RE: SL7 - crond starting before chronyd causing problem with mrtg {solved - I think}

2015-02-09 Thread Bill Maidment
OK. The truth is out!
The power outage did not resolve the problem, even though the guests were 
shut down and freshly booted.
The rtc on each SL7 guest on the SL7 host were set incorrectly as the 
localtime, because the XML file had:


Changing the XML files for the SL7 guests to contain:

fixed the problem.

However, the SL6 guests on the SL7 host still needed:

to get the time correct on them.

Some inconsistency here, but I can cope with that until the SL6 guests get 
replaced with SL7.

Cheers
Bill
  
 
-Original message-
> From:Bill Maidment 
> Sent: Friday 6th February 2015 20:41
> To: Bill Maidment ; scientific-linux-users@fnal.gov
> Subject: RE: SL7 - crond starting before chronyd causing problem with mrtg 
> {solved - I think}
> 
> 
> 
> Hmm
> 
> It seems that I forgot that kvm by default only suspends the guests when you 
> reboot the host. This explains the delay in resynchronising the clock, etc.
> 
> I've now fixed up the /etc/sysconfig/libvirt-guests on the host to ensure a 
> reboot of guests.
> 
> I'm now awaiting the next reboot (a scheduled power outage on Tuesday) to 
> prove the point.
> 
> Sorry all for the noise; at age 68 the little grey cells aren't what they 
> used to be.
> 
> Cheers
> 
> Bill
> 
> -Original message-
> From: Bill Maidment 
> Sent: Thursday 22nd January 2015 18:26
> To: scientific-linux-users@fnal.gov
> Subject: RE: SL7 - crond starting before chronyd causing problem with mrtg
> 
> Thanks David.
> However, even using After= chronyd.service the chronyd still takes too long 
> to correct the time for the time-zone.
> 
> After some investigation, it seems that the KVM system is at fault when the 
> host is rebooted, but not when the guest is rebooted.
> On reboot of the host KVM adds the timezone shift to the hardware clock for 
> the guests and then the guest adds the timezone shift again.
> This extra addition of the timezone shift did not happen on SL6.
> 
> After running hwclock --systohc on the guest, I get the following setup.
> 
> [root@giggs2 ~]# timedatectl
>       Local time: Thu 2015-01-22 17:55:26 AEDT
>   Universal time: Thu 2015-01-22 06:55:26 UTC
>         RTC time: Thu 2015-01-22 06:55:26
>         Timezone: Australia/Sydney (AEDT, +1100)
>      NTP enabled: yes
> NTP synchronized: yes
>  RTC in local TZ: no
>       DST active: yes
>  Last DST change: DST began at
>                   Sun 2014-10-05 01:59:59 AEST
>                   Sun 2014-10-05 03:00:00 AEDT
>  Next DST change: DST ends (the clock jumps one hour backwards) at
>                   Sun 2015-04-05 02:59:59 AEDT
>                   Sun 2015-04-05 02:00:00 AEST
> [root@giggs2 ~]#
> 
> On reboot of just the guest, I get the following, the RTC looks OK:
> 
> [root@giggs2 ~]# timedatectl
>       Local time: Thu 2015-01-22 18:05:09 AEDT
>   Universal time: Thu 2015-01-22 07:05:09 UTC
>         RTC time: Thu 2015-01-22 07:05:09
>         Timezone: Australia/Sydney (AEDT, +1100)
>      NTP enabled: yes
> NTP synchronized: yes
>  RTC in local TZ: no
>       DST active: yes
>  Last DST change: DST began at
>                   Sun 2014-10-05 01:59:59 AEST
>                   Sun 2014-10-05 03:00:00 AEDT
>  Next DST change: DST ends (the clock jumps one hour backwards) at
>                   Sun 2015-04-05 02:59:59 AEDT
>                   Sun 2015-04-05 02:00:00 AEST
> [root@giggs2 ~]#
> 
> On reboot of the host, I get the following on the guest, the RTC looks wrong:
> 
> [root@giggs2 ~]# timedatectl
>       Local time: Fri 2015-01-23 05:15:41 AEDT
>   Universal time: Thu 2015-01-22 18:15:41 UTC
>         RTC time: Thu 2015-01-22 18:15:42
>         Timezone: Australia/Sydney (AEDT, +1100)
>      NTP enabled: yes
> NTP synchronized: yes
>  RTC in local TZ: no
>       DST active: yes
>  Last DST change: DST began at
>                   Sun 2014-10-05 01:59:59 AEST
>                   Sun 2014-10-05 03:00:00 AEDT
>  Next DST change: DST ends (the clock jumps one hour backwards) at
>                   Sun 2015-04-05 02:59:59 AEDT
>                   Sun 2015-04-05 02:00:00 AEST
> [root@giggs2 ~]#
> 
> Regards
> Bill Maidment
> 
> -Original message-
> > From:David Sommerseth 
> > Sent: Wednesday 21st January 2015 23:33
> > To: Bill Maidment ; SCIENTIFIC-LINUX-USERS@FNAL.GOV 
> > 
> > Subject: Re: SL7 - crond starting before chronyd causing problem with mrtg
> > 
> > On 21/01/15 12:18, Bill Maidment wrote:
> > > Hi guys
> > > MRTG is having problems with timeshift because crond starts before 
> > > chronyd on SL7.
> > > I have added chronyd.service as a dependency to the crond.service. Is that 
> > > the right approach to solving the problem?
> > 
> > This sounds like the right approach.  But systemd has different levels of
> > dependencies.  I recommend you check the dependency you used against man
> > systemd.unit.  Check out After=, Requires= and Requisite=.
> > 
> > --
> > kind regards,
> > 
> > David Sommerseth
> > 
> >
> 
> 
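An added check, not from the thread or from any of the posters, that parses timedatectl output like the dumps above and, given a trusted reference time, tells an ordinary clock error apart from the pattern Bill describes, where the guest's UTC clock is off by exactly the zone offset because the RTC held local time and was read as UTC. The sample dump and the reference time are constructed; the reference is assumed to come from a trusted source such as the host's chronyd.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's third timedatectl dump (guest seen
# after a host reboot); the '> ' mail quoting is tolerated by the parser.
SAMPLE = """\
>   Local time: Fri 2015-01-23 05:15:41 AEDT
>   Universal time: Thu 2015-01-22 18:15:41 UTC
>     RTC time: Thu 2015-01-22 18:15:42
>     Timezone: Australia/Sydney (AEDT, +1100)
>  RTC in local TZ: no
"""

# Assumed trusted reference for the moment the dump was taken (e.g. what the
# host's chronyd reports): about 18:15 AEDT on the Thursday, i.e. 07:15 UTC.
REFERENCE_UTC = datetime(2015, 1, 22, 7, 15, 41, tzinfo=timezone.utc)

def parse_timedatectl(text):
    """Extract the guest's UTC clock, the raw RTC reading and the zone offset."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^[>\s]*([A-Za-z ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    utc = datetime.strptime(fields["Universal time"],
                            "%a %Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    rtc = datetime.strptime(fields["RTC time"], "%a %Y-%m-%d %H:%M:%S")
    m = re.search(r"([+-])(\d\d)(\d\d)\)", fields["Timezone"])
    offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return {"utc": utc, "rtc": rtc,
            "tz_offset": offset if m.group(1) == "+" else -offset,
            "rtc_is_local": fields.get("RTC in local TZ") == "yes"}

def classify(parsed, reference_utc, tolerance=timedelta(seconds=5)):
    """Compare the guest's UTC with a trusted reference.
    'ok'            : within tolerance
    'rtc-localtime' : error equals the zone offset, i.e. an RTC holding local
                      time was read as UTC (the double shift described above)
    'skew'          : wrong by some other amount"""
    error = parsed["utc"] - reference_utc
    if abs(error) <= tolerance:
        return "ok"
    if abs(error - parsed["tz_offset"]) <= tolerance:
        return "rtc-localtime"
    return "skew"
```

A clock that is wrong by a whole zone offset also breaks Kerberos tickets, TLS validity windows and log correlation, so this is worth running from the host against every guest after a host reboot.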


Re: Is there any data base collecting data on breakin attempts?

2015-02-09 Thread John Lauro
Check out https://dshield.org/howto.html for a central place to submit 
attempts...

Some useful pages:
https://dshield.org/reports.html
https://dshield.org/sources.html

As many sources can be anonymous, it's easy for hosts to be on someone's lists 
from either spoofed or replies to spoofed IPs, etc...  and so shouldn't be used 
as a blacklist, at least not exclusively.  (i.e. wouldn't want to block port 80 
based on this for a public web server)

- Original Message -
> From: "hansel" 
> To: SCIENTIFIC-LINUX-USERS@FNAL.GOV
> Sent: Sunday, February 8, 2015 12:41:56 PM
> Subject: Is there any data base collecting data on breakin attempts?
> 
> I accept as normal many (upwards of several thousand) daily root
> break-in attempts. My defense is careful sshd configuration and a
> restrictive incoming router firewall.
> 
> Does anyone maintain a database of consistently offending sites (maybe
> a news source, such as politico or propublica)? Initial use of whois
> and dig for a few returned familiar countries of origin, countries that
> may encourage or even sponsor some attempts.
> 
> I searched the archive for "breakin" and "failed" with and without
> subject line qualifiers (like "root") and found nothing.
> 
> Thank you.
> mark hansel
> 


Re: what port does theyum visual frontend use?

2015-02-09 Thread prmarino1
What visual front end are you referring to? There are a few of them to choose 
from.

They usually just call the yum python libraries and/or command. No additional 
ports required.

In general yum only requires ports 80 and 443 for 90% of public repos; however 
yum supports using other methods like rsync too. Also port numbers may vary. 
For example I've seen publicly posted yum repos hosted on odd ports like HTTPS 
on port 8443, so you need to look at the repos you are using to determine if any 
of them are using odd port numbers and/or protocols.


Sent from my BlackBerry 10 smartphone.
  Original Message  
From: hansel
Sent: Monday, February 9, 2015 09:57
To: scientific-linux-users@fnal.gov
Subject: what port does theyum visual frontend use?

From the command line, "yum info " produces output, 
while the visual frontend always reports "no results were found" (annoying 
passive voice). The visual tool does provide repository listings.

It appears the reason is that yesterday (Sun 2/8) I closed a port at the 
router used by this tool. 80, 8080, and 443 (as well as 992) are open and 
I thought that was sufficient. Yum docs claim 443 and 80 are sufficient, 
at least as I read them.

This is a Motorola router integrated with a cable modem (SBG6580) -- that 
has worked mostly flawlessly for about a year.

FWIW, this change reduced root breakin attempts from thousands to 1 in 24 
hours, so it may be a reasonable trade-off.

Thank you,
Mark Hansel


RE: Is there any data base collecting data on breakin attempts?

2015-02-09 Thread John Hearns
Mark,

not a direct answer to your question but you could run 'fail2ban'.
This will log and blacklist failed login attempts; the time the blacklist is 
valid for is tuneable.

Maybe not what you asked for, but might help you.




Re: Is there any data base collecting data on breakin attempts?

2015-02-09 Thread prmarino1
Well the answer is yes, there are for things like email and other specific 
services. These are lists you generally pay to get access to; the reason being 
it takes a lot of constant work to maintain them.

Your best bet though is to run snort and possibly a console like base (just 
search "snort base" and you should find it quickly).

If you are really brave and paranoid you can also run snort "inline" in your 
firewall; however I don't know of anyone who has ever done that in a 
production environment. Snort in inline mode links into iptables and/or a squid 
proxy and will actively drop and log anything it finds objectionable. The 
problem is until it's tuned correctly snort tends to find everything it sees 
objectionable.

The other thing you can do is log monitoring on a central syslog server. In 
the past Red Hat used to install logwatch on every host resulting in a deluge of 
daily email reports which were annoying. But if you run logwatch on a central 
syslog server and you actually tune the settings logwatch becomes your best 
friend because it will give you an easy to read daily report encompassing 
your entire infrastructure.


Sent from my BlackBerry 10 smartphone.
  Original Message  
From: hansel
Sent: Monday, February 9, 2015 09:57
To: SCIENTIFIC-LINUX-USERS@FNAL.GOV
Subject: Is there any data base collecting data on breakin attempts?

I accept as normal many (upwards of several thousand) daily root 
break-in attempts. My defense is careful sshd configuration and a 
restrictive incoming router firewall.

Does anyone maintain a database of consistently offending sites (maybe a 
news source, such as politico or propublica)? Initial use of whois and dig 
for a few returned familiar countries of origin, countries that may 
encourage or even sponsor some attempts.

I searched the archive for "breakin" and "failed" with and without subject 
line qualifiers (like "root") and found nothing.

Thank you.
mark hansel
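As an added illustration of the log-monitoring and fail2ban suggestions made in this thread (example code, not from any of the posters), a small parser over constructed sshd syslog lines that gives the per-source failure count a central logwatch report would show, lists the sources that went for root, and applies a fail2ban-style maxretry-within-findtime rule. The log lines and addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (RFC 5737 addresses); not from the thread.
SAMPLE_LOG = """\
Feb  8 03:12:01 gw sshd[2413]: Failed password for root from 198.51.100.7 port 51022 ssh2
Feb  8 03:12:03 gw sshd[2413]: Failed password for root from 198.51.100.7 port 51030 ssh2
Feb  8 03:12:05 gw sshd[2413]: Failed password for invalid user admin from 198.51.100.7 port 51041 ssh2
Feb  8 03:15:44 gw sshd[2501]: Failed password for root from 203.0.113.9 port 40011 ssh2
Feb  8 06:40:02 gw sshd[2733]: Failed password for root from 203.0.113.9 port 40187 ssh2
Feb  8 08:02:10 gw sshd[3001]: Accepted publickey for mark from 192.0.2.20 port 50122 ssh2
Feb  8 08:20:17 gw sshd[3090]: Failed password for mark from 192.0.2.20 port 50130 ssh2
Feb  8 09:01:33 gw sshd[3177]: Failed password for root from 203.0.113.9 port 40302 ssh2
""".splitlines()

# Year-less syslog timestamp, host, then sshd's failed-password message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, user, is_invalid_user) per failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
            yield ts, m.group("ip"), m.group("user"), bool(m.group("invalid"))

def failures_by_source(lines):
    """Failed logins per source address: the logwatch-style daily summary."""
    return Counter(ip for _, ip, _, _ in parse_failures(lines))

def root_attempt_sources(lines):
    """Sources that tried the root account at all."""
    return sorted({ip for _, ip, user, _ in parse_failures(lines) if user == "root"})

def ban_candidates(lines, maxretry=3, findtime=600):
    """Sources with at least maxretry failures inside some findtime-second window
    (the fail2ban rule); a slow, spread-out source stays below it until tuned for."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in parse_failures(lines):
        by_ip[ip].append(ts)
    banned = []
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime)
               for i in range(len(times) - maxretry + 1)):
            banned.append(ip)
    return sorted(banned)
```

The one legitimate user who mistyped a password once (192.0.2.20) never reaches the threshold, while the slow source 203.0.113.9 is only caught once findtime is widened to a day, which is the tuning trade-off the replies above allude to.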


Is there any data base collecting data on breakin attempts?

2015-02-09 Thread hansel
I accept as normal many (upwards of several thousand) daily root 
break-in attempts. My defense is careful sshd configuration and a 
restrictive incoming router firewall.

Does anyone maintain a database of consistently offending sites (maybe a 
news source, such as politico or propublica)? Initial use of whois and dig 
for a few returned familiar countries of origin, countries that may 
encourage or even sponsor some attempts.

I searched the archive for "breakin" and "failed" with and without subject 
line qualifiers (like "root") and found nothing.

Thank you.
mark hansel


what port does theyum visual frontend use?

2015-02-09 Thread hansel
From the command line, "yum info " produces output, 
while the visual frontend always reports "no results were found" (annoying 
passive voice). The visual tool does provide repository listings.


It appears the reason is that yesterday (Sun 2/8) I closed a port at the 
router used by this tool. 80, 8080, and 443 (as well as 992) are open and 
I thought that was sufficient. Yum docs claim 443 and 80 are sufficient, 
at least as I read them.


This is a Motorola router integrated with a cable modem (SBG6580) -- that 
has worked mostly flawlessly for about a year.


FWIW, this change reduced root breakin attempts from thousands to 1 in 24 
hours, so it may be a reasonable trade-off.


Thank you,
Mark Hansel