[CentOS] vsftpd log issues
I have an up-to-date CentOS 6 with a reasonable amount of ftp activity (a dozen network cameras uploading images every second 24x7).

The first issue was that the whole /var filesystem was about to get full, because of a huge ftp daemon log. vsftpd.conf says:

    # You may override where the log file goes if you like. The default is shown
    # below.
    xferlog_file=/var/log/vsftpd.log

Ok, the above works now. But while the setting was (by default) commented out, the default wasn't /var/log/vsftpd.log but /var/log/xferlog, which was growing without limits (it was over 6 GB when I first noticed the problem) since logrotate tried to rotate vsftpd.log:

    -rw--- 1 root root         0 Dec 31 03:07 vsftpd.log
    -rw--- 1 root root  39134459 Dec 31 12:19 vsftpd.log.1
    -rw--- 1 root root 433305200 Dec 30 22:03 xferlog

Now, after uncommenting the log file setting line in the conf, the next issue is that logrotate does rotate the log files (the old one gets a .1 postfix added to its name and a new file is created), but it still keeps writing to the original file (which is renamed now).

In the ls -l listing above:
- vsftpd started to write log vsftpd.log around 10pm last night (when I uncommented the log setting from the conf and restarted the daemon; until then it was logging to xferlog)
- during the night logrotate has changed the name of the existing log file to ...log.1, but now, several hours later, this renamed old file is still used for logging, and the new ...log file remains empty!

Is there some simple option in logrotate's conf that could change this behaviour? Or how to fix this? There must be many others who already have run into this issue.

Regards,
Timo
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
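As an added illustration (not part of Timo's post), the following shell experiment reproduces the mechanism behind the second issue: a process that holds a log open keeps writing to the inode after the file is renamed, which is what logrotate's copytruncate option works around. It runs entirely in a temporary directory with no vsftpd involved; the logrotate stanza in the comments assumes the /var/log/vsftpd.log path from the question.

```shell
#!/bin/sh
# Demonstrates why a daemon keeps writing to a log that logrotate has renamed,
# and what 'copytruncate' changes. A Unix file descriptor refers to the inode,
# not the path name, so a rename does not move the writer; truncating the file
# in place keeps the same inode, so the writer's next line lands in the live
# log. Constructed demo: nothing here touches a real vsftpd or /var/log.

# Simulate one rotation with the given mode ("rename" or "copytruncate").
# Prints "new" if the line written after rotation landed in the live log path,
# "old" if it landed in the rotated .1 file. Returns 1 on an unknown mode.
demo_rotate() {
    mode=$1
    dir=$(mktemp -d) || return 1
    log=$dir/vsftpd.log

    # The stand-in for the daemon: open the log once, in append mode, and
    # never reopen it. This is the behaviour the question describes (the
    # renamed .1 file keeps growing while the new file stays empty).
    exec 3>>"$log"
    echo "written before rotation" >&3

    case $mode in
        rename)
            # logrotate's default: rename the file, then (with 'create') make
            # a fresh empty file at the old path. The daemon's fd still points
            # at the inode that is now called vsftpd.log.1.
            mv "$log" "$log.1"
            : > "$log"
            ;;
        copytruncate)
            # logrotate's copytruncate: copy the contents out, then truncate
            # the original in place. The inode the daemon holds is unchanged,
            # and with O_APPEND its next write goes to the new end of file.
            cp "$log" "$log.1"
            : > "$log"
            ;;
        *)
            exec 3>&-
            rm -rf "$dir"
            return 1
            ;;
    esac

    # The daemon keeps writing through the descriptor it already holds.
    echo "written after rotation" >&3
    exec 3>&-

    if grep -q "written after rotation" "$log"; then
        where=new
    else
        where=old
    fi
    rm -rf "$dir"
    echo "$where"
}

# The corresponding logrotate stanza for the question's setup (assumed path,
# taken from the xferlog_file setting shown above):
#
#   /var/log/vsftpd.log {
#       copytruncate
#       missingok
#       notifempty
#   }
#
# Caveat: lines written between the copy and the truncate are lost, and a
# daemon that did not open its log with O_APPEND would keep its old offset
# after truncation, leaving a run of NUL bytes at the start of the new file.

main() {
    echo "rename:       post-rotate line went to the $(demo_rotate rename) file"
    echo "copytruncate: post-rotate line went to the $(demo_rotate copytruncate) file"
}
main
```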
Re: [CentOS] what percent of time are there unpatched exploits against default config?
It's been an interesting if somewhat heated discussion. Figures the fun ones come up when I'm away. ;)

The discussion of using Certs (PKI) vs Passwords to secure SSH seems to be missing an important piece of the puzzle, and that to my mind is attack vectors & target value.

The argument I saw against PKI is that it's no more secure than regular passwords because your certificates are password protected anyways and stored on external media so they can be stolen and used to access the system.

Like the OP I run a web server (two in my case) and I have external SSH access for certain reasons. I've got things like fail2ban installed, various logwatch type software running to alert me to any abnormal entries. I also have cert based access to my machine.

In my case, the primary attack vector for hackers getting at my servers is via the web. Because I host primarily personal websites on my servers, the hackers' motivation for breaking into my server (aside from 'it's there') is to turn the machine into a bot-net or host some viagra phishing sites on it.

The concern, for me, is more about remote compromise than about physical theft of my usb token. A russian hacker who wants another compromised machine for his bot-net or phishing ring is probably not going to go to the effort of physically flying over here from Europe and spend the time needed to track me down, break into my office, and steal my usb token. He's more likely to move onto another target one of his script-kiddies found for him.

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Drew wrote:

> In my case, the primary attack vector for hackers getting at my
> servers is via the web. Because I host primarily personal websites on
> my servers, the hackers motivation for breaking into my server (aside
> from 'it's there') is to turn the machine into a bot-net or host some
> viagra phishing sites on it.

I'm in much the same situation, and would like to protect myself to a minimal extent. But I don't understand how a usb token (below) would help. I'm probably showing my ignorance. (The only protection I take is to run fail2ban.)

> The concern, for me, is more about remote compromise then about
> physical theft of my usb token. A russian hacker who want's another
> compromised machine for his bot-net or phishing ring is probably not
> going to go to the effort of physically flying over here from Europe
> and spend the time needed to track me down, break into my office, and
> steal my usb token. He's more likely to move onto another target one
> of his script-kiddies found for him.

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
> I think the best password policy is the one you've never told anyone and
> never posted on a public mailing list.
>
> How many of you out there know of cases where administrators' passwords were
> compromised by brute force?
> Can we take a count of that?

I know of plenty ... people contact secur...@centos.org all the time after having their machines compromised by brute force.

Here are a couple of articles for you to read:

http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

> I believe in passwords. I don't believe in PKI.
> It's a lot more likely that I will forget my laptop somewhere, or that
> someone will steal my usb key than that someone will guess my password and
> have opportunities to try it.
> PKI is convenience and if your password is 20-30 characters it will take long
> time to break it.
>
> Password crack estimator
> http://www.mandylionlabs.com/documents/BFTCalc.xls
>
> Spreadsheet is safe (take my word for it) ha,ha
>
> Scenario of botnet with 1000 PCs making attempts to crack are password ain't
> gonna happen.

You don't need a botnet of 1000 PCs ... you only need a couple of graphics cards.

> -Alex
Re: [CentOS] Checkinstall rpm for CentOS-6 x86_64?
On 30.12.2011 21:08, Karanbir Singh wrote:
> On 12/30/2011 03:34 PM, James B. Byrne wrote:
>> Does anyone have a source for an rpm of this package that
>> runs on CentOS-6_x86_64 or can recommend a replacement for
>> it?
>
> consider using fpm instead ? it kind of address's the same problem in a
> different way.

Although I'm not the OP I'm interested in that topic too. Unfortunately, due to heavy TLA overloading I couldn't make out which FPM you might be referring to. "yum search fpm" came up blank. http://www.google.com/search?q=fpm yielded "About 22,400,000 results" but nothing promising on the first three result pages. http://en.wikipedia.org/wiki/FPM wasn't helpful either. Do you have a URL perhaps?

Thanks,
Tilman
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Sat, Dec 31, 2011 at 05:43:54AM -0800, Drew wrote:
> The argument I saw against PKI is that's it's no more secure then
> regular passwords because your certificates are password protected
> anyways and stored on external media so they can be stolen and used to
> access the system.

Typical security is based around three things:
1. Something you know (eg password)
2. Something you have (eg physical token, USB key, ssh private key)
3. Something you are (eg fingerprint)

Passwords are "1 factor"; it's just a password. RSA SecurID tokens are "2 factor"; you need the number on the token and the PIN. The more factors you have, typically the stronger the protection. (Assuming proper implementation, of course!)

In the same way, public key authentication is 2 factor (in the SSH implementation, anyway) because you need the private key and the passphrase to the key. (Historically, passphrases were longer than 8 character passwords, but that's not so true on many systems today.)

Why is this more secure? Because a gazillion people can brute force attack a box protected by passwords, however only people who have physical access to the token (#2) can attack my box. By stealing the token they've reduced my protection to single factor. BUT, and this is an important but, they _have to steal it first_.

SSH keys are weaker than RSA tokens because an SSH key can be duplicated without the owner's knowledge; if you steal my RSA key then I'll know! But you still need to duplicate it, and that makes it stronger than password auth.

--
rgds
Stephen
Re: [CentOS] what percent of time are there unpatched exploits against default config?
> I'm in much the same situation,
> and would like to protect myself to a minimal extent.
> But I don't understand how a usb token (below) would help.

The 'token' in this case (a standard usb thumbdrive) is merely a portable container for my ssh certificates and a copy of putty (when I'm on a windows box). You don't need it if you never move around. What matters is the use of the certificate. Token may have been the incorrect word as RSA's keyfobs are sometimes called tokens.

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Hello Johnny,

On Sat, 2011-12-31 at 08:13 -0600, Johnny Hughes wrote:
> Here are a couple of articles for you to read:
>
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

> You don't need a botnet of 1000 PCs ... you only need a couple of
> graphics cards.

Please enlighten me how this has any bearing on remotely brute forcing an SSH login? The number of passwords tried is limited by the daemon, not the amount of processing power the attacker has available. The examples you provide require the attacker to have access to the hash table, f.e. /etc/shadow, which supposedly is not the case if they haven't been able to login to your system yet.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] Checkinstall rpm for CentOS-6 x86_64?
On 12/31/2011 03:24 PM, Tilman Schmidt wrote:
> On 30.12.2011 21:08, Karanbir Singh wrote:
>> On 12/30/2011 03:34 PM, James B. Byrne wrote:
>>> Does anyone have a source for an rpm of this package that
>>> runs on CentOS-6_x86_64 or can recommend a replacement for
>>> it?
>>
>> consider using fpm instead ? it kind of address's the same problem in a
>> different way.
>
> Although I'm not the OP I'm interested in that topic too.
> Unfortunately, due to heavy TLA overloading I couldn't make out
> which FPM you might be referring to. "yum search fpm" came up blank.
> http://www.google.com/search?q=fpm yielded "About 22,400,000 results"
> but nothing promising on the first three result pages.
> http://en.wikipedia.org/wiki/FPM wasn't helpful either.
> Do you have an URL perhaps?

https://github.com/jordansissel/fpm/wiki

I used >>linux "fpm" checkinstall<< for a google search. You have to filter your search results with a few more related words.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/31/2011 03:13 PM, Johnny Hughes wrote:
> On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
>> I think the best password policy is the one you've never told anyone and
>> never posted on a public mailing list.
>>
>> How many of you out there know of cases where administrators' passwords were
>> compromised by brute force?
>> Can we take a count of that?
>
> I know of plenty ... people contact secur...@centos.org all the time
> after having their machines compromised by brute force.
>
> Here are a couple of articles for you to read:
>
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/
>
>> I believe in passwords. I don't believe in PKI.
>> It's a lot more likely that I will forget my laptop somewhere, or that
>> someone will steal my usb key than that someone will guess my password and
>> have opportunities to try it.
>> PKI is convenience and if your password is 20-30 characters it will take
>> long time to break it.
>>
>> Password crack estimator
>> http://www.mandylionlabs.com/documents/BFTCalc.xls
>>
>> Spreadsheet is safe (take my word for it) ha,ha
>>
>> Scenario of botnet with 1000 PCs making attempts to crack are password ain't
>> gonna happen.
>
> You don't need a botnet of 1000 PCs ... you only need a couple of
> graphics cards.

Can you please explain how this is possible by attacking linux via ssh brute force. I fail to see it. If attacks are throttled via ssh config and fail2ban/denyhosts, how does their GPU power come into the equation?

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Hello Johnny,

On Sat, 2011-12-31 at 08:13 -0600, Johnny Hughes wrote:
> http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System
>
> http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

These articles fail to clarify even the most basic of assumptions they make. I can only guess the numbers relate to the cracking of MD5 hashes (salted or unsalted?) and access to the /etc/shadow file.

On CentOS-6 password hashes are no longer stored as MD5, but as SHA-512 hashes. Apparently the SHA hashing algorithms as used by Red Hat have a configurable iterator count much like bcrypt ( http://en.wikipedia.org/wiki/Crypt_%28Unix%29 "SHA2-based scheme").

Also, the only way for an attacker to have access to /etc/shadow is to already have root access to your system in which case you are already faqed.

Imo the weakness of MD5 hashes is more of a concern for web applications where an attacker might gain access to (part of) your database via f.e. SQL injection. This is why a proper web application will use a bcrypt hash to store passwords. As the amount of iterations bcrypt uses is configurable the algorithm can scale with increasing processing power.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Sat, Dec 31, 2011 at 8:13 AM, Johnny Hughes wrote:
>> Scenario of botnet with 1000 PCs making attempts to crack are password ain't
>> gonna happen.
>
> You don't need a botnet of 1000 PCs ... you only need a couple of
> graphics cards.

If you have a stolen passphrase-protected ssh private key, is it possible to brute-force the passphrase directly, or can success only be determined by checking against a copy of the public key?

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Thanks Johnny,

Yes if you have console access to the server and can plug in the GPU and/or have access to the password file.

Ok let me rephrase myself.
How many people have had their passwords cracked on Internet servers by means available to them?
In other words gained root access by way of a TCP service.

These articles are based on theoretical math and scenarios that are not common.
They are saying one billion passwords per second.
How many servers can handle a million requests per second without DOS? I'd like to have one :)

But the reality is that most passwords are taken through flaws in the software run as root or by weak passwords and obvious user names.
Everything else is more or less social engineering in my opinion and shouldn't focus on passwords. In that case no authentication mechanism will be enough, we are just fooling ourselves.

If someone can gain physical access to your server you've got other problems, not password problems. It's not the fault of the developer/password mechanism.

One weakness in Unix is that root account. Everyone knows it's there and everyone's trying it. When will it be possible to set your own admin username? That'd be nice. In Windows you can rename Administrator, which helps.

Internet is still an infant. Hopefully sometime soon, perimeter routers will be like border checkpoints.
I like you, you get in.
I don't like you, you stay out.
IP address allocation needs to be done smarter so that geographical regions can be isolated easier. And at some point it probably will be.

Internet has facilitated the biggest financial/intellectual losses during such a short time of its existence. I believe that needs to change.

Good discussion

--Alex

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Johnny Hughes
Sent: Saturday, December 31, 2011 6:14 AM
To: centos@centos.org
Subject: Re: [CentOS] what percent of time are there unpatched exploits against default config?

On 12/30/2011 11:02 PM, Alex Milojkovic wrote:
> I think the best password policy is the one you've never told anyone and
> never posted on a public mailing list.
>
> How many of you out there know of cases where administrators' passwords were
> compromised by brute force?
> Can we take a count of that?

I know of plenty ... people contact secur...@centos.org all the time after having their machines compromised by brute force.

Here are a couple of articles for you to read:

http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System

http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/

> I believe in passwords. I don't believe in PKI.
> It's a lot more likely that I will forget my laptop somewhere, or that
> someone will steal my usb key than that someone will guess my password and
> have opportunities to try it.
> PKI is convenience and if your password is 20-30 characters it will take long
> time to break it.
>
> Password crack estimator
> http://www.mandylionlabs.com/documents/BFTCalc.xls
>
> Spreadsheet is safe (take my word for it) ha,ha
>
> Scenario of botnet with 1000 PCs making attempts to crack are password ain't
> gonna happen.

You don't need a botnet of 1000 PCs ... you only need a couple of graphics cards.

> -Alex
Re: [CentOS] Checkinstall rpm for CentOS-6 x86_64?
This is all I found so far.

http://www.ducea.com/2011/08/31/build-your-own-packages-easily-with-fpm/

There is also a link to the main site in there as well. Not a lot on it.

D

On Saturday, December 31, 2011, Ljubomir Ljubojevic wrote:
> On 12/31/2011 03:24 PM, Tilman Schmidt wrote:
>> On 30.12.2011 21:08, Karanbir Singh wrote:
>>> On 12/30/2011 03:34 PM, James B. Byrne wrote:
>>>> Does anyone have a source for an rpm of this package that
>>>> runs on CentOS-6_x86_64 or can recommend a replacement for
>>>> it?
>>>
>>> consider using fpm instead ? it kind of address's the same problem in a
>>> different way.
>>
>> Although I'm not the OP I'm interested in that topic too.
>> Unfortunately, due to heavy TLA overloading I couldn't make out
>> which FPM you might be referring to. "yum search fpm" came up blank.
>> http://www.google.com/search?q=fpm yielded "About 22,400,000 results"
>> but nothing promising on the first three result pages.
>> http://en.wikipedia.org/wiki/FPM wasn't helpful either.
>> Do you have an URL perhaps?
>
> https://github.com/jordansissel/fpm/wiki
>
> I used >>linux "fpm" checkinstall<< for a google search. You have to
> filter your search results with few more related words.
>
> --
> Ljubomir Ljubojevic
> (Love is in the Air)
> PL Computers
> Serbia, Europe
>
> Google is the Mother, Google is the Father, and traceroute is your
> trusty Spiderman...
> StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] what percent of time are there unpatched exploits against default config?
The good thing about PKI is that it takes longer to break.
The bad thing about PKI is many admins keep many private keys in the same spot.
So you figure out one password, many doors are open.

--Alex

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Stephen Harris
Sent: Saturday, December 31, 2011 6:41 AM
To: CentOS mailing list
Subject: Re: [CentOS] what percent of time are there unpatched exploits against default config?

On Sat, Dec 31, 2011 at 05:43:54AM -0800, Drew wrote:
> The argument I saw against PKI is that's it's no more secure then
> regular passwords because your certificates are password protected
> anyways and stored on external media so they can be stolen and used to
> access the system.

Typical security is based around three things:
1. Something you know (eg password)
2. Something you have (eg physical token, USB key, ssh private key)
3. Something you are (eg fingerprint)

Passwords are "1 factor"; it's just a password. RSA SecurID tokens are "2 factor"; you need the number on the token and the PIN. The more factors you have, typically the stronger the protection. (Assuming proper implementation, of course!)

In the same way, public key authentication is 2 factor (in the SSH implementation, anyway) because you need the private key and the passphrase to the key. (historically, passphrases were longer than 8 character passwords but that's not so true on many systems, today)

Why is this more secure? Because a gazillion people can brute force attack a box protected by passwords, however only people who have physical access to the token (#2) can attack my box. By stealing the token they've reduced my protection to single factor. BUT, and this is an important but, they _have to steal it first_.

SSH keys are weaker than RSA tokens because an SSH key can be duplicated without the owners knowledge; if you steal my RSA key then I'll know! But you still need to duplicate it, and that makes it stronger than password auth.

--
rgds
Stephen
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Sat, Dec 31, 2011 at 1:50 PM, Alex Milojkovic wrote:
>
> Ok let me rephrase myself.
> How many people have had their passwords cracked on Internet servers by means
> available to them?
> In other words gained root access by way of a TCP service.

Someone cracked my gmail password and sent what seemed like an oddly small amount of spam from it.

> These articles are based on theoretical math and scenarios that are not
> common.
> They are saying one billion passwords per second
> How many servers can handle a million requests per second without DOS, I'd
> like to have one :)

If you have a server with port 22 open to the internet you can get an idea of what is going on by looking at your logs. Unless you are a high-profile site you probably won't see millions of attempts, but you will see dozens or hundreds a day, coming from many different sources. They seem to be at least loosely coordinated and are probably spreading the attempts widely. If your machine happens to be the one where they get a match from the random probabilities, it likely gets added into the set doing more attempts.

> Everything else is more or less social engineering in my opinion and
> shouldn't focus on passwords. In that case no authentication mechanism will
> be enough, we are just fooling ourselves.

Targeted cracking may involve social engineering, but I'd bet that much, much more of the random hacking involves software vulnerabilities, both before and after they are published. Again, if you look at the logs of what hits port 80 you'll see the probes for things that might permit arbitrary code execution. Unless one of those succeeds, you won't see the followup - but if it does, the attacker will then attempt to execute local 'root escalation' vulnerabilities like the one fixed not too long ago in glibc that let anyone who could create a symlink become root.

> Hopefully sometime soon, perimeter routers will be like border checkpoints.
> I like you, you get in.
> I don't like you, you stay out.

That doesn't work for web services open to the public. You need firewalls that can work at wire speed filtering the inbound URLs for known attack patterns, plus of course, updating the software as quickly as possible to fix the vulnerabilities.

--
Les Mikesell
lesmikes...@gmail.com
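Les suggests looking at the sshd log to see the brute-force traffic; as an added example (not from any poster), here is the log triage that fail2ban and denyhosts automate, written as shell functions over a constructed sample of /var/log/secure lines in CentOS 6 sshd format. The host name, addresses and PIDs are invented; the threshold is a parameter, not a claim about either tool's default.

```shell
#!/bin/sh
# Count failed sshd password attempts per source address and flag the sources
# that reach a threshold. This is the core of what fail2ban/denyhosts do before
# they add a firewall or hosts.deny entry. The sample below is constructed to
# match the CentOS 6 sshd format written to /var/log/secure; it is not a capture.

SAMPLE_SECURE='Dec 31 02:11:04 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec 31 02:11:07 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec 31 02:11:09 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51040 ssh2
Dec 31 02:11:12 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51040 ssh2
Dec 31 02:15:30 web1 sshd[2250]: Failed password for invalid user oracle from 203.0.113.9 port 40122 ssh2
Dec 31 02:15:33 web1 sshd[2250]: Failed password for invalid user oracle from 203.0.113.9 port 40122 ssh2
Dec 31 02:20:01 web1 sshd[2301]: Accepted publickey for timo from 192.0.2.10 port 55014 ssh2
Dec 31 02:20:01 web1 sshd[2301]: pam_unix(sshd:session): session opened for user timo by (uid=0)'

# Read log lines on stdin; print "<count> <ip>" per source, highest count first.
# Only sshd "Failed password" lines are counted; the address is the token after
# "from", which also works for the "invalid user" variant of the message.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Read log lines on stdin; print only the sources with at least $1 failures,
# one address per line, highest count first (the role of fail2ban's maxretry).
flag_sources() {
    threshold=$1
    count_failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

main() {
    echo "failures per source:"
    printf '%s\n' "$SAMPLE_SECURE" | count_failed_logins
    echo "sources at or above 3 failures:"
    printf '%s\n' "$SAMPLE_SECURE" | flag_sources 3
}
main
```

Against a real file this is `count_failed_logins < /var/log/secure`; the counts are not bounded by time, so on a long-lived log pair the threshold with a window (as fail2ban's findtime does) before acting on it.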
Re: [CentOS] what percent of time are there unpatched exploits against default config?
> IP address allocation needs to be done smarter so that geographical regions
> can be isolated easier. And at some point it probably will be.

There already is that capability to some extent. Between geoip and the RIR's, one can get a pretty good handle on which /8 or /16 blocks need to be blocked at your firewall. In fact the linux based routers we use have a specific "Country Blocking" feature which I use to block large swathes of the Net from our systems.

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
Re: [CentOS] what percent of time are there unpatched exploits against default config?
>> IP address allocation needs to be done smarter so that geographical
>> regions can be isolated easier. And at some point it probably will
>> be.
>
> There already is that capability to some extent. Between geoip and
> the RIR's, one can get a pretty good handle on which /8 or /16 blocks
> need to be blocked at your firewall. In fact the linux based router's
> we use have a specific "Country Blocking" feature which I use to
> block large swathes of the Net from our systems.

We've been thinking of using the MaxMind GeoIP Country database with Apache mod_geoip API to limit certain countries visiting our websites.

Has anyone used this or have any input on its usefulness?
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Sat, 2011-12-31 at 15:17 -0700, Ken godee wrote:
> >> IP address allocation needs to be done smarter so that geographical
> >> regions can be isolated easier. And at some point it probably will
> >> be.
> >
> > There already is that capability to some extent. Between geoip and
> > the RIR's, one can get a pretty good handle on which /8 or /16 blocks
> > need to be blocked at your firewall. In fact the linux based router's
> > we use have a specific "Country Blocking" feature which I use to
> > block large swathes of the Net from our systems.
>
> We've been thinking of using the MaxMind GeoIP Country database with
> Apache mod_geoip API to limit certain countries visiting our websites.
>
> Has anyone used this or have any input on it's usefulness?

totally works (maxmind/geoip - at least it did for me with a rubyonrails app)

I wouldn't know how to use it for http blocking but it's probably possible but it would seem to be far more effective at a firewall level.

Craig
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/31/11 2:17 PM, Ken godee wrote:
> We've been thinking of using the MaxMind GeoIP Country database with
> Apache mod_geoip API to limit certain countries visiting our websites.
>
> Has anyone used this or have any input on it's usefulness?

the virus/worm folks will just move to open relays that are not blocked. I have something like 1/2 the total IP space blocked on this one forum I host that seems to attract a very large number of bogus signups, and it hasn't abated the 50-100/day of fake registrations yet. there's now 1700 subnets and another 1000 specific IPs blocked. I can tell they are robotic assisted fake registrations because the 'Bio' field ('about you, why you want to join this forum') is always filled with one of 4 specific entries ("LO qUe eS bRaKbEaT", "Me gusta la guasa", "Loading...", or less often, "Robot"). initially, the vast majority of these fake registrations came from china, russia. now they are coming from everywhere since I have almost all of china and russia blocked.

--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
Re: [CentOS] what percent of time are there unpatched exploits against default config?
> On 12/31/11 2:17 PM, Ken godee wrote:
>> We've been thinking of using the MaxMind GeoIP Country database with
>> Apache mod_geoip API to limit certain countries visiting our websites.
>>
>> Has anyone used this or have any input on it's usefulness?
>
> the virus/worm folks will just move to open relays that are not
> blocked. I have something like 1/2 the total IP space blocked on this
> one forum I host that seems to attract a very large number of bogus
> signups, and it hasn't abated the 50-100/day of fake registrations yet.
> there's now 1700 subnets and another 1000 specific IPs blocked. I can
> tell they are robotic assisted fake registrations because the 'Bio'
> field ('about you, why you want to join this forum') is always filled
> with one of 4 specific entries ("LO qUe eS bRaKbEaT", "Me gusta la
> guasa", "Loading...", or less often, "Robot"). initially, the vast
> majority of these fake registrations came from china, russia. now they
> are coming from everywhere since I have almost all of china and russia
> blocked.

Grrr... didn't think of that. A quick google shows plenty of free or low cost US proxy servers. That would be the first thing I would do.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Les Mikesell wrote:
> Someone cracked my gmail password and sent what seemed like an oddly
> small amount of spam from it.

gmail and hotmail must be very easy to crack, or is there some check apart from the password?

> That doesn't work for web services open to the public. You need
> firewalls that can work at wire speed filtering the inbound URLs for
> known attack patterns, plus of course, updating the software as
> quickly as possible to fix the vulnerabilities.

Yes, I'm more worried about attacks through port 80. Can anyone point me to documentation on protecting a web-server?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Sun, Jan 1, 2012 at 11:45 AM, Timothy Murphy wrote:
> Les Mikesell wrote:
>
>> Someone cracked my gmail password and sent what seemed like an oddly
>> small amount of spam from it.
>
> gmail and hotmail must be very easy to crack,
> or is there some check apart from the password?
>
>> That doesn't work for web services open to the public. You need
>> firewalls that can work at wire speed filtering the inbound URLs for
>> known attack patterns, plus of course, updating the software as
>> quickly as possible to fix the vulnerabilities.
>
> Yes, I'm more worried about attacks through port 80.
> Can anyone point me to documentation on protecting a web-server?
>

A server serving just static pages on port 80 would be pretty much safe. A server that provides dynamic pages (eg script-generated with a database backend) can never be completely safe.

A book like this is probably what you are looking for: http://www.wilyhacker.com/

Cheers,
Cliff
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Yes, but this is left to every server admin to do. Then if some don't do it and get hacked it pretty much defeats the rest if their "home" based servers are used as bots.

What I'm talking about is a national policy using perimeter routers and better netblock allocation. The reason netblocks should be better organized is that if you have many rules in your router it takes time to process the rules. If you have 10,000 lines of rules in our firewall it takes some time to go through them. It's easy enough to copy a bunch of CIDR addresses and add them, but I just see it as unnecessary overhead for your router. If you choke the whole thing at the source, there is no way for anyone sitting in "that" place to access anything under your watch.

It's like international relations. You like me, I like you, you have an embassy in my town, I have an embassy in your town. You peeve me off, I close my embassy and close my Internet pipe too. They should add Internet pipe to the table. I'm oversimplifying, but that's the idea.

Internet was such a great thing and everyone was enamored with it so quickly because it opened so many possibilities that no one thought about the doors we didn't want to open. I think some of these changes are coming.

--Alex

Happy New Year Y'all !

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Drew
Sent: Saturday, December 31, 2011 2:07 PM
To: CentOS mailing list
Subject: Re: [CentOS] what percent of time are there unpatched exploits against default config?

> IP address allocation needs to be done smarter so that geographical regions can be isolated easier. And at some point it probably will be.

There already is that capability to some extent. Between geoip and the RIRs, one can get a pretty good handle on which /8 or /16 blocks need to be blocked at your firewall.

In fact the linux based routers we use have a specific "Country Blocking" feature which I use to block large swathes of the Net from our systems.

--
Drew
"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
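On the cost of "10,000 lines of rules" that Alex raises: on a Linux router the usual answer is not a linear iptables chain at all but an ipset, which one `-m set` rule matches with a hash lookup, and collapsing adjacent or overlapping CIDRs first shrinks the set further. The following is an added Python example that generates such a set from a block list; it is not code from the thread or from any router product, the set names `geoblock`/`geoblock6` are assumptions, and the entries are constructed from documentation ranges.

```python
"""Build an ipset from a long list of CIDR blocks and single IPs so that a
single iptables rule matches all of them with one hashed lookup, instead of
one rule per entry in a linear chain.

Added example, not code from the original thread. The set names 'geoblock'
and 'geoblock6' and the sample entries are assumptions for illustration.
"""
import ipaddress

# One rule per address family is all the firewall chain needs afterwards.
IPTABLES_RULES = (
    "iptables -I INPUT -m set --match-set geoblock src -j DROP",
    "ip6tables -I INPUT -m set --match-set geoblock6 src -j DROP",
)


def parse_entries(lines):
    """Accept CIDRs and bare addresses; skip blank lines and '#' comments."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks, one family at a time
    (collapse_addresses refuses mixed IPv4/IPv6 input)."""
    out = []
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(fam))
    return out


def ipset_restore(nets, name="geoblock"):
    """Render input for 'ipset -exist restore': one hash:net set per
    address family, then one 'add' line per collapsed member."""
    lines = []
    for version, family, setname in ((4, "inet", name), (6, "inet6", name + "6")):
        members = [n for n in nets if n.version == version]
        if not members:
            continue
        lines.append(f"create {setname} hash:net family {family}")
        lines.extend(f"add {setname} {n.with_prefixlen}" for n in members)
    return "\n".join(lines) + "\n"


def rule_counts(lines):
    """(rules a linear chain would need, set members after collapsing)."""
    raw = parse_entries(lines)
    return len(raw), len(collapse(raw))


# Constructed sample using RFC 5737 / RFC 3849 documentation ranges only.
SAMPLE_ENTRIES = [
    "# two halves of one /24",
    "203.0.113.0/25",
    "203.0.113.128/25",
    "198.51.100.0/24",
    "198.51.100.200      # already inside the /24 above",
    "192.0.2.77",
    "2001:db8::/32",
]

if __name__ == "__main__":
    before, after = rule_counts(SAMPLE_ENTRIES)
    print(f"# {before} entries -> {after} set members")
    print(ipset_restore(collapse(parse_entries(SAMPLE_ENTRIES))), end="")
    for rule in IPTABLES_RULES:
        print("#", rule)
```

Feed the generated text to `ipset -exist restore` (the `-exist` flag keeps a rerun from failing on a set or member that is already present; flush the set first if you want removed entries to disappear), then install the two `-m set` rules once. Lookup time in a `hash:net` set does not grow with the member count the way a chain of thousands of `-s` rules does, so the per-packet overhead Alex worries about stops scaling with the size of the list.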
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/31/11 5:06 PM, Alex Milojkovic wrote:
> I think some of these changes are coming.

careful what you wish for, it may come true...

...those changes ARE coming, but they are coming at the request of the movie and music industries who are trying to legislate the ability to demand domain names be blocked based on accusations. IANAL, but as I read the proposed legislation, running your own DNS server that attempts to circumvent these blocks is being elevated to a felony.

may I add... this thread has drifted *WAY* off scope for this list, and belongs elsewhere. NOTHING here is specific to CentOS.

--
john r pierce                            N 37, W 122
santa cruz ca                             mid-left coast
[CentOS] sa-update error with perl
Hi,

Running CentOS5 with SpamAssassin v3.3.1-2.el5 installed via yum.

I remember getting this error a while ago, and it was fixed, but now it's happening again:

Subroutine Net::DNS::Resolver::Base::AF_INET6 redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
 at /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/Net/DNS/Resolver/Base.pm line 65

The results I get from Google regarding this are all circa 2008. The only hints I can find seem to suggest to remove perl-IO-Socket-INET6, but trying to do so using yum (I don't want to start using another method of package management) tells me that spamassassin is a dependency and will also be removed - obviously undesirable.

Perl is up to date on the machine.

Am I the only one seeing this? What can I do to fix it?