Re: Frustrated - Weird problem

2010-09-08 Thread Ed
On Thu, Sep 2, 2010 at 8:03 PM, Simon Chatfield wrote:
>
> Ok, I've got a doozy of an issue which has happened twice this week and is
> absolutely crushing to my clients who are in busy season right about now.
> Here's the issue...
>
> I have a beefy linux database server which runs both postgres and mysql. We
> just recently loaded mysql and are putting it under significant load.
>
> Apparently at random, twice this week (Monday and this evening) it appears to
> take the network down save for a single machine which we are still able to
> ssh into. There are 6 other boxes which we cannot ssh into when this occurs.
> Link light activity does appear to still be active on the network. The
> method for solving the problem has been to hard reboot this specific server
> and as soon as it goes down, we can access the other boxes via ssh and they
> start working again. When the box comes back up, we can then ssh into that
> machine and everything is good (until it happens again that is). After the
> reboot, there isn't much in the logs, but I see the log entry for the tech
> unplugging and plugging in the computer from the switch PRIOR to the reboot
> so the network link was detected and logged even though it was not
> responding to ssh.
>
> These machines are hosted down at i/o so a hardboot is causing us
> significant time to get a tech to handle it.
>
> Has anyone ever heard of a single linux box bringing down 'most' of a
> network? then reboot and the other boxes are then accessible?
>
> My client is at his wits' end, and I don't blame him. However, I'm not even
> sure what kind of problem this is. hardware on that box? system
> configuration? a bad switch?
>
> Looking for ideas at least, and if someone has time and ability, I'd love to
> have someone on-site to help debug and fix this issue...
>
> Thanks everyone!
>
> --
> Simon Chatfield
>

Are the 6 machines actually crashing, or are they losing their routing
tables? If the systems just got un-networked, see if/how the routing
tables change. OTOH, do you have avahi running? Look for 169.254/16 IP
addresses in the wrong place.
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


Re: Server/Form/Language Exploits

2010-09-08 Thread Lisa Kachold
1) Web file integrity:

Run a job that informs you of web systems level file changes every day.

It's a simple one liner: find /var/www/htdocs -mtime -1

Or run a diff between another backed up tree and current file system that
alerts you via email if one of the files has been changed.

With an if/then statement that matches only changed content and alerts you
when/if something changes via either a diff to a backed up tree in
/root/htdocs or /usr/local/src/htdocs

2) IDS/Snort
Run snort on your system to ensure known packet signatures are dropped.
This is generally needed for PHP/Mysql.

3) Create an initial dd iso of your build and restore it to three drives
during build.  Every six months restore original dd iso drive.  Requires 5
minutes downtime to replace the drive.  Restore the drive you removed to dd
iso of original build so you always have at least two servers ready for DR
and one spare drive to swap in.

4) Run standard layered firewall that includes bottom up network protection.

5) Expect they will get it, so run different passwords on every system, be
ready to restore databases and web content quickly.  It's easy really.

6) As soon as you see any evidence of exploit, take it offline immediately
and rebuild.

7) Take a list of every single version and platform you are using and
compare patch levels and versions against the CERT and OWASP exploit
databases.  If there are no exploits for it, you are safer, some exploits
can be mitigated, but at the very least expect to patch your server
regularly.  Don't just build it and forget it.
-- 
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com 

“These capitalists generally act harmoniously and in concert, to fleece the
people”  --Abraham Lincoln

On Tue, Sep 7, 2010 at 2:32 PM, James Mcphee  wrote:

> Harden your server intelligently and keep it up to date with patches.
>
> Also, keep yourself informed.  I'm sure people can suggest various
> resources that have all the latest exploit info, etc.
>
> On Tue, Sep 7, 2010 at 2:07 PM, keith smith  wrote:
>
>>
>> I was just talking with the guy who manages our servers and he was telling
>> me about some exploits and some of the things he sees.
>>
>> He was telling me about one gang that might exploit a server and another
>> gang finds it and takes it over, fixes the exploit and then creates a back
>> door.
>>
>> How does one keep up on exploits and current security issues?
>>
>> Thanks!
>>
>> 
>> Keith Smith
>>
>
>
>
> --
> James McPhee
> jmc...@gmail.com
>
>
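
The diff-against-a-backed-up-tree check from point 1 of the message above, written out as an added example that is not part of the original post. The paths come from the post; the function names, the script name, the recipient address and the use of the `mail` command are assumptions.

```sh
#!/bin/sh
# Added example: report files that differ between the live web tree and a
# trusted baseline copy, and mail the report only when something changed.

# Print one "sha256  ./relative/path" line per regular file under $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_trees LIVE BASELINE: print ADDED / MODIFIED / REMOVED lines, sorted.
compare_trees() {
    base_list=$(mktemp) || return 2
    manifest "$2" > "$base_list"
    manifest "$1" | awk -v basefile="$base_list" '
        BEGIN {  # load baseline: 64 hex digits, 2 separator chars, then path
            while ((getline line < basefile) > 0)
                base[substr(line, 67)] = substr(line, 1, 64)
        }
        { path = substr($0, 67); hash = substr($0, 1, 64) }
        !(path in base)    { print "ADDED " path; next }
        { seen[path] = 1 }
        base[path] != hash { print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' | sort
    rm -f "$base_list"
}

# check_and_alert LIVE BASELINE RECIPIENT: silent (status 0) when the trees
# match; otherwise mail the report and return 1 so cron also logs a failure.
check_and_alert() {
    report=$(compare_trees "$1" "$2")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report" | mail -s "web tree changed on $(uname -n)" "$3"
    return 1
}

# Daily cron entry (paths from the post; script name and address are assumptions):
#   0 6 * * * /usr/local/sbin/webcheck.sh /var/www/htdocs /root/htdocs admin@example.org
if [ "$#" -eq 3 ]; then
    check_and_alert "$@"
fi
```

Keep the baseline copy somewhere the web server account cannot write, otherwise a change to the live tree can be mirrored into the baseline.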



Re: Verify if an email address exists.

2010-09-08 Thread Alex Dean


On Sep 8, 2010, at 12:22 AM, Dan Dubovik wrote:

> If you want to know if a specific email address is available, you
> can try to send an email to the address, and note the response code
> after sending it.  Using php, you can use the mail() function,
> however, the error message it returns is binary in nature, either it
> sends or not, without a real reason why it failed to send.


That tells you if PHP was able to hand the message off to the local  
MTA (sendmail/postfix/etc).  It doesn't give any indication of whether  
the destination address is valid or not, unfortunately.


Keith: The only sure way I know of to tell if an address is valid or  
not is to send a 'please reply to this message' email, and see if you  
get a response or not.  And (as mentioned by others) that's not a  
guarantee that the address you sent to is actually the address which  
the email was delivered to.  Aliases, catch-all accounts, etc can all  
play a part.


alex
