Re: [CentOS] Relabel /usr directory
On 2/4/20 9:59 AM, Sergio Belkin wrote:
> Hi,
> I've done the following:
> - Copy usr content with rsync to another partition:
>
> rsync -av --partial --progress /usr/ /mnt
>
> Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not
> the directory itself). But I've found that it is badly labeled:
>
> ls -Z /usr
> unconfined_u:object_r:unlabeled_t:s0 bin
> unconfined_u:object_r:unlabeled_t:s0 local
> unconfined_u:object_r:unlabeled_t:s0 games
> unconfined_u:object_r:unlabeled_t:s0 sbin
> unconfined_u:object_r:unlabeled_t:s0 include
> unconfined_u:object_r:unlabeled_t:s0 share
> unconfined_u:object_r:unlabeled_t:s0 lib
> unconfined_u:object_r:unlabeled_t:s0 src
> unconfined_u:object_r:unlabeled_t:s0 lib64
> unconfined_u:object_r:unlabeled_t:s0 tmp
>
> How can I restore the default contexts?
>
> I've tried with restorecon and with fixfiles, but no luck, for example:
>
> matchpathcon -V /usr
> /usr error: No data available
>
> How can I fix this?
>
> Thanks in advance.

The -X option to rsync will copy all extended attributes from the old to the new filesystem.

Nataraj
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
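An added example (not code from the thread or from any of its participants) that parses the `ls -Z` listing format shown above and reports which entries came through the copy as `unlabeled_t`, i.e. without their `security.selinux` extended attribute. The `COPIED` listing is the one from the thread; the `ORIGINAL` listing and its contexts are constructed for illustration and are not taken from a real policy.

```python
"""Spot files whose SELinux context was lost in a copy.

Added example, not code from the thread. It parses the `ls -Z` listing
format shown in the thread (context, then name) and reports entries whose
type is unlabeled_t, which is what a tree looks like after an rsync without
-X (the security.selinux xattr was not carried over). The contexts in
ORIGINAL are constructed for illustration, not taken from a real policy.
"""
from typing import NamedTuple


class Entry(NamedTuple):
    user: str
    role: str
    type: str
    level: str
    name: str


# From the thread: what /usr looked like after the copy.
COPIED = """\
unconfined_u:object_r:unlabeled_t:s0 bin
unconfined_u:object_r:unlabeled_t:s0 local
unconfined_u:object_r:unlabeled_t:s0 games
unconfined_u:object_r:unlabeled_t:s0 sbin
unconfined_u:object_r:unlabeled_t:s0 include
unconfined_u:object_r:unlabeled_t:s0 share
unconfined_u:object_r:unlabeled_t:s0 lib
unconfined_u:object_r:unlabeled_t:s0 src
unconfined_u:object_r:unlabeled_t:s0 lib64
unconfined_u:object_r:unlabeled_t:s0 tmp
"""

# Constructed: a plausible listing of the source tree before the copy.
ORIGINAL = """\
system_u:object_r:bin_t:s0 bin
system_u:object_r:usr_t:s0 local
system_u:object_r:usr_t:s0 games
system_u:object_r:bin_t:s0 sbin
system_u:object_r:usr_t:s0 include
system_u:object_r:usr_t:s0 share
system_u:object_r:lib_t:s0 lib
system_u:object_r:src_t:s0 src
system_u:object_r:lib_t:s0 lib64
system_u:object_r:tmp_t:s0 tmp
"""


def parse_ls_z(listing: str) -> list[Entry]:
    """Parse `ls -Z` lines of the form 'user:role:type:level name'."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        context, _, name = line.partition(" ")
        # MLS levels such as s0-s0:c0.c1023 contain ':' themselves, so split
        # on the first three separators only.
        parts = context.split(":", 3)
        if len(parts) != 4 or not name:
            raise ValueError(f"not a '<context> <name>' line: {line!r}")
        entries.append(Entry(*parts, name))
    return entries


def unlabeled(entries: list[Entry]) -> list[str]:
    """Names that carry the unlabeled_t type and need relabeling."""
    return [e.name for e in entries if e.type == "unlabeled_t"]


def label_diff(before: str, after: str) -> dict[str, tuple[str, str]]:
    """Names present in both listings whose type changed (before, after)."""
    src = {e.name: e.type for e in parse_ls_z(before)}
    dst = {e.name: e.type for e in parse_ls_z(after)}
    return {n: (src[n], dst[n]) for n in src if n in dst and src[n] != dst[n]}


if __name__ == "__main__":
    for name, (was, now) in label_diff(ORIGINAL, COPIED).items():
        print(f"{name}: {was} -> {now}")
```

Run `ls -Z` on the source tree before the copy and on the copy afterwards, and feed the two listings to `label_diff()`; an empty result means the labels survived (which is what `rsync -X` gives you), while a list of `unlabeled_t` entries means the xattrs were dropped and a relabel is needed.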
Re: [CentOS] Centos 7: UPD packet checksum verification?
On 1/29/20 3:26 PM, hw wrote:
> On Wednesday, January 29, 2020 6:52:50 PM CET Nataraj wrote:
> [...]
>> By burst, I mean that you don't have a bandwidth commitment with an SLA
>> from your provider. A bandwidth commitment means that you are paying a
>> provider to guarantee you so many MB or GB of bandwidth and this is
>> guaranteed to you. This means it is allocated to you in their network
>> allotments and you can use it at any time.
> Isn't that called more like "guaranteed bandwidth" than "burst"?

Burstable bandwidth is the opposite of guaranteed bandwidth.

> [...]
>>>> Well it sounds like you know where your problem is then. If your
>>>> current provider can't solve the problems to your satisfaction then you
>>>> probably need to find a different provider.
>>> Well, I don't know, I can only be like 99% sure that the problem is with
>>> the VOIP provider. Changing the VOIP provider would be very difficult
>>> because there aren't many left to begin with, and even fewer allow
>>> encrypted connections. And try to find one that has a useful support ...
>>> I might end up with not having a phone anymore, and that would make
>>> things extremely difficult.
>> I can't really speak for the situation in your country. One more thing
>> comes to mind. I don't remember if anyone has mentioned that the 1 way
>> voice problem can be caused by an issue with the stateful packet filter
>> in your firewall. I.E. your firewall has become confused and thinks
>> the UDP connection (well, not really a connection) is no longer active,
>> so it blocks the packets, creating the one way voice scenario. Most
>> phone switch software and VOIP phones have things that can be configured
>> to send extra packets to fool the stateful packet filter into allowing
>> necessary packets to flow. I've never set this up in asterisk, but I
>> suggest you look into it.
> How does a firewall allow the desirable SRTP packets to traverse it in the
> first place?

My firewall is CentOS running iptables, so you would use something like

iptables -A INPUT -p udp -m state [OTHER MATCH OPTIONS] --state ESTABLISHED -j ACCEPT

You would similarly code an OUTPUT rule. You obviously need to permit whatever packets/ports your voice applications require, i.e. SIPS, SRTP etc. I generally limit my VOIP packets to the IP addresses of any POPs that I connect to. There are hackers out there that will connect to your phone switch if you allow VOIP packets from any source. Most commercial firewalls have options to enable VOIP services.

> How would the packets being blocked explain asterisk showing replay errors
> and authentication failures? Packets that aren't there can hardly cause such
> errors.

I don't know. Maybe the 1 way voice problem is different than the replay errors. I'm just throwing out ideas, you'll have to determine if they apply to your situation or not.

> BTW, the VOIP provider is fixing or has fixed the problem now. It turned out
> that they need or needed to update the firmware of some network adapters
> because the old firmware has been causing issues. A test call showed no
> errors on both sides for over 45 minutes.
Re: [CentOS] Centos 7: UPD packet checksum verification?
On 1/29/20 4:48 AM, hw wrote:
> On Wednesday, January 29, 2020 10:10:48 AM CET Nataraj wrote:
>> On 1/28/20 12:39 PM, hw wrote:
>>> On Tuesday, January 28, 2020 9:00:22 AM CET Nataraj wrote:
>>>> On 1/26/20 5:44 PM, hw wrote:
>>>>> On Sunday, January 26, 2020 11:18:36 PM CET Pete Biggs wrote:
>>>>>> First of all - disclaimer - I'm no network specialist, I just read and
>>>>>> am interested in it. I may get things wrong!!
>>>>>>
>>>>>>> Both physical interfaces show the same. But does this mean it's on as
>>>>>>> in "rx-checksumming: on" or off as in "tx-checksum-ipv4: off [fixed]"?
>>>>>> As far as I understand it rx-checksum is the underlying wire
>>>>>> checksumming - and from what I've read about it, disabling that
>>>>>> disables the UDP checksums.
>>>>> You mean layer 1 checksumming? Is there such a thing with ethernet? I
>>>>> think I read something about encoding, when I was trying to understand
>>>>> what "bandwidth" actually means, being involved in signal transmissions;
>>>>> and I seem to remember that there was no checksumming involved and it had
>>>>> to do with identifying signals as a requirement for the very possibility
>>>>> to transmit something before anything could be transmitted at all.
>>>>>
>>>>>>> Assuming that I do not receive packets with invalid UDP checksums, then
>>>>>>> the packages must be somehow altered and their UDP checksums
>>>>>>> recalculated to arrive here. Does bad hardware etc. do that? Why would
>>>>>>> the UDP checksums just happen to get recalculated correctly but like
>>>>>>> randomly without intent?
>>>>>> I'm not sure I understand what you are asking.
>>>>> It is about VOIP calls via SRTP being interrupted at irregular intervals.
>>>>> The intervals appear to depend on the time of day: Such phone calls can
>>>>> last for a duration of about 5--25 minutes during the day to up to 1.5
>>>>> hours at around 3am before being interrupted.
>>>> My sense is you may be starting at too low of a level in trying to debug
>>>> this.
>>> One of the reasons I have to look into it is that it is usually good to
>>> know more/better.
>>>
>>>> I have seen the same kind of problems with my voip service when
>>>> there is a problem with my Internet connection. When this happens I
>>>> also see high retransmission rates for tcp connections and other signs
>>>> of network problem.
>>> How do you monitor such retransmissions to be able to see if and when they
>>> occur?
>> netstat -s | grep -i retrans
> Cool, that gives a lot of information. Retransmissions are at ~0.012/~0.029
> percent on the server/workstation, and the UDP statistics look good.
>
>>>> If I check the modem for my Internet connection
>>>> there are issues with the signal levels and high error rates reported by
>>>> the modem. If you believe your Internet connection is reliable, then if
>>>> you run managed switches, check your switch logs for any reported errors.
>>>>
>>>> You could try tools like iperf to check for problems on your internal
>>>> network. You could run some of the basic tools for testing voip
>>>> performance of your Internet connection and if necessary run iperf to a
>>>> cloud hosted system.
>>> Can you suggest useful tools to analyze VOIP performance, and how do you
>>> define VOIP performance?
>> Well there used to be a number of speedtest-like sites that used to
>> report more accurately latency, jitter and packet loss. It seems most
>> of them have now scaled down their output, but you could use ping. Mean
>> deviation is basically jitter.
>>
>> I think a few of the tests listed on this site still work.
>>
>> https://getvoip.com/blog/2014/05/12/20-best-voip-speed-test-tools/
> Most seem to be tests for bandwidth, and none of the VOIP related sites work.
> Besides, ping times to the US are usually around 200ms, so if there were any
> results to be obtained, they might be questionable.
>
>> There used to be sites that did a calculation for something
Re: [CentOS] Centos 7: UPD packet checksum verification?
On 1/28/20 12:39 PM, hw wrote:
> On Tuesday, January 28, 2020 9:00:22 AM CET Nataraj wrote:
>> On 1/26/20 5:44 PM, hw wrote:
>>> On Sunday, January 26, 2020 11:18:36 PM CET Pete Biggs wrote:
>>>> First of all - disclaimer - I'm no network specialist, I just read and
>>>> am interested in it. I may get things wrong!!
>>>>
>>>>> Both physical interfaces show the same. But does this mean it's on as
>>>>> in "rx-checksumming: on" or off as in "tx-checksum-ipv4: off [fixed]"?
>>>> As far as I understand it rx-checksum is the underlying wire
>>>> checksumming - and from what I've read about it, disabling that
>>>> disables the UDP checksums.
>>> You mean layer 1 checksumming? Is there such a thing with ethernet? I
>>> think I read something about encoding, when I was trying to understand
>>> what "bandwidth" actually means, being involved in signal transmissions;
>>> and I seem to remember that there was no checksumming involved and it had
>>> to do with identifying signals as a requirement for the very possibility
>>> to transmit something before anything could be transmitted at all.
>>>
>>>>> Assuming that I do not receive packets with invalid UDP checksums, then
>>>>> the packages must be somehow altered and their UDP checksums recalculated
>>>>> to arrive here. Does bad hardware etc. do that? Why would the UDP
>>>>> checksums just happen to get recalculated correctly but like randomly
>>>>> without intent?
>>>> I'm not sure I understand what you are asking.
>>> It is about VOIP calls via SRTP being interrupted at irregular intervals.
>>> The intervals appear to depend on the time of day: Such phone calls can
>>> last for a duration of about 5--25 minutes during the day to up to 1.5
>>> hours at around 3am before being interrupted.
>> My sense is you may be starting at too low of a level in trying to debug
>> this.
> One of the reasons I have to look into it is that it is usually good to know
> more/better.
>
>> I have seen the same kind of problems with my voip service when
>> there is a problem with my Internet connection. When this happens I
>> also see high retransmission rates for tcp connections and other signs
>> of network problem.
> How do you monitor such retransmissions to be able to see if and when they
> occur?

netstat -s | grep -i retrans

>> If I check the modem for my Internet connection
>> there are issues with the signal levels and high error rates reported by
>> the modem. If you believe your Internet connection is reliable, then if
>> you run managed switches, check your switch logs for any reported errors.
>>
>> You could try tools like iperf to check for problems on your internal
>> network. You could run some of the basic tools for testing voip
>> performance of your Internet connection and if necessary run iperf to a
>> cloud hosted system.
> Can you suggest useful tools to analyze VOIP performance, and how do you
> define VOIP performance?

Well there used to be a number of speedtest-like sites that used to report more accurately latency, jitter and packet loss. It seems most of them have now scaled down their output, but you could use ping. Mean deviation is basically jitter.

I think a few of the tests listed on this site still work.

https://getvoip.com/blog/2014/05/12/20-best-voip-speed-test-tools/

There used to be sites that did a calculation for something called MOS score, which is a measure of expected voice quality based on the performance of a connection. Don't know if anyone does that anymore. In the VOIP industry there is fancy/expensive equipment for measuring end to end performance, but in practice simple ping output with regular sampling from something like a cron job can tell you a lot.

Basically, what you want is that if your phone system relies on your Internet connection, the POP that you're connecting to needs to be relatively close and have minimal packet loss and similar latency/jitter characteristics on both the up/down stream. Generally that is not too hard to find these days, but if the Internet connectivity to your VOIP POP takes a route half way across the country over the Internet, that's not it. I have one of the lowest cost VOIP providers, voip.ms, and I find the VOIP quality to be excellent and call drop rate to be low except when I have problems with my Internet provider.

> The performance is kinda acceptable as long as the calls are not interrupted.
>
> It's still
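An added example (not code from the thread or from any of its participants) that turns the two sources of numbers mentioned above, `netstat -s | grep -i retrans` and the summary lines of `ping`, into the retransmission rate, packet loss, latency and jitter (ping's `mdev`) a cron job could log and compare against limits. Both sample outputs are constructed in the layout the real tools print, with invented numbers; the thresholds in `assess()` are assumptions, not values from the thread.

```python
"""Turn plain `ping` and `netstat -s` output into the loss, latency, jitter
and TCP-retransmission figures the thread suggests watching.

Added example, not code from the thread. PING_SAMPLE and NETSTAT_SAMPLE are
constructed in the formats iputils ping and net-tools netstat print; the
numbers are invented. The thresholds in assess() are assumptions, not values
from the thread.
"""
import re
from dataclasses import dataclass

# Constructed: the summary ping prints after `ping -c 20 <pop>`.
PING_SAMPLE = """\
--- pop.example.net ping statistics ---
20 packets transmitted, 19 received, 5% packet loss, time 19031ms
rtt min/avg/max/mdev = 18.912/22.417/61.338/9.204 ms
"""

# Constructed: the Tcp: section of `netstat -s`, wording as net-tools prints it.
NETSTAT_SAMPLE = """\
Tcp:
    1523 active connection openings
    34 passive connection openings
    12 connections established
    1029345 segments received
    998812 segments send out
    291 segments retransmitted
    0 bad segments received
"""


@dataclass
class PingStats:
    transmitted: int
    received: int
    loss_pct: float
    rtt_min: float
    rtt_avg: float
    rtt_max: float
    jitter_ms: float  # mdev: the "mean deviation" the thread equates with jitter


def parse_ping(text: str) -> PingStats:
    """Read the two summary lines ping prints after the last reply."""
    loss = re.search(r"(\d+) packets transmitted, (\d+) received, ([\d.]+)% packet loss", text)
    rtt = re.search(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms", text)
    if not loss or not rtt:
        raise ValueError("ping summary lines not found")
    return PingStats(int(loss[1]), int(loss[2]), float(loss[3]),
                     float(rtt[1]), float(rtt[2]), float(rtt[3]), float(rtt[4]))


def tcp_retransmit_pct(text: str) -> float:
    """Retransmitted TCP segments as a percentage of segments sent.

    Accepts both the 'send out' wording net-tools uses and 'sent out', and is
    case-insensitive on 'retransmit', so it counts the same line as the grep
    in the thread."""
    sent = re.search(r"(\d+) segments sen[dt] out", text, re.I)
    retrans = re.search(r"(\d+) segments retransmit", text, re.I)
    if not sent or not retrans:
        raise ValueError("netstat -s TCP counters not found")
    return 100.0 * int(retrans[1]) / int(sent[1])


def assess(ping: PingStats, retrans_pct: float, *, max_loss=1.0, max_jitter=30.0,
           max_rtt=150.0, max_retrans=1.0) -> list[str]:
    """List the limits a sample breaches; an empty list means the link looks fine."""
    findings = []
    if ping.loss_pct > max_loss:
        findings.append(f"packet loss {ping.loss_pct}% exceeds {max_loss}%")
    if ping.jitter_ms > max_jitter:
        findings.append(f"jitter {ping.jitter_ms} ms exceeds {max_jitter} ms")
    if ping.rtt_avg > max_rtt:
        findings.append(f"average rtt {ping.rtt_avg} ms exceeds {max_rtt} ms")
    if retrans_pct > max_retrans:
        findings.append(f"tcp retransmissions {retrans_pct:.3f}% exceed {max_retrans}%")
    return findings


if __name__ == "__main__":
    stats = parse_ping(PING_SAMPLE)
    retrans = tcp_retransmit_pct(NETSTAT_SAMPLE)
    print(stats)
    print(f"tcp retransmissions: {retrans:.3f}%")
    print(assess(stats, retrans) or ["link looks fine"])
```

To use it on a live system, replace the two samples with the captured output of `ping -c 20 <your POP>` and `netstat -s`, and log the `assess()` result from cron; a run of breaches that lines up with the times calls drop is the correlation the thread is after.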
Re: [CentOS] Centos 7: UPD packet checksum verification?
On 1/26/20 5:44 PM, hw wrote:
> On Sunday, January 26, 2020 11:18:36 PM CET Pete Biggs wrote:
>> First of all - disclaimer - I'm no network specialist, I just read and
>> am interested in it. I may get things wrong!!
>>
>>> Both physical interfaces show the same. But does this mean it's on as in
>>> "rx-checksumming: on" or off as in "tx-checksum-ipv4: off [fixed]"?
>> As far as I understand it rx-checksum is the underlying wire
>> checksumming - and from what I've read about it, disabling that
>> disables the UDP checksums.
> You mean layer 1 checksumming? Is there such a thing with ethernet? I think
> I read something about encoding, when I was trying to understand what
> "bandwidth" actually means, being involved in signal transmissions; and I
> seem to remember that there was no checksumming involved and it had to do
> with identifying signals as a requirement for the very possibility to
> transmit something before anything could be transmitted at all.
>
>>> Assuming that I do not receive packets with invalid UDP checksums, then
>>> the packages must be somehow altered and their UDP checksums recalculated
>>> to arrive here. Does bad hardware etc. do that? Why would the UDP
>>> checksums just happen to get recalculated correctly but like randomly
>>> without intent?
>> I'm not sure I understand what you are asking.
> It is about VOIP calls via SRTP being interrupted at irregular intervals.
> The intervals appear to depend on the time of day: Such phone calls can last
> for a duration of about 5--25 minutes during the day to up to 1.5 hours at
> around 3am before being interrupted.

My sense is you may be starting at too low of a level in trying to debug this. I have seen the same kind of problems with my VOIP service when there is a problem with my Internet connection. When this happens I also see high retransmission rates for TCP connections and other signs of network problems.

If I check the modem for my Internet connection there are issues with the signal levels and high error rates reported by the modem. If you believe your Internet connection is reliable, then if you run managed switches, check your switch logs for any reported errors.

You could try tools like iperf to check for problems on your internal network. You could run some of the basic tools for testing VOIP performance of your Internet connection and if necessary run iperf to a cloud hosted system.

I think it is highly unlikely that you are only having issues with SRTP packets and I would look at the broader picture first to try to isolate some other problem in your network or Internet connection.

Nataraj
Re: [CentOS] (SOLVED) YUM (DNF) Possible Confusion Centos 8
On 1/23/20 4:20 PM, david wrote:
> At 03:46 PM 1/23/2020, Nataraj wrote:
>> On 1/23/20 2:29 PM, Nataraj wrote:
>>>
>>> I would agree. I have the same behavior in a Redhat 8 development
>>> system, so it's not a problem with the Centos build. I have not added
>>> any repositories other than the Redhat
>>> codeready-builder-for-rhel-8-x86_64-rpms. I originally installed 8.0 and
>>> have applied all updates. I did not notice the problem until recently.
>>>
>>> # dnf list installed | head -20
>>> Updating Subscription Management repositories.
>>> Modular dependency problems:
>>>
>>>  Problem 1: conflicting requests
>>>   - nothing provides module(perl:5.26) needed by module perl-DBD-SQLite:1.58:8010020190322125518:073fa5fe-0.x86_64
>>>  Problem 2: conflicting requests
>>>   - nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020190322130042:16b3ab4d-0.x86_64
>>> Installed Packages
>>> GConf2.x86_64          3.2.6-22.el8     @AppStream
>>> ModemManager.x86_64    1.10.4-1.el8     @rhel-8-for-x86_64-baseos-rpms
>>> .
>>> .
>>> .
>>>
>> This appears to be a known problem. I found the following workaround on
>> the redhat site. (You need to login and it might require either a
>> license or a developer subscription, which is what I have.)
>>
>> https://access.redhat.com/solutions/4678261
>>
>> The instructions were a little unclear to me, but I did the following
>> and it appears to have solved the problem.
>>
>> [root@rhel8mail nataraj]# dnf check
>> Updating Subscription Management repositories.
>> Modular dependency problems:
>>
>>  Problem 1: conflicting requests
>>   - nothing provides module(perl:5.26) needed by module perl-DBD-SQLite:1.58:8010020190322125518:073fa5fe-0.x86_64
>>  Problem 2: conflicting requests
>>   - nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020190322130042:16b3ab4d-0.x86_64
>>
>> [root@rhel8mail nataraj]# yum module enable perl:5.26
>> Updating Subscription Management repositories.
>> Last metadata expiration check: 1:02:48 ago on Thu 23 Jan 2020 01:42:25 PM PST.
>> Dependencies resolved.
>> ====
>> Package        Architecture   Version        Repository     Size
>> ====
>> Enabling module streams:
>> perl           5.26
>>
>> Transaction Summary
>> ====
>>
>> Is this ok [y/N]: y
>> Complete!
>> [root@rhel8mail nataraj]# dnf check
>> Updating Subscription Management repositories.
>> [root@rhel8mail nataraj]#
>
> >>>>>>>>>> SOLVED <<<<<<<<<<<<<
>
>> Nataraj
>
> Yes, this does eliminate the diagnostic. Exactly what else it does I
> don't know, because I haven't grasped the concept of the module
> streams yet. One thing bothers me, tho.

My sense is it just re-enables the module (which I believe was already enabled), possibly setting a bit somewhere that was not previously set or was set incorrectly.

> Apparently, the problem was identified and workaround described in mid
> December. I encountered the problem in early January, and Google
> searches gave me no clue. Apparently, the RedHat forum on which this
> workaround was described didn't show up, and if it did, I couldn't
> access it. It was your useful "feet in both RedHat and Centos" that
> made the link, but after a few people spent considerable time trying
> to help. If I might be so bold as to suggest that somehow workarounds
> for RedHat problems that would show up in the corresponding CentOS
> release be made visible to the Centos community to avoid duplication
> of effort.

The redhat access page comes up in both google and duckduckgo when I put in the entire 4 lines of the error message. You still have to login to see the solution.

https://www.google.com/search?client=ubuntu&channel=fs&q=+Problem+1%3A+conflicting+requests+++-+nothing+provides+module%28perl%3A5.26%29+needed+by+module+perl-DBD-SQLite%3A1.58%3A8010020190322125518%3A073fa5fe-0.x86_64++Problem+2%3A+conflicting+requests+++-+nothing+provides+module%28perl%3A5.26%29+needed+by+module+perl-DBI%3A1.641%3A8010020190322130042%3A16b3ab4d-0.x86_64&ie=utf-8&oe=utf-8

Other than that you could create a login on the redhat site and register as a developer (free of charge) and have access to some of their online resources including the access knowledgebase. I am mostly a CentOS user, and installed redhat 8 so I could start working on my applications before CentOS 8 was released.

Nataraj
Re: [CentOS] YUM (DNF) Possible Confusion Centos 8
On 1/23/20 2:29 PM, Nataraj wrote:
>
> I would agree. I have the same behavior in a Redhat 8 development
> system, so it's not a problem with the Centos build. I have not added
> any repositories other than the Redhat
> codeready-builder-for-rhel-8-x86_64-rpms. I originally installed 8.0 and
> have applied all updates. I did not notice the problem until recently.
>
> # dnf list installed | head -20
> Updating Subscription Management repositories.
> Modular dependency problems:
>
>  Problem 1: conflicting requests
>   - nothing provides module(perl:5.26) needed by module perl-DBD-SQLite:1.58:8010020190322125518:073fa5fe-0.x86_64
>  Problem 2: conflicting requests
>   - nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020190322130042:16b3ab4d-0.x86_64
> Installed Packages
> GConf2.x86_64          3.2.6-22.el8     @AppStream
> ModemManager.x86_64    1.10.4-1.el8     @rhel-8-for-x86_64-baseos-rpms
> .
> .
> .
>

This appears to be a known problem. I found the following workaround on the redhat site. (You need to login and it might require either a license or a developer subscription, which is what I have.)

https://access.redhat.com/solutions/4678261

The instructions were a little unclear to me, but I did the following and it appears to have solved the problem.

[root@rhel8mail nataraj]# dnf check
Updating Subscription Management repositories.
Modular dependency problems:

 Problem 1: conflicting requests
  - nothing provides module(perl:5.26) needed by module perl-DBD-SQLite:1.58:8010020190322125518:073fa5fe-0.x86_64
 Problem 2: conflicting requests
  - nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020190322130042:16b3ab4d-0.x86_64

[root@rhel8mail nataraj]# yum module enable perl:5.26
Updating Subscription Management repositories.
Last metadata expiration check: 1:02:48 ago on Thu 23 Jan 2020 01:42:25 PM PST.
Dependencies resolved.
====
Package        Architecture   Version        Repository     Size
====
Enabling module streams:
perl           5.26

Transaction Summary
====

Is this ok [y/N]: y
Complete!
[root@rhel8mail nataraj]# dnf check
Updating Subscription Management repositories.
[root@rhel8mail nataraj]#
Re: [CentOS] YUM (DNF) Possible Confusion Centos 8
> Simon and others
> Here's a very simple and hopefully reproducible test-case
>
> Select as your boot ISO:
> CentOS-8.1.1911-x86_64-dvd1.iso
> Choose to reclaim all space on the disk
> Choose 'Minimal Install' as the software selection
> Connect yourself to the network (I use a wired connection)
> Don't bother creating a user, just provide your root password.
> Complete the install.
>
> After the reboot, issue as root:
> yum -y install perl chrony perl-libwww-perl perl-App-cpanminus gcc
>
> When that is complete, issue:
> yum list installed >nul
> and you get conflicting requests as follows:
>
> Modular dependency problems:
>
>  Problem 1: conflicting requests
>   - nothing provides module(perl:5.26) needed by module perl-App-cpanminus:1.7044:8010020191120175858:a9207fc6-0.x86_64
>  Problem 2: conflicting requests
>   - nothing provides module(perl:5.26) needed by module perl-YAML:1.24:8010020191114031501:a5949e2e-0.x86_64
>
> This doesn't seem like the expected results from a clean install.
> No changes were made in the repo files as supplied on the boot disc.

I would agree. I have the same behavior in a Redhat 8 development system, so it's not a problem with the Centos build. I have not added any repositories other than the Redhat codeready-builder-for-rhel-8-x86_64-rpms. I originally installed 8.0 and have applied all updates. I did not notice the problem until recently.

# dnf list installed | head -20
Updating Subscription Management repositories.
Modular dependency problems:

 Problem 1: conflicting requests
  - nothing provides module(perl:5.26) needed by module perl-DBD-SQLite:1.58:8010020190322125518:073fa5fe-0.x86_64
 Problem 2: conflicting requests
  - nothing provides module(perl:5.26) needed by module perl-DBI:1.641:8010020190322130042:16b3ab4d-0.x86_64
Installed Packages
GConf2.x86_64          3.2.6-22.el8     @AppStream
ModemManager.x86_64    1.10.4-1.el8     @rhel-8-for-x86_64-baseos-rpms
.
.
.

> David
Re: [CentOS] Blocking attacks from a range of IP addresses
On 1/9/20 2:08 AM, Pete Biggs wrote:
>> Has anyone created a fail2ban filter for this type of attack? As of
>> right now, I have manually banned a range of IP addresses but would
>> like to automate it for the future.
>>
> As far as I can see fail2ban only deals with hosts and not networks - I
> suspect the issue is what is a "network": It may be obvious to you
> looking at the logs that these are all related, but you run the risk
> that getting denied accesses from, say, 1.0.0.1 and 1.1.0.93 and
> 1.2.0.124 may be interpreted as a concerted attack and you banning half
> the internet - but that may not be a bad thing :-)
>
> What I've done in times of trouble is to be a bit more aggressive in
> why and how hosts are banned. It depends on how you are being attacked,
> but setting the threshold to 1 or 2 failures resulting in a ban and
> then setting the ban time to something fairly short. Repeat offenders
> will then quickly be picked up by the recidive filter and permanently
> banned.
>
> A downside to this is that your firewall filters get very large and
> things will inevitably slow down, but it will at least give you the
> chance to manually block a whole range but still give you a level of
> automated protection.
>
> P.

Since you can configure fail2ban to invoke scripts, I would think it would be possible to get it to block CIDRs (variable size subnets, i.e. 12.12.0.0/20). That said, I don't have a quick and easy implementation on hand.

One thing that has proven useful to me in dealing with these kinds of attacks is to look up the route for the specified IP address in the Internet routing tables and then block the entire CIDR block. You can also determine which autonomous system (AS number) the attack is coming from and block other routes owned by that provider. Other options include determining the GeoIP location, i.e. country of origin of the attacks, and blocking by country. "whois 12.12.12.12" will also provide useful information about the CIDR block that you are dealing with.

To look up routes on the Internet, connect to one of the route views servers, such as this:

$ telnet route-server.ip.att.net

Follow the login instructions provided in the login banner, then give the command:

show route 12.12.12.12

and it will show you that this IP is part of the larger CIDR block 12.12.0.0/20. So block 12.12.0.0/20 instead of just one IP (assuming your attacks are coming from a particular block). You'll have to consider whether the CIDR block that you are considering blocking will impact your users or not.

The att route-server is a Juniper. Some route servers are Ciscos and there you would use commands like:

show ip route 12.12.12.12
or
show ip bgp 12.12.12.12

An example of a Cisco based route server would be:

telnet route-views.routeviews.org

http://routeviews.org/ lists a bunch of route views servers down near the bottom, which appear to be accessible by telnet. Note, quagga based route servers are open source imitations of the Cisco command interface and have similar commands to the Ciscos.

Nataraj
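An added example (not code from the thread, and not a fail2ban action) of the bookkeeping behind the advice above: take the hosts fail2ban has banned one at a time, group them by the covering prefix a route server or `whois` reports, and drop a whole prefix only when several offenders sit inside it and none of your own users or POPs do. The prefix table, offender list and protected list are all constructed; `12.12.0.0/20` is the block the thread uses as its example, and the rule shape in `firewall_rules()` is an assumed plain `iptables` DROP.

```python
"""Group banned addresses by the routed prefix they belong to and decide which
whole prefixes can be dropped without catching your own users.

Added example, not code from the thread and not a fail2ban action. The
prefix table is constructed: in practice you fill it from `show route <ip>`
on a route server or from `whois`, as the thread describes. Offender and
protected addresses are constructed too (12.12.0.0/20 is the block the
thread uses as its example).
"""
import ipaddress
from collections import defaultdict

# Constructed: covering prefixes as a route server would report them.
ROUTE_TABLE = [ipaddress.ip_network(p) for p in
               ("12.12.0.0/20", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed: hosts fail2ban has banned one at a time.
OFFENDERS = ["12.12.12.12", "12.12.3.7", "12.12.14.200", "203.0.113.5", "192.0.2.9"]

# Constructed: addresses that must stay reachable (your users, your VoIP POP).
PROTECTED = ["203.0.113.20"]


def covering_prefix(ip, table):
    """Longest-prefix match of ip against the table; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in table if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def group_by_prefix(ips, table):
    """Map each covering prefix (or the host itself if unrouted here) to its offenders."""
    groups = defaultdict(list)
    for ip in ips:
        net = covering_prefix(ip, table) or ipaddress.ip_network(ip)
        groups[net].append(ip)
    return dict(groups)


def plan_bans(ips, table, protected, min_hits=2):
    """Split offenders into prefixes to drop whole, hosts to drop singly, and
    prefixes that were skipped because a protected address lives inside."""
    prot = [ipaddress.ip_address(p) for p in protected]
    block, single, skipped = [], [], []
    for net, hits in group_by_prefix(ips, table).items():
        if net.prefixlen == net.max_prefixlen or len(hits) < min_hits:
            single.extend(hits)          # one host, or too few hits to justify a block
        elif any(p in net for p in prot):
            skipped.append(net)          # blocking it would cut off someone we need
            single.extend(hits)
        else:
            block.append(net)
    return block, single, skipped


def firewall_rules(block, single, chain="INPUT"):
    """iptables/ip6tables DROP rules for the plan (an assumed rule shape)."""
    rules = []
    for net in block:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -I {chain} -s {net.with_prefixlen} -j DROP")
    for ip in single:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{tool} -I {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    block, single, skipped = plan_bans(OFFENDERS, ROUTE_TABLE, PROTECTED)
    print("\n".join(firewall_rules(block, single)))
    print("skipped (protected address inside):", [str(n) for n in skipped])
```

With the constructed data the three `12.12.x.x` offenders collapse into the `12.12.0.0/20` block, `203.0.113.5` stays a single-host ban because it is the only hit in its /24, and lowering `min_hits` to 1 shows the other half of the check: that /24 is then skipped because a protected address lives in it.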
Re: [CentOS] Virtual problem
On 12/6/19 4:59 AM, Nikos Gatsis - Qbit wrote:
> Hello list.
>
> I have already installed winserver 2019 on centos 7 qemu and it works fine.
>
> Now I install a second image with win 2019 and it connects to the internet
> but I can't ping it or connect to it.
>
> Both installations use the same br0. Is that correct?
>
> Any other suggestions?
>
> Thank you.
>
> Nikos.

If the VM's only network connection is on a bridge on its host, then it will only be reachable from the local host or other VMs that are also connected to that bridge (assuming you have not set up routing of the bridge's network to the rest of your LAN). If you want to be able to connect to the VM from other hosts on your LAN, then you probably want to give the VM an interface on one of the LAN interfaces on your host.

Nataraj
Re: [CentOS] how to increase DNS reliability?
On 7/26/19 6:52 AM, Giles Coochey wrote:
>
> On 26/07/2019 14:45, Leroy Tennison wrote:
>> This brings up one of the caveats for (at least ISC) DNS, if the
>> master goes down the slaves will take over for a time but eventually
>> will stop serving for the domains of the master if it remains down
>> too long. If my (sometimes faulty) memory serves me well it is in
>> the three day range (but configurable) which is ample time unless the
>> problem occurs early in a holiday weekend and the
>> notification/escalation process isn't what it should be (Murphy's
>> Law)...
>
> The value you refer to is the SOA record _expire_ value for a zone, I
> believe it should be set to between 14 and 28 days.
>
> https://en.wikipedia.org/wiki/SOA_record

If you administer the secondary slave servers, there is no reason not to use a very large number, 30 days or more, for the SOA expiration. The only reason to use a lower number would be if you don't have control over the slave servers and don't want to have old zone files that you can't update.

Another alternative, which many people did for years in the early days when zone transfers were unreliable, is to use a script which replicates the entire DNS configuration to the secondaries and then run all the servers as primary masters. If the script is written cleanly, you can then edit the zone on any server and rsync it to the other servers. The main thing is to prevent multiple people applying updates simultaneously.

Nataraj
Re: [CentOS] how to increase DNS reliability?
On 7/25/19 4:31 PM, Nataraj wrote:
> It doesn't really help those clients I can not run name servers on,
> though.

Another alternative is to look at the multicast DNS (mDNS) protocol. I have no experience with it, so I can't say very much, but I know it exists. I'm pretty sure it's implemented in the avahi daemon, so it may just be an issue of enabling it on the client. If your client supports it then I would think that all you have to do is enable it.

Nataraj
Re: [CentOS] how to increase DNS reliability?
On 7/25/19 1:10 PM, hw wrote:
>>
>> Configure all dns servers as primary slaves (plus 1 primary master) for
>> your own domains. I have never seen problems with resolution of local
>> dns domains when the Internet was down.
>
> It seemed to have to do with the TTL for the local names being too
> short and DNS being designed to generally query root servers rather
> than sticking to their local information.

It has nothing to do with the ttl. The TTL does cause expiration in an authoritative server. TTLs only affect caching servers.

The primary master gets changed when you edit the local zone database. The secondary slave gets updated when the serial number in the SOA record on the primary master gets bumped. You must either do that manually or use a zone database management tool that does it for you.

If a dns server is configured as a primary master or a secondary slave for a domain, then it is authoritative for that domain and does not require queries to any other server on your network or on the Internet. The difference between a primary master and a secondary slave is the primary master is where you edit the zone records and the secondary slave replicates the zone database from the primary master. Even if the primary master goes down, the secondary slave still has a copy of the zone files in its disk files (or other database format that you configure) and will serve them flawlessly.

One way to see if a server is properly configured as authoritative for a domain is:

nataraj@pygeum:~$ dig mydomain.com. soa @127.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> mydomain.com. soa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52104
;; flags: qr *aa* rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 64f402c0c22d57aa2bbb10fc5d3a340d8c19377b924d01c2 (good)
;; QUESTION SECTION:
;mydomain.com.			IN	SOA

;; ANSWER SECTION:
Mydomain.Com.		14400	IN	SOA	ns1.mydomain.com. postmaster.Mydomain.COM. 2019072505 1200 600 15552000 14400

;; AUTHORITY SECTION:
Mydomain.Com.		14400	IN	NS	ns1.Mydomain.Com.
Mydomain.Com.		14400	IN	NS	ns2.Mydomain.Com.
Mydomain.Com.		14400	IN	NS	ns3.Mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com.	14400	IN	A	8.8.8.8

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 25 15:58:21 PDT 2019
;; MSG SIZE  rcvd: 243

The AA flag in the flags section tells you that you have queried a dns server that is authoritative for the domain that you queried. If it doesn't have the AA flag then you have not properly set up the primary master or secondary slave for that domain. If your masters and slaves are all configured correctly for a domain then they will all have the same serial number in the SOA record (and same results for any query in that domain). If they don't then something is wrong and your zone transfers are not occurring properly.

>
>> Depending on the size of your network, you can run a caching server on
>> each host (configured as a primary slave for your own domains) and then
>> configure that local server to use forwarders. When you use multiple
>> forwarders the local server does not have to wait for timeouts before
>> querying another server. Then you just run 2 or more servers to use for
>> forwarding. Use forward-only to force all local servers to use only
>> forwarding (for security and caching reasons). Much simpler than using
>> keepalived.
>
> Hm. I thought about something like that, but without the separation
> into local slaves using forwarders and the forwarders. I will
> probably do that; it seems like the most reasonable solution, and I
> should have at least one forwarder anyway so as not to leak
> information to the internet-only VLANs. It would be an improvement in
> several ways and give better reliability.

The local server can have forward-only either on or off. If off, it will go out directly to the Internet if it does not receive a response from a forwarder. Using forward only and putting your forwarders on a separate network away from your inside network means if there is a security hole in the nameserver, your inside hosts are less likely to be compromised. You could also configure your ISP's or google or other public recursive name servers as forwarders if you don't want to run your own.

>
> It doesn't really help those clients I can not run name servers on,
> though.
>
>
> In recent years I *have not had any* problems with bind9 or
>> powerdns crashing.
>>
>> As far as using the ISC server vs powerdns, you may want to check on
>> peoples recent experiences. There was a time when
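The two checks described in the message above (every server answers with the AA flag, and every master and slave carries the same SOA serial), automated over `dig <zone> soa @<server>` output in the format shown there. This is an added example, not code from the thread; the server names and the dig responses below are constructed placeholders.

```python
"""Check that every nameserver for a zone answers authoritatively and that
all of them carry the same SOA serial, by parsing `dig <zone> soa @<server>`
output. Added example, not from the original post; sample responses and
hostnames are constructed placeholders."""
import re
from typing import Dict, List

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status: (\w+)")
# SOA RDATA order: mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+",
    re.MULTILINE | re.IGNORECASE,
)


def parse_dig(output: str) -> dict:
    """Extract status, AA flag and SOA serial from one dig output. The post
    shows the flag highlighted as *aa*; real dig prints plain 'aa', and the
    asterisks are stripped so both forms parse."""
    m = FLAGS_RE.search(output)
    flags = m.group(1).replace("*", "").split() if m else []
    status = STATUS_RE.search(output)
    soa = SOA_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "aa": "aa" in flags,
        "serial": int(soa.group(1)) if soa else None,
    }


def check_zone(responses: Dict[str, str]) -> List[str]:
    """Return one problem string per misconfigured server plus one more if the
    serials disagree; an empty list means all servers are authoritative and
    in sync (zone transfers are working)."""
    problems: List[str] = []
    parsed = {srv: parse_dig(out) for srv, out in responses.items()}
    for srv, info in parsed.items():
        if info["status"] != "NOERROR":
            problems.append(f"{srv}: status {info['status']}")
        elif not info["aa"]:
            problems.append(f"{srv}: answer is not authoritative (no AA flag)")
        elif info["serial"] is None:
            problems.append(f"{srv}: no SOA record in answer")
    serials = {i["serial"] for i in parsed.values() if i["serial"] is not None}
    if len(serials) > 1:
        detail = ", ".join(f"{s}={i['serial']}" for s, i in parsed.items())
        problems.append(f"SOA serials differ, zone transfers are probably failing: {detail}")
    return problems


def dig_sample(serial: int, aa: bool, status: str = "NOERROR") -> str:
    """Build a constructed dig-style response for the placeholder zone
    mydomain.com, mirroring the header, flags and answer section layout."""
    flags = "qr aa rd ra" if aa else "qr rd ra"
    return (
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1234\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1\n"
        "\n;; ANSWER SECTION:\n"
        "mydomain.com.\t\t14400\tIN\tSOA\tns1.mydomain.com. postmaster.mydomain.com. "
        f"{serial} 1200 600 15552000 14400\n"
    )


# Constructed responses: one stale slave and one cache-only resolver
# that is not a slave for the zone at all.
CONSTRUCTED_RESPONSES = {
    "ns1 (primary master)": dig_sample(2019072505, aa=True),
    "ns2 (secondary slave)": dig_sample(2019072505, aa=True),
    "ns3 (stale secondary)": dig_sample(2019072401, aa=True),
    "cache-only resolver": dig_sample(2019072505, aa=False),
}

if __name__ == "__main__":
    for line in check_zone(CONSTRUCTED_RESPONSES) or ["all servers authoritative, serials agree"]:
        print(line)
```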
Re: [CentOS] how to increase DNS reliability?
On 7/25/19 8:14 AM, Nataraj wrote:
> On 7/25/19 6:48 AM, rai...@ultra-secure.de wrote:
>> On 2019-07-25 15:41, hw wrote:
>>> On 7/25/19 2:53 PM, rai...@ultra-secure.de wrote:
>>>> On 2019-07-25 14:51, hw wrote:
>>>>> Hi,
>>>>>
>>>>> how can DNS reliability, as experienced by clients on the LAN who are
>>>>> sending queries, be increased?
>>>>>
>>>>> Would I have to set up some sort of cluster consisting of several
>>>>> servers all providing DNS services which is reachable under a single
>>>>> IP address known to the clients?
>>>>>
>>>>> Just setting up several name servers and making them known to the
>>>>> clients
>>>>> for the clients to automatically switch isn't a good solution because
>>>>> the clients take their timeouts and users lacking even the most basic
>>>>> knowledge inevitably panic when the first name server does not answer
>>>>> queries.
>>>> Run a local cache (unbound) and enter all your local resolvers as
>>>> upstreams.
>>> That can fail just as well --- or be even worse when the clients
>>> can't switch
>>> over anymore. I have that and am avoiding to use it for some clients
>>> because
>>> it takes a while for the cache to get updated when I make changes.
>>>
>>> However, if that cache fails, chances are that the internet
>>> connection is also
>>> down in which case it can be troublesome to even get local host names
>>> resolved.
>>> When that happens, trouble is to be expected.
>>
>> Anything else is - IMHO - much more work, much more complicated and
>> much more likely to fail, in a more spectacular way.
>> Especially all those keepalive "solutions".
>>
>> I have found that I need to restart unbound if all upstreams had failed.
>
> Configure all dns servers as primary slaves (plus 1 primary master) for
> your own domains. I have never seen problems with resolution of local
> dns domains when the Internet was down.

I meant to say: Configure all dns servers as secondary/slaves (one should be the primary master) for your own domains. This means that all of your servers are authoritative for your own domains, so they cannot fail on local dns lookups due to Internet problems.

>
> Depending on the size of your network, you can run a caching server on
> each host (configured as a primary slave for your own domains) and then
> configure that local server to use forwarders. When you use multiple
> forwarders the local server does not have to wait for timeouts before
> querying another server. Then you just run 2 or more servers to use for
> forwarding. Use forward-only to force all local servers to use only
> forwarding (for security and caching reasons). Much simpler than using
> keepalived. In recent years I *have not had any* problems with bind9 or
> powerdns crashing.
>
> As far as using the ISC server vs powerdns, you may want to check on
> people's recent experiences. There was a time when many thought powerdns
> had much better performance and fewer security issues. For various
> reasons I've seen some people, including myself, switch back to ISC
> bind9. I switched about 1.5 years ago because I was getting better
> performance from bind9. You may want to check out other people's
> experience before switching to powerdns.
>
>
> Nataraj
>

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] how to increase DNS reliability?
On 7/25/19 6:48 AM, rai...@ultra-secure.de wrote:
> On 2019-07-25 15:41, hw wrote:
>> On 7/25/19 2:53 PM, rai...@ultra-secure.de wrote:
>>> On 2019-07-25 14:51, hw wrote:
>>>> Hi,
>>>>
>>>> how can DNS reliability, as experienced by clients on the LAN who are
>>>> sending queries, be increased?
>>>>
>>>> Would I have to set up some sort of cluster consisting of several
>>>> servers all providing DNS services which is reachable under a single
>>>> IP address known to the clients?
>>>>
>>>> Just setting up several name servers and making them known to the
>>>> clients
>>>> for the clients to automatically switch isn't a good solution because
>>>> the clients take their timeouts and users lacking even the most basic
>>>> knowledge inevitably panic when the first name server does not answer
>>>> queries.
>>>
>>> Run a local cache (unbound) and enter all your local resolvers as
>>> upstreams.
>>
>> That can fail just as well --- or be even worse when the clients
>> can't switch
>> over anymore. I have that and am avoiding to use it for some clients
>> because
>> it takes a while for the cache to get updated when I make changes.
>>
>> However, if that cache fails, chances are that the internet
>> connection is also
>> down in which case it can be troublesome to even get local host names
>> resolved.
>> When that happens, trouble is to be expected.
>
>
> Anything else is - IMHO - much more work, much more complicated and
> much more likely to fail, in a more spectacular way.
> Especially all those keepalive "solutions".
>
> I have found that I need to restart unbound if all upstreams had failed.

Configure all dns servers as primary slaves (plus 1 primary master) for your own domains. I have never seen problems with resolution of local dns domains when the Internet was down.

Depending on the size of your network, you can run a caching server on each host (configured as a primary slave for your own domains) and then configure that local server to use forwarders. When you use multiple forwarders the local server does not have to wait for timeouts before querying another server. Then you just run 2 or more servers to use for forwarding. Use forward-only to force all local servers to use only forwarding (for security and caching reasons). Much simpler than using keepalived. In recent years I *have not had any* problems with bind9 or powerdns crashing.

As far as using the ISC server vs powerdns, you may want to check on people's recent experiences. There was a time when many thought powerdns had much better performance and fewer security issues. For various reasons I've seen some people, including myself, switch back to ISC bind9. I switched about 1.5 years ago because I was getting better performance from bind9. You may want to check out other people's experience before switching to powerdns.

Nataraj
[CentOS] Rhel8 guest and window resizing (possible OT)
I have installed a redhat 8 server in a KVM/Qemu VM guest to prepare for CentOS 8. The host is running Ubuntu 18.04. Window resizing does not work at all (it works in ubuntu and windows guests). Is this a problem with incompatible versions of spice, or is there something else besides the spice daemon that I should be looking at? Does this work correctly under a CentOS 6 & 7 host?

Display device is set as follows (same as ubuntu guest):

Type: spice server
listen type: address
Address: localhost only
port: auto (5900)
TLS port: auto
password: (none, field is blank)
keymap: (none, field is blank)
OpenGL: (not checked)

Spice agent is running in RHEL8 vm:

gdm       2900  0.0  0.2 256148  7992 ?  Ssl  08:32  0:00 /usr/bin/spice-vdagent
root      2909  0.0  0.0  49152   336 ?  Ss   08:32  0:00 /usr/sbin/spice-vdagentd
nataraj   7640  0.0  0.1 256148  7736 ?  Ssl  08:32  0:00 /usr/bin/spice-vdagent

Following spice packages are installed in RHEL8 GUEST.

spice-server-0.14.0-7.el8.x86_64
spice-glib-0.35-7.el8.x86_64
spice-gtk3-0.35-7.el8.x86_64
spice-vdagent-0.18.0-3.el8.x86_64

Following packages are installed on KVM/Qemu host:

ii  gir1.2-spiceclientglib-2.0:amd64  0.34-1.1build1     amd64  GObject for communicating with Spice servers (GObject-Introspection)
ii  gir1.2-spiceclientgtk-3.0:amd64   0.34-1.1build1     amd64  GTK3 widget for SPICE clients (GObject-Introspection)
ii  libspice-client-glib-2.0-8:amd64  0.34-1.1build1     amd64  GObject for communicating with Spice servers (runtime library)
ii  libspice-client-gtk-3.0-5:amd64   0.34-1.1build1     amd64  GTK3 widget for SPICE clients (runtime library)
ii  libspice-server1:amd64            0.14.0-1ubuntu2.4  amd64  Implements the server side of the SPICE protocol
ii  spice-client-glib-usb-acl-helper  0.34-1.1build1     amd64  Helper tool to validate usb ACLs
ii  spice-vdagent                     0.17.0-1ubuntu2

Ubuntu Guest has following packages installed:

ii  spice-vdagent  0.17.0-1ubuntu2  amd64  Spice agent for Linux

Thank You,
Nataraj
Re: [CentOS] Centos 7 and backup solution
My primary backups are done with dar, http://dar.linux.free.fr/

I also periodically do backups in other formats such as rsync and tar for redundancy.

Nataraj
Re: [CentOS] NetworkManager and /etc/resolv.conf
On 11/17/18 8:31 AM, Alice Wonder wrote:
> On 11/17/2018 07:01 AM, Alice Wonder wrote:
>> On 11/17/2018 06:43 AM, Alice Wonder wrote:
>>> CentOS 7.5 image running on linode.
>>>
>>> unbound running on localhost.
>>>
>>> Have to use a cron job once a minute to keep /etc/resolv.conf using
>>> the localhost for name resolution - whenever NetworkManager gets
>>> restarted (usually only a system boot) it gets over-written.
>>>
>>> It seems every distro has a different way of preventing
>>> NetworkManager from replacing that file.
>>>
>>> I found instructions for Fedora that said create
>>> /etc/NetworkManager/conf.d/no-dns.conf containing
>>>
>>> [main]
>>> dns=none
>>>
>>> That doesn't seem to have any effect.
>>>
>>> Poking around, I find a file on boot seems to be created called
>>>
>>> /var/run/NetworkManager/resolv.conf
>>>
>>> It has most of the contents of what ends up in /etc/resolv.conf -
>>> except w/o the last line, which just reads rotate in generated
>>> /etc/resolv.conf.
>>>
>>> It says it's generated by NetworkManager (both /etc/resolv.conf and
>>> the one in /var/run/NetworkManager) but neither are specific enough
>>> to indicate what is causing them to be created so I can turn it off.
>>>
>>> Anyone know how to tell NetworkManager to just not create that file?
>>>
>>> Using a cron job to overwrite it once a minute works but there must
>>> be a proper way.
>>>
>>> I really wish KISS was a design goal when designing system
>>> configuration.
>>
>> Just found this -
>>
>> # cat dhclient-exit-hooks
>> echo 'options rotate' >> /etc/resolv.conf
>>
>> That's where the last line in /etc/resolv.conf is coming from.
>
> Okay replacing the contents of dhclient-exit-hooks with
>
> echo -e 'nameserver 127.0.0.1\nnameserver ::1' > /etc/resolv.conf
>
> seems to do what I need.
>
> I hope RHEL/CentOS 8 do networking better, as in, not have spaghetti
> scripts called here and there making something that should be a config
> option hard to do.
>
> With DNS the only way to trust results is if the zone is signed and
> local resolver validates. You can't ever trust external nameservers
> defined by dhcp to validate. So there's very valid reasons to want to
> use local unbound.

I don't know about CentOS 7 because I'm running CentOS 6, but on other systemd distributions where I've run into similar issues I was either able to add a hardcoded DNS server to network manager or resolve the problem through systemd-resolved. In one case I resolved the issue best by disabling systemd-resolved, but if you check the man page for systemd-resolved as well as the man page for resolved.conf (/etc/systemd/resolved.conf on other distributions) my sense is you will find a cleaner solution. It would seem to me that if you are running bind or powerdns on your local host, then it would make sense to me to disable systemd-resolved, since you don't need so many layers of caching dns resolvers.

Nataraj
Re: [CentOS] RHEL 8 Public Beta Released
On 11/15/18 8:12 PM, Simon Matter wrote:
>>
>>
>> It's upstream's decision to not support lists anymore.
>>
>> The Customer Portal is part of the substitution
> Thanks, that's exactly what I was afraid to hear.
>
> Simon
>

According to https://developers.redhat.com/blog/2018/11/15/red-hat-enterprise-linux-8-beta-is-here/ you can sign up and become a redhat developer in order to be a beta tester for RHEL 8. I haven't done it yet, but I intend to try. I would hope that it would provide some type of mechanism for reporting bugs and some type of forum access.

Nataraj
Re: [CentOS] XPS 13 9370 / CentOS compat
On 11/7/18 9:09 AM, Nataraj wrote:
> --
>
> I have an xps 13 9360 and had problems with the killer wireless. I got virtually 0 support from Dell on this issue. Some people who upgraded their warranty to Dell Pro Support were able to get Dell to send them a new ethernet card, but some upgraded their support and still got no help.
>
> I am running Ubuntu 18.04 on mine. A while back, I don't know the exact date, there was a substantial bugfix in the mainline kernel which appeared in the Ubuntu kernel roughly in the May/June 2018 timeframe which improved support for the killer chip. You might check to see if this bugfix got backported to redhat/centos. Also some people have tweaked some parameters in the driver and improved the performance of their killer ethernets.
>
> Before you order a card, I suggest you verify that your laptop actually has one. (I believe if you download the manuals for your xps, it will include instructions for replacing the card if it is replaceable). My understanding was that as of the 2018 models, most, if not all of these laptops switched from using cards to soldering the chips directly on the motherboard.
>
> I did replace my ethernet card with an Intel 8265 card (my xps is a 2017 model). For me the 8265 works well with some wifi hubs, but has packet loss problems with others, particularly some older hubs that I have. I did verify that the killer card performed well under windows 10 with the same hubs which did not work well under Linux.
>
> Nataraj

I don't have reference to this bug in redhat/centos, but you might check...

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1670041

Other than this wireless issue, everything else works on my XPS 9360, including the touch screen. You might try booting various live CD's.
Re: [CentOS] XPS 13 9370 / CentOS compat
On 11/7/18 7:28 AM, Leon Fauster via CentOS wrote:
> On 07.11.2018 at 15:15, Jim Perrin wrote:
>> On 11/3/18 12:32 PM, Leon Fauster via CentOS wrote:
>>> Anyone with some Dell laptop XPS 13 9370 (2018) experience here?
>>> Especially with that "Killer 1435 (802.11ac 2x2 und Bluetooth)" device?
>>> Supported by the stock kernel (EL7)?
>>
>> I had reasonably unreliable performance with that particular chip (sometimes wireless wouldn't wake up from sleep and I'd have to reboot), and ended up replacing it with an intel 8265 chip. It takes about 10 minutes to swap, and got me much better performance on my 9370. Link below is the one I picked up, but you may be able to find it for cheaper. Dell tells me that swapping it doesn't void the warranty, so I'm good with it.
>>
>> https://www.amazon.com/gp/product/B01MZA1AB2
>
> Thank you for taking the time. Valuable information!
>
> The 9365 variant seems to be shipped with an Intel 8265 card. I will get in contact with DELL and try to request it for the 9370 model ...

--

I have an xps 13 9360 and had problems with the killer wireless. I got virtually 0 support from Dell on this issue. Some people who upgraded their warranty to Dell Pro Support were able to get Dell to send them a new ethernet card, but some upgraded their support and still got no help.

I am running Ubuntu 18.04 on mine. A while back, I don't know the exact date, there was a substantial bugfix in the mainline kernel which appeared in the Ubuntu kernel roughly in the May/June 2018 timeframe which improved support for the killer chip. You might check to see if this bugfix got backported to redhat/centos. Also some people have tweaked some parameters in the driver and improved the performance of their killer ethernets.

Before you order a card, I suggest you verify that your laptop actually has one. (I believe if you download the manuals for your xps, it will include instructions for replacing the card if it is replaceable). My understanding was that as of the 2018 models, most, if not all of these laptops switched from using cards to soldering the chips directly on the motherboard.

I did replace my ethernet card with an Intel 8265 card (my xps is a 2017 model). For me the 8265 works well with some wifi hubs, but has packet loss problems with others, particularly some older hubs that I have. I did verify that the killer card performed well under windows 10 with the same hubs which did not work well under Linux.

Nataraj
Re: [CentOS] reading old dump backups from 2009
On 11/3/18 5:17 AM, Jonathan Billings wrote:
> On Nov 3, 2018, at 06:26, Pete Biggs wrote:
>> I don't think dump has changed anything in 20 years or so! And I
>> certainly can't see it changing such that it can't read old files -
>> that is, sort of, its raison d'etre.
>
> A bit off topic but...
>
> Funny story, at a previous job, my boss was able to extract the data off tapes made in the 80s on tops-20 systems (iirc) with the version of restore on FreeBSD, but couldn’t get the tape drive to work on anything but Linux, so he had to extract the tapes on a RHL system then copy them to FreeBSD to read into the restore program. He actually was able to find the data he was looking for.
>
> --
> Jonathan Billings

I actually had some of those tapes written on a tops-20 system as well as ebcdic tapes written on an IBM 370. Though at one point I had three 7-foot-tall racks filled with servers in my home, I decided I was never going to get a TU77 or other similar tape drive, so I disposed of those old tapes. There is actually a KL10 running tops-20 still on the Internet today...

https://sdf.org/twenex/?

Nataraj
Re: [CentOS] reading old dump backups from 2009
On 11/3/18 9:35 AM, Nataraj wrote:
> On 11/3/18 3:26 AM, Pete Biggs wrote:
>>> restore tvf u1_l0_04-29-09_md1.dump
>>> Verify tape and initialize maps
>>> Input is from a local file/pipe
>>> Checksum error 2030402, inode 0 file (null)
>>> restore: Tape is not a dump tape
>>
>> what does 'file' think the file is - i.e. what does
>>
>> file u1_l0_04-29-09_md1.dump
>
> u1_l0_04-29-09_md1.dump: data
>
> Which I did think was odd. I had also tried
>
> bzcat u1_l0_04-29-09_md1.dump
> bzcat: u1_l0_04-29-09_md1.dump is not a bzip2 file.
>
> but I didn't remember if dump might have its own headers before the compressed data.
>
>> The dump is compressed. What was the command line you used to create the dump file?
>>
>> Have you tried using
>>
>> restore tzvf u1_l0_04-29-09_md1.dump

Problem solved. Thanks to everyone who gave me suggestions. Turns out that I had encrypted the backup with a GPG key, but didn't put that info into the filename. Backup reads just fine when I pipe it through gpg and then to restore.

Nataraj
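The resolution above (a backup that `file` reported as plain "data" because it had been GPG-encrypted before being written to disk) as an added example that is not code from the thread: a small sniffer that classifies the first bytes of a backup file as a dump(8) header, a bzip2 or gzip stream, or an OpenPGP packet before anyone concludes the file is corrupt. It assumes, as the `file` magic database does, that an uncompressed dump header sits at offset 0 with the c_magic field (60012) at byte offset 24; the sample bytes are constructed.

```python
"""Classify the leading bytes of a backup file: dump(8) header, bzip2/gzip
stream, or OpenPGP packet. Added example, not code from the thread; assumes
an uncompressed dump header at offset 0 with c_magic at byte 24, as the
`file` magic database does. Sample bytes below are constructed."""
import struct

DUMP_MAGIC = 60012        # NFS_MAGIC from dumprestore.h ("new-fs dump")
OLD_DUMP_MAGIC = 60011    # OFS_MAGIC, pre-4.4BSD dump format

# OpenPGP packet tags (RFC 4880 section 4.3) that can open an encrypted
# or compressed message.
PGP_TAGS = {
    1: "public-key encrypted session key",
    3: "symmetric-key encrypted session key",
    8: "compressed data",
    9: "symmetrically encrypted data",
    18: "sym. encrypted and integrity protected data",
}


def openpgp_tag(first: int):
    """Decode the packet tag from the first byte of a binary OpenPGP packet,
    or None if the byte cannot start one (bit 7 must be set)."""
    if not first & 0x80:
        return None
    if first & 0x40:                  # new-format header: tag in low 6 bits
        return first & 0x3F
    return (first >> 2) & 0x0F        # old-format header: tag in bits 2-5


def identify(head: bytes) -> str:
    """Classify the leading bytes. Order matters: compression magics and the
    dump header are unambiguous; the OpenPGP check comes last because any
    byte >= 0x80 decodes to some tag."""
    if head.startswith(b"BZh"):
        return "bzip2"
    if head.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(head) >= 28:
        for endian, name in (("<", "little"), (">", "big")):
            magic = struct.unpack(endian + "i", head[24:28])[0]
            if magic == DUMP_MAGIC:
                return f"dump ({name} endian)"
            if magic == OLD_DUMP_MAGIC:
                return f"old dump ({name} endian)"
    if head:
        tag = openpgp_tag(head[0])
        if tag in PGP_TAGS:
            return f"openpgp: {PGP_TAGS[tag]}"
    return "unknown"


def identify_file(path: str) -> str:
    """Read one dump block (1024 bytes) from the file and classify it."""
    with open(path, "rb") as fh:
        return identify(fh.read(1024))


# Constructed samples; the dump header is zero-filled apart from c_magic.
SAMPLES = {
    "bz2": b"BZh91AY&SY" + b"\x00" * 20,
    "dump": b"\x00" * 24 + struct.pack("<i", DUMP_MAGIC) + b"\x00" * 4,
    "gpg": b"\x85\x01\x0c" + b"\x00" * 25,   # old-format PKESK, 2-byte length
    "garbage": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "->", identify_file(path))
    for name, data in SAMPLES.items():
        print(name, "->", identify(data))
```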
Re: [CentOS] Red Hat is Planning To Deprecate KDE on RHEL By 2024
On 11/3/18 6:41 AM, Alice Wonder wrote:
> On 11/03/2018 01:22 AM, Nicolas Kovacs wrote:
>> On 02/11/2018 at 21:19, mark wrote:
>>> Odd, I've never had that problem. On the other hand, I *really*
>>> dislike gnome. I think their target is 16 yr olds.
>>
>> My reaction to GNOME 3 has been roughly the same as with systemd. At first, I hated it with a passion. Then I saw everyone else seemed to use it. So I started to read the docs and experiment a little bit. And now I'm using it on a daily basis, and to my bewilderment, I've grown to like it.
>
> What really did me in when I was trying to like it, the scroll bars were gone and I was told they could be put back in place with configuration. So I tried to find the configuration option and couldn't find it. Then I was told that I had to hand-code CSS to get them back.

On top of that there are separate css files for the various versions of gtk, and the syntax was changed over time, but to get the scrollbars back for applications built under all different versions of gtk, you have to edit css files for all the different versions. Then there are some applications like thunderbird where what you put in the css files doesn't seem to change the scrollbars.

The one that I could never figure out is this... I run reverse video in many windows because it's easier on my eyes. The windows have no borders, so when they overlap there's no separation between windows. If you google for it, dozens of solutions come up, but none of them have worked for me.

Nataraj
Re: [CentOS] reading old dump backups from 2009
On 11/3/18 3:26 AM, Pete Biggs wrote:
>> restore tvf u1_l0_04-29-09_md1.dump
>> Verify tape and initialize maps
>> Input is from a local file/pipe
>> Checksum error 2030402, inode 0 file (null)
>> restore: Tape is not a dump tape
>
> what does 'file' think the file is - i.e. what does
>
> file u1_l0_04-29-09_md1.dump

u1_l0_04-29-09_md1.dump: data

Which I did think was odd. I had also tried

bzcat u1_l0_04-29-09_md1.dump
bzcat: u1_l0_04-29-09_md1.dump is not a bzip2 file.

but I didn't remember if dump might have its own headers before the compressed data.

> The dump is compressed. What was the command line you used to create the dump file?
>
> Have you tried using
>
> restore tzvf u1_l0_04-29-09_md1.dump

The version of restore that I have under CentOS 6 does not have any compression options except for -l. Only dump has the compression options and restore is supposed to recognize the compression I believe. The z option definitely does not work.

Maybe the file is bad. I am going to look to see if I can find any other backups of that system.

Thank You,
Nataraj
[CentOS] reading old dump backups from 2009
I have an old dump format backup done under fedora 7 which is stored on disk and has an sha256sum file that indicates there are no data errors in the backup file. When I try to read the file with restore under CentOS 6, I get the following error:

cat /etc/redhat-release
CentOS release 6.10 (Final)

restore tvf u1_l0_04-29-09_md1.dump
Verify tape and initialize maps
Input is from a local file/pipe
Checksum error 2030402, inode 0 file (null)
restore: Tape is not a dump tape

I have another copy of the backup on another disk with the same checksum and it gets the same error as well.

Here's a log file from when the backup was done back in 2009:

DUMP: Date of this level 0 dump: Wed Apr 29 09:24:36 2009
DUMP: Dumping /dev/md1 (/u1) to u1_l0_04-29-09_md1.dump
DUMP: Label: /u1
DUMP: Writing 10 Kilobyte records
DUMP: Compressing output at compression level 2 (bzlib)
DUMP: mapping (Pass I) [regular files]
DUMP: mapping (Pass II) [directories]
DUMP: estimated 95176885 blocks.
DUMP: writing QFA positions to u1_l0_04-29-09_md1.qindex
DUMP: Volume 1 started with block 1 at: Wed Apr 29 09:25:05 2009
DUMP: dumping (Pass III) [directories]
DUMP: dumping (Pass IV) [regular files]
DUMP: 0.96% done at 3032 kB/s, finished in 8:38
.
.
.
DUMP: 100.00% done at 4075 kB/s, finished in 0:00
DUMP: Closing u1_l0_04-29-09_md1.dump
DUMP: Volume 1 completed at: Wed Apr 29 16:00:09 2009
DUMP: Volume 1 took 6:35:04
DUMP: Volume 1 transfer rate: 2146 kB/s
DUMP: Volume 1 96607840kB uncompressed, 50878096kB compressed, 1.899:1
DUMP: 96607840 blocks (94343.59MB) on 1 volume(s)
DUMP: finished in 23704 seconds, throughput 4075 kBytes/sec
DUMP: Date of this level 0 dump: Wed Apr 29 09:24:36 2009
DUMP: Date this dump completed: Wed Apr 29 16:00:09 2009
DUMP: Average transfer rate: 2146 kB/s
DUMP: Wrote 96607840kB uncompressed, 50878096kB compressed, 1.899:1
DUMP: DUMP IS DONE

Have there been any changes to the format of dump files and if so, is there a version available that can read this older backup? Any other suggestions on how to read this backup would be helpful.

Thank You,
Nataraj
Re: [CentOS] Centos on Dell XPS15
I have a Dell XPS 13 9360, though I am running ubuntu 18.04 on it. I remember there being a patch to the mainline kernel which addressed many of the wireless problems. I'm not sure if those changes ever made it into the CentOS kernels. Some of the Dell XPS 13's had removable ethernet interfaces while most of the more recent ones had the killer interfaces on the motherboard. I'm not sure about the 15 inch models. Mine had a removable interface and I replaced the killer card with an intel card and that helped quite a bit.

Regarding the CPU throttling issue, there are a bunch of posts out there that claimed that the thermal paste was not well applied to the CPU heatsink and some people had success with carefully removing the heatsink and applying a good quality thermal paste and then reinstalling the heat sink. Would be much better if Dell support would address these issues properly, but the response from Dell on these issues has been very hit or miss. Some people have had them fixed by Dell and others, including myself, never reached a customer support person willing to address them.

Nataraj
Re: [CentOS] selinux question
On 08/21/2018 05:45 PM, Warren Young wrote:
>
>> I could be convinced otherwise if I could see where running the php as the
>> app users, would make more sense.
> That depends on whether the boundary between user php and this unknown
> “appuser” is bidirectional or not.
>
> If there are things owned by user “php” that “appuser” should not see, then
> continuing to run the web app as two separate users makes sense.
>
> If “appuser” can be said to own everything in the web app, and the only
> reason you’re converting user php privileges to “appuser” privileges is so
> you don’t have to give user php access to everything in the web app, then I’d
> say my prior suggestion holds.
>
> Now that I know you’re using PHP, I can recommend something like PHP-FPM:
>
> https://php-fpm.org/
>
> That’s the old external project. It’s now part of the PHP core:
>
> https://secure.php.net/manual/en/install.fpm.php
>
> You’ll have to use the old version with C5, though, as that happened after C5
> was released.
>
> FPM isn’t the only way to go, just one idea, which happens to be
> well-supported within the PHP community.
>
> Regardless of the exact method, this lets you run your PHP code as a non-php
> user, letting Apache proxy to it using mod_fcgi. Now you’ve got strong
> separation between things Apache is allowed to read and things it must talk
> down through PHP to get access to.
>
>> It could be that giving sudo sys_ptrace access could increase the risk to
>> the security of the system
> Once you give a process ptrace ability, it’s pretty much game over when it
> comes to security. The scope of what one process can do to another via
> ptrace(2) is HUGE. I’d very much resist placating SELinux in this way.
>
> SELinux might in fact be warning you about a real attack here, which would
> explain why it’s intermittent.

Thank you, this information was helpful. I will solve the problem without allowing ptrace capability.

Nataraj
Re: [CentOS] selinux question
On 08/21/2018 02:20 PM, Warren Young wrote:
> On Aug 21, 2018, at 1:27 PM, Nataraj wrote:
>> I have a web application which uses sudo to invoke python scripts as the
>> user under which the application runs (NO root access).
> Why is the web app not running with that user’s permissions in the first
> place?
>
> If your answer is that it needs root access to bind to port 80, there are two
> common solutions:
>
> 1. Start the service as root, set up the port 80 listener, then drop
> privileges internally with getpwent(“myuser”) and setuid(my_uid).
>
> 2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured.
> Bind the actual web app to localhost and a high-numbered random port, then
> forward external port 80 hits to the internal service. This method has the
> additional advantage that you can use the path part of the URL to relieve
> the web app of having to serve hits for the static resources — *.js, *.png,
> *.css… — which can speed the application up.

The php code runs as user apache under the webserver. If the php ran as the app user it would have full access to all of the data in the app. Using sudo the app can only invoke one specific python script (which is the command name in the sudoers file) to do what it needs to do, without having access to the rest of the app's data and other python scripts used by other functions in the app. Could be that I'm not seeing something, but this approach seems sensible to me, though I could be convinced otherwise if I could see where running the php as the app user would make more sense.

It could be that giving sudo sys_ptrace access could increase the risk to the security of the system, but giving the php code app user access increases the risk of data compromise in the app.

Thank You,
Nataraj
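Option 1 from Warren's message above (start as root, open the port 80 listener, then drop to the service account) as an added example that is not code from the thread. It shows the order the id changes must happen in and verifies that root cannot be regained afterwards; the account name "appuser" is a placeholder, and RecordingApi is a stand-in for the os module so the sequence can be exercised without actually being root.

```python
"""Bind a privileged listener as root, then irreversibly drop to the service
account. Added example, not code from the thread; 'appuser' is a placeholder
and RecordingApi only stands in for the os module so the sequence can be
exercised without root."""
import os
import pwd
import socket
from typing import List, Tuple


class RecordingApi:
    """Stand-in for os.setgroups/setgid/setuid that records the call order and
    mimics the kernel: once the uid is non-zero, further id changes are refused."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, object]] = []
        self.uid = 0

    def _check(self) -> None:
        if self.uid != 0:
            raise PermissionError("Operation not permitted")

    def setgroups(self, groups) -> None:
        self._check()
        self.calls.append(("setgroups", list(groups)))

    def setgid(self, gid: int) -> None:
        self._check()
        self.calls.append(("setgid", gid))

    def setuid(self, uid: int) -> None:
        self._check()
        self.calls.append(("setuid", uid))
        self.uid = uid


def lookup_user(username: str) -> Tuple[int, int]:
    """Resolve the service account to (uid, gid) via the passwd database."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid


def drop_privileges(uid: int, gid: int, api=os) -> None:
    """Irreversibly switch to uid/gid. Order matters: supplementary groups and
    the primary group go first, because after setuid() to a non-root uid the
    process can no longer change its groups."""
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    api.setgroups([])      # no inherited supplementary groups (e.g. wheel)
    api.setgid(gid)
    api.setuid(uid)        # as root this sets real, effective and saved uid
    # Prove the drop stuck: regaining root must now fail.
    try:
        api.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def bind_then_drop(uid: int, gid: int, port: int, api=os) -> socket.socket:
    """Everything that needs root (binding a port below 1024) happens before
    the drop; the returned socket stays usable by the unprivileged process."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)
    drop_privileges(uid, gid, api)
    return srv


if __name__ == "__main__":
    if os.getuid() == 0:
        uid, gid = lookup_user("appuser")           # placeholder account
        srv = bind_then_drop(uid, gid, 80)
        print("listening on :80 as uid", os.getuid())
    else:
        api = RecordingApi()                        # simulate when not root
        srv = bind_then_drop(1000, 1000, 0, api)    # port 0: any free port
        print("bound", srv.getsockname(), "calls:", api.calls)
    srv.close()
```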
Re: [CentOS] selinux question
On 08/21/2018 12:41 PM, Jonathan Billings wrote:
> On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote:
>> Source RPM Packages sudo-1.7.2p1-29.el5_10
>> Policy RPM selinux-policy-2.4.6-351.el5
>> Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686
> CentOS 5 was end of life on 31 March, 2017. There have been no updates for over a year.
>
> Might as well turn off SELinux, you're so behind on security updates it probably doesn't matter.

Thank you. I'm well aware that CentOS 5 is EOL, and hoping to replace this server soon. I'm sitting here right now in heavy smoke (which has been going on since early June) in Northern Ca, just miles from huge fires and have spent the last 3 years rebuilding after damage in a 2015 fire. It kind of shakes up one's life a little bit. In the meantime, keeping selinux enabled helps me to keep the server from getting broken into. Since incoming services are limited for the most part to my userbase, I am doing very well so far. There is no remote login access.

Thank you,
Nataraj
[CentOS] selinux question
I have a web application which uses sudo to invoke python scripts as the user under which the application runs (NO root access). Is there any reason why sudo would require sys_ptrace access for this? I only get this violation intermittently, and not with every call to sudo. Here's the violation:

Summary:

SELinux is preventing sudo (httpd_t) "sys_ptrace" to (httpd_t).

Detailed Description:

SELinux denied access requested by sudo. It is not expected that this access is required by sudo and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        system_u:system_r:httpd_t
Target Context        system_u:system_r:httpd_t
Target Objects        None [ capability ]
Source                sudo
Source Path           /usr/bin/sudo
Port
Host                  myhost.mydomain.com
Source RPM Packages   sudo-1.7.2p1-29.el5_10
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-351.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             myhost.mydomain.com
Platform              Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686
Alert Count           359
First Seen            Tue Oct 8 09:24:50 2013
Last Seen             Tue Aug 21 10:26:26 2018
Local ID              717eb9a4-cc7f-4ed1-b638-5db1a841abe4
Line Numbers

Raw Audit Messages

host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc: denied { sys_ptrace } for pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=4003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)

Thank You,
Nataraj
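Added example, not part of the post: a parser for raw audit records like the two quoted above that pairs the AVC and SYSCALL lines by audit serial number and summarises the capability denial (who asked, in which SELinux domain, with which uid/euid, and whether the syscall still completed). The CAP_NAMES table is a partial copy of the kernel's capability numbering; the sample lines are the ones from the post.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and summarise capability denials.

Added example, not part of the post. The SAMPLE_LINES are the two raw audit
messages quoted above; CAP_NAMES is a partial copy of linux/capability.h.
"""
import re

CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             6: "CAP_SETGID", 7: "CAP_SETUID", 12: "CAP_NET_ADMIN",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

AUDIT_RE = re.compile(r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LINES = [
    'host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc: denied '
    '{ sys_ptrace } for pid=8458 comm="sudo" capability=19 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
    'host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=4003 syscall=3 '
    'success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 '
    'auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) '
    'ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)',
]


def parse_record(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": m.group("serial"), "time": float(m.group("ts"))}
    rest = m.group("rest")
    if rec["type"] == "AVC":
        avc = AVC_RE.match(rest)
        if not avc:
            return None
        rec["decision"] = avc.group("decision")
        rec["perms"] = avc.group("perms").split()
        rest = avc.group("rest")
    # the remainder of every record is key=value pairs, values optionally quoted
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return rec


def domain(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t'."""
    return context.split(":")[2]


def correlate(lines):
    """Group records by serial number: {serial: {'AVC': [...], 'SYSCALL': rec}}."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"AVC": [], "SYSCALL": None})
        if rec["type"] == "AVC":
            ev["AVC"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["SYSCALL"] = rec
    return events


def capability_denials(events):
    """One finding per denied capability request, with the SYSCALL context attached."""
    findings = []
    for serial, ev in events.items():
        sc = ev["SYSCALL"] or {}
        for avc in ev["AVC"]:
            if avc.get("tclass") != "capability" or avc["decision"] != "denied":
                continue
            capnum = int(avc.get("capability", -1))
            findings.append({
                "serial": serial,
                "domain": domain(avc["scontext"]),
                "comm": avc.get("comm"),
                "capability": CAP_NAMES.get(capnum, f"capability {capnum}"),
                "uid": sc.get("uid"), "euid": sc.get("euid"), "exe": sc.get("exe"),
                # success=yes: the syscall completed even though the capability was denied
                "syscall_succeeded": sc.get("success") == "yes",
            })
    return findings
```

In the quoted records the finding is a setuid sudo (uid 48, euid 0) inside httpd_t asking for CAP_SYS_PTRACE while the syscall still succeeded, which is why the denial is intermittent rather than fatal.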
Re: [CentOS] Mail has quit working
On 07/23/2018 06:46 PM, TE Dukes wrote:
>> -Original Message-
>> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of tdu...@palmettoshopper.com
>> Sent: Monday, July 23, 2018 9:28 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Mail has quit working
>>
>> Original Message
>> Subject: Re: [CentOS] Mail has quit working
>> From: Nataraj
>> Date: Mon, July 23, 2018 9:01 pm
>> To: centos@centos.org
>>
>> On 07/23/2018 03:39 PM, TE Dukes wrote:
>>> Hello,
>>>
>>> Mail has come to an abrupt stop. Running C7, postfix and dovecot. Using Roundcube as the client.
>>>
>>> Mail stopped working Saturday and I cannot figure what has happened. I have not touched this server except to upgrade packages. I believe Roundcube was updated maybe a week ago but know I was getting mail since then.
>>>
>>> Crond is no longer sending mail. I checked /var/spool/mail as well as /Maildir in home directories. Zero byte files.
>>>
>>> Checked all logs and the only thing I could find was in /var/log/maillog: warning hostname localhost does not resolve to address 127.0.0.1
>>>
>>> I corrected that by changing inet_interfaces to localhost from all in postfix.cf
>>>
>>> When I try to log in with Roundcube, it just times out.
>>>
>>> I'm stuck!
>>>
>>> TIA for any suggestions!!
>> More information would be helpful to troubleshoot this. Try sending output from:
>>
>> postfix status
>>
>> mailq
>>
>> Try telnetting to your smtp server and sending a message like this from the local system: substitute a valid user/domain on the mail from line and a valid email address in your domain on the rcpt to line. Do this, logged onto the mailserver.
>>
>> telnet localhost 25
>> helo mydomain.com (substitute a valid domain here)
>> mail from:
>> rcpt to:
>> data
>> From: someu...@validdomain.com
>> to: youremailaddr...@yourdomain.com
>> subject: test
>>
>> This is a test message
>> .
>>
>> note: blank line between mail headers and body
>>
>> end data with line containing only '.'.
>>
>> Then check your maillog and send the output to the list.
>>
>> Nataraj
>>
>> postfix status:
>>
>> postfix/postfix-script: the Postfix mail system is running: PID 5936
>>
>> mailq: Mail queue is empty
>>
>> Did the telnet localhost 25, it answered but not sure I understood you what I needed to do.
>>
>> Thanks!!
> Tried following your instructions and got 227 2.7.0 Error: I can break rules, too. Goodbye.
> Connection closed by foreign host.

If you're grabbing text and stuffing it with the mouse, you need to send only 1 line at a time and wait for a reply for each line, except for the data section where you can send multiple lines. If you get errors, run script before running telnet and post a log of the session or else tell us which line caused the error.

Nataraj
Re: [CentOS] Mail has quit working
On 07/23/2018 06:28 PM, tdu...@palmettoshopper.com wrote:
> Original Message
> Subject: Re: [CentOS] Mail has quit working
> From: Nataraj
> Date: Mon, July 23, 2018 9:01 pm
> To: centos@centos.org
>
> On 07/23/2018 03:39 PM, TE Dukes wrote:
>> Hello,
>>
>> Mail has come to an abrupt stop. Running C7, postfix and dovecot. Using Roundcube as the client.
>>
>> Mail stopped working Saturday and I cannot figure what has happened. I have not touched this server except to upgrade packages. I believe Roundcube was updated maybe a week ago but know I was getting mail since then.
>>
>> Crond is no longer sending mail. I checked /var/spool/mail as well as /Maildir in home directories. Zero byte files.
>>
>> Checked all logs and the only thing I could find was in /var/log/maillog: warning hostname localhost does not resolve to address 127.0.0.1
>>
>> I corrected that by changing inet_interfaces to localhost from all in postfix.cf
>>
>> When I try to log in with Roundcube, it just times out.
>>
>> I'm stuck!
>>
>> TIA for any suggestions!!
> More information would be helpful to troubleshoot this. Try sending output from:
>
> postfix status
>
> mailq
>
> Try telnetting to your smtp server and sending a message like this from the local system: substitute a valid user/domain on the mail from line and a valid email address in your domain on the rcpt to line. Do this, logged onto the mailserver.
>
> telnet localhost 25
> helo mydomain.com (substitute a valid domain here)
> mail from:
> rcpt to:
> data
> From: someu...@validdomain.com
> to: youremailaddr...@yourdomain.com
> subject: test
>
> This is a test message
> .
>
> note: blank line between mail headers and body
>
> end data with line containing only '.'.
>
> Then check your maillog and send the output to the list.
>
> Nataraj
>
> postfix status:
>
> postfix/postfix-script: the Postfix mail system is running: PID 5936
>
> mailq: Mail queue is empty
>
> Did the telnet localhost 25, it answered but not sure I understood you what I needed to do.

Simply telnet to the mailserver on port 25 and type what I've shown, substituting valid email addresses and valid addresses in your domain as indicated. You can use your own domain for the helo command, i.e. "helo mydomain.com". Everything between the data command and the '.' is input to the data command. After you type the '.' the message will be sent and should be delivered to the user on the "rcpt to" line. You should see logging of successful delivery or errors in the maillog.

Nataraj
Re: [CentOS] Mail has quit working
On 07/23/2018 03:39 PM, TE Dukes wrote:
> Hello,
>
> Mail has come to an abrupt stop. Running C7, postfix and dovecot. Using Roundcube as the client.
>
> Mail stopped working Saturday and I cannot figure what has happened. I have not touched this server except to upgrade packages. I believe Roundcube was updated maybe a week ago but know I was getting mail since then.
>
> Crond is no longer sending mail. I checked /var/spool/mail as well as /Maildir in home directories. Zero byte files.
>
> Checked all logs and the only thing I could find was in /var/log/maillog: warning hostname localhost does not resolve to address 127.0.0.1
>
> I corrected that by changing inet_interfaces to localhost from all in postfix.cf
>
> When I try to log in with Roundcube, it just times out.
>
> I'm stuck!
>
> TIA for any suggestions!!

More information would be helpful to troubleshoot this. Try sending output from:

postfix status

mailq

Try telnetting to your smtp server and sending a message like this from the local system: substitute a valid user/domain on the mail from line and a valid email address in your domain on the rcpt to line. Do this, logged onto the mailserver.

telnet localhost 25
helo mydomain.com (substitute a valid domain here)
mail from:
rcpt to:
data
From: someu...@validdomain.com
to: youremailaddr...@yourdomain.com
subject: test

This is a test message
.

note: blank line between mail headers and body

end data with line containing only '.'.

Then check your maillog and send the output to the list.

Nataraj
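Added example covering the telnet session above and the "send one line at a time and wait for a reply" advice in the later replies of this thread; it is not code from the thread. It exchanges the same commands with a constructed in-process fake server, reads complete (possibly multi-line) replies before sending the next line, and shows what happens when the whole script is pasted at once, the behaviour behind the "I can break rules, too" error. Addresses and host names are placeholders.

```python
"""Talk SMTP one line at a time, waiting for each reply (added example, not from
the thread). The constructed in-process fake server refuses clients that send a
command before the previous reply arrived, the behaviour behind the "I can break
rules, too" error quoted above. Addresses and host names are placeholders."""
import socket
import threading

# The data section is sent as one multi-line step; the lone '.' ends it.
BODY = "\r\n".join(["From: someuser@validdomain.example", "To: you@yourdomain.example",
                    "Subject: test", "", "This is a test message", "."])
STEPS = [  # (text to send, reply code expected)
    ("helo mydomain.example", 250), ("mail from:<someuser@validdomain.example>", 250),
    ("rcpt to:<you@yourdomain.example>", 250), ("data", 354), (BODY, 250), ("quit", 221),
]


def read_reply(reader):
    """Read one full SMTP reply: '250-...' lines continue it, '250 ...' ends it."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_session(sock, steps=STEPS):
    """Send one step, wait for its reply, stop at the first unexpected code."""
    reader = sock.makefile("rb")
    transcript = [(None, read_reply(reader)[0])]        # the 220 banner comes first
    for text, expected in steps:
        sock.sendall((text + "\r\n").encode("ascii"))
        code = read_reply(reader)[0]
        transcript.append((text, code))
        if code != expected:
            break
    return transcript


def pipelined_session(sock, steps=STEPS):
    """Paste everything at once (what goes wrong): return the reply codes seen."""
    reader = sock.makefile("rb")
    codes = [read_reply(reader)[0]]
    sock.sendall("".join(text + "\r\n" for text, _ in steps).encode("ascii"))
    try:
        while True:
            codes.append(read_reply(reader)[0])
    except ConnectionError:
        return codes


def fake_smtp_server(conn):
    """Constructed stand-in for the mail server; it rejects pipelined commands."""
    def reply(text):
        conn.sendall(text.encode("ascii") + b"\r\n")

    buf, in_data = b"", False
    reply("220 mail.example ESMTP fake")
    try:
        while True:
            while b"\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            if in_data:                      # message lines may arrive all at once
                if text == ".":
                    in_data = False
                    reply("250 2.0.0 Ok: queued")
                continue
            if buf:                          # more input arrived before we replied
                reply("521 5.5.1 Error: command sent before previous reply. Goodbye.")
                return
            verb = text.split(" ", 1)[0].lower()
            if verb in ("helo", "ehlo"):
                reply("250-mail.example")    # deliberately a multi-line reply
                reply("250 SIZE 10240000")
            elif verb in ("mail", "rcpt"):
                reply("250 2.1.0 Ok")
            elif verb == "data":
                in_data = True
                reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "quit":
                reply("221 2.0.0 Bye")
                return
            else:
                reply("502 5.5.2 Error: command not recognized")
    finally:
        conn.close()


def run(session):
    """Run *session* against the fake server over a socketpair; return its result."""
    client, server = socket.socketpair()
    thread = threading.Thread(target=fake_smtp_server, args=(server,), daemon=True)
    thread.start()
    try:
        return session(client)
    finally:
        client.close()
        thread.join(timeout=5)
```

run(smtp_session) walks the whole exchange through to 221, while run(pipelined_session) gets the banner and then the 521 rejection, which is the same shape of failure the pasted telnet session produced.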
Re: [CentOS] database node / possible SYN flooding on port 3306
On 07/21/2018 03:48 AM, Leon Fauster via CentOS wrote:
>> On 20.07.2018 at 18:52, Nataraj wrote:
>>
>> On 07/20/2018 03:56 AM, Leon Fauster via CentOS wrote:
>>> Hi folks,
>>>
>>> I have here a database node running
>>>
>>> # rpm -qa | grep mysql-server
>>> mysql55-mysql-server-5.5.52-1.el6.x86_64
>>>
>>> on
>>>
>>> # virt-what
>>> vmware
>>>
>>> that seems to have a connection problem:
>>>
>>> # dmesg |grep SYN |tail -5
>>> possible SYN flooding on port 3306. Sending cookies.
>>> possible SYN flooding on port 3306. Sending cookies.
>>> possible SYN flooding on port 3306. Sending cookies.
>>> possible SYN flooding on port 3306. Sending cookies.
>>> possible SYN flooding on port 3306. Sending cookies.
>>>
>>> I adapted already following:
>>>
>>> # sysctl -a |grep -E 'maxconn|syn_backlog'
>>> net.core.somaxconn = 2048
>>> net.ipv4.tcp_max_syn_backlog = 2048
>>>
>>> but ListenOverflows and ListenDrops values are still high
>>>
>>> # cat /proc/net/netstat | awk '{print $21 "-" $22 }'
>>> ListenOverflows-ListenDrops
>>> 13568-13568
>>>
>>> any suggestion?
>> Use tools like tcpdump/wireshark and further examination of logfiles to determine where your attack is coming from, i.e. single IP address or multiple ip addresses (BOT attack).
>>
>> If attack is impairing your Internet service, contact your ISP. Most decent ISPs should deal with this situation for you.
>>
>> If attack is not impairing your service and you choose to deal with it yourself, then, if from a fixed IP address block that IP from your firewall if you have one, otherwise, use IPtables on the server. If you're having bot attacks, or blocking attack causes source IP address to be changed, then look at fail2ban. Basically you want to configure fail2ban to limit the number of requests per unit of time and block IPs that exceed that. Also, consider whether your database needs to be publicly accessible from the Internet.
>
> Actually the database node is a backend system in a private network, so "all" traffic is legitimate. The main traffic comes from the web node (cms/php). Resources of the db node seem all to be okay (cpu/mem/load). So I do not see any bottleneck ...
>
> --
> LF
> https://www.google.com/search?client=ubuntu&channel=fs&q=mysql+possible+syn+flooding&ie=utf-8&oe=utf-8

I would still use tcpdump and/or wireshark to find out more about what is going on, and if all the incoming connections seem correct, you may have to tune some parameters to allow a greater number of connections. Also, if you have iptables connection tracking turned on, this might need to be bypassed for connections on your database port. Connection tracking does not always work well for large numbers of connections. But check to see whether one or more clients are somehow failing to connect and retrying the connection at a high rate for some reason.

Also try https://www.google.com/search?client=ubuntu&channel=fs&q=mysql+possible+syn+flooding&ie=utf-8&oe=utf-8 and maybe this: https://help.marklogic.com/Knowledgebase/Article/View/182/0/possible-syn-flooding-messages-in-system-logs

Nataraj
Re: [CentOS] database node / possible SYN flooding on port 3306
On 07/20/2018 03:56 AM, Leon Fauster via CentOS wrote:
> Hi folks,
>
> I have here a database node running
>
> # rpm -qa | grep mysql-server
> mysql55-mysql-server-5.5.52-1.el6.x86_64
>
> on
>
> # virt-what
> vmware
>
> that seems to have a connection problem:
>
> # dmesg |grep SYN |tail -5
> possible SYN flooding on port 3306. Sending cookies.
> possible SYN flooding on port 3306. Sending cookies.
> possible SYN flooding on port 3306. Sending cookies.
> possible SYN flooding on port 3306. Sending cookies.
> possible SYN flooding on port 3306. Sending cookies.
>
> I adapted already following:
>
> # sysctl -a |grep -E 'maxconn|syn_backlog'
> net.core.somaxconn = 2048
> net.ipv4.tcp_max_syn_backlog = 2048
>
> but ListenOverflows and ListenDrops values are still high
>
> # cat /proc/net/netstat | awk '{print $21 "-" $22 }'
> ListenOverflows-ListenDrops
> 13568-13568
>
> any suggestion?

Use tools like tcpdump/wireshark and further examination of logfiles to determine where your attack is coming from, i.e. single IP address or multiple ip addresses (BOT attack).

If attack is impairing your Internet service, contact your ISP. Most decent ISPs should deal with this situation for you.

If attack is not impairing your service and you choose to deal with it yourself, then, if from a fixed IP address block that IP from your firewall if you have one, otherwise, use IPtables on the server. If you're having bot attacks, or blocking attack causes source IP address to be changed, then look at fail2ban. Basically you want to configure fail2ban to limit the number of requests per unit of time and block IPs that exceed that. Also, consider whether your database needs to be publicly accessible from the Internet.

Nataraj
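Added example, not from the thread, for the ListenOverflows/ListenDrops check in this exchange: the awk one-liner picks columns 21 and 22, which shift between kernel versions, so this reads /proc/net/netstat by counter name and turns two samples into per-second rates, with the caveat that raising somaxconn does nothing if the application's own listen() backlog is smaller. The sample netstat text is constructed and abbreviated.

```python
"""Read ListenOverflows/ListenDrops from /proc/net/netstat by counter name.

Added example, not from the thread. The SAMPLE_* texts are constructed and
abbreviated (a real file carries many more counters); the parser works on
the real file's header/value line pairs unchanged.
"""

SAMPLE_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops TCPTimeouts
TcpExt: 120 118 3 0 13568 13568 42
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 1234567
"""

SAMPLE_T1 = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops TCPTimeouts
TcpExt: 350 331 9 0 13790 13790 44
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 1299999
"""


def parse_netstat(text):
    """Return {'TcpExt': {name: value, ...}, 'IpExt': {...}} from netstat text."""
    stats, pending = {}, {}       # pending: a group's name line waiting for its value line
    for line in text.splitlines():
        if ":" not in line:
            continue
        group, _, fields = line.partition(":")
        fields = fields.split()
        if group not in pending:  # first line of the pair carries the names
            pending[group] = fields
            continue
        names = pending.pop(group)
        if len(names) != len(fields):
            raise ValueError(f"{group}: {len(names)} names but {len(fields)} values")
        stats[group] = dict(zip(names, map(int, fields)))
    return stats


def listen_counters(stats):
    """The counters this thread is looking at, by name instead of column."""
    tcp = stats["TcpExt"]
    return {k: tcp[k] for k in ("ListenOverflows", "ListenDrops", "SyncookiesSent")}


def rates(before, after, seconds):
    """Per-second increase of the listen counters between two samples."""
    b, a = listen_counters(before), listen_counters(after)
    return {k: (a[k] - b[k]) / seconds for k in a}


def diagnose(before, after, seconds):
    """Rates plus plain-language notes on what the counters mean.

    ListenOverflows counts connections dropped because the accept queue was
    full. Its size is min(listen() backlog, net.core.somaxconn), so raising
    the sysctl alone does not help when the server (MySQL's back_log, for
    example) asked for a smaller backlog.
    """
    r = rates(before, after, seconds)
    notes = []
    if r["ListenOverflows"] > 0:
        notes.append("accept queue still overflowing: check the server's own "
                     "listen backlog, not just somaxconn")
    if r["SyncookiesSent"] > 0:
        notes.append("SYN cookies in use: the SYN queue fills faster than "
                     "connections are accepted")
    if after["TcpExt"]["ListenOverflows"] == after["TcpExt"]["ListenDrops"]:
        notes.append("drops equal overflows: every drop came from a full accept queue")
    return r, notes
```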
Re: [CentOS] C7, just updated firefox, bugs
On 07/12/2018 07:36 AM, mark wrote:
> I just updated the "critical" firefox update, and it is *seriously* buggy.
>
> 1. I killed my old session, and started a new. Many (all?) tabs show *nothing* until I put my cursor in the URL bar and hit
> 2. I cannot open a link in an email in thunderbird. I click the link, and after a bit (30 sec? more?) a small window tells me that firefox is running, but not responding, which it certainly responds when I focus on firefox.
>
> mark

You can try running 'firefox -safe-mode' to see if you have a problem with installed extensions. Also, you can create a new profile (and still leave the old one there), to see if your profile database is corrupt. These are both problems that come up with both firefox and thunderbird.

Nataraj
Re: [CentOS] usb problem on Dell Latitude 3570
Jul 1 07:15:06 pygeum kernel: [ 48.212366] usb 3-1: new full-speed USB device number 4 using xhci_hcd
Jul 1 07:15:06 pygeum kernel: [ 53.468442] xhci_hcd :39:00.0: Timeout while waiting for setup device command
Jul 1 07:15:06 pygeum kernel: [ 58.88] xhci_hcd :39:00.0: Timeout while waiting for setup device command
Jul 1 07:15:06 pygeum kernel: [ 59.052359] usb 3-1: device not accepting address 4, error -62
Jul 1 07:15:06 pygeum kernel: [ 59.180277] usb 3-1: new full-speed USB device number 5 using xhci_hcd
Jul 1 07:15:06 pygeum kernel: [ 64.220453] xhci_hcd :39:00.0: Timeout while waiting for setup device command
Jul 1 07:15:06 pygeum kernel: [ 69.596378] xhci_hcd :39:00.0: Timeout while waiting for setup device command
Jul 1 07:15:06 pygeum kernel: [ 69.804359] usb 3-1: device not accepting address 5, error -62
Jul 1 07:15:06 pygeum kernel: [ 69.805459] usb usb3-port1: unable to enumerate USB device

Nataraj
Re: [CentOS] Centos 7.5 on Vmware
On 06/28/2018 02:03 PM, Gregory P. Ennis wrote:
> Everyone,
>
> I am in the initial study phase of putting together a larger virtual server while using Centos 7.5 as the operating system of choice for the individual virtual machines.
>
> How do you all like VMware for this, or what other software allows for the development of virtual servers that use Centos 7.5
>
> Thanks ahead of time for giving me a head start with your experiences

It would be helpful if you gave more details about what you are looking for. Are you planning to run a bare metal hypervisor, or vmware under Linux or windows? What are your performance requirements? IO? CPU? What will the VM's be used for? Do guests require a graphics console?

Various vmware products ranging from ESXI to vmware workstation are very popular. I've run several of them. They work. I now use the Linux included, kvm/qemu based Red Hat/CentOS virtualization and it meets my needs very well for general testing/development, email server, web server kind of stuff. I also use this setup along with spice to run test systems with various graphic GUI's. I would not say that my virt servers are very heavily loaded. I have a Dell R210 running CentOS6 KVM/Qemu and a Dell XPS 9360 running Ubuntu 18.04 with kvm/qemu.

If you prefer fancy management GUI's over writing scripts and editing config files, vmware might be better for you. kvm/qemu does include virt-manager which is a fairly simple GUI to create and manage VM's, but the user interface is not as comprehensive as the interface for managing ESXi. Red Hat does have their high end virtualization products, of which I believe at least 1 is a bare metal hypervisor. I have no personal experience with those products, though if a client came to me with a need, I would examine and seriously consider the Redhat products.

One advantage to the kvm/qemu solution or possibly the redhat virtualization product is more integrated support. When I ran vmware, I used to run into situations where I wanted to beta test the newest release of some random linux distribution only to find out that vmware had not yet implemented support for the graphics driver or some other new hardware feature being used in the OS that I was trying to test. In this way, kvm/qemu feels more integrated. Like other software, kvm/qemu has bugs here and there, but overall, I'm very happy with it and I like the price of using it under CentOS and Ubuntu.

I see clients all the time go out and spend a fortune on huge vmware clusters that end up very lightly loaded and could easily be run on a simple kvm/qemu server running under CentOS (or even one of the desktop virtualization solutions) with a backup server for redundancy, so I suggest you consider what your requirements really are. You could always go with Redhat if you require support.

Nataraj
Re: [CentOS] Convert from LVM
On 06/08/2018 02:36 PM, Nataraj wrote:
> On 06/08/2018 12:34 PM, Ulf Volmer wrote:
>> On 08.06.2018 19:11, Matt wrote:
>>> I have a Centos 7 install using EXT4 on LVM. It's running as a VM inside KVM. Issue I have run into is that fstrim does not work due to the LVM. Without fstrim snapshots have gotten huge. Is there a way to convert it from LVM to non-LVM without a complete reinstall?

I think that what you're dealing with is an issue of file systems in a virtual machine. I don't think you can shrink a filesystem in a virtual machine just by deleting files from it. Here's one explanation of how to do this. I'm not sure about zeroing out the free space on the partition (might be necessary, I don't know), but you do need to recover space from the qemu image using something similar to what is shown in this post. It is the "qemu-img convert" that actually recovers the space, but only after you have reduced the usage in the VM.

https://mindref.blogspot.com/2011/07/shrink-qcow2.html

This has nothing to do with trim (though still a good idea to enable trim for your SSD for other reasons).

Nataraj
Re: [CentOS] Convert from LVM
On 06/08/2018 12:34 PM, Ulf Volmer wrote:
> On 08.06.2018 19:11, Matt wrote:
>> I have a Centos 7 install using EXT4 on LVM. It's running as a VM inside KVM. Issue I have run into is that fstrim does not work due to the LVM. Without fstrim snapshots have gotten huge. Is there a way to convert it from LVM to non-LVM without a complete reinstall?
> please consider to enable trim over LVM. You have just to set
>
> issue_discards = 1
>
> in /etc/lvm/lvm.conf.
>
> best regards
> Ulf

I believe that it is possible to use trim on an LVM, but I don't think that is what that option is. In my /etc/lvm/lvm.conf file, it describes that option as follows:

# Configuration option devices/issue_discards.
# Issue discards to PVs that are no longer used by an LV.
# Discards are sent to an LV's underlying physical volumes when the LV
# is no longer using the physical volumes' space, e.g. lvremove,
# lvreduce. Discards inform the storage that a region is no longer
# used. Storage that supports discards advertise the protocol-specific
# way discards should be issued by the kernel (TRIM, UNMAP, or
# WRITE SAME with UNMAP bit set). Not all storage will support or
# benefit from discards, but SSDs and thinly provisioned LUNs
# generally do. If enabled, discards will only be issued if both the
# storage and kernel provide support.
issue_discards = 1

My understanding of issue_discards is that the trims will be issued automatically if you delete a logical volume. If you are running lvm on an encrypted volume then you may also need to set the discard option in /etc/crypttab. Still probably a good idea to enable this, but the possible downside is that if you accidentally incorrectly lvremove the wrong LVM, you can't get it back because the blocks are returned to the free pool inside the logic of the SSD.

Note that whether you use or don't use trim is not going to directly affect the size of your snapshots (or other files). If you have a problem with that, then you may need to look at how you're managing snapshots. When you enable trim it will free blocks for reuse in the logic of your ssd (which is a good thing) but your kvm files will not appear to be a different size with "ls -l" or "du".

Here's an interesting post on using trim with an LVM on top of an encrypted partition: https://unix.stackexchange.com/questions/85865/trim-with-lvm-and-dm-crypt

Nataraj
Re: [CentOS] Network Performance
On 04/30/2018 10:43 AM, Chris Olson wrote:
> ftp>
> ftp> put "|dd if=/dev/zero bs=32768 count=8000" /dev/null
> 200 PORT command successful.
> 150 Binary data connection for /dev/null (IP Address).
> 8000+0 records in
> 8000+0 records out
> 226 Transfer complete.
> local: |dd if=/dev/zero bs=32768 count=8000 remote: /dev/null
> 262144000 bytes sent in 23 seconds (11081.79 Kbytes/s)
> ftp>

Though I haven't tried this, my first guess would be your ftp server is running in some kind of a chroot environment. You would have to either disable this for the test or put whatever programs and libraries are needed inside the chroot environment. You might also try specifying the full path, i.e. /bin/dd.

Nataraj
Re: [CentOS] OT: thunderbird annoyance
On 04/27/2018 01:33 PM, m.r...@5-cent.us wrote:
> incoming-cen...@rjl.com wrote:
>> Is the folder that you have selected inside of an account whose email address is exactly the same as the one that gets cc'ed? I could see where if the messages were forwarded to a different email account, it would do this. If this is not the case, go into edit->preferences->advanced-config->config editor (like the about:config in firefox) and search for cc_ and see if any of those variables are turned on.
>>
> Nothing, there, and looking for reply, I see
> mailnews.reply_to_self_check_all_ident;false
>

Only other thing that comes to mind is to delete (or rename) your .thunderbird directory and create a new profile from scratch. Next thing would be to file a bug report. If you're running this under CentOS, then you might try a direct download from mozilla and then you'll know whether to file a bug report with CentOS/Redhat or with Mozilla. I believe Redhat backports bug fixes into their released version of firefox and thunderbird. You could check the various bug databases before filing a bug report.

Nataraj
Re: [CentOS] formating DVR-RW
On 04/25/2018 09:33 AM, fred roller wrote:
> [snip]
>>> I have DVD-RWs.
> [snip]
>> I am assuming (and we all know what that means :) ) that the OP has such a disk.
> [snip]
>
> It is not an assumption. OP has Re-Write (RW) disks.
>

I suggest that you try xorriso. In recent years I've had much better results with xorriso for writing DVDs and Blu-rays than any of the older programs.

Nataraj
Re: [CentOS] please block user
On 08/27/2015 07:29 AM, m.r...@5-cent.us wrote:
> Gary Stainburn wrote:
>> Bad news Guys, they've just moved the emails to somewhere else and have started again:
>
> A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block

Here's a sure way to block this kind of spam, though there is a price for doing so.

For each mailing list that I subscribe to (or for all of the mailing lists on a particular mailman server) I create a unique email address that I use to subscribe to that list. That userid forwards to my real email address. I then run some software capable of whitelisting/blacklisting at the smtp level. The one I run can whitelist or blacklist based on the following (regular expressions are supported):

* envelope sender
* envelope recipient
* helo name
* remote ip address
* remote hostname

So I create the following two rules (which must be processed in the specified order):

Whitelist remotehostname: *mail.centos.org*
Blacklist envelope recipient:

This method works 100% of the time. The price of doing this is:

1) You can't receive private emails from list members without having some type of on list exchange or adding their email to your whitelist.
2) You must post to the list using the address that you used to subscribe.

This has stopped all of the spam that I was getting from spammers that harvest email addresses on mailing lists. My whitelisting and blacklisting is done using vpostmaster (which is no longer maintained), but I believe there are other packages which can be used with postfix or exim to do this type of thing.

Nataraj
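Added example of the ordered whitelist-then-blacklist evaluation described above, written as plain Python rather than as vpostmaster configuration (it is not the author's setup). It keys the whitelist on the MTA's verified remote host name rather than the HELO string and anchors the pattern; the subscription address, host names and IP addresses are constructed placeholders.

```python
"""Ordered whitelist/blacklist rules on the SMTP envelope.

Added example, not the vpostmaster configuration from the post: rules are
evaluated in order against the five envelope fields listed above and the
first match wins. The subscription address, host names and IP addresses are
constructed placeholders.
"""
import re

FIELDS = ("sender", "recipient", "helo", "remote_ip", "remote_host")

LIST_ALIAS = "centos-sub-a8f3@mydomain.example"   # constructed per-list subscription address

# Order matters: the whitelist must come first or list mail is rejected too.
RULES = [
    # Keyed on the MTA's verified reverse-DNS name, not on the HELO string, which
    # any client can set; anchored so "mail.centos.org.something" does not match.
    ("whitelist", "remote_host", r"(^|\.)mail\.centos\.org$"),
    ("blacklist", "recipient", "^" + re.escape(LIST_ALIAS) + "$"),
]


def evaluate(envelope, rules=RULES):
    """Return ('accept' or 'reject', the matching rule or None)."""
    for rule in rules:
        action, field, pattern = rule
        if field not in FIELDS:
            raise ValueError(f"unknown envelope field {field!r}")
        if re.search(pattern, envelope.get(field, ""), re.IGNORECASE):
            return ("accept" if action == "whitelist" else "reject"), rule
    return "accept", None          # nothing matched: normal processing continues


def decide_all(envelopes, rules=RULES):
    """Decision per labelled envelope, for a batch of messages."""
    return {label: evaluate(env, rules)[0] for label, env in envelopes.items()}


# Constructed sample envelopes as the MTA would see them.
SAMPLES = {
    "list_post": {"sender": "centos-bounces@centos.org", "recipient": LIST_ALIAS,
                  "helo": "mail.centos.org", "remote_ip": "203.0.113.10",
                  "remote_host": "mail.centos.org"},
    "harvested": {"sender": "offers@bulk.example", "recipient": LIST_ALIAS,
                  "helo": "mail.centos.org",            # HELO claims the list host, rDNS does not
                  "remote_ip": "198.51.100.7", "remote_host": "host7.bulk.example"},
    "lookalike": {"sender": "offers@bulk.example", "recipient": LIST_ALIAS,
                  "helo": "x", "remote_ip": "198.51.100.8",
                  "remote_host": "mail.centos.org.bulk.example"},
    "personal": {"sender": "friend@elsewhere.example", "recipient": "me@mydomain.example",
                 "helo": "mx.elsewhere.example", "remote_ip": "198.51.100.9",
                 "remote_host": "mx.elsewhere.example"},
}
```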
Re: [CentOS] Some subscribers posts to the list ending up in Gmail spam
On 04/08/2015 09:40 AM, Laurent Blume wrote:
> On 2015/04/08 17:50 +0200, Les Mikesell wrote:
>> No, I don't think it will ever learn from that, but there is a way you can set a rule to 'never mark as spam' based on the sender. Which wouldn't be fun on a list with a lot of yahoo.com members.
> FWIW, I recently solved one reason GMail was always marking my emails as spam: my MTA has IPv6, and to send emails, it was by default using the rfc3041 temporary addresses as source, so each time a different address when connecting to Google's MX's.
>
> As soon as I set it up to use the proper static IPv6, marking them as «not spam» in Gmail subsequently worked. So it looks like they also keep track of the sender's MTA address, not only of the email address.
>
> Obviously not the reason for everybody, but hopefully it can help others :-)
>
> Laurent

Gmail has many different criteria that it uses for detecting spam. One of the things they do is to keep a credibility score based on the IP address of a mailserver. In general, they like to see all of the mail for a domain coming from a single IP address. Since mail.centos.org uses a single IP address, this is not the problem here. If one wanted to improve this situation, my sense is that the next thing to do would be to strip off the DKIM signatures which have incorrect checksums. After that, the next thing that would improve gmail's spam scoring of list mail would be to add a valid DKIM signature, but that is messier for a mailing list because it would mean ugly rewriting of the from header. It is possible that simply stripping the original sender's DKIMs would solve the problem.

Nataraj
Re: [CentOS] filesystem corruption?
On 04/06/2015 02:37 PM, m.r...@5-cent.us wrote:
>
> I then loaded the drive in another server, and examined it. fsck reported both / and /boot were clean, but when I redid this with fsck -c, to check for bad blocks, it found many multiply-claimed blocks.

Just running fsck with no arguments will not do anything unless the filesystem is unclean or the time interval between checks has expired. I suspect that fsck -f would have found problems as well. Time will tell if there is a hardware problem with the system, but I would probably run some hardware diagnostics on the server including memory and IO tests if you wanted to be on the safe side. You could also reformat the disk and run some write/readback diagnostics if you wanted to find out if the disk is bad.

Nataraj

>
> First question: anyone have an idea why it showed as clean, until I checked for bad blocks? Would that just be because I'd gracefully shut down the original server, and it mounted ok on the other server?
>
> Mounting it on /mnt, I found no driver errors being reported in the logs, nor anything happening, including logons, before an automated contact from another server, which failed. AND I checked our loghost, and nothing odd shows there, neither in message nor in secure.
>
> At this point, I *think* it's filesystem corruption, rather than a compromised system, but I'd really like to hear anyone's thoughts on this.
>
> mark
Re: [CentOS] Some subscribers posts to the list ending up in Gmail spam
On 04/04/2015 09:59 AM, Andrew Holway wrote:
> Did we work out the technical reason why some users that post to the list
> are getting dumped into gmail spam?
>
> Ta,
>
> Andrew

It is most probably due to the various issues around dmarc, dkim and mailing list servers, for which there is currently no great solution. If, for example, I look at your message (in this case, the one I am responding to), I see the following:

1. The message has intact a dkim signature from gmail, so the CentOS mailman server is not stripping the dkim sig from the original sender, which recent versions of mailman can be configured to do.

2. The CentOS mailman server adds its own footer, changing the checksum of the message, so the dkim signature is no longer valid; therefore when any receiving mail server checks the DKIM sig it fails, as it did with my own mailserver.

3. The centos server does NOT add its own DKIM sig and appears to have no DMARC record in the DNS (dig txt _dmarc.centos.org.). These are not necessarily a good idea anyway for mail coming from a mailing list server, because in order to add a DKIM sig the from of the message would have to be changed to n...@centos.org, since the mailman server can't itself sign for a sender from another domain.

I'm not suggesting that DKIM or DMARC are a good solution to anything; however, several of the FREEMAIL providers do pay attention to these things, so the CentOS mailserver admin might want to consider having mailman strip existing DKIM sigs from the mail (or alternatively not adding a footer). You can check the mailman doc/mailing list for other relevant options for working around these problems.

I believe that if, in your gmail account, you keep marking as "NOT SPAM" any false positives, it will send more of these messages to the right folder.
There has been an abundance of discussions in the past about these issues on the various mailman, dmarc and dkim mailing lists as well as in many other places. This whole issue hit the fan early in 2014 when yahoo and aol changed their DMARC policy to reject incoming mail that failed the DMARC test. Gmail, however, does not enforce the "reject" in others' DMARC policy, but instead sends the email to the spambox (gmail also may send email to the spambox if it has no DKIM signature at all). I found that when I added (valid) DKIM signatures and a DMARC record for my domains, recipient freemail users' messages started going to their inbox instead of their spambox.

Nataraj
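Point 2 above (a footer appended by mailman makes the sender's DKIM signature fail) can be seen directly in the DKIM body hash. The following is an added example, not code from the thread or from any MTA: it models only the bh= tag of RFC 6376 with "simple" body canonicalization, leaving out header signing and the b= tag; the message body and footer are constructed.

```python
"""Added example: DKIM body hash (bh=) versus an appended list footer.
Only the body-hash step of RFC 6376 is modelled; header hashing and the
cryptographic b= tag are omitted.  Sample text below is constructed."""
import base64
import hashlib
from typing import Dict, Optional


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, and an empty body becomes a single CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) over the canonicalized body, or over only
    its first `length` bytes when the signature carries an l= tag."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def sign_body(body: bytes, use_length: bool = False) -> Dict[str, str]:
    """Body-related tags a signer would place in DKIM-Signature."""
    tags = {"a": "rsa-sha256", "c": "relaxed/simple"}
    if use_length:
        tags["l"] = str(len(canonicalize_body_simple(body)))
        tags["bh"] = body_hash(body, int(tags["l"]))
    else:
        tags["bh"] = body_hash(body)
    return tags


def verify_body(body: bytes, tags: Dict[str, str]) -> bool:
    """Recompute bh= over the body as received and compare, which is what
    the receiving MTA (gmail, or the poster's own server) does."""
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, length) == tags["bh"]


# Constructed sample: an original post body and a mailman-style footer.
ORIGINAL = (b"Did we work out the technical reason why some users that post\n"
            b"to the list are getting dumped into gmail spam?\n\nTa,\n\nAndrew\n")
FOOTER = (b"_______________________________________________\n"
          b"CentOS mailing list\nCentOS@centos.org\n"
          b"http://lists.centos.org/mailman/listinfo/centos\n")


def demo() -> Dict[str, bool]:
    """Unchanged body, footer appended, and footer appended where the signer
    used l= so the verifier hashes only the original bytes."""
    no_l = sign_body(ORIGINAL)
    with_l = sign_body(ORIGINAL, use_length=True)
    return {
        "unchanged": verify_body(ORIGINAL, no_l),                 # True
        "footer_appended": verify_body(ORIGINAL + FOOTER, no_l),  # False: bh= mismatch
        # l= survives the footer, which is also why RFC 6376 warns that it
        # lets anyone append unsigned text to a signed message.
        "footer_with_l": verify_body(ORIGINAL + FOOTER, with_l),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```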
Re: [CentOS] OpenSSL vulnerability fix
On 03/30/2015 11:57 PM, Venkateswara Rao Dokku wrote:
> just for my curiosity, How can we make sure that it's not affected?
>
> Is there any script to check whether it's vulnerable or not (as in bash
> shell shock vulnerability test)?

You can run both client and server tests from: https://www.ssllabs.com/

Nataraj

>
> On Tue, Mar 31, 2015 at 12:25 PM, Eero Volotinen wrote:
>
>> Centos 5 is not affected by this bug, so fix is not available.
>>
>> Eero
>> On 31.3.2015 9.48 AM, "Venkateswara Rao Dokku" wrote:
>>> Hi All,
>>>
>>> I wanted to fix the openssl vulnerabilities (CVE-2014-3569, CVE-2014-3570,
>>> CVE-2014-3571, CVE-2014-3572) in my CentOS 5.5 and found out that 0.9.8zd
>>> has the fixes I am looking for (from the
>>> https://www.openssl.org/news/vulnerabilities.html link).
>>>
>>> But, When I tried to find the openssl-0.9.8zd rpm package, I did not find
>>> it in http://mirror.centos.org/centos/5/updates/x86_64/RPMS/.
>>>
>>> The latest that I could find was 0.9.8e-31-el5.
>>>
>>> Can you please help me on how I can find the rpm I am looking for or how
>>> I can fix the vulnerabilities?
>>>
>>> Thanks for your help.
>>>
>>> --
>>> Thanks & Regards,
>>> Venkateswara Rao Dokku.
Re: [CentOS] favorite cheap VPS services
On 01/15/2015 06:24 PM, Tim Dunphy wrote:
> Hey all,
>
> I'm trying to learn how to use some of the big data stores. Specifically I
> want to learn how to use CassandraDB and Hadoop. Originally I'd had the
> idea of trying to setup a cassandra ring on the Amazon AWS free tier.
> However it seems that neither will run on a t2.micro instance.
>
> So I was wondering.. what are some really cheap VPS services that you like
> to use for one off projects like this and why. I'm looking for dirt cheap
> as possible.
>
> I'd love to hear any opinions on this !!
>
> Thanks
> Tim
>

I've seen linux vps's out there for $3-$5/month, but generally they have pretty bad reviews. I'd probably go for something like linode's $10/month vps which works, and the company is reasonable to deal with. Linode does charge you for the VPS if it exists, even if it's not running, though you won't pay much if you use the vps for a few hours and then delete it. There are some cloud providers who have higher rates than linode, but charge you only a small fee for storage if you shut the vps down when you're not using it. One example, which I have no experience with, is: http://www.phoenixnap.com/secured-cloud/about-our-cloud/pricing.php

Here's a $3.99/month cheapie, but I have no experience with it: http://lowendbox.com/blog/serverhub-4-99-1536mb-openvz-vps-2-ipv4-addresses-in-phoenix-az/

Nataraj
Re: [CentOS] DJBDNS: very weird dnscache issue
On 01/13/2015 08:53 AM, Boris Epstein wrote:
> Hello all,
>
> We have put a DNS server online running DJBDNS v1.06
> (ndjbdns-1.06-1.el6.x86_64) on a 64-bit CentOS 6.6 server. We have done
> some limited testing on the machine which it passed - i.e., dnscache was
> talking to tinydns, the queries went through fine, etc.
>
> As soon as we put it online subjecting it to live load the following
> happened:
>
> 1) Within a short time period (about a minute) the dnscache process reached
> the CPU utilisation level of 100%.
>
> 2) The process would then die reporting the following message to the log:
>
> dnscache: BUG: out of in progress slots
>
> NOTE: Random sampling indicates that at no point sampled did the load
> exceed 200 requests per second. In tests conducted earlier the DNS server
> successfully demonstrated speeds in tens of thousands of requests per
> second.
>
> We then proceeded to edit the following parameters in the dnscache.conf as
> they seemed to be the only ones that seemed relevant: DATALIMIT and
> CACHESIZE. They are described as limits (in bytes) on the total data
> memory allocation and cache, default values are 8000 and 5000
> respectively.
>
> Playing with these demonstrated some highly counterintuitive results:
>
> 1) Setting the values lower (say, an order of magnitude lower) made the
> dnscache process run longer.
>
> 2) Shortening the relative gap between the two values (for instance,
> setting DATALIMIT at 52000 and CACHE at 5) made it run for about an
> hour vs about 1 minute, load seeming to be about the same.
>
> 3) Running it with DATALIMIT not set was possible though it eventually
> failed anyways.
>
> 4) Running it with CACHESIZE not set was not possible at all.
>
> So the issue is currently still not resolved and we are stuck.
>
> Any advice will be much appreciated.
>
> Cheers,
>
> Boris.

Powerdns is supposed to have excellent performance and supports both a caching configuration and a database backend.

Nataraj
Re: [CentOS] Emacs problem
On 12/23/2014 08:55 AM, Jason Ricles wrote:
> I am currently running the latest kept yum version of emacs on Centos
> 6.6. The issue I am having is that sometimes when I type input, some
> of the input randomly disappears and will then reappear when I
> highlight where the missing input should be.
>
> Why might this annoying thing be happening, and is there a way to fix
> it? Also I have not made any edits to emacs preferences so they are
> set to the defaults, and it never happened in Centos 6.5 but now does in
> 6.6.

Are you running emacs as an X window or inside of a terminal emulation window such as gnome-terminal or xterm? If running in a terminal emulation window, try a different terminal emulator, i.e. xterm instead of gnome-terminal. Is it running on the same machine as your desktop or on a remote server? In the last several years I see a lot of display issues with remote X applications.

Nataraj
Re: [CentOS] Sendmail SMTP Brute-Force Attack
On 06/15/2012 09:33 AM, John R Pierce wrote:
> On 06/15/12 9:25 AM, Shiv. Nath wrote:
>> 1.) install & configure fail2ban
> each of the connections shown in the log fragment was from a different
> IP. how would fail2ban help?
>

If you were to switch to postfix, I believe that postscreen may be able to handle this type of spambot attack. http://www.postfix.org/postscreen.8.html

Unless you happen to already be a sendmail guru, my sense is that postfix is easier to configure to deal with these complex situations.

Nataraj
Re: [CentOS] resource efficient log scanning tools
On 06/08/2012 02:48 PM, Steven Tardy wrote:
> simple-evcorr.sourceforge.net (sec.pl)
> the rules are a bit of a bear to learn, but it can do anything.
> 300 syslogs/second using ~5% cpu and 20MB of ram with 600+ rules.
>
> On 06/08/2012 04:26 PM, Nataraj wrote:
>> I'm looking for a logfile scanner that can search for regular
>> expressions in logfiles and send immediate email notifications. I'd
>> like to try to find something that doesn't use huge amounts of memory.
>> I'm currently running fail2ban and used it to do some of this scanning,
>> but I'm finding that it can suck up memory and CPU resources when there
>> is a lot of logging going on.
>>
>> I am aware of swatch, but most people say that it is pretty resource
>> intensive as well. I came across logsurfer in a google search and was
>> wondering if anyone has experience with it or what other good
>> alternatives might exist.
>>
>> While fancy features are nice, I'm willing to forgo them for lower
>> resource consumption.
>>
>> Thanks,
>> Nataraj

Thank you. sec looks like a useful tool. I will try it.

Nataraj
[CentOS] resource efficient log scanning tools
I'm looking for a logfile scanner that can search for regular expressions in logfiles and send immediate email notifications. I'd like to try to find something that doesn't use huge amounts of memory. I'm currently running fail2ban and used it to do some of this scanning, but I'm finding that it can suck up memory and CPU resources when there is a lot of logging going on.

I am aware of swatch, but most people say that it is pretty resource intensive as well. I came across logsurfer in a google search and was wondering if anyone has experience with it or what other good alternatives might exist.

While fancy features are nice, I'm willing to forgo them for lower resource consumption.

Thanks,
Nataraj
Re: [CentOS] 75% - 80% Rebuild Complete
On 06/07/2012 11:38 PM, Bob Hoffman wrote:
> On 6/8/2012 1:13 AM, Nataraj wrote:
>> On 06/07/2012 03:48 PM, Les Mikesell wrote:
>>
>> And if the server is colocated, but you have remote console access, you
>> can leave a recovery CD in the drive, but set the boot order to boot the
>> hard drive and then remotely change the boot order if you have problems.
>>
>> Nataraj
>>
>>
> out of curiosity, how do you prevent centos from ejecting the dvd when
> it is done installing?

That I don't know, but once CentOS is installed, if my memory serves me correctly, I think you can leave a CD/DVD in the drive over reboots as long as you don't eject it. Alternatively, I think it would work to use a USB stick to boot a recovery system remotely. Dell actually provides the ability to boot a remote CD over the DRAC interface, but it's extremely slow unless you have a very high bandwidth connection, and at least a few years ago when I last looked, most people did not recommend using that functionality.

Actually, now that I think about it, I believe that if you have a CD/DVD drive with a self loading tray, it will suck the tray back in when the BIOS resets. This will not work with the slim drives with manual trays that they put in most servers, so you would have to have rack space that allows you to leave an external drive plugged in. The USB stick or other flash drive is probably a better solution. The main thing is having remote access to the BIOS.

Nataraj
Re: [CentOS] 75% - 80% Rebuild Complete
On 06/07/2012 03:48 PM, Les Mikesell wrote:
> On Thu, Jun 7, 2012 at 4:48 PM, Scott Silva wrote:
>> In older versions sdb would become sda, but I don't have enough time on the 6
>> series to know for sure... Maybe I will fire up a virtual machine with a
>> couple emulated sata drives and see
> Sda/sdb are the kernel's conventions. What matters is what bios sees.
> And that may be different depending not only on the hardware but also
> the failure mode - sometimes a drive will fail but not really
> disappear from detection and it is hard to emulate that. Also, back
> in ATA days it was pretty common for a failed drive to lock both
> channels on the controller.
>
> As long as you have physical access to the box you can fix it fairly
> quickly by booting a rescue iso and re-installing grub, even if you
> have to try a couple of times to get it right.
>

And if the server is colocated, but you have remote console access, you can leave a recovery CD in the drive, but set the boot order to boot the hard drive and then remotely change the boot order if you have problems.

Nataraj
Re: [CentOS] question for those who run mail servers
On 05/31/2012 10:35 AM, Craig White wrote:
> On May 31, 2012, at 6:09 AM, Bob Hoffman wrote:
>
>> Not technically a centos question, but a lot of you guys seem to manage
>> some large systems and I could use some clarification on a postfix setting.*
>>
>> *reject_unknown_client_hostname
>> (in postfix < 2.3 reject_unknown_client)
>>
>> When I first used this there were issues with users trying to send mail
>> through the server from hotels, wireless spots, etc. This was solved by
>> pushing up permit sasl_authenticated.
>>
>> I took it out after those issues. I read many online posts from 2008
>> saying too many false positives. (though none were clear if those were
>> incoming mail or from mail users)
>>
>> Do you use reject_unknown_client_hostname?
>>
>> Other than someone trying to access the server to send mail through it
>> as a user I do not see how this could be a bad setting and am thinking
>> of using it. A person sending out a mail to the server, even if in that
>> badly set up hotel wireless, should be using their gmail, yahoo, own
>> server, isp mail servers and should not be directly sending from their
>> iphone... is that correct?
>>
>> or do you ignore the use of this setting still?
>>
>> -thanks for any updates on the use of this setting.
>
> if the goal is to minimize spam then this is a really good option as it
> duplicates methodologies employed by a lot of the large e-mail providers (ie,
> AOL) which require both the forward and reverse addresses to resolve.
>
> Requiring someone to authenticate to a known SMTP host is reasonable and
> prudent - and I would agree that the senders should be using a registered SPF
> (sender permitted from) SMTP host for forwarding their outgoing e-mails.
>
> Craig

Yes, I second this. No legitimate mail users today expect to send email directly from a mobile device or even a home broadband connection.

Any mail server that allows incoming email directly from end users is going to get bombarded with spam. In recent years, most mailserver administrators know that they have to set up proper DNS as well. Disallowing mailservers without proper DNS stops massive amounts of spam, and lately I hardly ever have to add exceptions for this anymore.

I run a mail server for a good number of users and I run with this:

This one is very reliable and will reject a good many broadband/dialup connections
Under smtpd_client_restrictions:
    reject_rbl_client pbl.spamhaus.org
    reject_unknown_client_hostname
unknown_client_reject_code = 550

I just don't get a lot of complaints from users anymore, running with these. This will of course depend heavily on your user base and who they exchange email with.

You might also look at postscreen. I've heard really good things about it, though I haven't had time to set it up yet.

Nataraj
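What the two restrictions above actually test can be made concrete. The following is an added example, not code from the thread or from Postfix: an offline model of reject_rbl_client (a reversed-octet DNSBL query) and reject_unknown_client_hostname (forward-confirmed reverse DNS), evaluated in the order the post lists them. The DNS records, client addresses and DNSBL listing are constructed, and the reply texts only approximate Postfix's wording.

```python
"""Added example: an offline model of the smtpd_client_restrictions in the
post.  All resolver data and client addresses here are constructed."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed DNS data standing in for real resolver answers.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.25": "mx1.example.net",    # forward-confirmed: A record points back
    "203.0.113.7": "dyn-7.isp.example",    # has a PTR, but its A record disagrees
    "192.0.2.44": "host44.example.org",    # PTR name that resolves to nothing
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["198.51.100.25"],
    "dyn-7.isp.example": ["203.0.113.99"],
    # A record for a DNSBL query name: a 127.0.0.x answer means "listed".
    "7.113.0.203.pbl.spamhaus.org": ["127.0.0.11"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def reversed_octets(ip: str) -> str:
    """DNSBLs are queried by the client IP with its octets reversed."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def reject_rbl_client(ip: str, zone: str,
                      resolve_a: Callable[[str], List[str]]) -> Optional[str]:
    """Reject when <reversed ip>.<zone> has a 127.x answer in the DNSBL zone."""
    answer = resolve_a(f"{reversed_octets(ip)}.{zone}")
    if any(a.startswith("127.") for a in answer):
        return f"554 5.7.1 Service unavailable; Client host [{ip}] blocked using {zone}"
    return None


def reject_unknown_client_hostname(ip: str,
                                   resolve_ptr: Callable[[str], Optional[str]],
                                   resolve_a: Callable[[str], List[str]],
                                   reject_code: int = 450) -> Optional[str]:
    """Reject unless IP -> name -> IP round-trips (forward-confirmed rDNS).
    Postfix's default unknown_client_reject_code is 450 (a temporary
    failure); the post sets it to 550 so the rejection is permanent."""
    name = resolve_ptr(ip)
    if name is None:
        return f"{reject_code} 5.7.1 Client host rejected: cannot find your reverse hostname, [{ip}]"
    if ip not in resolve_a(name):
        return f"{reject_code} 5.7.1 Client host rejected: cannot find your hostname, [{ip}]"
    return None


def check_client(ip: str) -> str:
    """smtpd_client_restrictions from the post; the first rule to fire wins."""
    restrictions = (
        lambda: reject_rbl_client(ip, "pbl.spamhaus.org", lookup_a),
        lambda: reject_unknown_client_hostname(ip, lookup_ptr, lookup_a, 550),
    )
    for rule in restrictions:
        reply = rule()
        if reply is not None:
            return reply
    return "OK"


if __name__ == "__main__":
    for client in ("198.51.100.25", "203.0.113.7", "192.0.2.44", "192.0.2.1"):
        print(f"{client}: {check_client(client)}")
```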
Re: [CentOS] Request for CentOS stats
On 05/30/2012 03:36 PM, Bob Hoffman wrote:
> On 5/30/2012 5:50 PM, Hakan Koseoglu wrote:
>> I trust the administrators of the centos.org mailing lists not to give
>> out any information on my subscription(s) to anyone, even including a
>> count of it.
> Actually, I would really like them to clean up our email addresses from
> the archives.
> Those pages are copied throughout the net and a lot of sites change the
> 'me at mysite' to m...@mysite.com
> and it does add to issues and such.
> Never liked the mailman, majordomo, etc cause they all seem to love to
> do that...post emails on the web.

Very easy solution: create a unique email address to subscribe to the list, then add:

whitelist envelope-to = unique-email-address client-hostname='regex:.*\.centos\.org'
blacklist envelope-to = unique-email-address

Of course you need to be running something on your mailserver to let you whitelist/blacklist on these different fields and then process whitelist and blacklist requests in the order specified. Using this method you get 0 spam messages from being subscribed to the list. As you've pointed out though, other list members can't easily send you private email.

Nataraj
Re: [CentOS] need assist with upstart config problem
On 05/30/2012 02:00 PM, James B. Byrne wrote:
> I am trying, without success, to create an upstart config file to
> automatically start and restart an ssh proxy. The command string that
> I use in the script has been checked and verified from the shell but
> it fails in the upstart file.
>
> The file contents are:
>
> . . .
> # proxy is used to authenticate smtp submissions
> # so start it before the postfix service starts
> start on starting postfix
>
> # Take down proxy after postfix stops
> stop on stopped postfix
>
> # tell upstart that this script creates a daemon
> # and have upstart manage PID creation
> # but it is generally a bad idea to use this with a
> # script / end script block, use exec() instead
> # no fork in ssh
> #expect fork
>
> # restart automatically if connection fails
> respawn
>
> # for script debugging with strace
> # but not available in 0.6.3 of course
> #debug
> # use strace -p -o /tmp/upstart_debug.log -Ff -s 1024 -v
>
>
> # Setup script configuration variables:
>
> # localhost means we do not expose proxy to internet
> env LOCAL_HOST=localhost
>
> # port 143 is default IMAP service port for plain text connections
> env LOCAL_PORT=143
>
> # ports less than 1024 require root privileges to establish
> # this must be a passwordless login using PKI certificates
> # requires one time setup of local root user ssh key and cert
> # and adding this host's root user cert to authorized_keys of
> # login host's root user.
> env LOGIN_USER=root
>
> # login PKI credentials for LOGIN_USER
> env LOGIN_IDENT=/root/.ssh/id_rsa
>
> # login host, may be different than remote host for port forwarding
> # must resolve to an address that sshd login server listens on
> env LOGIN_HOST=inet07.hamilton.harte-lyne.ca
>
> # the remote host destination for port forwarding
> env REMOTE_HOST=inet07.hamilton.harte-lyne.ca
>
> # port that remote service listens on
> env REMOTE_PORT=143
>
> # Locate ssh binary
> env SSH_BINARY=/usr/bin/ssh
>
> # SSH options used:
>
> ### -D : "dynamic" app-level port forwarding - not used. ###
>
> # -f : run in background without a terminal implies -n
>
> # -i : identity file for pki login credentials
>
> # -l : login user name
>
> # -L local_host:local_port:remote_host:remote_port
> #    : Establishes proxy connection from local port
> #      port on the remote host.
>
> # -n : stdin from /dev/null, must be used when ssh is run in bg.
>
> # -N : Do not run a command on the remote host. Otherwise an
> #      error results because we are not initiating a session.
>
> # -o ExitOnForwardFailure=yes : Wait until connection successfully
> #    completes before daemonizing
>
> # -o ServerAliveInterval=15 : Keep connection alive every 15 seconds
>
> # -q : Run quietly, do not produce local output.
>
> # -T : disable pseudo-tty allocation
>
> # SSH options used
> env SSH_OPTIONS=" -o ExitOnForwardFailure=yes "
> env SSH_OPTIONS=${SSH_OPTIONS}" -o ServerAliveInterval=15 "
>
> # SSH switches used:
> env SSH_SWITCHES=" -fNqT "
>
> exec ${SSH_BINARY} ${SSH_OPTIONS} ${SSH_SWITCHES} -l ${LOGIN_USER} -i ${LOGIN_IDENT} -L ${LOCAL_HOST}:${LOCAL_PORT}:${REMOTE_HOST}:${REMOTE_PORT} ${LOGIN_HOST}
>
> # EOF
>
> The exec is all one line.
>
> I have tried removing -f from the switches but this makes no
> difference. Whenever I start this job it immediately fails with the
> following in the syslog:
>
> . . .
> May 30 16:47:06 inet08 init: LOCAL_ssh_imap_proxy main process ended, respawning
> May 30 16:47:06 inet08 init: LOCAL_ssh_imap_proxy main process (3393) terminated with status 255
> May 30 16:47:06 inet08 init: LOCAL_ssh_imap_proxy main process ended, respawning
> May 30 16:47:06 inet08 init: LOCAL_ssh_imap_proxy main process (3397) terminated with status 255
> May 30 16:47:06 inet08 init: LOCAL_ssh_imap_proxy respawning too fast, stopped
>
> Is what I am doing wrong obvious to anyone?
>

The '-f' option tells SSH to run in the background, but normally upstart expects to wait for the process. Maybe you want '-n' instead of '-f'. Alternatively, if you run a program in the background you could specify 'task' in the config file to tell upstart not to wait for the process (you couldn't use respawn with that because then the process is not managed by upstart anymore).

Nataraj
[CentOS] LVM superblock version
Is there an lvm command to print out any kind of version information for the LVM superblock, similar to what "mdadm -E" does for raid? How can I tell whether a mountable device with LVMs on it can be safely moved between CentOS 5 and CentOS 6 and/or potentially other Linux distributions?

I know that CentOS 6 supports 'lvconvert --merge'. Is this implementation purely in the lvm software or does it require a different superblock? Can I take an LVM setup created under CentOS 6 and read it on a CentOS 5 system?

Thanks,
Nataraj
Re: [CentOS] anyone care to helop with a fail2ban problem on Centos 5.8?
On 05/28/2012 01:00 PM, Dave Stevens wrote:
> I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to
> get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf
> has these sections:
>
> [ssh]
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 6
>
> # Generic filter for pam. Has to be used with action which bans all ports
> # such as iptables-allports, shorewall
> [pam-generic]
>
> enabled = false
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter = pam-generic
> # port actually must be irrelevant but lets leave it all for some possible uses
> port = all
> banaction = iptables-allports
> port = anyport
> logpath = /var/log/auth.log
> maxretry = 6
>
> and an excerpt from a logwatch run just now is:
>
> - pam_unix Begin
>
> sshd:
> Authentication Failures:
> unknown (190.145.98.179): 2460 Time(s)
> root (58.51.95.75): 285 Time(s)
> unknown (122.70.128.5): 125 Time(s)
> postgres (190.145.98.179): 64 Time(s)
> mail (190.145.98.179): 40 Time(s)
> mysql (190.145.98.179): 40 Time(s)
> root (190.145.98.179): 36 Time(s)
> unknown (58.51.95.75): 26 Time(s)
> ftp (190.145.98.179): 17 Time(s)
> root (122.70.128.5): 15 Time(s)
> root (221.226.215.117): 13 Time(s)
> root (cloud-128-117.diagcomputing.org): 13 Time(s)
> adm (190.145.98.179): 12 Time(s)
>
> so advice? redirection? rtfm?
>
> Dave
>

First, I don't think your CentOS 5.8 system has a logfile named /var/log/auth.log, so you probably want /var/log/secure or /var/log/audit/audit.log, probably the former; otherwise you can try enabling the pam filter in fail2ban. Next, you need to edit /etc/fail2ban/filter.d/sshd.conf and set up the python regular expression to match the failure messages that you get from sshd (or pam). You can use the fail2ban-regex program (run it with no arguments for a help message) to test and see if your regular expressions are matching properly.

See http://docs.python.org/library/re.html for documentation on python regular expressions and the fail2ban Wiki on http://www.fail2ban.org which explains how to use a python variable in the RE to pass the IP address from the logfile back to fail2ban.

I'm not sure where you got your fail2ban version; I think I'm running one from EPEL, but the jail.conf entry that you have has no action entry, so it won't do anything. My jail.conf entry for ssh (I don't have SSH enabled for fail2ban) looks like this:

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2...@mail.com]
logpath = /var/log/secure
maxretry = 5

So to enable it, you would change the enabled line to 'enabled = true'. The action line shown here will invoke the commands in /etc/fail2ban/action.d/iptables.conf to insert iptables access lists to block the offending ip address. You must have iptables turned on. You can change the maxretry value to specify how many failures are allowed before the IP is blocked. You can also add a "bantime = #seconds" to the jail.conf entry to specify how long to block the IP for.

I would suggest that you remove the copy of fail2ban that you have installed and install the one from the EPEL repo instead; you are much more likely to have the correct configuration for the CentOS logfiles as well as the correct regular expression for matching entries in the log files, so that if you enable it in jail.conf, it might just work with little or no customization.

Nataraj
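The pieces the reply names (a failregex with the <HOST> placeholder, /var/log/secure as logpath, maxretry and bantime) fit together as follows. This is an added example, not code from the thread or from fail2ban itself: a small model of a jail's decision logic, run over constructed /var/log/secure lines. The sample lines, the RFC 5737 addresses and the simplified <HOST> pattern are all mine; fail2ban's real <HOST> regex and filter files are more elaborate.

```python
"""Added example: a miniature fail2ban-style sshd jail.  Not fail2ban's
code; sample log lines and the simplified <HOST> pattern are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w.-]+)"

# Patterns in the style of filter.d/sshd.conf for CentOS 5 /var/log/secure:
# sshd's own failure message and the pam_unix one.
FAILREGEX: List[str] = [
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from <HOST> port \d+ ssh2",
    r"pam_unix\(sshd:auth\): authentication failure;.* rhost=<HOST>",
]
IGNOREIP = {"127.0.0.1"}
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(patterns: List[str]) -> List[re.Pattern]:
    """Replace <HOST> with the capturing group used to pull the client
    address back out of a matching line, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_line(line: str, regexes: List[re.Pattern],
               year: int) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, host) for a line matching a failregex, else None.
    Syslog lines carry no year, so the caller supplies it."""
    ts_match = SYSLOG_TS.match(line)
    if not ts_match:
        return None
    for regex in regexes:
        m = regex.search(line)
        if m:
            ts = datetime.strptime(f"{year} {ts_match.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def scan(lines: List[str], maxretry: int = 5, findtime: int = 600,
         bantime: int = 600, year: int = 2012) -> Dict[str, datetime]:
    """Return {host: ban_expiry} for every host with >= maxretry failures
    inside a findtime-second window, mirroring a jail's decision."""
    regexes = compile_failregex(FAILREGEX)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line, regexes, year)
        if parsed is None:
            continue
        ts, host = parsed
        if host in IGNOREIP or host in bans:
            continue
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime before counting.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


# Constructed /var/log/secure excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 28 12:00:01 inet08 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
May 28 12:00:03 inet08 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40123 ssh2
May 28 12:00:05 inet08 sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
May 28 12:00:07 inet08 sshd[2203]: Failed password for root from 198.51.100.23 port 40124 ssh2
May 28 12:00:09 inet08 sshd[2205]: Failed password for root from 198.51.100.23 port 40125 ssh2
May 28 12:00:10 inet08 sshd[2207]: Failed password for root from 203.0.113.9 port 50100 ssh2
May 28 12:00:12 inet08 sshd[2208]: Accepted publickey for nataraj from 203.0.113.9 port 50101 ssh2
May 28 12:00:13 inet08 sshd[2209]: Failed password for root from 127.0.0.1 port 60001 ssh2
"""


if __name__ == "__main__":
    for host, until in scan(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} until {until}")
```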
Re: [CentOS] Help needed with NFS issue
Have you looked at the rpcd process with top or ps to see what state it is in? What about running strace? What about your dns server or any other (reverse) client lookup services that you might have enabled?

Nataraj
Re: [CentOS] vpostmaster and Centos 6
On 04/09/2012 12:02 PM, Bowie Bailey wrote:
> On 4/9/2012 2:49 PM, Tom Bishop wrote:
>> Yup, I feel good about our antivirus front, that is installed and all up to
>> date, what I am after now is a simple, yet effective smtp relay/gateway to
>> go to exchange server 2010.
> Whatever you do, your front-line mail server MUST be able to reject
> invalid email addresses for your domain. If you just pass the whole
> domain through to exchange, then you are going to be generating
> backscatter spam when exchange rejects the invalid users.
>

Yes, I would agree with this, so you end up having to create local accounts anyway, unless you link postfix into an active directory server, and I wouldn't suggest this unless you have a fair amount of experience and time to figure out how to do it.

Nataraj
Re: [CentOS] vpostmaster and Centos 6
On 04/09/2012 11:49 AM, Tom Bishop wrote:
> Yup, I feel good about our antivirus front, that is installed and all up to
> date, what I am after now is a simple, yet effective smtp relay/gateway to
> go to exchange server 2010.
>
> On Mon, Apr 9, 2012 at 1:45 PM, wrote:
>
>> Nataraj wrote:
>>> On 04/09/2012 10:57 AM, Tom Bishop wrote:
>>>> Thanks, this will be frontending an exchange setup I assume that I dont
>>>> have to use pop or imap that I can just filter and have the mail
>>>> delivered via the vpostmaster to exchange.
>>
>>> 1) easiest - setup mail forwarding individually for each user account
>>
>>> 2) If exchange supports doing pickups from pop mailboxes, you can do that
>>
>> Actually, given the OP's comments - everywhere I've worked in years
>> really, *really* wants you to use IMAP, even in Windows, not POP-3 - so
>> the alternative would seem to be sendmail/dovecot.
>>
>> OP - should we assume that those running the Exchange server have all the
>> antivirus, etc, in place?
>>
>> mark

vpostmaster includes a complete running dovecot setup supporting either imap, pop3 or mail forwarding. For 20 users, just using mail forwarding (or pickup via imap or pop) with vpostmaster is probably the easiest to set up because you don't have to mess with postfix, sendmail or spamassassin at the configuration file level.

If you want to build your own mail configuration, you could use either postfix or sendmail, and it should be possible to install various spam filtering packages and then configure it to forward all mail for the domain to another server. This would save you having to create individual accounts on the mail relay, but is a whole lot more work to set up than using vpostmaster, especially if you only have 20 users. It also requires much more understanding of the MTA (postfix or sendmail) as well as the spam control software that you run. vpostmaster also includes greylisting and SPF. After installing CentOS you could probably have it up and running in 1/2 hour or less. Installing individual components, depending on your level of experience, you could easily spend several days or a week or more getting all the components running smoothly together.

I successfully used sendmail for years and at this time, I prefer postfix and find it much easier to configure and set up securely.

Nataraj
Re: [CentOS] vpostmaster and Centos 6
On 04/09/2012 10:57 AM, Tom Bishop wrote:
> Thanks, this will be frontending an exchange setup. I assume that I don't have to use pop or imap, that I can just filter and have the mail delivered via the vpostmaster to exchange.
>

I'm not intimately familiar with exchange, but I can think of 2 different approaches:

1) easiest - setup mail forwarding individually for each user account from the GUI - be sure to uncheck local delivery if you don't want to store mail on the local server.

2) If exchange supports doing pickups from pop mailboxes, you can do that.

I think those are the easiest options. Though you could configure postfix to forward all email for a domain, I don't think you want to do that because that won't give you all the spam control features of vpostmaster without implementing that yourself.

Nataraj
Re: [CentOS] vpostmaster and Centos 6
On 04/09/2012 09:07 AM, Tom Bishop wrote:
> Read through several vpostmaster email threads via the centos mail list, I am about to go down the vpostmaster bunny hole. I need a spam filter for a very small site, my church, 20 or so mailboxes and just need something easy to setup and maintain.
>
> One of my initial thoughts when I was creating the centos 6 VM was what sort of disk space is required, nothing in the docs called anything out, they talked about memory which is not an issue for me and I gave 2Gb for the memory and threw a small disk out of it. Is anyone running it with Centos 6, it appears from the mailing list that it should work with centos 6 but wanted to see if anyone was using it. Also, if anyone has any tips/guides/tweaks that they can recommend/share that would be great,
> Thanks in advance.

Disk space requirements for vpostmaster are pretty close to a standard CentOS install (for the software itself). The vpostmaster install procedure will install postfix (though you should let the install script install all of these packages, since it installs some things from the vpostmaster repository), postgres, dovecot, clamav, spamassassin and a few other small packages. Then you need to include space for /var/spool/vpostmaster depending on how much space you want imap mail accounts to keep on line, or if you're using pop, enough space to hold pop mail until the clients download it. In either case, much less than an exchange server. It just depends whether your users need to keep a GB or more of email online or whether 200-300mb is enough. For pop clients I only give them 30-50mb, but they pick up their mail every day.

I currently run it on CentOS 5, however there are at least a few people who have reported success with CentOS 6 on the vpostmaster list. There are not many people using vpostmaster on this list. I suggest you join the vpostmaster list.

Nataraj
Re: [CentOS] dns cache rbl lists?
On 04/04/2012 08:48 PM, Bob Hoffman wrote:
> No idea where else to ask this and get a real qualified answer but here.
> Not exactly pure centos question but...
>
> I am adding blacklists to my postfix smtpd settings.
> I have the inkling that after the first lookup for a domain or ip that my dns caches the result and I no longer bother the RBL or RHSBL list owners anymore in that instance.
>
> Is that correct? I hate to waste their resources if it is not.
>
> thanks,
> bob

Not exactly. It is whatever TTL they return, though generally short, for two reasons: they (and you) probably want it so that they can quickly remove entries from the blacklist once issues have been resolved, and they want to know how often you query the blacklist, because they want to charge a fee if you are a large site with high-volume queries. I guess they need to fund their service somehow.

Nataraj
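To make the TTL point concrete, here is an added example of my own (not from the thread) that builds the DNSBL query name for a client address and reads the answer's TTL, which is exactly the value a caching resolver honours before the list gets asked again. The `dig +noall +answer` lines are constructed and the zone `bl.example.net` is a placeholder; it also covers IPv6 (reversed nibbles), which the thread does not mention.

```python
"""Build a DNSBL query name and read the answer's TTL.

Added example, not from the original post.  A DNS-based blacklist is queried
by reversing the client address and appending the list's zone; the TTL in
the answer is what a caching resolver honours, so it is the upper bound on
how long a cached verdict is reused before the list is asked again.  The dig
output below is constructed, and 'bl.example.net' is a placeholder zone.
"""
import ipaddress
import re

SAMPLE_DIG_OUTPUT = [   # constructed 'dig +noall +answer' lines
    "7.2.0.192.bl.example.net.\t300\tIN\tA\t127.0.0.2",
    '7.2.0.192.bl.example.net.\t300\tIN\tTXT\t"Listed: see https://bl.example.net/q/192.0.2.7"',
]

ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|TXT)\s+(?P<data>.+)$")


def dnsbl_query_name(ip, zone):
    """Return the owner name to look up for ip in the DNSBL zone.

    IPv4 reverses the octets (192.0.2.7 -> 7.2.0.192.zone.); IPv6 reverses all
    32 nibbles of the expanded address, one label each (RFC 5782 layout).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def parse_dig_answer(lines):
    """Parse answer-section lines into dicts with name, ttl, type and data."""
    records = []
    for line in lines:
        match = ANSWER_RE.match(line.strip())
        if match:
            records.append({"name": match.group("name"), "ttl": int(match.group("ttl")),
                            "type": match.group("type"), "data": match.group("data").strip('"')})
    return records


def listing_status(records):
    """Summarise a DNSBL answer.

    A listing is any A record in 127.0.0.0/8 (the return code encodes the reason
    per list); cache_seconds is the smallest TTL among them, i.e. how long a
    resolver may serve this verdict without asking the list again.
    """
    codes = [r for r in records if r["type"] == "A"
             and ipaddress.ip_address(r["data"]) in ipaddress.ip_network("127.0.0.0/8")]
    if not codes:
        return {"listed": False, "cache_seconds": None, "return_codes": [], "reason": None}
    reasons = [r["data"] for r in records if r["type"] == "TXT"]
    return {"listed": True,
            "cache_seconds": min(r["ttl"] for r in codes),
            "return_codes": [r["data"] for r in codes],
            "reason": reasons[0] if reasons else None}


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.7", "bl.example.net"))
    print(listing_status(parse_dig_answer(SAMPLE_DIG_OUTPUT)))
```

A "not listed" answer is an NXDOMAIN, which resolvers cache for the negative-caching time taken from the list zone's SOA record rather than from an answer TTL, so both listed and unlisted verdicts are reused for only as long as the list operator chooses.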
Re: [CentOS] Centos 5.6 Kernel Panics
On 04/04/2012 09:31 AM, Nataraj wrote:
> On 04/04/2012 09:16 AM, Jonathan Alstead wrote:
>> Hello,
>>
>> Recently our dell sc1425 server has been locking up with kernel freezes and required a hard reboot on each occasion. I've looked on the centos forums with limited success - each problem seems slightly different (some failure on high load, some not). Our kernel is 2.6.18-274.17.1.el5 and /var/log/messages show the following errors:
>>
>> Apr 3 12:41:25 sp2 kernel: INFO: task mysqld:15345 blocked for more than 120 seconds.
>> Apr 3 12:41:25 sp2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> Apr 3 12:41:25 sp2 kernel: mysqld D 0CEB 2524 15345 32083 15346 15167 (NOTLB)
>> Apr 3 12:41:25 sp2 kernel:c50c7f54 0082 bf379c08 0ceb ca9b1648 f43c6c5c 0001
>> Apr 3 12:41:25 sp2 kernel:d9d18000 bf384f01 0ceb b2f9 0001 d9d1810c c2013ac4 edc5de40
>> Apr 3 12:41:25 sp2 kernel:08515c98 c6cb37b8 c2014464 c200cc80 0020
>> Apr 3 12:41:25 sp2 kernel: Call Trace:
>> Apr 3 12:41:25 sp2 kernel: [] rwsem_down_write_failed+0x126/0x141
>> Apr 3 12:41:25 sp2 kernel: [] .text.lock.rwsem+0x2b/0x3a
>> Apr 3 12:41:25 sp2 kernel: [] sys_mprotect+0xbd/0x1eb
>> Apr 3 12:41:25 sp2 kernel: [] syscall_call+0x7/0xb
>> Apr 3 12:41:25 sp2 kernel: ===
>> Apr 3 12:41:25 sp2 kernel: INFO: task clamd:15721 blocked for more than 120 seconds.
>> Apr 3 12:41:26 sp2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> Apr 3 12:41:26 sp2 kernel: clamd D 0D49 2528 15721 1 16416 15449 (NOTLB)
>> Apr 3 12:41:26 sp2 kernel:e848cf74 0086 8f107b57 0d49 30ea2005 e848cf44 c08259d0 0007
>> Apr 3 12:41:26 sp2 kernel:e8c6aaa0 8f117848 0d49 fcf1 e8c6abac c200cc80 f4f5f3c0
>> Apr 3 12:41:26 sp2 kernel:c041f863 0184 c200d620 c2013ac4 0020 d887f0a8 f766f0c0
>> Apr 3 12:41:26 sp2 kernel: Call Trace:
>> Apr 3 12:41:26 sp2 kernel: [] default_wake_function+0x0/0xc
>> Apr 3 12:41:26 sp2 kernel: [] destroy_inode+0x38/0x47
>> Apr 3 12:41:26 sp2 kernel: [] rwsem_down_write_failed+0x126/0x141
>> Apr 3 12:41:26 sp2 kernel: [] .text.lock.rwsem+0x2b/0x3a
>> Apr 3 12:41:26 sp2 kernel: [] sys_munmap+0x24/0x41
>> Apr 3 12:41:26 sp2 kernel: [] syscall_call+0x7/0xb
>>
> It sounds like some kind of IO or memory problem. I would probably start by running MEMTEST and the basic diagnostic tests provided by DELL, which if you don't have installed on your disk can be downloaded in the form of a CentOS based openmanage liveCD from somewhere on the dell site. It could also be a disk problem, but from the output you provide I think I would look for memory or IO bus problems first and then look for disk problems if you don't find anything with the first two. It almost looks like a memory controller problem.
>
> Nataraj
>

If for any reason you think the problem started after a kernel upgrade, then try booting with the previous version of the kernel.

Nataraj
Re: [CentOS] question on DHCP
On 04/04/2012 09:18 AM, Jerry Geis wrote:
> If a machine with centos 6.2 is set for DHCP and it loses power and the switch loses power for a long time. lets say a day. so the switch really goes off even with battery backup.
>
> Now power comes on, the machine asks for a DHCP address before the switch is ready as its not back up yet. there is no response and the machine does not get an address.
> Finally the switch comes back up, the machine has already posted that it Network got an error as there was no DHCP server.
>
> Does the machine ever ask again or do I have to manually do a server network restart or reboot the machine again.
>
> It seems to never ask again.
>
> jerry

There is a timeout and a retry parameter in the dhcp client configuration file (whatever it is called in CentOS 6). On the non-CentOS system where I am sending the email from it is /etc/dhcp3/dhclient.conf (but probably different in CentOS 6). Look for a man page for dhclient.conf. My CentOS 6 machine is turned off right now.

Nataraj
Re: [CentOS] Centos 5.6 Kernel Panics
On 04/04/2012 09:16 AM, Jonathan Alstead wrote:
> Hello,
>
> Recently our dell sc1425 server has been locking up with kernel freezes and required a hard reboot on each occasion. I've looked on the centos forums with limited success - each problem seems slightly different (some failure on high load, some not). Our kernel is 2.6.18-274.17.1.el5 and /var/log/messages show the following errors:
>
> Apr 3 12:41:25 sp2 kernel: INFO: task mysqld:15345 blocked for more than 120 seconds.
> Apr 3 12:41:25 sp2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Apr 3 12:41:25 sp2 kernel: mysqld D 0CEB 2524 15345 32083 15346 15167 (NOTLB)
> Apr 3 12:41:25 sp2 kernel:c50c7f54 0082 bf379c08 0ceb ca9b1648 f43c6c5c 0001
> Apr 3 12:41:25 sp2 kernel:d9d18000 bf384f01 0ceb b2f9 0001 d9d1810c c2013ac4 edc5de40
> Apr 3 12:41:25 sp2 kernel:08515c98 c6cb37b8 c2014464 c200cc80 0020
> Apr 3 12:41:25 sp2 kernel: Call Trace:
> Apr 3 12:41:25 sp2 kernel: [] rwsem_down_write_failed+0x126/0x141
> Apr 3 12:41:25 sp2 kernel: [] .text.lock.rwsem+0x2b/0x3a
> Apr 3 12:41:25 sp2 kernel: [] sys_mprotect+0xbd/0x1eb
> Apr 3 12:41:25 sp2 kernel: [] syscall_call+0x7/0xb
> Apr 3 12:41:25 sp2 kernel: ===
> Apr 3 12:41:25 sp2 kernel: INFO: task clamd:15721 blocked for more than 120 seconds.
> Apr 3 12:41:26 sp2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Apr 3 12:41:26 sp2 kernel: clamd D 0D49 2528 15721 1 16416 15449 (NOTLB)
> Apr 3 12:41:26 sp2 kernel:e848cf74 0086 8f107b57 0d49 30ea2005 e848cf44 c08259d0 0007
> Apr 3 12:41:26 sp2 kernel:e8c6aaa0 8f117848 0d49 fcf1 e8c6abac c200cc80 f4f5f3c0
> Apr 3 12:41:26 sp2 kernel:c041f863 0184 c200d620 c2013ac4 0020 d887f0a8 f766f0c0
> Apr 3 12:41:26 sp2 kernel: Call Trace:
> Apr 3 12:41:26 sp2 kernel: [] default_wake_function+0x0/0xc
> Apr 3 12:41:26 sp2 kernel: [] destroy_inode+0x38/0x47
> Apr 3 12:41:26 sp2 kernel: [] rwsem_down_write_failed+0x126/0x141
> Apr 3 12:41:26 sp2 kernel: [] .text.lock.rwsem+0x2b/0x3a
> Apr 3 12:41:26 sp2 kernel: [] sys_munmap+0x24/0x41
> Apr 3 12:41:26 sp2 kernel: [] syscall_call+0x7/0xb
>

It sounds like some kind of IO or memory problem. I would probably start by running MEMTEST and the basic diagnostic tests provided by DELL, which if you don't have installed on your disk can be downloaded in the form of a CentOS based openmanage liveCD from somewhere on the dell site. It could also be a disk problem, but from the output you provide I think I would look for memory or IO bus problems first and then look for disk problems if you don't find anything with the first two. It almost looks like a memory controller problem.

Nataraj
Re: [CentOS] Centos6 iptables startup vs. restart?
On 04/03/2012 05:25 AM, Les Mikesell wrote:
> On Tue, Apr 3, 2012 at 5:54 AM, Dennis Jacobfeuerborn wrote:
>>> The iptables redirect works fine once the commands are loaded. My problem is just that the boot-time startup isn't loading the saved state from /etc/sysconfig/iptables, but a subsequent 'service iptables restart' does - and it is something new in 6.x.
>>>
>> Did you make sure that the service is active and that the iptables service is actually started on bootup?
>>
>> Try "chkconfig --list iptables" to see if it is active and "chkconfig iptables on" to activate it.
>>
> Yes, it does start, but the initial rules don't include the port redirection in the nat table.
>

I still think it's a timing problem. Have you checked to see that the proper NAT module is loaded in the kernel at the time when the iptables rules are loaded? At least for diagnostic purposes I would try adding a delay in the startup. You might even find that adding an lsmod into the startup sequence (for diagnostic purposes) there would fix the problem. I have not had a chance to look at the scripts that do this in CentOS 6.

Nataraj
Re: [CentOS] SPF Setup CentOS 6.3 x86_64
On 04/01/2012 09:06 AM, Prabhpal S. Mavi wrote:
> Dear Friends Greetings,
>
> i wish to setup SPF look up for Postfix on CentOS 6.2. I could not find any document on the net describing the procedure. does anyone have documentation i can follow to setup the SPF please?
>
> Thanks / Regards
> Prabhpal S. Mavi

I run a package called vpostmaster http://www.tummy.com/Products/vpostmaster/ which provides a complete postfix based virtual mailbox setup with a GUI including greylisting, spamassassin, spf, dovecot pop3/imap, clamav. It is very easy to install and configure and you still have full access to all the features of postfix, but you may be able to do everything you need using the GUI.

You can also look on the postfix.org web pages and there is a list of compatible SPF implementations which work with postfix if you want to do your own setup. Though I haven't used it, I believe that http://www.openspf.org/Software will work. Also take a look at: http://www.postfix.org/addon.html

But if you want something easy to install, start with a fresh CentOS install and then follow the instructions for install of the free version of vpostmaster. You can install it in a VM.

Nataraj
Re: [CentOS] SMTP Port 465 - Postfix
You can run an smtp server on any port you want. The advantage to not using one of the standard ports is that you won't have as many attacks from spammers and password guessing attacks. The smtp parameters that are specified in main.cf are the default for all of your smtp servers; however, any of the parameters can be overridden in master.cf. So to define an smtp server on port 1234 which requires TLS (issued via a STARTTLS) and must have SASL authentication you would add the following entry to master.cf:

1234 inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

The port number can also be any named port in /etc/services.

For any public SMTP server on the internet, I believe the relevant RFC specifies that you must accept unauthenticated, unencrypted (NON-TLS) connections on port 25 (sort of obvious if you want to receive incoming mail from the Internet). What I do on my servers is to disallow relaying and authentication from my port 25 smtp server and require all of my mail clients to connect on the port that I designate, requiring TLS+SASL auth.

Nataraj
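The split described above (port 25 without authentication, a separate listener that requires TLS and SASL) is easy to get subtly wrong when master.cf is edited by hand, so here is an added example of my own, not from the post or from Postfix, that checks it. It parses a constructed master.cf containing both listeners and reports any smtpd listener other than port 25 that does not enforce TLS, enable SASL and restrict clients to authenticated ones, and a port 25 listener that does not explicitly switch SASL off. The check sees only master.cf overrides, not main.cf, which is why an explicit `-o smtpd_sasl_auth_enable=no` on port 25 is demanded: a global `smtpd_sasl_auth_enable = yes` in main.cf would otherwise silently apply there too.

```python
"""Check Postfix master.cf smtpd listeners against a submission policy.

Added example, not from the original post or from Postfix itself.  It parses
master.cf-style entries (continuation lines start with whitespace, as in the
real file) and verifies the split described in the post: every smtpd
listener other than the public port 25 must require TLS and SASL
authentication and restrict clients to authenticated ones, while the port 25
listener must explicitly switch SASL authentication off.  The sample
master.cf below is constructed for illustration.
"""
import sys

SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
1234      inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
"""

MX_SERVICES = ("smtp", "25")   # names under which the public MX listener appears


def overrides_from_args(args):
    """Collect the '-o name=value' pairs from a service's command arguments."""
    overrides = {}
    tokens = iter(args)
    for tok in tokens:
        if tok == "-o":
            name, _, value = next(tokens, "").partition("=")
        elif tok.startswith("-o") and "=" in tok:     # "-oname=value" form
            name, _, value = tok[2:].partition("=")
        else:
            continue
        overrides[name] = value
    return overrides


def parse_master_cf(text):
    """Return one dict per service entry: service, type, command, args, overrides."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError("continuation line before any entry: %r" % raw)
            entries[-1]["args"].extend(raw.split())   # belongs to the previous entry
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        entries.append({"service": fields[0], "type": fields[1],
                        "command": fields[7], "args": fields[8:]})
    for entry in entries:
        entry["overrides"] = overrides_from_args(entry["args"])
    return entries


def requires_tls(overrides):
    """True if the listener refuses plaintext: STARTTLS enforced or SMTPS wrapper mode."""
    return (overrides.get("smtpd_enforce_tls") == "yes"
            or overrides.get("smtpd_tls_security_level") == "encrypt"
            or overrides.get("smtpd_tls_wrappermode") == "yes")


def check_listener_policy(entries):
    """Return a list of policy findings (empty when every smtpd listener conforms)."""
    findings = []
    for entry in entries:
        if entry["type"] != "inet" or entry["command"] != "smtpd":
            continue
        name, o = entry["service"], entry["overrides"]
        if name in MX_SERVICES:
            # The MX listener inherits main.cf; demand an explicit "no" so a
            # global smtpd_sasl_auth_enable=yes cannot leak onto port 25.
            if o.get("smtpd_sasl_auth_enable") != "no":
                findings.append("%s: SASL authentication is not switched off on the public MX port" % name)
            continue
        if not requires_tls(o):
            findings.append("%s: listener does not require TLS" % name)
        if o.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("%s: SASL authentication is not enabled" % name)
        restrictions = [r.strip() for r in o.get("smtpd_client_restrictions", "").split(",")]
        if "permit_sasl_authenticated" not in restrictions or restrictions[-1] != "reject":
            findings.append("%s: client restrictions do not limit the listener to authenticated clients" % name)
    return findings


if __name__ == "__main__":
    # Check a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_CF
    for finding in check_listener_policy(parse_master_cf(text)) or ["no findings"]:
        print(finding)
```

Run it as `python check_master.py /etc/postfix/master.cf` after editing; the sample passes, and deleting the `smtpd_enforce_tls` line from the 1234 entry, or the `smtpd_sasl_auth_enable=no` line from the smtp entry, produces a finding.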
Re: [CentOS] Centos6 iptables startup vs. restart?
On 03/30/2012 10:53 AM, Les Mikesell wrote:
> What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
>

There is a bug that has been around for years in iptables. I'm not sure if it's a timing problem or what, but I've seen it in fedora, centos, and ubuntu where certain rules appear not to work when configured initially. I've even dumped out the running iptables list after it was restarted and diffed it with the saved one and the rules are all there. It may be specific to NAT or possibly related to an interaction between NAT and connection tracking. Somewhere I remember seeing this problem documented as a known bug in iptables. There are a few bugs listed in: http://bugzilla.netfilter.org/buglist.cgi?quicksearch=nat , though I'm not sure if any of them quite describes this problem.

Nataraj
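Both messages in this thread come down to one diagnostic: dump the running rules and compare them with the saved ones, table by table. Below is an added example of my own (not from the thread, not the CentOS init script) that does that comparison on `iptables-save` output, stripping packet counters so that only rule text is compared. The two dumps are constructed: the saved set carries the nat PREROUTING redirect from port 80 to 8080, and the running set has no nat table at all, which is what you would see if the rules were loaded before the NAT module was available.

```python
"""Compare a running iptables rule set with the saved one, per table.

Added example, not from the original posts.  Both inputs are in iptables-save
format.  Counters ('[pkts:bytes]' on chain headers, or leading on rules when
saved with -c) and comments are dropped before comparing, so only rule text
and chain policies are diffed.  The two dumps below are constructed.
"""
import re
import sys

SAVED_RULES = """\
# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

RUNNING_RULES = """\
# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:5120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

LEADING_COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*")
TRAILING_COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]\s*$")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside a table block: %r" % line)
        elif line.startswith(":"):                    # chain header with policy and counters
            chain, policy = TRAILING_COUNTER_RE.sub("", line[1:]).split()[:2]
            current["policies"][chain] = policy
        else:
            current["rules"].append(LEADING_COUNTER_RE.sub("", line))
    return tables


def diff_rulesets(saved, running):
    """List human-readable differences; empty when the kernel matches the saved file."""
    findings = []
    for table in sorted(set(saved) | set(running)):
        if table not in running:
            findings.append("table %s: present in saved rules but absent from running kernel" % table)
            continue
        if table not in saved:
            findings.append("table %s: loaded but not in saved rules" % table)
            continue
        s, r = saved[table], running[table]
        for chain, policy in s["policies"].items():
            if r["policies"].get(chain) != policy:
                findings.append("table %s: chain %s policy %s saved, %s running"
                                % (table, chain, policy, r["policies"].get(chain)))
        for rule in s["rules"]:
            if rule not in r["rules"]:
                findings.append("table %s: saved rule not loaded: %s" % (table, rule))
        for rule in r["rules"]:
            if rule not in s["rules"]:
                findings.append("table %s: running rule not in saved set: %s" % (table, rule))
    return findings


if __name__ == "__main__":
    # Usage: iptables-save > /tmp/running && python diff_rules.py /etc/sysconfig/iptables /tmp/running
    if len(sys.argv) == 3:
        saved_text, running_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        saved_text, running_text = SAVED_RULES, RUNNING_RULES
    for finding in diff_rulesets(parse_iptables_save(saved_text), parse_iptables_save(running_text)) or ["rule sets match"]:
        print(finding)
```

An empty diff with a redirect that still does not work is the second situation described in this thread, and then the comparison has done its job by ruling out a loading problem; the remaining suspects are the ones named above, module load order or the interaction between NAT and connection tracking.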
Re: [CentOS] transition to ip6
On 03/30/2012 11:23 AM, Bob Hoffman wrote:
> I imagine some day in the near future there will be a switch to ipv6.
> I cannot imagine ever remembering the ip address then...crazy.
>
> My question, since i have never done ip6 stuff, is what does that mean on my webservers?
>
> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, and configuration files...and copy out my iptables to ip6tables, and change the dns servers?
>
> all that does not sound too harsh.
>
> anything especially daunting to make that switch (save from someone having to do that on 100 computers really fast!!)
>
> -bob

We've been running out of IPV4 addresses and needing to convert someday soon for the last 10 years..., but yet the vast majority of broadband providers and even most ISP's don't support it yet.

Nataraj
Re: [CentOS] SMTP Port 465 - Postfix
On 03/30/2012 08:22 AM, Mike McCarthy wrote:
> In /etc/postfix/master.cf uncomment the line that starts #smtps.
>
> One thing I also do is to listen on an alternate socket way up high, like 5, to bypass ISP's that restrict port 25 and 465 to their own servers. This way I can send mail through my server when I am on a restricted network like AT&T wireless with my smart phone. Just make a copy of the standard smtp line, call it smtp-alt, then define smtp-alt to the port you want in /etc/services.
>
> Mike

Some versions of outlook or outlook express do not handle 5 digit smtp port numbers, so if you have any non-linux mail clients, you might want to stay with a 4 digit port number.

Nataraj
Re: [CentOS] my spammer list
On 03/30/2012 04:48 AM, Markus Falb wrote:
> On 30.3.2012 05:26, Nataraj wrote:
>
>> The way that I finally got rid of all the residual spam that makes it through greylisting, SPF, spamassassin, clamav is to handout unique mail addresses and use black/whitelists. So for example if I assign an email address for incoming mail from a mailing list and then setup a whitelist entry that only allows that address to receive email from the mailservers that serve that mailing list and then blacklist all other incoming mail to that address it is very effective.
> But how to tell which mailservers are "serving" that mailing list? That's the thing SPF or similar is supposed to do, isn't it? Don't tell me you are looking at the MX Records! Incoming and Outgoing Mailservers are not the same necessarily.
>

My white/blacklisting software happens to allow regular expressions as well as IP addresses and has the capability to match on one or more of the following fields in the message:

envelope sender
envelope recipient
helo name
remote IP address
remote hostname

When it matches on remote hostname, it does a reverse dns lookup. I already have my mailserver configured so that it will not accept mail from any site for which the forward and reverse dns entries do not match. So I can create a whitelist entry which allows .*\.centos\.org or .*@centos\.org.

Yes, it limits the ability for people to contact me off list, but people that need to reach me seem to find a way. There is a price for everything. If you happen to own a 3 letter domain name that was around from the days of the original arpanet, and you have had a bad enough spam problem, then it may be worthwhile to pay that price.

I am on a fair number of mailing lists and find that spammers do harvest addresses on these lists. Generally when I join a new list, I just create the unique email address, but don't do the whitelist/blacklist thing until I start seeing spam to that address, so I can tell which lists or people that I gave my email address to was harvested or leaked. I've seen my email address leaked to spammers from presumably secure sites like major banks and financial institutions, various websites where I've made online purchases, etc. It is unbelievable how insecure these supposedly secure sites are. On two occasions I reported to a major financial institution that they had leaked my email address and after several months got back a notice that they had found that the security of their systems had been compromised, but assured me that it affected only my email address and not my bank account or other personal information.

Yes it is the case that I generally do not recommend this technique to inexperienced users. For my users I do the best I can with greylisting, spamassassin, etc. For users who do not highly publicize their email address this is usually enough. I have one client though that advertises their customer service email address and has a massive spam problem. I told them that the best way to solve that was to create a properly designed web page for customer service requests that was protected from automated submission methods.

There are also tools that implement auto-whitelisting, that will send out an auto-response requiring the user to send back a confirmation or click on a web page and be automatically whitelisted. Some people are strongly opposed to this method because it will generate more spam to whatever return address is given in the spam that you do receive. This would not work so well for things like receiving a confirmation message for your online purchase from amazon.com.

Nataraj
Re: [CentOS] Linux on touch screen device
On 03/29/2012 11:04 PM, Michel Daggelinckx wrote:
> check out http://www.redsleeve.org/
>
> RHEL 6 for ARM
>

I did notice your previous post. I'm aware that people do get these linux ports up and running on arm devices, but essentially what I am asking here is if I went out and bought any particular arm device, Asus transformer prime, galaxy etc, what's the likelihood that your port includes a device driver that will work well with the touch screen? I looked at your website a few days ago and saw the low power arm appliance devices, but didn't see anything about supported touch screen devices.

nataraj
Re: [CentOS] Linux on touch screen device
On 03/29/2012 10:51 PM, 夜神 岩男 wrote:
>
> --- On Fri, 2012/3/30, Nataraj wrote:
>
>> I have poked around in google and have seen a number of youtube videos, but my question is whether anyone really has linux running on any kind of tablet or tablet PC device in such a way that the touch screen can be used productively and it won't take a month to get it running? Initially the two applications that are of most interest to me would be a good web browser (maybe chromium) and thunderbird. I would also like to have a decent on screen keyboard which could be used to ssh to servers in an emergency.
>>
>> I've seen instructions for booting linux on various devices, but many people doing this are using keyboards and not touchscreens.
>>
>> Do applications like thunderbird have to be modified in order to work well with a touch screen or is just getting a working driver for the touchpad sufficient?
>>
>> If anyone has any experience with this I would appreciate knowing what hardware you're running on and what linux distro/desktop environment you use. I've been interested in devices like the ASUS EP121 which is a dual core I5, so it wouldn't be necessary to have an ARM distribution. Also the newest Asus transformer prime (arm) which I think is about 2 months away sounds interesting.
> Lots of people do this and lots of (most?) commercial tablet/smartphone systems are based on Linux or a close cousin (Android and iOS come to mind...).

Thank you. I am aware of android, but my understanding is that the libraries are changed enough that it's not that easy to build random linux software that hasn't been ported. My interests in running linux on a tablet are influenced by:

- ability to eventually run wide range of open source linux software, scripting languages like perl, python
- privacy issues, prefer not to run software that forces you to allow companies to track keystrokes/location
- ability to implement and verify my own security, i.e. my own iptables rules
- ability to integrate well into my existing linux based network, i.e. ipad doesn't do this so well

> As far as non-commercial DIY tablet distros, there are distros and special interest groups within larger distros that focus on this type of deployment.
>
> But none of them are CentOS, so I'm not sure why you pinged this mailinglist -- though I think you'd probably find that CentOS installs just fine in most cases, just remember to build whatever graphics driver you need or your experience might not be good.

I pinged this list because I find there is a lot of diversity on list and I value the experience that people share here. I am not attached to CentOS and I do run several distros myself. I've seen some threads where people went out and bought devices and never got the touchpad working. In some cases some people got things working and then the manufacturer changed the firmware in later versions and suddenly people that bought them couldn't get them to work.

> Go ask over at Fedora, Ubuntu and maybe Mint. Also check out MeeGo and whatnot.
>
> As a side note, there is nothing magical about a touchscreen. Touchscreens are just pointing devices like mice and touchpads as far as Linux is concerned, but in this case it is a touchpad that you can see through to a screen on the other side (there is a special case of location logic, of course, so the pointer doesn't continue from last location, but this is a normal case handled by X). So nothing special happens in an application to make it "work with a touchscreen" because a touchscreen is just creating mouse events the same way your normal mouse would do. The only problem with touchscreens is that small icons are smaller than your finger (well, mine anyway) and so you have to make the desktop a little cartoony to make things work right. Gnome Shell in Fedora is actually not too bad to use with a touchscreen, though it sucks horribly with a mouse IMO, and KDE with large widgets is pretty easy as well.

That makes sense. I can see though where some desktops/user interfaces will provide a very different user experience than others on a touchpad and similarly for a desktop. I tried unity about 1.5 yrs ago and was very unimpressed using it on a desktop, but it might be good on a tablet.

Thank You,
Nataraj
Re: [CentOS] my spammer list
On 03/29/2012 03:00 PM, Bob Hoffman wrote:
> Hello,
> Thanks to some nice people on here and other forums I have pretty much finalized my whole mail system on centos 6.x.
>
> With all the checks, greylisting, dev/null of any 8+ spam level SA, I still get a few mails.
>
> It seems like every time I enable a new protectant, the mail stops spamming for a few hours...then the spammers decide I am worthy of using better methods against me..and more come. LOL.
>
> I am down to just 10-15 a day.
> Anything that gets through all that I set up now goes to a spammers list that I add to the access file of postfix.
>
> http://bobhoffman.com/spammers.html
>
> that is the link to my list. I am trying to sort them out into political, real estate, bulk spammers, etc.
> The worst part is the bulk emailers are not on any black list. It is very hard to find their mail MX until they actually send you one.
> Many will be blocked, then a new alternate of theirs comes through.
>
> I could not find a list of bulk commercial spammers so I thought I would start one. As I progress it will become more defined, but right now a big list with some categories after it.
>
> Hope it helps.

You won't be able to track them easily because they hop around from network to network. Sometimes I can recognize them by seeing the same spams repeatedly, also, different IP addresses connecting and guessing passwords for the same list of users. But I rarely get those anymore since I have blocked pop/imap logins from outside of the US. You can report them to spamcop.net and that may help to provide some incentive for ISPs to kick spammers off their network.

The way that I finally got rid of all the residual spam that makes it through greylisting, SPF, spamassassin, clamav is to handout unique mail addresses and use black/whitelists. So for example if I assign an email address for incoming mail from a mailing list and then setup a whitelist entry that only allows that address to receive email from the mailservers that serve that mailing list and then blacklist all other incoming mail to that address it is very effective. With a decent whitelist/blacklist tool it's fairly easy to implement. I used to get literally hundreds of spams a day and now I probably average about 2 per week.

You can also get on the spamassassin mailing list and add more plugins and work on tuning the spamassassin config. You can also play with sa-learn. For me though the black/whitelisting works quite well.

Nataraj
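This message and the later reply to Markus Falb in this thread describe the same scheme: one address per purpose, a whitelist for the expected senders, a blacklist for everything else to that address, and a refusal to talk to any host whose forward and reverse DNS disagree. The following is an added example of my own, not the poster's tool, that models those rules: regexes matched against envelope sender, envelope recipient, HELO name, remote IP and remote hostname, with the hostname trusted only when the reverse name's forward lookup confirms the address. The DNS tables, addresses and the list domain `lists.example.org` are constructed stand-ins for live lookups.

```python
"""Per-address whitelist/blacklist evaluation with regex rules.

Added example, not from the original posts.  Rules match regexes against the
SMTP session fields named in the thread (envelope sender, envelope recipient,
HELO name, remote IP, remote hostname); the first matching rule decides.  The
remote hostname is the client's reverse name, accepted only when its forward
lookup confirms the connecting address (forward-confirmed reverse DNS); any
mismatch is rejected before the rules are consulted.  All DNS data and
addresses below are constructed (RFC 5737 documentation ranges).
"""
import re

# Constructed DNS data standing in for live PTR and A lookups.
PTR_TABLE = {
    "192.0.2.10": "mail.lists.example.org",
    "198.51.100.5": "smtp7.bulkmail.example",   # PTR names a host whose A record points elsewhere
    "203.0.113.9": "relay.bulkmail.example",
}
A_TABLE = {
    "mail.lists.example.org": ["192.0.2.10"],
    "smtp7.bulkmail.example": ["203.0.113.9"],
    "relay.bulkmail.example": ["203.0.113.9"],
}


def fcrdns_hostname(ip, ptr=PTR_TABLE, a=A_TABLE):
    """Return the reverse name of ip only if its forward lookup includes ip, else None."""
    name = ptr.get(ip)
    if name is not None and ip in a.get(name, ()):
        return name
    return None


class Rule:
    """A whitelist or blacklist entry: every given field must fully match its regex."""
    FIELDS = ("sender", "recipient", "helo", "ip", "hostname")

    def __init__(self, action, **patterns):
        unknown = set(patterns) - set(self.FIELDS)
        if unknown:
            raise ValueError("unknown match field(s): %s" % ", ".join(sorted(unknown)))
        if action not in ("whitelist", "blacklist"):
            raise ValueError("action must be whitelist or blacklist")
        self.action = action
        self.patterns = {f: re.compile(p, re.IGNORECASE) for f, p in patterns.items()}

    def matches(self, session):
        return all(session.get(f) is not None and pat.fullmatch(session[f])
                   for f, pat in self.patterns.items())


def evaluate(session, rules):
    """Return (decision, reason) for one SMTP session: 'accept' or 'reject'."""
    session = dict(session)
    session["hostname"] = fcrdns_hostname(session["ip"])
    if session["hostname"] is None:
        return ("reject", "forward and reverse DNS do not match for %s" % session["ip"])
    for rule in rules:
        if rule.matches(session):
            if rule.action == "whitelist":
                return ("accept", "whitelisted")
            return ("reject", "blacklisted")
    return ("accept", "no rule matched; left to greylisting and content filters")


# The address handed out only to the list: allow the list's servers, block the rest.
LIST_RULES = [
    Rule("whitelist", recipient=r"centos-list@example\.com", hostname=r".*\.lists\.example\.org"),
    Rule("whitelist", recipient=r"centos-list@example\.com", sender=r".*@lists\.example\.org"),
    Rule("blacklist", recipient=r"centos-list@example\.com"),
]

# Constructed sessions.
LIST_MAIL = {"sender": "centos-bounces@lists.example.org", "recipient": "centos-list@example.com",
             "helo": "mail.lists.example.org", "ip": "192.0.2.10"}
HARVESTED_SPAM = {"sender": "deals@bulkmail.example", "recipient": "centos-list@example.com",
                  "helo": "relay.bulkmail.example", "ip": "203.0.113.9"}
BAD_RDNS = dict(HARVESTED_SPAM, ip="198.51.100.5")
OTHER_ADDRESS = dict(HARVESTED_SPAM, recipient="info@example.com")

if __name__ == "__main__":
    for label, session in (("list mail", LIST_MAIL), ("harvested", HARVESTED_SPAM),
                           ("bad rDNS", BAD_RDNS), ("other address", OTHER_ADDRESS)):
        print(label, evaluate(session, LIST_RULES))
```

Mail to an address without rules falls through to the usual filters, so the scheme adds protection only for the addresses you choose to fence off, which is why the poster applies it per address rather than globally.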
[CentOS] Linux on touch screen device
I have poked around in google and have seen a number of youtube videos, but my question is whether anyone really has linux running on any kind of tablet or tablet PC device in such a way that the touch screen can be used productively and it won't take a month to get it running? Initially the two applications that are of most interest to me would be a good web browser (maybe chromium) and thunderbird. I would also like to have a decent on screen keyboard which could be used to ssh to servers in an emergency.

I've seen instructions for booting linux on various devices, but many people doing this are using keyboards and not touchscreens.

Do applications like thunderbird have to be modified in order to work well with a touch screen or is just getting a working driver for the touchpad sufficient?

If anyone has any experience with this I would appreciate knowing what hardware you're running on and what linux distro/desktop environment you use. I've been interested in devices like the ASUS EP121 which is a dual core I5, so it wouldn't be necessary to have an ARM distribution. Also the newest Asus transformer prime (arm) which I think is about 2 months away sounds interesting.

Nataraj
Re: [CentOS] One disk speed problem [SOLVED], and a question on hdparm
On 03/28/2012 08:00 AM, m.r...@5-cent.us wrote:
> Les Mikesell wrote:
>> On Mon, Mar 26, 2012 at 4:20 PM, wrote:
>>> Yeah... but parted is user hostile. A co-worker and I, both of whom don't need GUIs, use gparted. However, that doesn't tell me where it's aligning things.
>> I think its trick is the default 1M offset it adds at the start.
> You may be right... but I'm not sure. We'll see if the 3tb drive I've just formatted takes less time - the others I used gparted with.
>
> mark

I've found every one of these utilities to be problematic at various times, particularly on systems with a GPT bios. Each one seems to have its own strengths and weaknesses. Though I don't remember exactly how it works, my recollection is that there are ways to trick fdisk into doing alignment by specifying the -H (number of heads) and the -S (number of sectors per track). You'll have 1 unaligned partition at the beginning because of the MBR, but all the rest can be forced into the desired alignment.

Nataraj
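The fdisk geometry trick works because MBR-era fdisk starts every partition after the first on a (fake) cylinder boundary, so a geometry whose cylinder size in bytes is a multiple of the alignment unit makes those boundaries aligned; the first partition starts one track in instead. The following is an added example of my own (not from the post, not fdisk code) that computes where such partitions start and checks their alignment against any unit, the 4096-byte physical sector of newer disks as well as a 64 KiB RAID stripe; the 224 heads by 56 sectors geometry used below is a commonly cited choice, and the partition sizes are constructed.

```python
"""Alignment of MBR partitions laid out on fdisk cylinder boundaries.

Added example, not from the original post.  Old fdisk places the first
partition at the start of track 1 (sector S, i.e. right after the track
holding the MBR) and every later partition on a cylinder boundary, where a
cylinder is H * S sectors of 512 bytes.  Choosing H and S so that the
cylinder size is a multiple of the alignment unit therefore aligns every
partition but the first.  Geometry and partition sizes below are constructed.
"""
SECTOR_BYTES = 512


def cylinder_sectors(heads, sectors_per_track):
    """Sectors per (fake) cylinder for the given geometry."""
    return heads * sectors_per_track


def geometry_aligns(heads, sectors_per_track, unit_bytes=4096):
    """True if every cylinder boundary lands on a multiple of unit_bytes."""
    return (cylinder_sectors(heads, sectors_per_track) * SECTOR_BYTES) % unit_bytes == 0


def partition_starts(heads, sectors_per_track, cylinders_per_partition):
    """Start sectors fdisk would use for partitions of the given sizes (in cylinders).

    The first partition starts on track 1 (sector sectors_per_track); each later
    one starts on the cylinder boundary where the previous one ends.
    """
    cyl = cylinder_sectors(heads, sectors_per_track)
    starts = [sectors_per_track]
    boundary = 0
    for size in cylinders_per_partition[:-1]:
        boundary += size
        starts.append(boundary * cyl)
    return starts


def is_aligned(start_sector, unit_bytes=4096):
    """True if a partition starting at start_sector begins on a unit_bytes boundary."""
    return (start_sector * SECTOR_BYTES) % unit_bytes == 0


def alignment_report(heads, sectors_per_track, cylinders_per_partition, unit_bytes):
    """Per-partition (start_sector, aligned) pairs for one geometry and unit."""
    return [(s, is_aligned(s, unit_bytes))
            for s in partition_starts(heads, sectors_per_track, cylinders_per_partition)]


if __name__ == "__main__":
    for geometry in ((255, 63), (224, 56)):
        print("geometry %dx%d: cylinder = %d sectors, 4K aligned: %s, 64K aligned: %s" % (
            geometry + (cylinder_sectors(*geometry),
                        geometry_aligns(*geometry, unit_bytes=4096),
                        geometry_aligns(*geometry, unit_bytes=65536))))
    print(alignment_report(224, 56, [10, 20, 30], 65536))
```

With the default 255 by 63 geometry a cylinder is 16065 sectors, an odd number, so no cylinder boundary is 4 KiB aligned; with 224 by 56 a cylinder is 12544 sectors, which is 98 times 64 KiB, so every cylinder-boundary partition is aligned to both units while the first partition at sector 56 is 4 KiB aligned but not 64 KiB aligned, matching the "one unaligned partition at the beginning" for stripe-sized units.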
Re: [CentOS] your advice on backup procedure
had to be specified and some people still had to write scripts to manually go through and make some conversions. I ran into these problems while upgrading a mediawiki database that was running under a very old version of mysql for a client. So if having long term access to old backups is important, you must check for compatibility between newer/older versions of mysql and either do conversion/refresh of your data, or make sure you still have functional copies of the tools necessary to restore older versions.

Nataraj

> Which way would you go, or do you have a different way you like better?
Re: [CentOS] nfslock
On 03/22/2012 11:54 AM, John R Pierce wrote:
> On 03/22/12 11:50 AM, m.r...@5-cent.us wrote:
>> In this case, a more elegant solution would be one that the authors of the
>> initscript should have thought of: they're already checking to see if
>> something's running, why not loop with a sleep until portmap's running?
> they'd have to spawn a detached shell for that, as the rc scripts won't
> continue until the current script returns.
>

You have to spawn a detached shell anyway whether you do a sleep or check to see if portmap is running. If you want to check to see if it's running, that will certainly work too. In my case, I used a time delay because the problem I was having was with named not binding to the vmnet interfaces because vmware took too long to start. named needed to start early on because other daemons depended on it, but then it needed to be kicked later so it would bind to the newly created vmnet interface.

Upstart (which was authored by one of the Ubuntu developers) is now part of CentOS 6. It attempts to address these issues by allowing you to define dependencies between upstart scripts. Unfortunately it's still a mess in CentOS 6 because a large number of packages still use the old init scripts. Furthermore RedHat has decided that they don't like Upstart and they are moving to yet another replacement for upstart in future releases (sorry, I don't remember the name of it).

Nataraj
Re: [CentOS] nfslock
On 03/22/2012 08:24 AM, m.r...@5-cent.us wrote:
> mark wrote:
>> On 03/21/12 19:50, Adam Wead wrote:
>>> On Wed, Mar 21, 2012 at 4:40 PM, wrote:
>>>> I just updated one of our servers to 5.8, and rebooted. In the logs, I
>>>> saw
>>>> a bunch of
>>>> Mar 21 16:29:02 rpc.statd[9783]: recv_rply: can't decode RPC
>>>> message!
>>>> Mar 21 16:29:33 last message repeated 442 times
>>>> Mar 21 16:30:34 last message repeated 835 times
>>>> Mar 21 16:31:36 last message repeated 884 times
>>>> Mar 21 16:32:38 last message repeated 856 times
>>>> Mar 21 16:32:44 last message repeated 111 times
>>>>
>>>> I tried restarting nfslock, and that *appears* to have fixed it.
>>>> Googling, I found a thread about that at
>>>> <http://nerdbynature.de/s9y/archives/2009/08.html>, which suggests that
>>>> it's starting too early, possibly before portmap is running.
>>>>
>>>> Anyone else see this? Has an old bug snuck back in?
>>>>
>>> There's a NFS bug with the latest kernel:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=798809
>>>
>>> Reboot into your previous kernel and that should fix it.
>>
>> Great - but I've just updated a server I've missed, that's been "we're
>> too busy to let you do it" until now, and it would take it back to 5.7,
>> at least. I suppose I can yum downgrade
> Following myself up - I didn't look at the bugzilla link earlier - updated
> t-bird at home the other day, and the click link to open it in browser
> doesn't work - but looked at it here, and it doesn't seem to be related -
> this is a backup server, and only had a home directory mounted when I
> ssh'd in. It does appear to have been the case suggested in the thread
> I've mentioned - there's no entry in the logfile after I restarted
> nfslock.
>
> mark
>

I run into these startup timing issues all the time on many linux distributions. Upstart was supposed to be an attempt to address these issues in Redhat/CentOS 6, but the hybrid startup process that has resulted from a partial transition to upstart is both confusing and sometimes makes the problem worse. I suspect the timing issues are related also to the speed and number of processors on your system.

I've solved these problems in several different ways: For CentOS 5, if you don't mind changing the number on the init script, you can cause it to start later in the startup process. Sometimes this isn't enough. In some cases I've solved the problem by creating my own init script which has a sleep command in it and then either starts or restarts the selected component after a fixed time delay. Note that the init script must fire up a shell that runs in the background and then runs the restart command after the specified time. Maybe not so elegant, but it works. In CentOS 6 you can just create an upstart job with the correct dependencies.

Nataraj
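The variant mark asked about in this thread (loop until portmap is actually listening, rather than sleeping a fixed time), as an added example. This is not code from the thread or from CentOS; it polls a TCP port with a bounded timeout so a dependency that never starts cannot hang boot. The host, port and timeout values and the start command are assumptions, and the listener that stands in for portmap/rpcbind is constructed locally so the script runs offline.

```python
"""Wait for a dependency to come up before starting a service.

Added example (not code from the thread or from CentOS): instead of a
fixed sleep, poll a TCP port with a bounded timeout. The host, port,
timeout values and the start command are assumptions; the listener used
to demonstrate the success case is constructed locally so this runs
offline without portmap/rpcbind.
"""
import socket
import subprocess
import threading
import time


def port_is_open(host, port, connect_timeout=0.5):
    """True if a TCP connect to host:port succeeds right now."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:
        return False


def wait_for_port(host, port, timeout, interval=0.1):
    """Poll host:port until it accepts connections or `timeout` seconds pass.

    The bound matters: an unbounded loop in a boot-time script would hang
    the rc sequence if the dependency never starts.
    """
    deadline = time.monotonic() + timeout
    while True:
        if port_is_open(host, port):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def start_when_ready(host, port, timeout, argv):
    """Run `argv` only once the dependency answers on host:port.

    Returns the command's exit status, or None when the dependency never
    appeared and nothing was started. Hypothetical helper: a SysV init
    script would run this detached in the background so the rc sequence
    continues, as the thread describes.
    """
    if not wait_for_port(host, port, timeout):
        return None
    return subprocess.call(argv)


def _constructed_listener():
    """Stand-in for the dependency: a localhost listener on an ephemeral
    port that accepts a single connection and then goes away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def _constructed_closed_port():
    """Bind and immediately release a port, so it is known to be closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Exercise both outcomes: a dependency that comes up, and one that
    never does (the start command is then skipped)."""
    up_port = _constructed_listener()
    came_up = wait_for_port("127.0.0.1", up_port, timeout=2.0)

    down_port = _constructed_closed_port()
    still_down = not wait_for_port("127.0.0.1", down_port, timeout=0.3)
    skipped = start_when_ready("127.0.0.1", down_port, 0.3, ["true"]) is None
    return {"came_up": came_up, "timed_out": still_down, "skipped_start": skipped}


if __name__ == "__main__":
    print(demo())
```

For the real case the script would be backgrounded from the init script (so the rc sequence continues, as John points out) and pointed at port 111 with a timeout of a minute or so; on timeout it returns without starting anything, which is the failure mode you want logged rather than a service bound to the wrong interface.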
Re: [CentOS] postfix spam question for the gurus
On 03/14/2012 04:56 PM, Bob Hoffman wrote:
> Hello,
> I have a question about postfix.
> I have a few webservers, each with their own mailing system. Obviously
> manually adding
> items can be quite tedious going from one to another to another.
>
> I am in the process of making a list of domains (commercial spammers)
> that bother me. My idea is to use the access file to reject them.
>
> My question is this...
>
> Can I make a text page on one of my html servers that lists all these
> bums and reference
> that file in the postfix smtpd restrictions (probably as regex or pcre
> instead of hash)?

You can use any postfix database format that is compiled into your version of postfix. Run 'postfix -m' to display what formats your system supports. See "man regex_table" for the format of the regex files.

I would be careful about where in the file system your postfix server is reading configuration data from. I like to keep my config files in a secure place, in a system directory.

Nataraj

> This way I only have to make one big page of them. And I can add a 'you
> be blocked m.f. because
> of spamming me on the page so they can learn how to get unlisted.
>
> can this be done or do I need to make my own rbl list (obviously limited
> to just my sites).?
> I would think I could just reference a remote file as easily as a local
> file?
>
> -thanks
> bob
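An added example of turning a plain domain list into a Postfix regexp_table(5) sender block list, following Nataraj's point that the file should live in a system directory rather than be pulled from a web page. This is not code from the thread or from Postfix: the domain list and the addresses checked are constructed, the file path is an assumption, and `lookup` only imitates the table's first-match behaviour so the generated patterns can be tested offline. The detail worth seeing is the escaping and anchoring; a bare `spammer.example` written into a regexp table also matches `spammerXexample`, `spammer.example.org` and `notspammer.example`.

```python
"""Build a Postfix regexp_table(5) style sender-domain block list from a
plain domain list, and check sender addresses against it.

Added example, not code from the thread or from Postfix. The domain list
and the addresses checked are constructed; the table file path is an
assumption. `lookup` imitates the table's first-match behaviour so the
patterns can be tested offline.
"""
import re

# Constructed input: one domain per line, '#' starts a comment.
SAMPLE_DOMAIN_LIST = """\
# commercial spammers (constructed sample list)
spammer.example
bulk-offers.example
"""

DOMAIN_OK = re.compile(r"^[a-z0-9.-]+$")


def domain_to_pattern(domain):
    """Anchored pattern for the domain and any subdomain of it.

    Escaping the dots and anchoring at '$' keeps the rule from also
    matching 'spammerXexample' or 'spammer.example.org'; requiring '@'
    or a '.' immediately before the domain excludes 'notspammer.example'.
    """
    if not DOMAIN_OK.match(domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    return r"^.*@(.*\.)?" + domain.replace(".", r"\.") + "$"


def build_regexp_table(domain_list, action="REJECT"):
    """Render one '/pattern/ action' line per domain.

    That is the regexp_table(5) line format; 'REJECT optional text' is an
    access(5) result. Postfix regexp tables match case-insensitively by
    default, so no flag is needed.
    """
    out = []
    for raw in domain_list.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        out.append(f"/{domain_to_pattern(line.lower())}/ {action} sender domain blocked")
    return "\n".join(out) + "\n"


def load_table(text):
    """Parse '/pattern/ action' lines back into (compiled regex, action)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^/(.*)/\s+(.*)$", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, sender):
    """First matching rule wins, as Postfix applies regexp tables;
    None means no rule matched and the lookup falls through."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None


def write_table(path, domain_list=SAMPLE_DOMAIN_LIST):
    """Write the table to a local file (assumed path, e.g. under
    /etc/postfix); main.cf would then reference it with
    check_sender_access regexp:/etc/postfix/blocked_senders."""
    with open(path, "w") as f:
        f.write(build_regexp_table(domain_list))


if __name__ == "__main__":
    rules = load_table(build_regexp_table(SAMPLE_DOMAIN_LIST))
    for addr in ("deals@spammer.example", "x@news.Spammer.Example",
                 "x@notspammer.example", "x@spammer.example.org"):
        print(addr, "->", lookup(rules, addr))
```

Regenerating the file from the list on each change (and keeping both root-owned under /etc/postfix) gives the single point of maintenance Bob is after without making the mail server trust content served over HTTP.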
Re: [CentOS] CentOS Server Backup Options: at runlevel 5?
On 03/14/2012 08:43 AM, Les Mikesell wrote:
> On Wed, Mar 14, 2012 at 10:10 AM, ken wrote:
>> What (FOSS) backup apps can back up a system running at level 3/5?
> Almost all backup methods except raw partition/disk images will work
> with the system running. You aren't guaranteed that files will be in
> a consistent state when restored, but the OS itself is fairly sure to
> work and databases and similar apps usually have their own ways to do
> live consistent snapshots.
>

I find that LVM snapshots are useful to ensure data integrity. For example, I back up my mysql databases by stopping the mysql server, taking an LVM snapshot and restarting it. The whole snapshot process probably takes less than 15 seconds. Then I back up the snapshot LVM and it doesn't matter how long it takes. You must make sure that your snapshot volume is large enough that you won't run out of space before deleting the snapshot.

Nataraj
Re: [CentOS] t-bird, followup
On 03/13/2012 10:42 AM, Les Mikesell wrote:
> On Tue, Mar 13, 2012 at 12:29 PM, Jake Shipton
> wrote:
>> Oh? I have, I found Claws to have quite advanced search, filters,
>> actions etc. It's one of the main reasons I switched :-)
>>
>> Here's a screenshot of claws extended search:
>>
>> http://i.imgur.com/Hmwyv.png
> Nothing in particular jumps out at me that you can't do in t-bird.
> Did you find something specific? In t-bird, the handiest thing is the
> toolbar 'search all messages' box that is very fast and does partial
> matches as you type. But, for non-work mail these days I just use a
> free gmail account and google obviously knows how to search.
>

The last time claws was mentioned on the list, I decided to try it. Besides being very slow in handling large folders, it crashed on me several times. I have many large mail folders with over 60,000 messages that thunderbird handles just fine. I am able to do server side searches with no problem on the large folders. I've never found another mail client that reasonably handles this and it's reasonably fast too. No, I don't keep local indexes for those folders.

Nataraj
Re: [CentOS] CentOS Server Backup Options
On 03/13/2012 09:17 PM, John R Pierce wrote:
> On 03/13/12 7:05 PM, Nataraj wrote:
>> I would have to dig up some references, but I have read some articles
>> that claim that the reliability of a drive that is in full time
>> operation in a server, running 24hrs/day and maybe even seeking under
>> heavy load is way different than a drive that you run for a day or two
>> and then it sits in an environmentally controlled storage, powered down
>> for most of its lifetime. At least from what I read, the failure rate
>> is much lower for the same drive used under the latter conditions.
> on the other hand, the vibration and shock of transport is more likely
> to make a drive fail, so it's all a tradeoff.
>

You could take your chances on the dyes with optical media. Some say that in a proper controlled environment, they will last much longer. The best media I think are the ones from Japan and Singapore. There are several places in Japan that now ship to the US for reasonable rates. I just ordered from one on eBay. I think the reality is that nothing lasts forever. Optical media is probably much more likely to survive ICBMs, but then you may not have a drive to read them...

Nataraj
Re: [CentOS] CentOS Server Backup Options
On 03/13/2012 05:23 PM, Les Mikesell wrote:
> On Tue, Mar 13, 2012 at 7:05 PM, Tilman Schmidt
> wrote:
>> On 13.03.2012 19:46, m.r...@5-cent.us wrote:
>>> Markus Falb wrote:
>>>> On 12.3.2012 01:37, Mark LaPierre wrote:
>>>>> Tape, and tape drives, have a bad reputation. They are difficult and
>>>>> time consuming to verify.
>>>> Harddisks have a bad reputation too. They fail regularly.
>>>>
>>> Not that frequently.
>> I beg to differ. Hard disk failures are by far the most frequent
>> hardware problem I encounter at work.
> Don't forget to scale that by the number of hard disks you have per
> motherboard - they are probably also your most common component...
> And in my experience those failures are clustered within the first few
> months or out about 5 years.
>

I would have to dig up some references, but I have read some articles that claim that the reliability of a drive that is in full time operation in a server, running 24hrs/day and maybe even seeking under heavy load is way different than a drive that you run for a day or two and then it sits in an environmentally controlled storage, powered down for most of its lifetime. At least from what I read, the failure rate is much lower for the same drive used under the latter conditions. Even so, I still choose multiple different backup formats. But if long term archival is important, I think I would be doing some data refreshing after a few years of service from backup drives.

Nataraj
Re: [CentOS] postfix and spam, I am impressed
On 03/13/2012 12:03 PM, Tom Bishop wrote:
> One more thing, I did a quick search and it appears that they are now
> supporting 6.x code...have you given that a try yet...I already have a
> centos 6.2 vmware template that would make it quick and easy to spool up...

I'm still running on CentOS 5, but I'm on the mailing list and I'm pretty sure that CentOS 6 works now. One thing that I do recommend is that if you're not real familiar with postfix and you're going to do your own tweaking, keep a test VM around. I also install updates first on my test system before updating my production server.

Nataraj

> On Tue, Mar 13, 2012 at 1:56 PM, Nataraj wrote:
>
>> On 03/13/2012 11:28 AM, Tom Bishop wrote:
>>> Nataraj
>>>
>>> I need something for a very small shop and have been looking...been
>>> reading the comments. Is vpostmaster easy to setup and maintain, I'm
>>> looking for something lightweight and works for spam, I support them
>>> after
>>> hours and looking for something that just works
>> Vpostmaster is very easy to setup, provided you start with a clean linux
>> install (CentOS is good choice). Don't install it on a system where
>> you've already installed postfix, dovecot etc. For a small site it runs
>> very well in a VM. A VM is certainly adequate for testing.
>>
>> I have done some customization to my config, but I don't really think
>> that's necessary for most small sites. It's certainly better than
>> piecing together all the components yourself. The install package will
>> provide you with a working postfix, dovecot, greylisting, clamav,
>> spamassassin, spf etc and you can always add any additional postfix
>> compatible addons. The commercial version is still open source and gets
>> a few extra features over the free version. I currently run the free
>> version, but I like the author and plan to spring for the commercial
>> version.
>>
>> http://www.tummy.com/Products/vpostmaster
>>
>> There are 2 or 3 alternatives that provide an integrated mail system
>> based on postfix. I looked at them a while back and all were less
>> attractive to me. I'd have to dig up their names, but one is a package
>> in the fedora repositories. I think it's written in java. Sounded like
>> a nightmare to me.
>>
>> Nataraj
>>
Re: [CentOS] postfix and spam, I am impressed
On 03/13/2012 11:28 AM, Tom Bishop wrote:
> Nataraj
>
> I need something for a very small shop and have been looking...been
> reading the comments. Is vpostmaster easy to setup and maintain, I'm
> looking for something lightweight and works for spam, I support them after
> hours and looking for something that just works

Vpostmaster is very easy to setup, provided you start with a clean linux install (CentOS is good choice). Don't install it on a system where you've already installed postfix, dovecot etc. For a small site it runs very well in a VM. A VM is certainly adequate for testing.

I have done some customization to my config, but I don't really think that's necessary for most small sites. It's certainly better than piecing together all the components yourself. The install package will provide you with a working postfix, dovecot, greylisting, clamav, spamassassin, spf etc and you can always add any additional postfix compatible addons. The commercial version is still open source and gets a few extra features over the free version. I currently run the free version, but I like the author and plan to spring for the commercial version.

http://www.tummy.com/Products/vpostmaster

There are 2 or 3 alternatives that provide an integrated mail system based on postfix. I looked at them a while back and all were less attractive to me. I'd have to dig up their names, but one is a package in the fedora repositories. I think it's written in java. Sounded like a nightmare to me.

Nataraj
Re: [CentOS] postfix and spam, I am impressed
On 03/13/2012 11:05 AM, Les Mikesell wrote:
> On Tue, Mar 13, 2012 at 12:00 PM, Nataraj wrote:
>> Ok, so it wouldn't work to just use the oldest received, but a smarter
>> inspection could check to see whether it actually passed through a
>> server owned by the claimed domain. The reality is that what is needed is
>> to input this into a scoring system weighted with other spam evaluation
>> mechanisms, something like spamassassin. The downside of spamassassin is
>> that it is costly to run and must be run after the message is accepted
>> by the smtp server.
> MimeDefang runs it as part of its own milter process so you don't
> start a new perl for each message (and multiplexed so there is not
> necessarily an instance for every mailer process), and at a point
> where you can do an smtp reject based on the content.
>
>> There already exist so many different spam control methods, many of them
>> can run at the smtp level and reject mail prior to accepting. I get
>> pretty decent rejection from greylisting.
> MimeDefang doesn't do greylisting although the hooks are there if you
> wanted to do it yourself. But, you can run multiple milters and
> milter-greylist works OK.
>
>> I would look at the milter that Les mentioned. I haven't had a chance
>> yet.
> I set up the package from rpmforge a long time ago along with their
> clamav. I see they are both in epel now - not sure what you would
> have to do to make them work with postfix, though. I've seen them
> mentioned together on the mimedefang mail list, so someone must be
> doing it.
>

I run clamav and the greylisting implementation and the spamassassin interface that's included with vpostmaster. It's not perfect, but it's all quite nicely coded in python and easy to tweak. The GUI allows changing spamassassin, greylisting, clamav parameters on a per user basis. Users can also login to the gui and manage their own spam control. The database also has, designed in, the ability to store per user configuration for other modules that you might add yourself.

I will look at MimeDefang.

Nataraj
Re: [CentOS] CentOS Server Backup Options
On 03/13/2012 08:09 AM, m.r...@5-cent.us wrote:
> Tilman Schmidt wrote:
>> On 13.03.2012 00:48, Nataraj wrote:
>>> I have been successfully using 8GB dual layer DVDs for some of my
>>> backups/archiving and now that the price of Blu-ray has come down I am
>>> about to experiment with that. I have been writing dump format files to
>>> the DVDs and then writing an SHA256 checksum for each dump file so it's
>>> very easy to verify the integrity of the dump.
>>>
>>> I am also about to try daily encrypted backups to http://rsync.net along
> 1++
>
>>> with periodic archival to Blu-ray disk for one of my backup needs.
>> In my experience, the long-term stability of DVDs is rather
>> questionable. I've had quite a few nasty surprises with DVDs.
>> Even single-layer ones regularly turn out to be unreadable
>> after two or three years, and double-layer ones are worse.
>> I don't know if Blu-ray is any better in that respect.
> Yup. I've been reading about that instability for several years now: the
> commercially-produced ones are ok, but not the ones you write; they will
> *not* last the same number of years.
>
> mark
>

Good point. I've been following the recommendations in articles such as this http://adterrasperaspera.com/blog/2006/10/30/how-to-choose-cddvd-archival-media/ using mostly the Taiyo Yuden and Verbatim media where I could identify the country of origin and the dyes and so far I've done ok. A good reminder for me to check some of my back archives. I also have this same data stored on hard drives, so there is redundancy. As some have pointed out, if you really need long term archival of data I think a good plan would include periodic testing and refresh of media or rewrite to new media.

Nataraj
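The checksum-per-dump scheme Nataraj describes, and the periodic test of old media that this message ends on, as an added example. It is not code from the thread: the dump files are constructed in a temporary directory, and the manifest name SHA256SUMS with its line format (hash, two spaces, file name) is an assumption chosen so the same file can also be checked with `sha256sum -c SHA256SUMS` from the media. The verify step distinguishes a file that is gone from one that still reads but no longer hashes the same, which is what silent media rot looks like.

```python
"""Write a SHA-256 manifest beside a set of dump files and verify it later,
reporting files that are missing or no longer match.

Added example, not code from the thread. The dump files are constructed
in a temporary directory; the manifest name SHA256SUMS and its line
format (hash, two spaces, file name) are assumptions chosen so the same
file can also be checked with `sha256sum -c SHA256SUMS`.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-GB dumps need little memory


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(directory, names, manifest="SHA256SUMS"):
    """Hash each named file in `directory` and write the manifest there."""
    directory = Path(directory)
    out = directory / manifest
    with out.open("w") as f:
        for name in sorted(names):
            f.write(f"{sha256_of(directory / name)}  {name}\n")
    return out


def verify_manifest(manifest_path):
    """Check every entry; returns {'ok': [...], 'mismatch': [...], 'missing': [...]}.

    A mismatch is what silent media degradation (or tampering) looks like:
    the file still reads, but its bytes are not the ones that were written.
    """
    manifest_path = Path(manifest_path)
    base = manifest_path.parent
    result = {"ok": [], "mismatch": [], "missing": []}
    for line in manifest_path.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        target = base / name
        if not target.exists():
            result["missing"].append(name)
        elif sha256_of(target) == expected:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def demo():
    """Two constructed dump files: verify, then flip one bit in one file and
    delete the other, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "home.0.dump").write_bytes(b"\x00dump-block\x01" * 2000)
        (d / "var.0.dump").write_bytes(bytes(range(256)) * 16)
        manifest = write_manifest(d, ["home.0.dump", "var.0.dump"])
        before = verify_manifest(manifest)

        data = bytearray((d / "home.0.dump").read_bytes())
        data[100] ^= 0x01  # a single flipped bit is enough to change the digest
        (d / "home.0.dump").write_bytes(bytes(data))
        (d / "var.0.dump").unlink()
        after = verify_manifest(manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Keeping a second copy of the manifest off the disc (with the hard-drive copy Nataraj mentions) means a disc whose manifest itself has rotted can still be checked.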
Re: [CentOS] postfix and spam, I am impressed[Solution that works]
On 03/13/2012 04:21 AM, Bob Hoffman wrote:
> Nataraj
> Tue Mar 13 02:01:36 EDT 2012 wrote:
>
>> On 03/12/2012 10:06 PM, Nataraj wrote:
>>> On 03/12/2012 09:08 PM, Ron Loftin wrote:
>>>> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
>>>> as a first-line filter for some years now.
>>
>> pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for
>> most sites to use from postfix. The rest of the spamhaus RBLs such as
>> the combination that you get from zen.spamhaus.org are mostly safe
>> (better than all others that I've tried), but not 100%. Most others
>> that I've tried I have gotten a fair number of false positives over time
>> (This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL). Many
>> people feel that most other RBLs need to be used with a scoring
>> mechanism, such as that provided by spamassassin, instead of directly
>> from postfix to avoid getting too many false positives.
>>
>> Nataraj
> I changed it a bit since then. I found that sleep 1, when talking to my other
> VM that had
> sleep 1, caused one mail to just get lost, so I dropped it.
>
> My brother travels a lot and I found the client restrictions would not allow
> him
> to send mail since the wi-fi he would connect to was not figured correctly
> causing
> 100% mail send failure. So I left client restrictions empty, but I force ssl
> and user auth
> only anyway.

Mobile clients should be authenticating to a relay that's not on any of the dynamic lists and sending mail out through there. Most sane mail administrators do not accept mail directly from dynamic broadband/mobile clients.

> for the rbl lists I tried to pick those that had a notice page and a remove
> page.
> This way a blocked user can try to figure out why.

Also anyone using RBLs should also review the RBL's policy. Most RBLs charge a license fee for high volume queries and will cut you off if you violate their policy.

> Here is a bit from my logwatch, with 8 hours of non blocked spam and 16 hours
> since blocking it
> 6098 rejected, 429 accepted (most of those 429 were before the change)
> Since 12 noon yesterday I have received 17 junk mails, all but two tagged by
> spamassassin.
> BIG DIFFERENCE.
>
> Below is the logwatch section, followed by my final set up (at least so far).

Your logwatch format is very nice, that does not appear to be the standard CentOS included logwatch. Have you customized it a lot yourself?

In any case, I used to have very large numbers in the category you described, but since I started doing aggressive blocking with fail2ban (matching on repeated mail delivery failures), now I just completely block all those with iptables, so that postfix never sees them. I have not noticed any increase in user complaints since this happened. And I do notice that the majority of the offending IP addresses were from Asia, South America, Eastern Europe, the Middle East, etc.

Is this just a personal mail server or are you serving a large user base?

>
>    1.062M  Bytes accepted                   1,113,084
> 1007.732K  Bytes delivered                  1,031,918
>
>      429   Accepted                             6.57%
>     6098   Rejected                            93.43%
>
>     6527   Total                              100.00%
>
>
>        4   Reject relay denied                  0.07%
>      340   Reject HELO/EHLO                     5.58%
>     1749   Reject unknown user                 28.68%
>        1   Reject recipient address             0.02%
>        3   Reject sender address                0.05%
>     4001   Reject RBL                          65.61%
>
>     6098   Total Rejects                      100.00%
>
>
>        8   4xx Reject relay denied              0.84%
>      318   4xx Reject HELO/EHLO                33.23%
>       39   4xx Reject unknown user              4.08%
>       81   4xx Reject recipient address         8.46%
>      511   4xx Reject sender address           53.40%
>
>      957   Total 4xx Rejects                  100.00%
>
>
>     3534   Connections made
>      419
Re: [CentOS] postfix and spam, I am impressed
On 03/13/2012 07:02 AM, m.r...@5-cent.us wrote:
> Ross Walker wrote:
>> On Mar 12, 2012, at 5:25 PM, m.r...@5-cent.us wrote:
>>
>>> Here's a question: is there any way to inspect an email's headers, and
>>> reject it if the alleged FQDN in the "From:" doesn't match the oldest
>>> "Received:"?
>> That would be problematic with dual homed mail gateways that received on
>> internal interface and delivered on external interface that had different
>> host names on each.
>>
> I'm just trying to think of ways around a blacklist... *esp* the way
> dnsorb does, where they'll blacklist an entire block that belongs to a
> hosting provider, who provides one external delivery address.
>
> mark "why, yes, that has happened to me several times"
>

Ok, so it wouldn't work to just use the oldest received, but a smarter inspection could check to see whether it actually passed through a server owned by the claimed domain. The reality is that what is needed is to input this into a scoring system weighted with other spam evaluation mechanisms, something like spamassassin. The downside of spamassassin is that it is costly to run and must be run after the message is accepted by the smtp server.

There already exist so many different spam control methods, many of them can run at the smtp level and reject mail prior to accepting. I get pretty decent rejection from greylisting. Postscreen is supposed to be quite good for detecting any kind of bot attacks. I'm currently using other techniques for bot attacks, but plan on switching to postscreen. I also run fail2ban and block IP addresses when I get repeated smtp errors from an IP, this substantially reduces any kind of bulk spam attack which attempts to guess valid mail recipients.

I would look at the milter that Les mentioned. I haven't had a chance yet.

Nataraj
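The detection half of the fail2ban setup Nataraj describes in this message and in the logwatch reply above (repeated smtp errors from one IP, the signature of recipient guessing), as an added example run over sample log lines. This is not code from the thread or from fail2ban: the log lines are constructed in the shape Postfix smtpd writes them, using RFC 5737 documentation addresses, with the year 2012 assumed because syslog lines carry no year; the `maxretry`/`findtime` names mirror fail2ban's parameters but the windowing logic is this example's own. The blocking action (the iptables rule) is left to fail2ban. Only 5xx rejects are counted by default: 4xx is what greylisting hands to well-behaved relays, and counting those would get legitimate mail servers blocked.

```python
"""Detect recipient-guessing clients from Postfix smtpd log lines.

Added example, not code from the thread or from fail2ban. Log lines are
constructed in the real Postfix reject format (RFC 5737 addresses); the
year is assumed because syslog timestamps carry none.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>\d{3}) "
)


def parse_ts(ts, year=2012):
    """Syslog timestamp ('Mar 13 10:00:02') to datetime; year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def offenders(lines, maxretry=5, findtime_s=600, count_codes=("5",)):
    """Return {ip: time the threshold was crossed} for clients with at
    least `maxretry` counted rejects inside any `findtime_s` window.

    Only 5xx rejects count by default; 4xx (greylisting, temporary
    failures) is what legitimate servers see and retry.
    """
    window = defaultdict(deque)
    crossed = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m or not m["code"].startswith(count_codes):
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()
        if len(q) >= maxretry and ip not in crossed:
            crossed[ip] = ts.isoformat()
    return crossed


def reject_line(ts, client, ip, status, rcpt, reason):
    """Constructed log line in the real Postfix smtpd reject format."""
    return (f"{ts} mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"{client}[{ip}]: {status} <{rcpt}>: Recipient address rejected: "
            f"{reason}; from=<x@example.net> to=<{rcpt}> proto=ESMTP helo=<{client}>")


def constructed_log():
    """Sample log: one fast guesser, one greylisted relay, one slow guesser,
    plus an accepted connection line that must not count."""
    lines = []
    # Six unknown recipients in ten seconds from one client.
    for i, name in enumerate(["aaron", "abby", "abe", "abel", "abigail", "abraham"]):
        lines.append(reject_line(f"Mar 13 10:00:{2 * i:02d}", "unknown", "192.0.2.10",
                                 "550 5.1.1", f"{name}@example.org",
                                 "User unknown in virtual mailbox table"))
    # A legitimate relay being greylisted: six 450s that it keeps retrying.
    for i in range(6):
        lines.append(reject_line(f"Mar 13 10:0{i}:30", "mx.partner.example",
                                 "198.51.100.7", "450 4.7.1", "bob@example.org",
                                 "Greylisted"))
    # A slow guesser: five 550s spread over two hours.
    for hhmm in ("09:00", "09:30", "09:59", "10:30", "11:00"):
        lines.append(reject_line(f"Mar 13 {hhmm}:00", "unknown", "203.0.113.5",
                                 "550 5.1.1", "zed@example.org",
                                 "User unknown in virtual mailbox table"))
    lines.append("Mar 13 10:02:00 mail postfix/smtpd[2103]: 3F2A1C0B1: "
                 "client=mx.partner.example[198.51.100.7]")
    return sorted(lines, key=lambda l: parse_ts(l[:15]))


if __name__ == "__main__":
    print(offenders(constructed_log()))
```

Run against a real maillog the same function takes `open("/var/log/maillog")` as `lines`; the window and threshold are the two knobs worth tuning per site, and the greylisted relay in the sample is the case to re-check after any change to `count_codes`.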
Re: [CentOS] postfix and spam, I am impressed
On 03/12/2012 10:06 PM, Nataraj wrote:
> On 03/12/2012 09:08 PM, Ron Loftin wrote:
>> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
>> as a first-line filter for some years now.
>>
>> All of the above suggestions are very useful. The only point that I
>> haven't seen in this thread is that mail server/filter configs are
>> extremely user-dependent. I started out with some of the more
>> restrictive options discussed here, but I had to relax a few of them for
>> the client involved. It seems that they were doing business with some
>> folks ( both customers and suppliers ) who were using poorly-configured
>> mail servers, and some of the options given above can cause "legitimate"
>> traffic from such poorly-configured servers to be rejected.
>>
>> In short, like you should do for any application, do the appropriate
>> research so that you UNDERSTAND what the recommended options are doing
>> for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
>> needs. In the case of using Postfix to filter mail to reduce the
>> inbound spam to an old, feature-poor mail server, it took some research
>> and some experimenting with different recommendations to achieve the
>> solution that met the needs of a particular user community.
>>
>> Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>
>>

pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for most sites to use from postfix. The rest of the spamhaus RBLs such as the combination that you get from zen.spamhaus.org are mostly safe (better than all others that I've tried), but not 100%. Most others that I've tried I have gotten a fair number of false positives over time (This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL). Many people feel that most other RBLs need to be used with a scoring mechanism, such as that provided by spamassassin, instead of directly from postfix to avoid getting too many false positives.

Nataraj
Re: [CentOS] postfix and spam, I am impressed
On 03/12/2012 09:08 PM, Ron Loftin wrote:
>
> I'm going to chuck in my 2 cents worth here, as I've been using Postfix
> as a first-line filter for some years now.
>
> All of the above suggestions are very useful. The only point that I
> haven't seen in this thread is that mail server/filter configs are
> extremely user-dependent. I started out with some of the more
> restrictive options discussed here, but I had to relax a few of them for
> the client involved. It seems that they were doing business with some
> folks ( both customers and suppliers ) who were using poorly-configured
> mail servers, and some of the options given above can cause "legitimate"
> traffic from such poorly-configured servers to be rejected.
>
> In short, like you should do for any application, do the appropriate
> research so that you UNDERSTAND what the recommended options are doing
> for you ( or TO you ) and tailor your selection(s) to meet YOUR specific
> needs. In the case of using Postfix to filter mail to reduce the
> inbound spam to an old, feature-poor mail server, it took some research
> and some experimenting with different recommendations to achieve the
> solution that met the needs of a particular user community.
>
> Like I said, this is just my $0.02 (US) worth. Enjoy. ;^>
>

Yes, this is very much true. It takes a bit of tuning to find the right settings for each mail environment. Turn things up too high and your phone will ring off the hook with user complaints about rejecting mail that they want to receive. Fortunately you can define multiple smtpd_restriction_classes and apply different policies by matching on who the recipient, sender, client domain etc is. An example would be:

NOTE THIS example is hypothetical, I don't suggest that anyone try to use my extra_restrictive class on a production system without testing.

smtpd_restriction_classes = extra_restrictive, restrictive, permissive

extra_restrictive =
    reject_rbl_client dul.dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client dnsbl.sorbs.net
    reject_rhsbl_sender whois.rfc-ignorant.org
    reject_rhsbl_sender postmaster.rfc-ignorant.org
    reject_rhsbl_sender abuse.rfc-ignorant.org
    reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2
    reject_rbl_client l2.apews.org

restrictive =
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net

permissive =
    reject_rbl_client pbl.spamhaus.org

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_recipient_access proxy:pgsql:/etc/postfix/vpm_recipient_access
##
# NOTE: YOU MUST ALWAYS check for valid recipients before checking
# for sender exceptions, otherwise anyone who passes the
# sender exceptions will be allowed to use us as a relay.
##
    check_sender_access hash:/etc/postfix/smtpd_sender_access
    check_recipient_access hash:/etc/postfix/smtpd_recipient_access
    check_policy_service unix:private/vpm-pfpolicy
    reject_unauth_destination

Then in smtpd_recipient_access I have:

domain1.com                              restrictive
ab...@domain1.com                        extra_restrictive
postmas...@domain1.com                   extra_restrictive
registrar_domain_cont...@domain1.com     extra_restrictive
domain2.com                              permissive

Nataraj
Re: [CentOS] postfix and spam, I am impressed
On 03/12/2012 02:25 PM, m.r...@5-cent.us wrote:
> Bob Hoffman wrote:
>> I have had the same email address since 1997 (when microsoft stole
>> bob.com from me thanks to network solutions...)
> I remember reading about you, vaguely.
>
>> Now I have set up a centos 6 box using postfix. Today I decided to try
>> to add smtpd restrictions. After a lot of reading and testing I 'seem'
>> to be doing incredible.
>> I wanted to share my current working postfix smtpd restrictions area so
>> that others who are interested can start with it.
>
> Here's a question: is there any way to inspect an email's headers, and
> reject it if the alleged FQDN in the "From:" doesn't match the oldest
> "Received:"?
>
> mark
>

That would be a good test. Postfix does have the ability to match regular expressions on headers, but the tests are limited to testing a single line at a time. You can however write one of several types of postfix content inspection modules using your favorite programming or scripting language. If you use one of the before queue inspection methods and you have a busy mail server, you have to watch out that you don't introduce delays that could cause clients to time out. You might also look around to see if there's something out there that would already do that.

Check out http://www.postfix.org/CONTENT_INSPECTION_README.html

I don't think it's that hard to throw together a perl or python script to do this. I have more experience with the policy daemon though.

Nataraj
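The check mark asks about, written the way Nataraj later argues it has to be used (a scoring input, not a hard reject, because dual-homed gateways and outsourced relays make a mismatch common for legitimate mail). This is an added example, not code from the thread or from Postfix, and it is the message-parsing part only; wiring it into a content filter or SpamAssassin plugin is left out. The three messages are constructed and the score values are arbitrary. It compares the From: domain with the host named in the oldest Received: header, and prefers the reverse-DNS name the receiving MTA recorded (the part in parentheses) over the HELO name the client supplied, treating a HELO-only agreement as weaker.

```python
"""Does the From: domain agree with the host that first handed the message
in (the oldest Received: header)? Added example, not code from the thread
or from Postfix; it yields a score contribution, not a verdict. The three
messages below are constructed and the score values are arbitrary.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>])" as written by Postfix; the part in
# parentheses is what the *receiving* MTA looked up, the HELO name is
# whatever the client claimed.
RECEIVED_FROM_RE = re.compile(
    r"^\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def oldest_hop(msg):
    """(host, verified) for the first hop. Each MTA prepends its Received:
    header, so the last one in the message is the oldest."""
    received = msg.get_all("Received", [])
    if not received:
        return None, False
    m = RECEIVED_FROM_RE.match(" ".join(received[-1].split()))
    if not m:
        return None, False
    rdns = (m["rdns"] or "").lower()
    if rdns and rdns != "unknown":
        return rdns, True             # reverse DNS found by the receiving MTA
    return m["helo"].lower(), False   # only the client's own claim


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def inspect(raw):
    """Classify one message and return the score it would add."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    host, verified = oldest_hop(msg)
    if domain is None or host is None:
        return {"from_domain": domain, "first_hop": host, "result": "unknown", "score": 0.0}
    if same_org(host, domain):
        result, score = ("match", 0.0) if verified else ("unverified", 0.5)
    else:
        result, score = ("mismatch", 1.5)
    return {"from_domain": domain, "first_hop": host, "result": result, "score": score}


MSG_MATCH = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.25])
 by mail.example.net (Postfix) with ESMTPS id 3F2A1C0B1
 for <bob@example.net>; Tue, 13 Mar 2012 12:03:11 -0700 (PDT)
Received: from client.example.org (client.example.org [192.0.2.33])
 by mx1.example.org (Postfix) with ESMTP id A1B2C3
 for <bob@example.net>; Tue, 13 Mar 2012 12:02:58 -0700 (PDT)
From: Alice <alice@example.org>
To: bob@example.net
Subject: constructed sample, first hop inside the sender's domain

body
"""

MSG_OUTSOURCED = """\
Received: from smtp.bulkmailer.example (smtp.bulkmailer.example [198.51.100.3])
 by mail.example.net (Postfix) with ESMTP id 7C0D9E
 for <bob@example.net>; Tue, 13 Mar 2012 12:10:00 -0700 (PDT)
From: News <newsletter@shop.example>
To: bob@example.net
Subject: constructed sample, legitimate mail via a third-party relay

body
"""

MSG_NO_RDNS = """\
Received: from bank.example (unknown [203.0.113.9])
 by mail.example.net (Postfix) with ESMTP id 9A8B7C
 for <bob@example.net>; Tue, 13 Mar 2012 12:12:00 -0700 (PDT)
From: alerts@bank.example
To: bob@example.net
Subject: constructed sample, HELO claims the domain but no reverse DNS

body
"""

if __name__ == "__main__":
    for raw in (MSG_MATCH, MSG_OUTSOURCED, MSG_NO_RDNS):
        print(inspect(raw))
```

The second sample is the case Ross raised: perfectly legitimate mail whose first hop belongs to someone else, which is why the result is a weight to combine with other signals rather than a reject on its own.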