Re: [CentOS] Size limitations in .htaccess

2013-06-03 Thread Michael Krug
You could try ipset (yum install ipset) and create live lists of ips/blocks
and create a single-line rule in iptables to handle the lists. The only
downside is the lists are lost on a reboot, which can be overcome with a
little scripting.

> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Max Pyziur
> Sent: Wednesday, May 29, 2013 10:08 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Size limitations in .htaccess
> 
> On Wed, 29 May 2013, m.r...@5-cent.us wrote:
> 
> > Max Pyziur wrote:
> >>
> >> Greetings,
> >>
> >> It seems that I've hit a size limitation when adding unwanted IPs to
> >> a "Deny From" line.
> >>
> >> Is there any place where this is specified?
> >>
> >> Also, if I hit the max length on a "Deny From" line, can I add
> >> another "Deny From" line?
> >>
> >> (Running CentOS 6, and the following version of Apache:
> >> httpd-2.2.15-28.el6.centos.x86_64)
> >
> > Have you considered running fail2ban, and banning them using iptables?
> 
> I've considered that.
> 
> But I'm tied to my (little?/not-so-little?) home-grown system of mining
> threatening IPs from BL sites (spam, sshd, forumspam), running them
> through an sql database, and outputting /etc/hosts.deny files to block via
> tcp wrappers, and now starting to output "Deny from" lines to place in
> .htaccess files. "Deny From" lines longer than somewhere around 8000
> characters seem to be the limit; I was curious if there was a specified
> limit somewhere, and whether or not I could put multiple Deny From lines?
> 
> While fail2ban looks good, the little that I've tried it, I like keeping
> the firewall iptables neat, and doing the blocking as I have described
> above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban
> has a bit of a learning curve ...)
> 
> > mark
> >
> 
> Much thanks for the advice.
> 
> Max Pyziur
> p...@brama.com
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

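An added example (not from Michael's post or from any CentOS tooling) of the "little scripting" the ipset approach needs: it turns a scraped IP/CIDR list into an `ipset restore` file that can be reloaded at boot, and prints the single iptables rule that consults the set. The set name, the sample list and where you save the restore file are assumptions.

```shell
# Added example: build a reboot-safe ipset from a scraped blocklist.
# Assumptions: set name "blocklist", constructed sample data, and a save
# path of your choosing that an init script feeds to "ipset restore".
SET_NAME="blocklist"

SAMPLE_LIST='# constructed sample, one IPv4 host or CIDR per line, not real data
198.51.100.7
203.0.113.0/24
not-an-ip
192.0.2.256
'

# True if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_or_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" means a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read entries from stdin and emit an "ipset restore" script for set $1.
# Bad entries are skipped (noted on stderr) so one garbled line from a
# blocklist site cannot abort the whole restore at boot time.
build_ipset_restore() {
    printf 'create %s hash:net family inet -exist\n' "$1"
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "${entry%%#*}" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if valid_ipv4_or_cidr "$entry"; then
            printf 'add %s %s -exist\n' "$1" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# The one iptables rule that references the set (apply as root).
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}
```

Pipe the scraped list through `build_ipset_restore "$SET_NAME"` into a file, load it with `ipset restore < FILE` at boot, and add the rule from `iptables_rule` once; the set contents can then be refreshed without touching iptables again.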


Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-07 Thread Michael Krug
You could deny all by default and only allow your locations in tcp_wrappers.


Add this to /etc/hosts.deny:

sshd:   ALL

And this to /etc/hosts.allow

sshd:   12.34.56.78   your.ip.here123.12.34. 

I exaggerated the spaces. You'd still get the failures in your logs, but
access to the service won't be granted as it wouldn't match the allow.


> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Tilman Schmidt
> Sent: Thursday, March 07, 2013 11:45 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] CentOS 5 sshd does not log IP address of reverse
> mapping failure
> 
> Am 06.03.2013 19:20, schrieb Gordon Messmer:
> > On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
> >> Any ideas how to remedy that situation?
> >
> > As long as you get the IP address for failed logins, ignore reverse
> > mapping failures.
> 
> Trouble is, I don't:
> 
> Feb  8 00:03:09 dns01 sshd[6119]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb  8 00:03:10 dns01 sshd[6120]: Disconnecting: Too many authentication failures for root
> Feb  8 00:03:19 dns01 sshd[6121]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb  8 00:03:20 dns01 sshd[6122]: Disconnecting: Too many authentication failures for root
> Feb  8 00:03:22 dns01 sshd[6123]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb  8 00:03:23 dns01 sshd[6124]: Disconnecting: Too many authentication failures for root
> [...]
> 
> And at the end of the day, logwatch tells me:
> 
> - SSHD Begin 
> 
> Disconnecting after too many authentication failures for user:
> root : 149 Time(s)
> 
> Not good.
> 
> --
> Tilman Schmidt
> Phoenix Software GmbH
> Bonn, Germany


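An added example (not from Michael's post) that models the tcp_wrappers evaluation he describes, so a deny-all/allow-list pair can be dry-run before it is installed: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is granted. It supports only the pattern forms used in the post (ALL, an exact address, a trailing-dot network prefix); the file contents and addresses are constructed.

```shell
# Added example: dry-run a tcp_wrappers deny-all / allow-list pair.
# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny (not real
# addresses): one exact host and one network prefix are allowed for sshd.
HOSTS_ALLOW='sshd:   198.51.100.23   203.0.113.'
HOSTS_DENY='sshd:   ALL'

# Does one client pattern match this client address?  Supported forms:
# ALL, an exact address, and a trailing-dot prefix such as "203.0.113.".
pattern_matches() {
    pattern="$1"; client="$2"
    case "$pattern" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pattern"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pattern" = "$client" ] ;;
    esac
}

# Return 0 if any "daemon_list : client_list" line in $2 matches daemon $1
# and client $3.  Comments are stripped; commas and blanks separate entries.
file_matches() {
    daemon="$1"; rules="$2"; client="$3"
    printf '%s\n' "$rules" | {
        while IFS= read -r line; do
            line=${line%%#*}
            case "$line" in *:*) ;; *) continue ;; esac
            daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
            clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
            for d in $daemons; do
                [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
                for c in $clients; do
                    if pattern_matches "$c" "$client"; then exit 0; fi
                done
            done
        done
        exit 1           # no rule in this file matched
    }
}

# tcp_wrappers order: a match in hosts.allow grants access; otherwise a
# match in hosts.deny refuses it; a client listed in neither is granted.
wrappers_decision() {
    if   file_matches "$1" "$HOSTS_ALLOW" "$2"; then echo allow
    elif file_matches "$1" "$HOSTS_DENY"  "$2"; then echo deny
    else echo allow
    fi
}
```

Note the last branch: a daemon that appears in neither file (ftpd with the sample files above) is still reachable, which is why the deny line must name sshd (or ALL) for the allow list to have any effect.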


Re: [CentOS] Replacing Multiple Servers with One

2013-03-07 Thread Michael Krug


> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Vipul Agarwal
> Sent: Wednesday, March 06, 2013 12:14 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Replacing Multiple Servers with One
> 
> On Wed, Mar 6, 2013 at 4:40 PM, Tim Evans  wrote:
> 
> > We are replacing four servers, running mail, web, ftp, and dns,
> > respectively, with a single server to run all four services.
> >
> > The new server will have a new IP address.
> >
> > It seems fairly straightforward to redirect mail, web, and ftp
> > services to the new server via DNS CNAMES, but I'm not quite sure
> > about how to do the change for the DNS service itself.
> >
> > Is there a need to maintain the old DNS server's IP address during a
> > transition, or longer? Via a virtual IP with the old DNS server's IP
> > address on the new machine, perhaps? Or a second NIC with the old
> > address? Or just have the router redirect incoming DNS requests?
> >
> > Thanks.
> > --
> > Tim Evans   |   5 Chestnut Court
> > Linux/UNIX Consulting   |   Owings Mills, MD 21117
> > http://www.tkevans.com/ |   443-394-3864
> > tkev...@tkevans.com
> >
> 
> Hi Tim,
> 
> To migrate the DNS server, ideally the steps are as follows:
> 
>- Provision the new server and set it up as the secondary DNS server
>- Sync the zones
>- Reduce the TTL of the nameservers
>- Change the new server to primary
>- Change the glue DNS records (from the domain registrar panel, if
>  applicable)
>- Leave the old server running for a few days and monitor for any traffic
> 
> Regards,
> Vipul

Also, if you want to be really safe, you could set the old server to forward
requests to the new one via a redirect in apache, in the mailertable (if
using sendmail), and change the welcome message on the old ftp server to use
the new one until DNS propagates.
