate the
affected systems from the rest of your network. If that means
physically pulling wires and putting the things on their own switch
and LAN segment blocked from the rest of your networks then do it. If
it means shutting down the affected hosts then do it. If it means
disconnecting from the network at your gateway then do it. They are
in and they are looking for ways to expand their foothold. Delaying
containment is pointless.

The third thing to do is to involve the authorities. Unauthorised
computer access is an indictable offence in Canada and the UK. It is
a federal felony in the U.S.A. If you have an incident then report
it. That means you should have computer emergency response contact
information and reporting protocols already in place.

Now, with your clients and the authorities notified and the suspect
systems isolated, you begin to map out your recovery strategy. The
basic bones of which you have already written down and implemented in
your backup and disaster recovery plan. A security breach is a
disaster. You need to start with that point clearly in mind and
proceed on that basis.

Once corporate and client services are restored on clean hosts and
reconnected to the Internet then begin your investigation. Use your
AIDE and syslog records to determine the point of entry, the length of
compromise and the extent of penetration. If possible identify the
nature of the attackers and their target. Where possible keep the
compromised hosts' disk drives unaltered for further technical
analysis. Where warranted bring in forensic investigators to examine
them.

It will likely prove impossible to positively identify them but you
should be able to glean some inkling if this was a targeted breach or
an opportunistic one. If the former then they will be back and you
will need to consider how to deal with the next assault.

--
James B. Byrne

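The investigation step in the message above (using syslog records to find the point of entry and the length of compromise), as an added example that is not part of the original post. It parses constructed sshd authentication lines in the classic syslog format and reports, per source address, the first accepted login that followed a run of failures and how long that address kept logging in afterwards; the log lines, host name, year and failure threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format sshd writes through syslog (for example to
# /var/log/secure). Addresses come from documentation ranges; nothing here is
# taken from a real host.
SAMPLE_LOG = """\
Jan 20 02:11:03 gw01 sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jan 20 02:11:09 gw01 sshd[4103]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jan 20 02:11:15 gw01 sshd[4105]: Failed password for backup from 203.0.113.45 port 51141 ssh2
Jan 20 02:11:21 gw01 sshd[4107]: Accepted password for backup from 203.0.113.45 port 51150 ssh2
Jan 20 08:30:12 gw01 sshd[5210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 22 03:02:44 gw01 sshd[7781]: Accepted password for backup from 203.0.113.45 port 52210 ssh2
Jan 25 18:40:00 gw01 sshd[9912]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jan 25 18:40:09 gw01 sshd[9914]: Accepted password for alice from 198.51.100.7 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<addr>\S+) port \d+"
)


def parse_events(log_text, year):
    """Return sorted (when, result, user, addr) tuples.

    Classic syslog timestamps carry no year, so the caller must supply it;
    a log that spans New Year has to be split before parsing.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication result
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["result"], m["user"], m["addr"]))
    return sorted(events)


def entry_candidates(events, min_failures=3):
    """Flag accepted logins that directly follow a run of failures.

    For each source address the first such login is the candidate point of
    entry; later accepted logins from the same address extend 'last_seen',
    which bounds the length of compromise from below.
    """
    streak = defaultdict(int)  # consecutive failures per address
    found = {}
    for when, result, user, addr in events:
        if result == "Failed":
            streak[addr] += 1
            continue
        if addr in found:
            found[addr]["last_seen"] = when
        elif streak[addr] >= min_failures:
            found[addr] = {
                "addr": addr,
                "user": user,
                "first_entry": when,
                "last_seen": when,
                "failures_before": streak[addr],
            }
        streak[addr] = 0  # an accepted login ends the failure run
    candidates = sorted(found.values(), key=lambda c: c["first_entry"])
    for c in candidates:
        c["span"] = c["last_seen"] - c["first_entry"]
    return candidates


if __name__ == "__main__":
    for c in entry_candidates(parse_events(SAMPLE_LOG, 2016)):
        print(f"{c['addr']} entered as {c['user']} at {c['first_entry']} "
              f"after {c['failures_before']} failures; active for {c['span']}")
```

The result is only as trustworthy as the log itself, so run it against copies shipped to a separate log host rather than files left on the compromised system.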
Re: [CentOS] Hylafax without modems - SIP?
On Tue, January 26, 2016 04:57, Gary Stainburn wrote:
> I've just had to replace my Hylafax server as the cooling fan in the
> rack case has died and could not be replaced.
>
> My box runs three fax modems, one for each of the original 3 fax
> machines that got skipped years ago.
>
> This means that I now have 3 lots of:
>
> USB to serial converter (new box doesn't have any COM ports.
> 9pin->25-pin serial cable
> Modem
> power supply
> phone line
> analogue port on our Mitel 3300 controller
>
> I was wondering if there a better way?
>
> I've done lots of Googling and there is a lot of conflicting - and
> mostly very old - information out there.
>
> Does anyone have any more up-to-date opinions or advice on doing this?
>
> Most of the concerns about reliability were based on IP latency,
> but my fax server and my Mitel controller are both on the same
> ProCurve Gigabit switch so hopefully that would be quick enough
>
>

We run Hylafax+ and use a Digium TDM800P analogue card in a Atom based
Supermicro 1u running Asterisk to connect to our fax lines using
standard RJ11 plugs. On the Asterisk host we run iaxmodem to listen
to the analogue ports. Hylafax+ talks to the iaxmodem instances.
This can be a network connection so it is not necessary to have
Hylafax running on the host with the FXO connection.

We have been running this setup with Avantfax as the UI since summer
2013 without problems. The load on the fax host is trivial.

--
James B. Byrne

Re: [CentOS] Just need to vent
On Sun, January 24, 2016 11:45, Peter Duffy wrote:
>
> Trouble is that when you go from 6 to 7, you also have the delights of
> systemd and grub 2 to contend with.
> . . .
> Similarly with others who have commented, I simply cannot
> understand why the maintainers of crucial components in
> linux have this thing about making vast changes which impact
> (usually adversely) on users and admins, without (apparently)
> any general discussion or review of the proposed changes.
> What happened to RFCs? Maybe it's a power thing - we
> can do it, so we're gonna do it, and if ya don't like it, tough!
>

Part of it is marketing. Most of it is ego.

> It would be very interesting to know how many other users are
> still on CentOS/Red Hat 6 as a result of reluctance to enjoy
> all the - erm - improvements in 7. Maybe it's time to fork
> CentOS 6 and make it look and behave like 7 without systemd
> (or even better, with some way of selecting the init methodology
> at install-time and afterwards), and with gnome2 (or a clear
> choice between 2 and 3). Call it DeCentOS.
>

Depending on how the systemd drama plays out CentOS-6 may well be our
last RH derivative, and perhaps our last Linux. At the moment we are
withholding any judgement on the matter for want of clear empirical
evidence respecting systemd's benefits and risks.

On our test CentOS-7 systems we eventually switched to Mate. That in
itself sorted out most of the most visceral negativity to RHEL7. But
systemd, rightly or wrongly, remains a controversial issue here. And,
being more interested in stability than features we will await
further developments on that front.

Maybe someone could convince Linus to embed an init processor into the
kernel in a manner similar to how KVM made its way.

--
James B. Byrne

Re: [CentOS] HDD badblocks
On Tue, January 19, 2016 18:36, John R Pierce wrote:
> On 1/19/2016 3:29 PM, J Martin Rushton wrote:
>> I suspect that the gold layer on edge connectors 30-odd years ago
>> was a lot thicker than on modern cards. We are talking contacts on
>> 0.1" spacing not some modern 1/10 of a gnat's whisker. (Off topic)
>> I also remember seeing engineers determine which memory chip was at
>> fault and replacing the chip using a soldering iron. Try that on a
>> DIMM!
>
> indeed, I pretty much quit doing component level electronics when
> everything went to surface mount.
>
>

Kids these days! I remember taking the vacuum tubes to the testing
centre in the corner drug-store to see which ones need replacing.

Apologies to the four Yorkshiremen.

--
James B. Byrne

Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes
On Sat, January 9, 2016 19:48, Gordon Messmer wrote:
> On 01/09/2016 03:30 PM, isdtor wrote:
>> Search for policy routing.
>
> Policy routing isn't relevant.
>
> In order to communicate across a LAN, two hosts must be in the same
> broadcast domain. Hosts in 192.168.51.0/24 cannot communicate with
> hosts in 192.168.52.0/24.
>
>

If I have all of the kvm guests on both hosts, together with the br0
bridge on both hosts, configured with addresses on the same a.b.c.0/24
network then will all communication on a.b.c.0/24 pass over br0 if the
target address is on the other host?

kvmh1g1 eth0=192.168.51.100
kvmh1 br0=192.168.51.41
kvmh2 br0=192.168.51.42
kvmh2g1 eth0=192.168.51.200

In other words, with the address configuration given above, will
traffic from 192.168.51.200 reach 192.168.51.100 via the cross-over
cable between 192.168.51.42/192.168.51.41?

--
James B. Byrne

[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
Our firm uses a dedicated virtual host to provide ssh tunnels for
remote employee access to various internal services and for http/s
access to the outside world. For security reasons I would like to
have the remote users forward their dns lookups over the tunnel as
well.

However, we recently chrooted a number of ssh users and these accounts
cannot resolve dns queries passed over the tunnel. I infer from
previous experience that the necessary libraries/binaries are not
installed in the chroot home. I can install whatever is missing using
yum --installroot=[path/to/chroot/home] but what I cannot determine is
exactly what package(s) is/are required.

What is the minimal package set needed to enable chrooted users to
perform dns lookups on CentOS-6?

--
James B. Byrne

[CentOS] SELinux context change on /etc/postfix/main.cf
This morning I received this report of a change to the SELinux context
of /etc/postfix/main.cf on one of our hosts.

from: system_u:object_r:postfix_etc_t:s0
to: unconfined_u:object_r:postfix_etc_t:s0

The contents of the file have been verified as unchanged. There was a
yum update applied yesterday to this host and this may be an intended
alteration. However, can anyone confirm this for me? Or, otherwise
explain what has happened?

--
James B. Byrne

[CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes
I have been looking at this problem on and off for a considerable
period. Given my lack of knowledge I have been unable to resolve this
quickly and in consequence it has been constantly shoved to the
background as other issues arise.

Here is the situation: I have two dual-homed kvm hosts both running
CentOS-6.7 and identically configured. These are connected to the
same LAN segment via br0/eth0 and to each other via a cross-over cable
on br1/eth1. The IPv4 assigned to br0 on both is a publicly routeable
address. The IPv4 assigned to br1 on both is a private address in the
192.168.0.0/16 address space.

The guests on each host have their virtual eth0 bridged with their
host's br0 and eth1 bridged with their host's br1. The addresses used
by the guests on eth0 are publicly routeable, the addresses used on
eth1 are private.

I would like to configure br1/eth1 on both kvm hosts such that each is
a gateway to the other. I then also would like to configure each kvm
guest of each host such that their traffic to the private network
segment on the opposite host routes through the x-over cable via br0
whilst everything else goes out through br1 to the LAN and gateway.

Has anyone here done anything like this? If so, can you point me to
any online resource that could more or less walk me through the
process without me having to complete the coursework for a network
engineer. I just want to keep data transfer traffic between pairs of
kvm guests off of the public lan without having to install more
hardware. The existing cabinets are not going to support it either
space wise or power wise.

An ASCII art diagram might help, or might not.

kvmh1g1  eth0/192.168.51.1
         eth1/aaa.bbb.ccc.151 <-> |
                                  |
kvmh1    br1/aaa.bbb.ccc.51       |
    |--->  br0/192.168.51.1       |
    X                             |
kvmh2 |---> br0/192.168.52.1      |
         br1/aaa.bbb.ccc.52       |
                                  |
kvmh2g1  eth0/192.168.52.1        |
         eth1/aaa.bbb.ccc.251 <-> |
                                  |
gateway  eth1/aaa.bbb.ccc.1 <---> |

I have tried multiple approaches without success and in so many
variations that I no longer can clearly recall the details.

At the moment my thought is that if br0 was set to 192.168.51.1/24 on
kvmh1 and to 192.168.52.1/24 on kvmh2 and a routing table entry was
made on kvmh1 to send traffic addressed to 192.168.52.0/24 through
192.168.51.1/24. And on kvmh2 br0 was set to 192.168.52.1/24 and a
routing table entry was made on kvmh2 to route traffic to
192.168.51.0/24 through 192.168.52.1/24.

I thought that if the kvm virtual guests on kvmh1 were then configured
to use addresses from 192.168.51.0/24 while those on kvmh2 used
192.168.52.0/24. And everything was configured to use their
respective host's br1 address as their gateway then this should work.
But I am evidently either fundamentally wrong or I have misconfigured
things somehow.

Should this set up work as I imagine? What would be the correct
static routing table entries to make it work?

--
James B. Byrne

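The routing decision behind this post and behind the reply in the thread of the same subject earlier on this page, as an added example that is not part of either message: a longest-prefix route lookup run against the guest kvmh2g1's table under both addressing plans. The private addresses are the ones in the posts; the 203.0.113.0/24 public network, the guest address 192.168.52.200 and all function names are assumptions.

```python
import ipaddress

# Constructed routing tables for the guest kvmh2g1. 203.0.113.0/24 is a
# documentation range standing in for the public "aaa.bbb.ccc" network,
# which the posts do not give.
PUBLIC = [
    {"dest": "203.0.113.0/24", "via": None, "dev": "eth1"},
    {"dest": "0.0.0.0/0", "via": "203.0.113.1", "dev": "eth1"},
]
# Plan A: every private address in one /24 (guest eth0 = 192.168.51.200/24).
SAME_SUBNET = [{"dest": "192.168.51.0/24", "via": None, "dev": "eth0"}] + PUBLIC
# Plan B: one /24 per host (guest eth0 = 192.168.52.200/24, constructed).
SPLIT_SUBNETS = [{"dest": "192.168.52.0/24", "via": None, "dev": "eth0"}] + PUBLIC


def lookup(routes, dest):
    """Pick the route a host would use: the longest matching prefix wins."""
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["dest"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def describe(routes, dest):
    """Summarise the decision in the style of 'ip route get'."""
    route = lookup(routes, dest)
    if route is None:
        return "unreachable"
    if route["via"] is None:
        # Connected network: the sender resolves the target by ARP and
        # delivers the frame itself, so both ends must share a broadcast domain.
        return f"on-link dev {route['dev']}"
    return f"via {route['via']} dev {route['dev']}"


def add_static_route(routes, dest, via):
    """Return a new table with a static route, refusing an off-link gateway.

    A next hop is only usable when it sits on a directly connected network;
    otherwise there is no interface on which to reach it.
    """
    to_gateway = lookup(routes, via)
    if to_gateway is None or to_gateway["via"] is not None:
        raise ValueError(f"gateway {via} is not on a connected network")
    return routes + [{"dest": dest, "via": via, "dev": to_gateway["dev"]}]


if __name__ == "__main__":
    print("plan A:", describe(SAME_SUBNET, "192.168.51.100"))
    print("plan B:", describe(SPLIT_SUBNETS, "192.168.51.100"))
    fixed = add_static_route(SPLIT_SUBNETS, "192.168.51.0/24", "192.168.52.1")
    print("plan B + static route:", describe(fixed, "192.168.51.100"))
```

Under plan B the static route only moves the packet as far as kvmh2's 192.168.52.1; that host must then forward it and hold its own route towards 192.168.51.0/24, which this lookup does not model.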
Re: [CentOS] Calibre installation fails on C7
On Wed, December 23, 2015 00:33, John R Pierce wrote:
>
> prefixing this with, I have no idea what Calibre is...
>

Calibre is an open source e-reader that handles mobi files along with
many other e-reader formats. See: http://calibre-ebook.com/

The last version supported on CentOS6 is v1.48. The latest version is
v2.47.0.

On Tue, December 22, 2015 22:06, Fred Smith wrote:
> Attempting to install latest Calibre on Centos-7, getting:
. . .
> File "/usr/lib64/python2.7/httplib.py", line 1182, in __init__
> context.load_cert_chain(cert_file, key_file)
> ssl.SSLError: [SSL] PEM lib (_ssl.c:2757)
>
>
> Can anybody advise me what this tells me? (other than SOMETHING wrong
> with some certificate...)

The error you are reporting may be due to some misconfiguration of the
certificate chain in the Python libraries. Likely the case if you
recently updated to 7.2 as others have reported the same thing.

You can try to perform a manual download and install, thus bypassing
the whole SSL mess, and see if that works.

Quoting from the Calibre website:
http://calibre-ebook.com/download_linux

Manual binary install or reverting to a previous version

If you wish to revert to an earlier calibre release or download a
calibre upgrade manually, download the tarball of that release from
here (choose the 32-bit or 64-bit version, as appropriate). Assuming
you want calibre in /opt/calibre, run the following command, changing
the path to calibre-tarball.txz below as appropriate:

sudo mkdir -p /opt/calibre && sudo rm -rf /opt/calibre/* && sudo tar xvf /path/to/downloaded/calibre-tarball.txz -C /opt/calibre && sudo /opt/calibre/calibre_postinstall

HTH.

--
James B. Byrne

Re: [CentOS] libreoffice 4.4 or 5 in CentOS 6
On Mon, December 14, 2015 15:43, Patrick Bervoets wrote:
> I need the ability to make signed PDFs in LibreOffice, so I tried LO 5
> and LO 4.4 rpms from LO.org but they are useless (menu and toolbar are
> black).
> Anyone been able to use a higher version of LO?
>
> Thanks
>
>

I am running LO-5.0.3.2 on CentOS-6.7 without any known issues.

--
James B. Byrne

Re: [CentOS] wifi on servers and fedora [was Re: 7.2 kernel panic on boot]
On Wed, December 9, 2015 16:50, James Hogarth wrote:
> On 9 Dec 2015 9:07 p.m., "Lamar Owen" wrote:
>>
>> No, it seems to me that a suitably motivated CentOS user needs to
>> scratch this itch; and, no, I am not volunteering, as I've
>> followed Fedora before..and just simply cannot give the
>> time to it at this point in time in my life.
>>
>
>>
>> So who wants to be the CentOS-Users to Fedora liaison, likely to be
>> one of the most thankless jobs on the planet?
>>
>
> I'm an active Fedora packager and yet I dare say Mark would hate me as
> liaison for I find the changes in EL7 most refreshing and look forward
> to being able to make better use of them in due course ;)
>
> But I really do question whether someone in this industry is really
> not able to spend 30 minutes or so every six months checking changes
> for anything interesting.
>
> And frankly if one isn't willing to either get a subscription and
> feedback as a paying customer or to get involved with the upstream
> sources then no one does not have say in direction and one shouldn't
> be surprised by that.
>
> If it was a democracy with a vote on every possible choice then we'd
> never get anywhere given the time to carry out such a survey and the
> vast differences in opinions.
>
> No, as the Debian folks say it is a meritocracy instead and those
> who get stuck in and actively discuss at the right time provide
> the influence on what happens next.
>

Since the import of what I was trying to convey has been lost, no doubt due to my poor choice of words, I will restate the obvious: If the bulk of the developers working on Fedora use laptops as their platform then, inevitably, Fedora will become in essence a laptop distribution and RHEL will follow.

Talking about the server community monitoring the Fedora development channel once every six months, or every day for that matter, is simply not going to change this. A handful of voices representing server installations, who by definition are not development types, has no hope of dealing with the incremental changes introduced every day by hundreds of people that use laptops as their primary development platform and all of whom have their own 'itch' to scratch. That is just the way it is in open source.

The choice to go to Fedora for RHEL development was a commitment to the laptop environment, whether consciously made or not. And it is not in the control of RH to dictate this. If the Fedora developers take up tablets en masse then guess what?: We will end up with a tablet distribution. The OS distro we get is the consequence of the culture and environment predominant in the development community. This is neither good nor bad. It just is.

Our firm has specific requirements which to date have been more than adequately met by RHEL and CentOS. But that seems to us to be changing in ways that no longer meet our expectations from a server based distro. A server based distro to us has certain characteristics that are orientated to long running processes and system uptimes measured in months if not years.

I have given up counting how many times I have to reboot all of our CentOS servers in the past year because of updates. On the other hand I have this task running on a different server with a different OS:

Priority = DS; Inpri = 8; Time = UNLIMITED seconds.
Job number = #j3719.
TUE, NOV 4, 2014, 2:04 PM.

We do not need plug-and-play; or usb hot-swapping; or hibernation; or screen savers; or audio-video players; or power optimisation. All of which are worthy things in their own right and certainly have their place in computing. While these occasionally have proved convenient for me none are really necessary for a server host and their presence undoubtedly significantly increases the complexity and maintenance burden of the distribution.

What we need is simplicity, stability, reliability, and consistency. What seems to be happening instead is feature-creep, software-bloat and increased coupling.

And lest I be accused of 'whingeing' from the sideline I have been contributing to Open Source in a modest way since 1995, starting with Sendmail-8.7 on HP-UX. I just have limited time to give over to these things. The selection of RHEL for our primary platform was, in large part, to reduce the resources given over to managing the software. It would be ironic in the extreme were the reverse to prove the case.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] wifi on servers and fedora [was Re: 7.2 kernel panic on boot]
On Tue, December 8, 2015 11:05, Matthew Miller wrote:
>
>> I have been bitten by things done in Fedora that only have any use on
>> a laptop and that should never have been allowed into a server
>> distribution. But I cannot see how I would have been aware of them
>> until they manifested themselves on equipment under my care. By which
>
> ^ right, this.
>
>> time it is rather too late to influence the decision to include them.
>
> Well, not if you get involved early. That's the point.
>
> If you don't *want* to, that's fine, but there's only so much
> complainy cake that you can have and eat at the same time.
>

So, the implication of your suggestion, if I understand it aright, is that I should audit all of the communication forums in use by Fedora developers and then point out whenever any of the many dozens or hundreds of contributors introduces something that in my opinion may impact a server installation.

To do this I am required to obtain such intimate personal knowledge of the internal workings of the distribution as to be able to identify these items as soon as they are introduced. Naturally, I am also supposed to be able to immediately identify the negative impact of these things and prepare and present a cogent argument against their adoption or propose patches to correct the deficiencies that I believe that I have detected.

I am to do this whilst running a CentOS installation that will not allow Fedora onto the premises. So, no doubt, the intent is that I should run Fedora on my home systems and work diligently in my off hours to protect any future version of CentOS from that vantage.

And of course, if I miss something then it is my fault for not having paid enough attention to that item.

Am I correct?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] wifi on servers and fedora [was Re: 7.2 kernel panic on boot]
On Mon, December 7, 2015 13:41, Matthew Miller wrote:
> On Fri, Dec 04, 2015 at 09:03:50AM -0500, James B. Byrne wrote:
>> On Thu, Dec 03, 2015 at 02:50:38PM -0500, m.r...@5-cent.us wrote:
>> > For laptops, great. For anything else, not so much. For example,
>> > it's supposed to be an *ENTERPRISE* o/s... why does it
>> > automatically, without ever asking, install anything wifi? I'm
> [...]
>> The short answer: Because RHEL is based on Fedora development.
>
>
> This is roughly true, although "downstream" RHEL makes its own
> decisions about many things. If you (Mark, or anyone else) would like
> to make this different in the future, getting involved with Fedora
> Server is a good way to do so.
>

I subscribe to the Fedora Server list digest. Which form also is how I get this list's messages. Thus the delay in my responses. However, to describe the Server List as an active forum for discussion would be somewhat overstating things. I have not received anything from it as yet in December and the total volume of traffic on that list in November was very light.

I am not sure in what way you envisage additional involvement is to take place. I have been bitten by things done in Fedora that only have any use on a laptop and that should never have been allowed into a server distribution. But I cannot see how I would have been aware of them until they manifested themselves on equipment under my care. By which time it is rather too late to influence the decision to include them. Automatically powering down NICs comes to my mind; due to the rather nasty consequences that resulted.

The difficulty is that with Free and Open Source Software you are only going to see features that are of some immediate use to the writers; or whose value has already been entrenched such that it is difficult if not impossible to dispense with. Clearly, power saving features are of some interest to people that run their systems on batteries. However, there are batteries, and then there are batteries.

We occasionally run on batteries too. It is just that ours are measured in kilovolt-amp hours. Having a server distro configured by default to turn off a NIC because it has not had traffic for fifteen minutes is not going to save us enough power from now to the end of eternity to warrant the disruption that little 'feature' cost us when it was first encountered.

The move to Systemd, and all the controversy that decision has generated, also provides 'features' whose benefits appear to me to be aimed principally at users who shut their systems off every day. These benefits are of far less value to people who measure uptime in months or years, while the discomfort, and expense, of this change must be borne regardless.

Systemd will eventually be accepted or rejected on its own merits. I am not interested in debating them here since I have nothing upon which to base an opinion one way or the other. But it can hardly be denied that forcing highly qualified people to expend time, a very limited resource in my experience, to learn yet another way to start a computer system, without providing any readily discernible benefit to them, is not likely to engender much in the way of sympathy.

We went to RedHat and ended up on CentOS because of its server orientation. Which to us implied something more than simple compatibility of the software components. If RedHat's intent is to end up as a laptop distro then we will probably part ways at some point. We have a laptop distro that works well for us. It is called OSX. And the hardware is pretty good too.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] 7.2 kernel panic on boot
On Thu, December 3, 2015 14:50, m.r...@5-cent.us wrote:
> Valeri Galtsev wrote:
. . .
>> That is my main complaint about parallelized boot. My brain is
>> only capable to deal with serial sequence of events, and which
>> next event is deterministically predictable from previous. As
>> with fatal things like kernel panic, it is the previous before
>> the fatal step is the one that you still can see...
>>
>> Is there some way to tell systemd kick in components serially?
>>
>> Servers aside (you can not have everything), this (CentOS 7) is a
>> great system for laptops, the best I saw so far. Like Macintosh.
>> Only better.
>
> For laptops, great. For anything else, not so much. For example,
> it's supposed to be an *ENTERPRISE* o/s... why does it
> automatically, without ever asking, install anything wifi? I'm
> still trying to figure out how to tell a *wired* CentOS 7
> workstation to stop even thinking about wifi or wimax, and stop
> cluttering the logs with debugging garbage.
>

The short answer: Because RHEL is based on Fedora development.

The long answer: Because RH believes/believed that the laptop environment is/was a key part of its growth strategy. The recent phenomenon of the widespread adoption of smart phones and tablets in place of laptops may bring that into question now, but the move to laptops was a deliberate business choice in my opinion.

It remains to be seen whether or not RH can have its cake and eat it too. Sysadmins tend to be rather prickly people when it comes to people and things that appear to waste their time. It seems to me a strategy of dubious worth aggravating one's installed base chasing a chimera. However that may be, the world moves on and we perforce move with it or are left behind.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] Newbie alert
On Thu, November 26, 2015 12:30, John R Pierce wrote:
>
> how open is RH to bug fix submissions from non-customers?
>
> I got the impression most of their bug fixes were done internally by
> employees, a large part of which consists of backporting fixes from
> upstream FOSS projects.
>

This is my experience as well. The only thing that RedHat has ever done with my bug reports is point me to the upstream projects to have it fixed/altered/added there. They will however, occasionally accept some nudges about updating software that the upstream project has already released.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] firewalld being stupid
On Mon, November 16, 2015 16:39, Nick Bright wrote:
> On 11/6/2015 3:58 PM, James Hogarth wrote:
>> I have a couple of relevant articles you may be interested in ...
>>
>> On assigning the zone via NM:
>> https://www.hogarthuk.com/?q=node/8
>>
>> Look down to the "Specifying a particular firewall zone" bit ...
>> remember that if you edit the files rather than using nmcli you must
>> reload NM (or do nmcli reload) for that to take effect.
>>
>> If you specify a zone in NM then this will override the firewalld
>> configuration if the zone is specified there.
>>
>> Here's some firewalld stuff:
>> https://www.hogarthuk.com/?q=node/9
>>
>> Don't forget that if you use --permanent on a command you need to do a
>> reload for it to read the config from disk and apply it.
> Thanks for the articles, they're informative.
>
> Here's what's really irritating me though.
>
> firewall-cmd --zone=internal --change-interface=ens224 --permanent
>
> ^^ This command results in NO ACTION TAKEN. The zone IS NOT CHANGED.
>
> firewall-cmd --zone=internal --change-interface=ens224
>
> This command results in the zone of ens224 being changed to internal, as
> desired. Of course, this is not permanent.
>
> As such, firewall-cmd --reload (or a reboot, etc) will revert to the
> public zone. To save the change, one must execute firewall-cmd
> --runtime-to-permanent.
>
> This is very frustrating, and not obvious. If --permanent doesn't work
> for a command, then it should give an error - not silently fail
> without doing anything!
>

This behaviour is congruent with SELinux. One utility adjusts the permanent configuration, the one that will be applied at startup. Another changes the current running environment without altering the startup config. From a sysadmin point of view this is desirable since changes to a running system are often performed for empirical testing. Leaving ephemeral state changes permanently fixed in the startup config could, and almost certainly would eventually, lead to serious problems during a reboot.

Likewise, immediately introducing a state change to a running system when reconfiguring system startup options is just begging for an operations incident report.

It may not be intuitive to some but it is certainly the logical way of handling this.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
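The runtime/permanent split discussed in this message, as a check that can be run before a reload or reboot. This is an added example, not part of the original thread; `FIREWALL_CMD` and the function names are hypothetical, and the only `firewall-cmd` query used is `--get-zone-of-interface`, with and without `--permanent`.

```shell
#!/bin/sh
# Added example (not from the thread): compare an interface's zone in the
# running firewalld configuration with the zone stored in the permanent one,
# so a change made without --permanent is noticed before --reload drops it.

# Hypothetical override so the check can be pointed at a stub for testing.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# zone_of IFACE [--permanent]
# Prints the zone firewalld reports for IFACE, or "none" when it reports
# no zone (firewall-cmd prints "no zone" and exits non-zero in that case).
zone_of() {
    zo_iface=$1
    zo_scope=${2:-}
    # $zo_scope is deliberately unquoted: it is empty or a single flag.
    zo_zone=$("$FIREWALL_CMD" $zo_scope --get-zone-of-interface="$zo_iface" 2>/dev/null) || zo_zone=
    case $zo_zone in
        ''|'no zone') echo none ;;
        *) echo "$zo_zone" ;;
    esac
}

# zone_drift IFACE
# Prints "IFACE runtime=<zone> permanent=<zone> <verdict>".
# Returns 0 when both configurations agree and 1 when they differ.
zone_drift() {
    zd_iface=$1
    zd_runtime=$(zone_of "$zd_iface")
    zd_permanent=$(zone_of "$zd_iface" --permanent)
    if [ "$zd_runtime" = "$zd_permanent" ]; then
        echo "$zd_iface runtime=$zd_runtime permanent=$zd_permanent in-sync"
        return 0
    fi
    # Drift: "firewall-cmd --runtime-to-permanent" would keep the running
    # state, "firewall-cmd --reload" would discard it.
    echo "$zd_iface runtime=$zd_runtime permanent=$zd_permanent DRIFT"
    return 1
}

# When run as a script, check every interface named on the command line.
rc=0
for zd_arg in "$@"; do
    zone_drift "$zd_arg" || rc=1
done
if [ "$#" -gt 0 ]; then
    exit "$rc"
fi
```

On an interface managed by NetworkManager the zone may be held in the connection profile, as the quoted articles point out, so a reported drift there should be resolved in NetworkManager rather than in firewalld.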
[CentOS] CentOS-6.6 SELinux questions
We have a remote server running as a guest instance on a kvm host. This server acts as a public MX service for our domains along with providing a backup for our Mailman mailing lists. It also has a slave named service.

While tracking down a separate problem I discovered these avc anomalies and ran audit2allow to see what was required to eliminate them. All the software is either from CentOS or EPEL.

#= amavis_t ==
allow amavis_t sysfs_t:dir open;

#= clamd_t ==
allow clamd_t sysctl_vm_t:dir search;

#= mailman_mail_t ==
# The source type 'mailman_mail_t' can write to a 'dir' of the following types:
# mailman_log_t, mailman_data_t, mailman_lock_t, mailman_archive_t, var_lock_t, tmp_t, mailman_mail_tmp_t, var_log_t, root_t
allow mailman_mail_t lib_t:dir write;

#= named_t ==
allow named_t sysctl_vm_t:dir search;

#= postfix_postdrop_t ==
allow postfix_postdrop_t fail2ban_tmp_t:file { read write };

#= syslogd_t ==
allow syslogd_t sysctl_vm_t:dir search;

Is there an epel/selinux forum to report these for repair or are they caused by something I am doing wrong? If so then what do I need to do to eliminate them?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] CentOS-6 reboots
I am now in receipt of an update to qemu-img and qemu-kvm. My practice up to now has been to restart the virtual host after applying qemu updates. This in turn implies that all of the virtual guests on that host also will need restarting since suspending them takes much, much longer than a restart.

The issue of whether or not the requirement to reboot servers based on CentOS was increasing or not was recently raised. My question then: Is a restart of the host following applying these updates actually necessary? If not then what is the procedure to get them to take effect on existing virtual guests?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] PHP version not enough for developers
On Thu, October 22, 2015 17:25, Valeri Galtsev wrote:
> . . . Still, disregarding the part some of us dislike personally
> (plus often reboots necessary to install some vital updates
> - which all Linuxes are prone to beginning somewhere around
> 2.6 kernel) . . .

I am glad to discover that I am not losing my mind. I too have been rather dismayed at the perceived increase in frequency with which I must reboot my servers. I wondered whether this was simply a misconception on my part or an actual change in the environment. Apparently it is the latter.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] CentOS-6 SSHD chroot SELinux problem
I run a sshd host solely to allow employees to tunnel secure connections to our internal hosts. Some of which do not support encrypted protocols. These connections are chroot'ed via the following in /etc/ssh/sshd_config

Match Group !wheel,!xx,y
    AllowTcpForwarding yes
    ChrootDirectory /home/y
    X11Forwarding yes

Where external users belong to group y (primary).

We have a problem with SELinux in that chrooted users cannot tunnel https requests unless SELinux is set to permissive (or turned off altogether). This problem does not evidence itself unless the account is chrooted.

The output from audit2allow is this:

sudo audit2allow -l -a

#= chroot_user_t ==
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;

#= syslogd_t ==
# The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t
allow syslogd_t user_home_t:dir write;

My questions are:

Do SE booleans settings exist that permit chrooted ssh access to forward https and log the activity? If so then what are they?

If not, then have I made a configuration error in sshd_config? What is it?

If not, then is this a defect in the SELinux policy?

If not, then what are the implications of creating a custom policy to handle this using the output given above?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] [Fwd: Re: Can one construct an IPTables rule to block on NS records?]
Hit reply instead of reply all. This is for the list.

-- Original Message --
Subject: Re: [CentOS] Can one construct an IPTables rule to block on NS records?
From: "James B. Byrne"
Date: Wed, October 7, 2015 08:52
To: "John R Pierce"
--

On Tue, October 6, 2015 13:36, John R Pierce wrote:
> On 10/6/2015 6:34 AM, Leon Fauster wrote:
>> --On Monday, October 05, 2015 10:46 AM -0400 "James B.
>> Byrne" wrote:
>>
>>> >So, is there any convenient way to construct an IPTables rule to block
>>> >all IPs associated with a given Domain Name server?
>> IPs have the reversed lookup "associated" with a NS.
>>
>> What do you mean with "associated"?
>>
>> Do mean all IPs that this DNS server resolves to
>> (A-Records in zone) (how do know for what zone
>> the NS gives authoritative answers)?
>>
>> Or just the domain name server IPs of a given
>> domain name (NS records)?
>>
>> What are you trying to solve?
>
> I wondered much the same. most NS servers won't allow you to do a
> zone transfer to find all the A/ records in a given domain. doing a
> reverse DNS lookup on every incoming/outgoing socket connection would be
> beyond painful, it would bring your network to its knees as the reverse
> DNS zones are often broken.
>
>
>

I am well aware of the costs of dns lookups which is why I worded the question as broadly as I did. In the end whois provided the necessary information.

Thanks to all who replied and provided advice.

Regards

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] CentOS-6.7 Kernel Panic
This is likely (almost certainly) a hardware issue. However, I would like any guidance available on diagnosing the exact cause and remedy.

We have a warm standby server that went off line over the weekend. The problem manifests itself as a kernel panic during the centos boot process. The issue appears to be with auto-mounting a number of pci devices. Unfortunately the error messages scroll off the monitor that I attached to it. This is some of the residue text that I thought might have some use in diagnosing the problem.

Kernel panic not syncing: Fatal exception
Comm pciehpd Tainted: G DW -- ---
. . .
drm_k,s_helper panic occurred switching back to text mode.

At which point the system is non-responsive.

Any ideas as to what is going on? Any other information I should be looking for?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] Can one construct an IPTables rule to block on NS records?
This is the same origin that I reported on earlier. Apparently asking for an explanation of why they were probing our sites only encouraged them to make additional attempts.

sshd:
   Authentication Failures:
      unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s)
      unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s)
      unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s)
      root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
      root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
      root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
      root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
      root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
      root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
      unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
      unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
      unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
      unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
      unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
      unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
   Invalid Users:
      Unknown Account: 12 Time(s)

So, is there any convenient way to construct an IPTables rule to block all IPs associated with a given Domain Name server?

dig -x 173.201.178.18

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa. IN PTR

;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600 IN PTR ip-173-201-178-18.ip.secureserver.net.

;; AUTHORITY SECTION:
201.173.in-addr.arpa. 66199 IN NS cns2.secureserver.net.
201.173.in-addr.arpa. 66199 IN NS cns1.secureserver.net.

;; ADDITIONAL SECTION:
cns2.secureserver.net. 172800 IN A 216.69.185.100
cns2.secureserver.net. 172800 IN 2607:f208:303::64
cns1.secureserver.net. 172800 IN A 208.109.255.100
cns1.secureserver.net. 172800 IN 2607:f208:207::64

Like say, cns{1,2}.secureserver.net. Or an entire domain? Say secureserver.net. ?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
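One way to turn a logwatch section like the one in this message into per-address rules without any DNS lookup at filter time, shown as an added example that is not part of the original post. It assumes the PTR names embed the IPv4 address as `ip-A-B-C-D`, as the names in the post do; the function names and the sample report (documentation addresses under example.net) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sum sshd authentication failures per
# source address for one reverse-DNS domain and print iptables rules for review.

# sshd_failures_for DOMAIN
# Reads logwatch "Authentication Failures" lines on stdin and prints
# "ADDRESS COUNT" for each PTR name ending in .DOMAIN, adding together the
# counts that logwatch reports separately per user name.
sshd_failures_for() {
    awk -v domain="$1" '
    NF >= 4 && $4 == "Time(s)" && $2 ~ /^\(.*\):$/ {
        host = tolower(substr($2, 2, length($2) - 3))   # strip "(" and "):"
        suffix = "." tolower(domain)
        if (length(host) <= length(suffix)) next
        # Exact suffix match, so evil.example.net.other.example is rejected.
        if (substr(host, length(host) - length(suffix) + 1) != suffix) next
        label = host
        sub(/\..*/, "", label)                          # first DNS label only
        if (label !~ /^ip-[0-9]+-[0-9]+-[0-9]+-[0-9]+$/) next
        split(substr(label, 4), o, "-")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        total[o[1] "." o[2] "." o[3] "." o[4]] += $3
    }
    END { for (a in total) print a, total[a] }' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# drop_rules DOMAIN [MIN]
# Prints one iptables command per address with at least MIN failures
# (default 1). The commands are printed, not executed.
drop_rules() {
    sshd_failures_for "$1" | awk -v min="${2:-1}" '$2 + 0 >= min + 0 {
        printf "iptables -I INPUT -s %s/32 -p tcp --dport 22 -j DROP\n", $1 }'
}

# Constructed sample input in the layout of the report quoted above.
sample_report() {
    cat <<'EOF'
 sshd:
    Authentication Failures:
       unknown (ip-192-0-2-18.ip.example.net): 2 Time(s)
       root (ip-192-0-2-24.ip.example.net): 1 Time(s)
       unknown (ip-192-0-2-24.ip.example.net): 1 Time(s)
       root (ip-198-51-100-7.ip.example.net): 1 Time(s)
       root (ip-192-0-2-99.ip.example.net.other.example): 1 Time(s)
       root (mail.example.org): 3 Time(s)
       root (203.0.113.9): 4 Time(s)
    Invalid Users:
       Unknown Account: 12 Time(s)
EOF
}

# When run as a script: drop_rules DOMAIN [MIN] < logwatch-section
if [ "$#" -gt 0 ]; then
    drop_rules "$@"
fi
```

The addresses here come from names in the log, which are set by whoever controls the reverse zone; the follow-up in this thread reports that whois supplied the information needed, and a registry lookup is the place to confirm block boundaries before widening any rule.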
[CentOS] [SOLVED] Re: CentOS-6.7 Passing delayed shutdown via ssh command line argument?
On Wed, September 30, 2015 09:33, James B. Byrne wrote:
> If I log into a host via ssh from my workstation then I can enter
> this:
>
> shutdown -r +90&
>
> and log out. The shutdown command will continue in effect and will
> activate 90 minutes later.
>
> However, if I do this instead:
>
> ssh -t host.domain.tld 'shutdown -r +90&'
>
> then the shutdown command does not remain in effect. Why is this so
> and is there some way to achieve this?
>
>

Why is it that after beating my brains out and finally asking for help the answer appears?

I have to close the stdxxx files before putting shutdown into the background. This seems to work:

ssh host.domain.tld 'shutdown -r +90 > /var/log/shutdown_$(date +%Y%m%dT%H%M).log 2>&1 <&- &'

--
James B. Byrne mailto:byrn...@harte-lyne.ca
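A local stand-in for the redirections used in this message, added here and not part of the original post: a command substitution plays the part of the ssh channel, which likewise does not see end-of-file until every process holding the command's stdout has closed it. The function names are hypothetical and `sleep 3` stands in for the delayed shutdown.

```shell
#!/bin/sh
# Added example (not from the thread): show that a background job keeps its
# caller's output stream open unless stdout and stderr are redirected.

# start_detached LOGFILE COMMAND [ARG...]
# Starts COMMAND in the background with stdout and stderr sent to LOGFILE and
# stdin closed, the same redirections as the command line above. Prints the PID.
start_detached() {
    sd_log=$1
    shift
    "$@" >"$sd_log" 2>&1 <&- &
    echo "$!"
}

# start_attached COMMAND [ARG...]
# Starts COMMAND in the background with stdin closed but stdout inherited, so
# whatever reads that stream sees no end-of-file until COMMAND exits.
start_attached() {
    "$@" <&- &
    echo "$!"
}

# capture_delay MODE
# Captures the PID of a 3 second job through a pipe (the command
# substitution) and prints how many whole seconds the capture took.
capture_delay() {
    cd_begin=$(date +%s)
    case $1 in
        detached) cd_pid=$(start_detached /dev/null sleep 3) ;;
        attached) cd_pid=$(start_attached sleep 3) ;;
        *) return 2 ;;
    esac
    cd_end=$(date +%s)
    # The detached job is still running at this point; stop it.
    kill "$cd_pid" 2>/dev/null || true
    echo $((cd_end - cd_begin))
}

# When run as a script: capture_delay detached | attached
if [ "$#" -gt 0 ]; then
    capture_delay "$1"
fi
```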
[CentOS] CentOS-6.7 Passing delayed shutdown via ssh command line argument?
If I log into a host via ssh from my workstation then I can enter this:

shutdown -r +90&

and log out. The shutdown command will continue in effect and will activate 90 minutes later.

However, if I do this instead:

ssh -t host.domain.tld 'shutdown -r +90&'

then the shutdown command does not remain in effect. Why is this so and is there some way to achieve this?

--
James B. Byrne mailto:byrn...@harte-lyne.ca
[CentOS] decode http hack attempt?
Can anyone de-cypher the second entry for me?

- httpd Begin
Requests with error response codes
   403 Forbidden
      /: 9 Time(s)
      /?c=4e5e5d7364f443e28fbf0d3ae744a59a: 3 Time(s)

I have found the string via Google but have not located any explanation.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] OT: closing a port on home router
On Wed, September 23, 2015 00:11, Always Learning wrote:
>
>
> That is great. When I started on Linux that was one of the very
> first things I did. Every machine, including servers, has port 22
> replaced by a unique alternative port. Port 22 is also blocked in
> IPtables.
>
> There is an army of dangerous nutters attempting to break-in to
> everything. They often mask their attacks using compromised Windoze
> computers all around the world.
>

Changing the port that sshd listens on solves nothing from a security perspective. The only people that this action deflects are the script-kiddies. Who are admittedly numerous and who can be dangerous but usually are just low-talent opportunists.

Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The 'dangerous' people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users' expectations.

I grant that dealing with an excessive logfile volume can be a consideration. However, this issue is often best dealt with through scripting your own analysis and reporting programs or employing someone else's. And is often solved with an aggressive set of firewall rules. In fact, the volume of entries should be a good indication of how well your defence is serving you. As you tighten the access rules and dynamically block persistent abusers then the volumes should drop and stay fairly low.

Moving the port by itself is like rearranging the deck chairs on a sinking ship. It does not address the fundamental issue. Plus assignment to a non-standard port adds to maintenance and support load since it must be separately accounted for each time it is referenced.

--
James B. Byrne mailto:byrn...@harte-lyne.ca
Re: [CentOS] CentOS6 - Break in attempt? What is the Exploit?
On Mon, September 21, 2015 15:37, m.r...@5-cent.us wrote:
> Gordon Messmer wrote:
>>
>>> In other words, the
>>> hostkeys would be identical.
>>
>> I think what the error indicates is that a client tried to connect
>> to SSH, and the host key there did not match the fingerprint in the
>> client's "known_hosts" database.
>>
>>> It seems to me that someone attempted an ssh connection while
>>> spoofing our internal address. Is such a thing even possible?
>>> If so then how does it work?
>>
>> In the situation as you've described it, probably not.
>>
>> It would be best to go to your logs themselves for the full
>> log entry and context, rather than relying on a report that
>> summarizes log entries.
>
> Looks like someone trying to break in. You *are* running fail2ban, are
> you not? If not, you need to install and fire it up, now.

Yes, we run fail2ban. No, fail2ban did not catch this because the
number of attempts was below the threshold for a single IP.

The logwatch message reported is incomplete. Our address was the
destination address. The source address was not reported by logwatch
but it was logged in the syslog and it was not an internal address.
It did belong to an organisation that bills itself as "a leader in
enterprise security. . .". We have contacted them requesting an
explanation of the probe. It could have been an error on someone's
part. I suppose.

We see a lot of cracker traffic from Chile, Romania, Russia and the
Ukraine. China was such a PITA that eventually we simply cut off that
range of addresses from reaching us by any ports other than 25/80/443
so we do not even see it any more, except via proxy. Taiwan is nearly
in the same boat and Vietnam is next in the queue.
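An added example (not part of the original thread) of going back to the raw syslog as this message describes: it parses sshd "Received disconnect" lines so that the source address, which the logwatch summary drops, stays next to the reason text, and it pulls out the address named in the JSch reason, which is the host the client was connecting to. The log lines are constructed; the host name, PIDs, times and the 198.51.100.x / 203.0.113.x source addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the sshd syslog format; host name, PIDs, times and the
# source addresses (documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Sep 21 03:12:44 web01 sshd[4211]: Received disconnect from 198.51.100.23: 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170
Sep 21 03:12:51 web01 sshd[4215]: Received disconnect from 203.0.113.9: 11: disconnected by user
Sep 21 07:40:02 web01 sshd[5120]: Received disconnect from 203.0.113.9: 11: disconnected by user
Sep 21 07:41:10 web01 sshd[5133]: Accepted publickey for deploy from 203.0.113.9 port 50122 ssh2
"""

DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Received disconnect from (?P<src>\S+): (?P<code>\d+): (?P<reason>.*)$"
)
# Reason text is chosen by the client; JSch names the host whose key it rejected.
HOSTKEY_REJECT = re.compile(r"reject HostKey: (?P<target>\S+)")


def parse_disconnects(text):
    """Return one dict per 'Received disconnect' line, keeping the source address."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT.match(line)
        if m is None:
            continue  # not a disconnect line (e.g. a successful login)
        ev = m.groupdict()
        ev["code"] = int(ev["code"])
        hk = HOSTKEY_REJECT.search(ev["reason"])
        ev["rejected_key_of"] = hk.group("target") if hk else None
        events.append(ev)
    return events


def summary_like_report(events):
    """Counts per (code, reason) only: the view a summary gives, source dropped."""
    return Counter((ev["code"], ev["reason"]) for ev in events)


def sources_per_reason(events):
    """Same grouping, but with every source address and its own count."""
    out = {}
    for ev in events:
        out.setdefault((ev["code"], ev["reason"]), Counter())[ev["src"]] += 1
    return out


if __name__ == "__main__":
    evs = parse_disconnects(SAMPLE_LOG)
    for key, srcs in sources_per_reason(evs).items():
        print(key, dict(srcs))
```

On the sample, the summary view reproduces the counts in the logwatch report (two code-11 disconnects, one code-3 host key rejection), while the per-source view shows that the rejecting client is a different address from the one named in the reason text.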
Re: [CentOS] CentOS-6 Logwatch 7.3.6 behaviour
On Sat, September 19, 2015 06:51, Tony Mountifield wrote:
> In article , James B. Byrne wrote:
>> After some experimenting I have observed that overriding settings from
>> /usr/share/logwatch/default.conf/logwatch.conf in
>> /etc/logwatch/conf/logwatch.conf does not produce consistent
>> results.
>>
>> For example, if I replace the default detail configuration in
>> /etc/logwatch/conf/logwatch.conf with:
>>
>> Detail = High
>>
>> It does indeed change the level of detail from the default Low set in
>> /usr/share/logwatch/default.conf/logwatch.conf.
>>
>> However, if I comment out the line:
>>
>> #Service = "-zz-sys" # Prevents execution of zz-sys service
>>
>> in the overridden file then the fact that this line remains in the
>> default.conf version means that the service cannot be enabled to run
>> by default without editing
>> /usr/share/logwatch/default.conf/logwatch.conf. Of course doing that
>> means that any update clobbers the local changes.
>
> Can you just add it back in /etc/logwatch/conf/logwatch.conf with:
>
> Service = "zz-sys"
>
> I haven't tried it, but it looks like Service lines are cumulative.

  /usr/sbin/logwatch --range 'today' --mailto supp...@harte-lyne.ca --service zz-runtime --service All
  Wrong configuration entry for "Service", if "All" selected, only "-" items are allowed

As shown above, if you pass '--service All' then any later
'--service X' option must be prefaced with a '-' ('--service -X').
In other words, once All is selected then one can only remove
selected services.

In the config files this is the order used:

  # The 'Service' option expects either the name of a filter
  # (in /usr/share/logwatch/scripts/services/*) or 'All'.
  # The default service(s) to report on. This should be left as All for
  # most people.
  Service = All
  # You can also disable certain services (when specifying all)
  Service = "-zz-network"   # Prevents execution of zz-network service, which
                            # prints useful network configuration info.
  Service = "-zz-sys"       # Prevents execution of zz-sys service, which
                            # prints useful system configuration info.
  Service = "-eximstats"    # Prevents execution of eximstats service, which
                            # is a wrapper for the eximstats program.

So, no, one cannot restore a service that is deleted from the run in
default.conf by adding it back to the local config file.

I can understand what is happening here. The implementation of user
config files is conceived as being additive to the default
configuration. Anything not specified in
/etc/logwatch/conf/logwatch.conf is picked up from
/usr/share/logwatch/default.conf/logwatch.conf. Anything in
/usr/share/logwatch/default.conf/logwatch.conf is overridden by any
similar entry in an earlier config. This implies that the order of
processing is:

  /etc/logwatch/conf/logwatch.conf
  /usr/share/logwatch/dist.conf
  /usr/share/logwatch/default.conf/logwatch.conf

This seems to be something that needs to be fixed in the
default.conf/logwatch.conf file.
[CentOS] CentOS6 - Break in attempt? What is the Exploit?
This morning's log review revealed this sshd log entry on one of our
web services hosts:

  Received disconnect:
     11: disconnected by user : 2 Time(s)
     3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 : 1 Time(s)

The IP address used is that of a public facing database query page for
our freight transit information. It is itself a virtual IP address
hosted on the system reporting the error. In other words, if this
were a legitimate connection then the situation would be that of an
ssh client connecting to an sshd server running on the same host
albeit each using a different IP address. In other words, the
hostkeys would be identical.

It seems to me that someone attempted an ssh connection while spoofing
our internal address. Is such a thing even possible? If so then how
does it work?

What is com.jcraft.jsch?
[CentOS] CentOS-6 Logwatch 7.3.6 behaviour
After some experimenting I have observed that overriding settings from
/usr/share/logwatch/default.conf/logwatch.conf in
/etc/logwatch/conf/logwatch.conf does not produce consistent results.

For example, if I replace the default detail configuration in
/etc/logwatch/conf/logwatch.conf with:

  Detail = High

It does indeed change the level of detail from the default Low set in
/usr/share/logwatch/default.conf/logwatch.conf.

However, if I comment out the line:

  #Service = "-zz-sys" # Prevents execution of zz-sys service

in the overridden file then the fact that this line remains in the
default.conf version means that the service cannot be enabled to run
by default without editing
/usr/share/logwatch/default.conf/logwatch.conf. Of course doing that
means that any update clobbers the local changes.

I am not sure if this is a bug or a design feature but it seems to me
that one should be able to override all of the default settings for
services. The only way around this seems to be to specify
'--service All' on the command line. But then the service entries in
logwatch.conf seem to be ignored entirely so that one must also
specify the service exclusions on the command line.

I also ran across a rather bizarre 'feature' with the 'DisplayOrder'
setting. Evidently, if one gives the same DisplayOrder value to two
or more services (say zz-sys which has DisplayOrder = 0.4 and
zz-runtime which uses the default value of 0.5 otherwise) then only
the last service (ordered alphabetically) is reported. No errors are
logged or conflict notices are given either. The other service
reports just 'disappear'.

However, one can explicitly assign multiple services a DisplayOrder
value of 0.5 and all are reported nonetheless, in alphabetic order,
along with the other services which simply take the implicit default
value.
[CentOS] CentOS-6 - LogWatch Cyrus-IMAPD script was CentOS-6 - LogWatch
On Mon, September 14, 2015 14:51, James B. Byrne wrote:
> The Logwatch imapd service script distributed with CentOS-6 does not
> generate anything when I run logwatch --service all on a cyrus-imapd
> host. Is this expected behaviour? Is there a separate script for
> cyrus-imapd or are there configuration options required to get the
> existing script to work.
>
> I have found an ancient (2004) logwatch service script for cyrus-imapd
> but I was sort of hoping that there was a more up-to-date and
> officially supported version available somewhere.
>
> Is there?
>

There was not, and so I wrote this. Given I know little or nothing of
Perl beyond the bare fact of its existence no doubt there are better
ways to get the results I obtained. But this is tested on CentOS-6
with cyrus-imapd.2.3.16-13.el6_6. It only handles IMAP logins so
anyone using POP3 or Sieve needs to add their own code for those.
And, because this is e-mail, linewraps/breaks in the code below may
not be exactly as required and do need to be hand checked and
corrected.

#!/usr/bin/perl
###
# logwatch script for cyrus-imapd-2.3.16
# looks for imaps and lmtpunix services in /var/log/maillog
###

###
# script: /etc/logwatch/scripts/services/cyrus-imapd
# author: James B. Byrne
# date: 2015-09-16
# revision: v1.0.1 - 2015-09-17
#
# requires: /etc/logwatch/conf/services/cyrus-imapd.conf
# containing>
#
# > Title = "CYRUS IMAPD"
# > LogFile = maillog
# > *OnlyService = (imaps|lmtpunix)
# > *RemoveHeaders =
#
# based on Sebastian Hagedorn 2004
###

$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};

#
# Process log file on stdin
#
while ( defined( $ThisLine = <STDIN> ) ) {
  chomp( $ThisLine );
  use feature "switch";
  given( $ThisLine ) {
    when ( /accepted connection/ ) {
      # Ignore
    }
    when ( /^badlogin: (.+) \[(.+)\] (\w+) (.+) (SASL.*authentication failure:.+)/ ) {
      # Captures: $1 host, $2 ip, $3 mechanism, $4 user, $5 SASL message
      #print( "Bad Login: " . $ThisLine . "\n" );
      #$ThisLine =~ /^badlogin: (.+) \[(.+)\] (\w+) (.+) (SASL.*authentication failure:.+)/;
      #print( "BAD LOGIN PARSE: " . $1 . " : " . $2 . " : " . $3 . " : " . $4 . " : " . $5 . "\n");
      $IMAPbadlogin++;
      $IMAPbadmech{$3}++;
      $IMAPbadip{$2}++;
      $IMAPbaduser{$4}++
    }
    when ( /DBMSG:/ ) {
      # Ignore
    }
    when ( /Delivered:/ ) {
      # Ignore
    }
    when ( /dupelim:/ ) {
      # Ignore
    }
    when ( /duplicate_check:/ ) {
      # Ignore
    }
    when ( /duplicate_mark:/ ) {
      # Ignore
    }
    when ( /executed/ ) {
      # Ignore
    }
    when ( /Expunged/ ) {
      # Ignore
    }
    when ( /imapd:Loading hard-coded DH parameters/ ) {
      # Ignore
    }
    when ( /lmtp connection preauth/ ) {
      # Ignore
    }
    when ( /^login: (.+) \[(.+)\] (\w+) (.+) User logged in/ ) {
      # Captures: $1 host, $2 ip, $3 user, $4 mechanism
      # print( "LOGIN PARSE: " . $1 . " : " . $2 . " : " . $3 . " : " . $4 . "\n");
      $IMAPlogin++;
      $IMAPmech{$4}++;
      $IMAPuser{$3}++;
      $IMAPip{$2}++;
    }
    when ( /IOERROR: fstating sieve script/ ) {
      # Ignore
    }
    when ( /mystore: committing txn/ ) {
      $LMTPStore++;
    }
    when ( /mystore: starting/ ) {
      # Ignore
    }
    when ( /open: / ) {
      # Ignore
    }
    when ( /seen_db: / ) {
      # Ignore
    }
    when ( /skiplist: checkpointed/ ) {
      # Ignore
    }
    when ( /SQUAT/ ) {
      # ignore
    }
    when ( /SSL_accept/ ) {
      # ignore
    }
    when ( /starttls/ ) {
      $IMAPTLS++;
    }
    # Save this till the end
    when ( /ERROR/ ) {
      push @ErrorList, "$ThisLine\n";
    }
    default {
      # Report any unmatched entries...
      push @OtherList, "$ThisLine\n";
    }
  }
  # Process next stdin
  next;
}

# Report
if ( $LMTPStore ) {
  print " Mails stored: " . $LMTPStore . "\n";
}

if ( $IMAPlogin ) {
  print "\n IMAP:\n";
  print " Number of logins: " . $IMAPlogin . "\n";
  if ( %IMAPmech ) {
    print( "\n By mechanism\n" );
  }
  foreach $mech ( sort ( keys %IMAPmech ) ) {
    print( " . . . using " . $mech . ": " . "$IMAPmech{$mech}\n" );
  }
  if ( %IMAPuser ) {
    print( "\n By user\n" );
  }
  foreach $user ( sort ( keys %IMAPuser ) ) {
    print( " . . . from " . $user . ": " . $IMAPuser{$user} . "\n" );
  }
  if ( %IMAPip ) {
    print( "\n By origin\n" );
  }
  # The archived message is cut off at "fo"; this loop and the closing
  # brace are completed on the pattern of the loops above (assumption).
  foreach $ip ( sort ( keys %IMAPip ) ) {
    print( " . . . from " . $ip . ": " . $IMAPip{$ip} . "\n" );
  }
}
Re: [CentOS] CentOS-6 - LogWatch
On Mon, September 14, 2015 21:28, Always Learning wrote:
>
> On Mon, 2015-09-14 at 14:51 -0400, James B. Byrne wrote:
>
>> The Logwatch imapd service script distributed with CentOS-6 does not
>> generate anything when I run logwatch --service all on a cyrus-imapd
>> host. Is this expected behaviour? Is there a separate script for
>> cyrus-imapd or are there configuration options required to get the
>> existing script to work.
>
> 1. Check there is data in the log file(s).

Yes. We have cyrus-imapd logging to /var/log/maillog. This appears
to be the default setting as I can find no explicit reference to
maillog in either /etc/imapd.conf or /etc/cyrus.conf and none to imapd
in /etc/rsyslog.conf.

>
> 2. Ensure Logwatch has the correct location and names of your log
> files.
>
> Check: /usr/share/logwatch/default.conf/logfiles/ - there should be a
> 'imapd' file there. I don't use imapd and there is no such file on my
> instances of C6.

I do not have one either.

  yum provides /usr/share/logwatch/default.conf/logfiles/imapd.conf
  Loaded plugins: etckeeper, fastestmirror, priorities, refresh-packagekit
  Loading mirror speeds from cached hostfile
   * base: centos.mirror.rafal.ca
   * epel: mirror.steadfast.net
   * extras: less.cogeco.net
   * updates: mirror.netflash.net
  No Matches found

The Logwatch related files that reference imapd are these:

  find /usr/share/logwatch -type f | xargs grep -l imapd
  /usr/share/logwatch/default.conf/services/imapd.conf
  /usr/share/logwatch/default.conf/services/secure.conf
  /usr/share/logwatch/scripts/services/secure
  /usr/share/logwatch/scripts/services/cron
  /usr/share/logwatch/scripts/services/courier
  /usr/share/logwatch/scripts/services/imapd

Maillog is referenced in
/usr/share/logwatch/default.conf/services/imapd.conf:

  cat /usr/share/logwatch/default.conf/services/imapd.conf
  ###
  #
  ###

  # You can put comments anywhere you want to. They are effective for the
  # rest of the line.

  # this is in the format of = . Whitespace at the beginning
  # and end of the lines is removed. Whitespace before and after the = sign
  # is removed. Everything is case *insensitive*.

  # Yes = True = On = 1
  # No = False = Off = 0

  Title = "IMAP"

  # Which logfile group...
  LogFile = maillog

  # Only give lines pertaining to courier...
  # I'm not sure if this is complete, especially for the new webmail daemon in 0.44.1
  #but you will get at least all currently supported logs
  *OnlyService = (imapd|imapd-ssl|imapsd)
  *RemoveHeaders =

  # vi: shiftwidth=3 tabstop=3 et

The only executable(sic) script available in
/usr/share/logwatch/scripts/services/ referred to in
/usr/share/logwatch/default.conf/services/imapd.conf is imapd and that
script is specifically tailored to courier-imap. Which is likely the
reason that it reports nothing.

Which brings me back to my original question. Where can one find a
current Logwatch script for cyrus-imap log analysis? The cyrus-imapd
specific logwatch script that I have found and have placed into
/etc/logwatch/scripts/services/imapd is old and has errors. I can
probably fix the errors but my Perl skills are inadequate to do
anything more.

Does anyone know of a current Logwatch script for cyrus-imapd? And
where it can be obtained?
[CentOS] CentOS-6 - LogWatch
The Logwatch imapd service script distributed with CentOS-6 does not
generate anything when I run logwatch --service all on a cyrus-imapd
host. Is this expected behaviour? Is there a separate script for
cyrus-imapd or are there configuration options required to get the
existing script to work.

I have found an ancient (2004) logwatch service script for cyrus-imapd
but I was sort of hoping that there was a more up-to-date and
officially supported version available somewhere.

Is there?