Re: [CentOS] ASP running on a Linux Machine
On 01/03/12 11:30 PM, Jonathan Vomacka wrote:
> I currently have a website that was written in ASP back in 1999. ..

even if you can get most of your site working under an ASP emulation, and you can convert your data from MS SQL Server to mySQL, you'll need to rework the SQL code in the VBasic source of the ASP pages as well as fix other system dependencies.

If that site has been live 12 years, it sounds like you got your money's worth. I would reimplement a new site using your choice of open source web application technologies, whether it's java & struts, or php & drupal or python & django, ruby + rails, whatever. Import the existing databases into the new schema in postgresql or mysql or whatever. Much better than hacking and repairing old vbasic code running on the wrong environment.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] ASP running on a Linux Machine
On 01/04/2012 03:11 PM, John R Pierce wrote:
> On 01/03/12 11:30 PM, Jonathan Vomacka wrote:
>> I currently have a website that was written in ASP back in 1999. ..
> even if you can get most of your site working under an ASP emulation, and
> you can convert your data from MS SQL Server to mySQL, you'll need to
> rework the SQL code in the VBasic source of the ASP pages as well as fix
> other system dependencies.
>
> If that site has been live 12 years, it sounds like you got your money's
> worth. I would reimplement a new site using your choice of open source
> web application technologies, whether it's java & struts, or php & drupal
> or python & django, ruby + rails, whatever. Import the existing
> databases into the new schema in postgresql or mysql or whatever. Much
> better than hacking and repairing old vbasic code running on the wrong
> environment.
>
+1
Re: [CentOS] ASP running on a Linux Machine
Hello,

an alternative solution: convert the whole Win 2k3 system to a virtual machine, e.g. VMware.

Kind regards
Helmut Drodofsky

Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart
Geschäftsführung Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: i...@internet-xs.de
www.internet-xs.de

On 04.01.2012 08:30, Jonathan Vomacka wrote:
> Good morning all,
>
> I currently have a website that was written in ASP back in 1999. The
> system is currently running Windows 2003 Server with MsSQL. Before
> everyone flames me for being in the wrong place, I was wondering if
> there is a way to allow centos to run old ASP code? I know years ago
> this wasn't possible without a program like ChiliASP, but now I heard
> rumor that apache might have a plugin to allow it to read ASP. I am
> unsure if there is an apache solution, or other solution like
> nginx/lighttpd that runs ASP. Any information you guys could provide
> would be great. I do appreciate your help in advance
>
> PS. I will need to convert the mssql data to mysql, is there any good
> program that will convert this? I understand that this question is
> probably inappropriate for this e-mail thread but maybe someone could
> shoot me a quick suggestion.
Re: [CentOS] vsftpd log issues
On 03/01/2012 04:14, Nataraj wrote:
>>
>> Ok, the above works now. But while the setting was (by default) commented
>> out, the default wasn't /var/log/vsftpd.log but /var/log/xferlog which
>> was growing without limits (it was over 6 GB when I first time noticed the
>> problem) since logrotate tried to rotate vsftpd.log
>>
>> -rw--- 1 root root 0 Dec 31 03:07 vsftpd.log
>> -rw--- 1 root root 39134459 Dec 31 12:19 vsftpd.log.1
>> -rw--- 1 root root 433305200 Dec 30 22:03 xferlog

Nataraj replied to this.

>> Now, after uncommenting the log file setting line in the conf the next issue
>> is, that logrotate does rotate the log files (the old one gets .1 postfix
>> added to its name and a new file is created), but it still keeps writing to
>> the original file (which is renamed now)

As noted in /etc/logrotate.d/vsftpd.log, ftpd doesn't handle SIGHUP properly, so the daemon keeps writing to the original file.

>> In the ls -l listing above:
>> - vsftpd started to write log vsftpd.log around 10pm last night (when I
>> uncommented the log setting from the conf and restarted the daemon, until
>> that it was logging to xferlog)
>> - during the night logrotate has changed the name of the existing log file
>> to ...log.1 but now, several hours later, this renamed old file is still
>> used for logging, and the new ...log file remains empty!
>>
>> Is there some simple option in logrotate's conf that could change this
>> behaviour? Or how to fix this. There must be many others who already have
>> run into this issue.

Try scheduling a service stop/start instead of the SIGHUP the logrotate daemon does.

>> Regards,
>> Timo
>>
> Check out the man page for vsftpd.conf. vsftpd supports 2 log file
> formats. The xferlog_file parameter is for the wu-ftpd style log and
> the vsftpd_log_file is the native format log file. The description of
> xferlog_file is:
>
>        xferlog_file
>               This option is the name of the file to which we write the wu-
>               ftpd style transfer log. The transfer log is only written if the
>               option xferlog_enable is set, along with xferlog_std_format.
>               Alternatively, it is written if you have set the option
>               dual_log_enable.
>
> So if you enable the wu-ftpd style logging then it goes to xferlog_file.
>
> Nataraj

Regards,
Lorenzo
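The behaviour Timo and Lorenzo describe, reproduced as an added example that is not from the thread: a process holding a log file descriptor open keeps writing to the old inode after a rename-style rotation (logrotate's default), while truncating the file in place (logrotate's copytruncate) keeps later writes in the live file. The open fd here stands in for vsftpd's log handle, and the paths are a constructed temporary directory.

```shell
#!/bin/sh
# Added example: why a daemon that ignores SIGHUP keeps logging to the
# rotated file, and why copytruncate-style rotation avoids that.
# fd 3 below stands in for vsftpd's never-reopened log handle (constructed demo).
set -eu

# demo_rotate rename|copytruncate
# Prints the number of lines that end up in the *live* log path after
# rotation. With "rename" the open fd still points at the old inode, so
# the fresh file stays empty (0). With "copytruncate" the same inode is
# truncated in place and later appends land in the live file (1).
demo_rotate() {
    mode=${1:-}
    dir=$(mktemp -d)
    log="$dir/vsftpd.log"

    exec 3>>"$log"                 # open once with O_APPEND, keep it open
    echo "transfer before rotation" >&3

    case "$mode" in
        rename)
            mv "$log" "$log.1"     # old inode keeps fd 3; new empty file created
            : > "$log"
            ;;
        copytruncate)
            cp "$log" "$log.1"     # copy out, then truncate the same inode
            : > "$log"
            ;;
        *)
            echo "usage: demo_rotate rename|copytruncate" >&2
            exec 3>&-
            rm -rf "$dir"
            return 2
            ;;
    esac

    echo "transfer after rotation" >&3   # the daemon never reopened the log
    exec 3>&-

    n=$(wc -l < "$log" | tr -d ' ')
    rm -rf "$dir"
    echo "$n"
}

# Stand-alone run: show both behaviours side by side.
echo "rename:       $(demo_rotate rename) line(s) in live log"
echo "copytruncate: $(demo_rotate copytruncate) line(s) in live log"
```

For logrotate the equivalent is adding `copytruncate` to the /var/log/vsftpd.log stanza, or a postrotate script that restarts vsftpd as Lorenzo suggests; copytruncate can lose records written between the copy and the truncate, so the restart is the safer choice where every transfer record matters.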
[CentOS] Since 6.2 USB-devices will not be recognized automatically
Hi Folks,

since the update from 6.1 x86_64 to 6.2 x86_64 my external USB-HDs are no longer recognized automatically. I mean that popup where I can mount/umount the devices. /var/log/messages says

Jan 4 10:37:28 server1 kernel: usb 1-7.3: new high speed USB device using ehci_hcd and address 15
Jan 4 10:37:29 server1 kernel: usb 1-7.3: New USB device found, idVendor=0bc2, idProduct=2300
Jan 4 10:37:29 server1 kernel: usb 1-7.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 4 10:37:29 server1 kernel: usb 1-7.3: Product: Portable
Jan 4 10:37:29 server1 kernel: usb 1-7.3: Manufacturer: Seagate
Jan 4 10:37:29 server1 kernel: usb 1-7.3: SerialNumber: 2GH5KBG2
Jan 4 10:37:29 server1 kernel: usb 1-7.3: configuration #1 chosen from 1 choice
Jan 4 10:37:29 server1 kernel: scsi15 : SCSI emulation for USB Mass Storage devices

What goes wrong here?

Thx
Timothy
[CentOS] CentOS 6 and screenshot of website
Hi,

How is one supposed to do screenshots of a website with CentOS 6?

The usual and normal ways I know of doing it are:
http://www.coderholic.com/pywebshot-generate-website-thumbnails-using-python/
https://github.com/AdamN/python-webkit2png/

But then for some reason RedHat doesn't support them:

gnome-python2-extras:
* Thu Jul 15 2010 Christopher Aillon - 2.25.3-20
- Drop the -gtkmozembed subpackage

PyQt4:
* Tue Jun 01 2010 Than Ngo - 4.6.2-8
- Resolves: bz#597271, drop WebKit support in Qt

Why-o-why? Any good ideas of doing it differently?

Noticed that one can take the gnome-python2-extras source and add the following lines based on the el5 package .spec:

%package -n gnome-python2-gtkmozembed
Summary: Python bindings for interacting with gtkmozembed
Group: Development/Languages
Requires: gecko-libs >= %{gecko_version}

%description -n gnome-python2-gtkmozembed
This module contains a wrapper that allows the use of gtkmozembed via Python.

%files -n gnome-python2-gtkmozembed
%defattr(-,root,root,-)
%{python_sitearch}/gtk-2.0/gtkmozembed.so
%{_datadir}/gtk-doc/html/pygtkmozembed

And get a package which seems to work, but it still makes me wonder why they have removed the support both of those techniques work on, and which would be the way to achieve that without the need of compiling own packages.
Re: [CentOS] Centos 6.X compatible to ORACLE DB version????
2012/1/4 An Yang
> Somebody in Oracle told me, they need one year to test, I'm not sure,
> it's true or not.
>
That's about right. The testing isn't done by Oracle btw, it's done by the end vendor.

--
Kind Regards,
Christopher J. Buckley
Re: [CentOS] sa-update error with perl
>> On my Zimbra server (CentOS 5.7), sa works fine.
>> I have spamassassin-3.3.1-2.el5 and
>> perl-IO-Socket-INET6-2.51-2.fc6 installed.
> Same here. Are you running sa-update? SpamAssassin works
> fine for me, but sa-update is giving this error every time it runs.

Yes, it seems to run fine:

Updating (Sun Jan 1 00:00:01 CET 2012)...
Update available for channel updates.spamassassin.org
Update was available, and was downloaded and installed successfully
...

>> Did you disable IPV6?
> No - can you explain what you are implying?

Hum... not sure anymore why I asked... ^_^ Nevermind.

Did you install any perl libs outside of rpm/yum...?

BTW, 64bits here...

JD
[CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
I am trying to use a kickstart file to install CentOS 6.2 into a new virtual machine (the MBR sector of the harddisk is all zero), however I found that the installer cannot go through the harddisk partition. It failed after I chose "Use All Space" at the harddisk partition option.

The error message is:
http://anony.ws/i/bMcTJ.png

"You have not defined a root partition (/), which is required for installation of CentOS to continue.
You have not created a /boot/efi partition (note: I am using BIOS, not (U)EFI)
This can happen if there is not enough space on your harddrive(s) for installation."

However, if I create a blank MBR partition table before CentOS installation, then there is no problem. The same kickstart file works for CentOS 6.1 with a blank harddisk (with the url parameter changed of course).

Below is the kickstart file I used (between dash lines)

---
url --url="http://ftp.twaren.net/Linux/CentOS/6.2/os/i386/"
interactive
timezone Asia/Hong_Kong
firstboot --enable
---

Steps to reproduce:
1. create a new virtual machine with blank harddisk image (or, a real blank harddisk)
2. boot the netinstall iso
3. at boot menu, press tab and append ks= and press enter to boot
4. go through the boot options as usual until harddisk partition options
5. Choose "Use All Space" at harddisk partition options
6. error occurs
Re: [CentOS] vmware fusion display auto-size problem
Hi Monty,

> I am running vmware fusion 4.1.1 on a OSX host.

Same here.

> Centos6.2 is a guest.

Same here.

> The box is a macbook laptop running leopard.

OK, there's a difference - I have a Mac Pro running Snow Leopard. But that shouldn't make a difference.

> Before upgrading to 6.2, the display auto-resize (or auto-fill) was
> working fine. After 6.2, it has stopped working.

Works here.

> Centos is fully updated to 6.2.

Same here.

> I have tried to install the vmware drivers from the repository (via yum),
> and yum reports I have the latest. Vmware reports I have the latest
> version of app and linux tools.

My current versions are:

xorg-x11-drv-vmware.x86_64 11.0.3-1.el6
xorg-x11-drv-vmmouse.x86_64 12.7.0-1.el6
xorg-x11-drv-vmware.x86_64 11.0.3-1.el6

VMware Tools version is:

VMware-Tools-8.8.1-528969

This is the version that was downloaded by Fusion after the upgrade to 4.1.1.

> I have uninstalled and re-installed vmware tools to no avail. During
> the vmware tools install it returns a statement that it does not have
> drivers for x:

I get the statement that it does not install X drivers since there are drivers installed by the distribution, but resizing works fine, so the drivers should be up-to-date.

Detected X server version 1.10.4
Distribution provided drivers for Xorg X server are used.
Skipping X configuration because X drivers are not included.

> Anybody else come across this? Google and vmware sites either do not
> have any info, or I am asking the wrong question.
>
> This being my first foray into vmware, is it advisable not to run
> updates until needed? What is best practice in this config?

I usually install all updates provided by CentOS (the VMs I run on Fusion are mostly test systems). From time to time, there are kernel updates that are not compatible with VMware Tools, but usually a reconfiguration (with installed gcc/required libs/kernel headers) fixes that.

It's also possible to enable 'VMware automatic kernel modules', an experimental feature of VMware Tools, that should automate that process. You can enable it by re-running vmware-install.pl or running /usr/bin/vmware-config-tools.pl

HTH,

Peter.
Re: [CentOS] Centos 6.X compatible to ORACLE DB version????
On Thu, Dec 29, 2011 at 6:30 AM, mcclnx mcc wrote:
> Does anyone know CENTOS/Redhat 6.X compatible to ORACLE software (X86 and
> X86_64) version like 9.X, 10GR2, 11G and 11GR2.
>
> Any official document say that?

Apart from everything else said here, this is well worth a read ->
http://en.community.dell.com/techcenter/b/techcenter/archive/2012/01/03/dell-engineering-preview-oracle-11gr2-rac-on-rhel6.aspx

--
During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell
Re: [CentOS] vmware fusion display auto-size problem
On 1/4/12 7:03 AM, Peter Eckel wrote:
>
> My current versions are:
>
> xorg-x11-drv-vmware.x86_64 11.0.3-1.el6
> xorg-x11-drv-vmmouse.x86_64 12.7.0-1.el6
> xorg-x11-drv-vmware.x86_64 11.0.3-1.el6
>
> HTH,
>
> Peter.
>
Peter,

Which repository did you get the above drivers from? I have base and cr enabled on my box.

Thanks,
Monty
Re: [CentOS] phpmyadmin issue
From: Rajagopal Swaminathan
> I just did add ::1
> Still forbidden :-(

Just in case: did you restart apache...?

JD
Re: [CentOS] turning off udev for eth0
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Les Mikesell
> Sent: Tuesday, January 03, 2012 22:24
> To: CentOS mailing list
> Subject: Re: [CentOS] turning off udev for eth0
>
> On Tue, Jan 3, 2012 at 5:13 PM, Peter Larsen wrote:
> >
> >> Is there no way to alter udev's behaviour? Is udev even
> >> needed on a server system using virtual hardware?
> >> Altering the rules file not a big deal in itself but it
> >> adds needless busywork when setting up a new guest.
> > It's a very common problem. Another way is to have a %post script in KS
> > or after initial startup as a VM, that fixes the file based on what the
> > VM properties are.
>
> It happens in real hardware too if you move a disk to a different
> chassis, clone a drive, restore a backup to similar hardware, etc.
>
> Where is the best documentation on what triggers the rules to be
> rewritten, how the bios location works, etc.?

I gave up on tricking UDEV, it was easier to work with the system with my clones.

`system-config-network-cmd -e` yields a text file that either a firstboot script or the booting sysadmin can pull back in with `system-config-network-cmd -i -c -f file.txt` to reconfigure the system after ifdown'ing eth0.

For good measure I also blanked (and restorecon'd) resolv.conf and hosts prior to pulling in the file.

Good luck.
Re: [CentOS] vmware fusion display auto-size problem
> Which repository did you get the above drivers from? I have base and cr
> enabled on my box.

http://packages.vmware.com
Re: [CentOS] vmware fusion display auto-size problem
On 1/4/12 9:08 AM, Joseph L. Casale wrote:
>> Which repository did you get the above drivers from? I have base and cr
>> enabled on my box.
> http://packages.vmware.com

Thanks.
Re: [CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
On Wed, Jan 4, 2012 at 07:25, lee_yiu_ch...@yahoo.com wrote:
> Below is the kickstart file I used (between dash lines)
>
> ---
> url --url="http://ftp.twaren.net/Linux/CentOS/6.2/os/i386/"
> interactive
> timezone Asia/Hong_Kong
> firstboot --enable
> ---

clearpart --all --initlabel
Re: [CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
On 2012/1/4 11:21 PM, John Broome wrote:
> clearpart --all --initlabel

In fact I already tried this before sending this email, and it doesn't work. BTW, I don't need this option to install CentOS 6.1. This simply suppresses the "unknown partition table format" warning before the GUI installer starts.
[CentOS] local repositories
I need a clarification to the documentation.

My manager added a 6.2 repo; however, when I try doing pxeboot installs, it fails, asserting that it can't find the group info. Another admin I work with thinks it's not really what it's failing in, and notes that it 404's on images/updates.img and images/product.img. We *think* that's irrelevant and ok.

What is not clear to me is when we run createrepo, what directory you need to be in at the time you execute it.

mark
Re: [CentOS] vmware fusion display auto-size problem SOLVED
On 1/4/12 9:08 AM, Joseph L. Casale wrote:
>> Which repository did you get the above drivers from? I have base and cr
>> enabled on my box.
> http://packages.vmware.com

I had to do a reinstall of the xorg vmware drivers via yum. vmware tools apparently didn't install them right, for whatever reason.

Thanks to all for the help and advice.

Monty
Re: [CentOS] local repositories
On Wed, 4 Jan 2012, m.r...@5-cent.us wrote:

> I need a clarification to the documentation.
>
> My manager added a 6.2 repo; however, when I try doing pxeboot installs,
> it fails, asserting that it can't find the group info. Another admin I
> work with thinks it's not really what it's failing in, and notes that it
> 404's on images/updates.img and images/product.img. We *think* that's
> irrelevant and ok.
>
> What is not clear to me is when we run createrepo, what directory you need
> to be in at the time you execute it.

I would expect the createrepo to be done from the DVD root path, but I could be wrong on that point.

Did you include the -g option to point to the comps.xml to include the package group info?

Why are you doing a createrepo there at all? If you're adding your own packages to the base, why not have it as a separate repo?

jh
Re: [CentOS] Centos 6.X compatible to ORACLE DB version????
On 01/04/2012 04:29 AM, Christopher J. Buckley wrote:
> 2012/1/4 An Yang
>
>> Somebody in Oracle told me, they need one year to test, I'm not sure,
>> it's true or not.
>>
> That's about right. The testing isn't done by Oracle btw, it's done by the
> end vendor.
>
>
The "end vendor" submitted the information to Oracle months ago:

http://www.redhat.com/about/news/blog/Red-Hat-Submits-Oracle-11gR2-on-Red-Hat-Enterprise-Linux-6-Certification-Test-Results-to-Oracle

Oracle does not want to support ASMLib on any kernel other than OEL (or UBL if you prefer):

https://www.redhat.com/archives/rhelv6-list/2011-December/msg00032.html

The bottom line is that Oracle IS going to try to drive people to their version of Linux and off RHEL.

But I know, I am just being paranoid or some other such thing. Right Christopher?
Re: [CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
----- Original Message -----
| I am trying using a kickstart file to install CentOS 6.2 into a new
| virtual machine (the MBR sector
| of the harddisk is all zero), however I found that the installer
| cannot go through the harddisk
| partition. It failed after I chose "Use All Space" at harddisk
| partition option.
| The error message is:
| http://anony.ws/i/bMcTJ.png
|
| "You have not defined a root partition (/), which is required for
| installation of CentOS to continue.
| You have not created a/boot/efi partition (note: I am using BIOS, not
| (U)EFI)
| This can happen if there is not enough space on your harddrive(s) for
| installation."
|
| However, if I create a blank MBR partition table before before CentOS
| installation, then there is no
| problem. The same kickstart file works for CentOS 6.1 with blank
| harddisk. (with url parameter
| changed of course)
|
| Below is the kickstart file I used (between dash lines)
|
| ---
| url --url="http://ftp.twaren.net/Linux/CentOS/6.2/os/i386/"
| interactive
| timezone Asia/Hong_Kong
| firstboot --enable
| ---
|
| Steps to reproduce:
| 1. create a new virtual machine with blank harddisk image (or, a real
| blank harddisk)
| 2. boot the netinstall iso
| 3. at boot menu, press tab and append ks= and
| press enter to boot
| 4. go through the boot option as usual until harddisk partition
| options
| 5. Choose "Use All Space" at harddisk partition options
| 6. error occurs

clearpart --all --initlabel

part /boot --fstype=ext4 --size=1024
part pv.0 --grow --size=1
volgroup ROOTDISK --pesize=4096 pv.0
logvol swap --name=swap --vgname=ROOTDISK --recommended
logvol / --fstype=ext4 --name=root --vgname=ROOTDISK --size=1 --grow

Try that. Should work for you. Feel free to adjust as necessary.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier

I will do the best I can with the talent I have
Re: [CentOS] vmware fusion display auto-size problem
Hi Monty,

> Which repository did you get the above drivers from? I have base and cr
> enabled on my box.

they are from @base. I doubt that the VMware Tools installer installs them at all. Possibly without a current version of the VMware tools the CentOS installation process doesn't recognise it runs on a VMware instance, and so the drivers don't get installed. Just a wild guess, though.

Cheers,

Peter.
Re: [CentOS] Request for suggestion of a SCM package for Centos 6
On 01/03/2012 10:05 PM, Rajagopal Swaminathan wrote:
> Greetings,
>
> On Tue, Jan 3, 2012 at 7:24 PM, Karanbir Singh wrote:
>> On 01/03/2012 03:46 AM, Rajagopal Swaminathan wrote:
>>> 1. Can somebody suggest a way to select all packages while installing from
>>> DVD?
>> you cant install everything from the DVD, since packages overlap and
>> conflict with each other. a %post of yum --skip-broken install \*; might
>> be your best bet.
>>
>> --
>> Karanbir Singh
>> +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
>> ICQ: 2522219 | Yahoo IM: z00dax | Gtalk: z00dax
>> GnuPG Key : http://www.karan.org/publickey.asc
> Thanks Karan,
>
> I will try to do that today.
>
You really do not want to install all packages. You should only install the packages you need to run the things you want to run.

Installing all packages puts services on your machine, some of them listening on the default Ethernet interface. This greatly increases your security risk to the machine.

For example, you have no reason to install an FTP server if you are not going to provide an FTP service. You do not need to install samba-server if you are not going to be on a windows network, etc. There are also packages (usually named *-devel*) that are only required if you are compiling things on the machine.

If you insist on installing "ALL" then you are putting things on the machine, which may have security issues, that do absolutely nothing for you except give someone the ability to attack an unneeded service.
Re: [CentOS] local repositories
On Wed, 4 Jan 2012, m.r...@5-cent.us wrote:

> I need a clarification to the documentation.
>
> My manager added a 6.2 repo [...]

That's a bit unclear. Did he mirror an existing repository using rsync or a similar tool? Did he build a local repo for locally built packages?

createrepo would only need to be run in the latter case.

--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
Re: [CentOS] sa-update error with perl
On 01/04/2012 01:33 AM, email builder wrote:
> John, THANK YOU very much for responding --
>
>>> The only hints I can find seem to suggest to remove
>>> perl-IO-Socket-INET6, but trying to do so using yum (I don't
>>> want to start using another method of package management)
>>> tells me that spamassassin is a dependency and will also be
>>> removed - obviously undesirable.
>> If you really want to remove it, use rpm instead.
>> rpm -e --nodeps perl-IO-Socket-INET6
>> But it will annoy you at every update...
> That was my fear... I'm wondering why this crept up again,
> since all my packages are completely up to date according
> to yum.
>
yum only does what we tell it to do. It is possible that you have a package installed that is not from the CentOS repos, etc. If people add external repositories, it is very easy to get conflicts.
Re: [CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
> clearpart --all --initlabel
>
> part /boot --fstype=ext4 --size=1024
> part pv.0 --grow --size=1
> volgroup ROOTDISK --pesize=4096 pv.0
> logvol swap --name=swap --vgname=ROOTDISK --recommended
> logvol / --fstype=ext4 --name=root --vgname=ROOTDISK --size=1 --grow

Thanks for your suggestion, but I just wished to keep the kickstart file to the bare minimum. It is intended to save me the little trouble of typing the installation repository path and choosing timezones only, and do nothing else. All other options would be asked interactively, including disk partitioning. (timezone and installation repository are the only options that are absolutely the same on every machine in a local environment :) )

Since this problem doesn't occur in 6.1, is it possible that it is an installer bug in 6.2?
Re: [CentOS] problem with my wifi card on centos 6
On 01/04/2012 02:58 AM, fakessh wrote:
> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote:
>> On 01/03/2012 10:14 PM, fakessh wrote:
>>> So I think do a post on the bugtracker of elrepo to ask
>>> the creation of a new kmod-*
>>>
>>> So I tried to compile the driver provided
>>> in [1]
>>>
>>> module appears to load properly
>> When you run lspci -v, it shows something like:
>>
>> Kernel driver in use: rtl8185
>> Kernel modules: rtl8185
>>
>> ???
>
> lspci -v does not send me what I want
>
> this my output
> root@localhost swilting]# lspci -v | egrep Kernel
> Kernel driver in use: nForce2_smbus
> Kernel modules: i2c-nforce2
> Kernel driver in use: ohci_hcd
> Kernel driver in use: ehci_hcd
> Kernel driver in use: HDA Intel
> Kernel modules: snd-hda-intel
> Kernel driver in use: forcedeth
> Kernel modules: forcedeth
> Kernel driver in use: sata_nv
> Kernel modules: sata_nv
> Kernel driver in use: sata_nv
> Kernel modules: sata_nv
> Kernel driver in use: nouveau
> Kernel modules: nouveau, nvidiafb
> Kernel driver in use: k10temp
> Kernel modules: k10temp
> Kernel modules: r8185b
>
> Kernel driver in use: is missing
>
> 01:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8185
> IEEE 802.11a/b/g Wireless LAN Controller (rev 20)
> Subsystem: Realtek Semiconductor Co., Ltd. RTL-8185 IEEE 802.11a/b/g
> Wireless LAN Controller
> Flags: medium devsel, IRQ 16
> I/O ports at bc00 [size=256]
> Memory at fde0 (32-bit, non-prefetchable) [size=1K]
> Kernel modules: r8185b
>
>>
>>> Still I have failed to create the wireless interface
>>> despite my attempts with the file ifcfg-wlan0 tape provided I
>>> to try to load ifup the interface without success
>>
>> Why do you manually edit that file? Have you tried if NetworkManager
>> or "system-config-network-tui" command (package has the same name) see
>> the interface?
>
> I am completely lost and I do not know how
>
> please help me

Somebody else should step in. I never had a similar problem before. My NIC/wireless just works with stock kernel drivers.

What I can tell you is to (re)move the manually made "ifcfg-*" file and run "yum install system-config-network-tui" and then run the command "system-config-network-tui" as root. In "Device configuration" there should be an option to set up some kind of wireless NIC (the name does not have to be wlan).

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] CentOS 6 and screenshot of website
On 01/04/2012 10:46 AM, Jani Ollikainen wrote:
> Hi,
>
> How one is supposed to do screenshots of a website with CentOS 6?
>
press the PrtScr key, save, open and crop the image with gThumb (Image->Crop), then upload it.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] local repositories
John Hodrien wrote: > On Wed, 4 Jan 2012, m.r...@5-cent.us wrote: >> My manager added a 6.2 repo; however, when I try doing pxeboot installs, it fails, asserting that it can't find the group info. Another admin I work >> What is not clear to me is when we run createrepo, what directory you need to be in at the time you execute it. > > I would expect the createrepo to be done from the DVD root path, but I could be wrong on that point. > Why are you doing a createrepo there at all? If you're adding your own packages to the base, why not have it as a separate repo? You seem to have misunderstood. .../CentOS/base/6.0 .../CentOS/base/6.2 rsync'd 6.2 from mirror to the latter. Now, are you saying to cd to .../CentOS/base/6.2/ and run createrepo ? mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] local repositories
On 01/04/2012 09:52 AM, John Hodrien wrote: > On Wed, 4 Jan 2012, m.r...@5-cent.us wrote: > >> I need a clarification to the documentation. >> >> My manager added a 6.2 repo; however, when I try doing pxeboot installs, >> it fails, asserting that it can't find the group info. Another admin I >> work with thinks it's not really what it's failing in, and notes that it >> 404's on images/updates.img and images/product.img. We *think* that's >> irrelevant and ok. >> >> What is not clear to me is when we run createrepo, what directory you need >> to be in at the time you execute it. > I would expect the createrepo to be done from the DVD root path, but I could > be wrong on that point. > > Did you include the -g option to point to the comps.xml to include the package > group info? > > Why are you doing a createrepo there at all? If you're adding your own > packages to the base, why not have it as a separate repo? You do not HAVE to run createrepo unless you want to do so, and in fact I recommend that you don't. We do several things with createrepo, including providing deltarpms (the yum-presto plugin) for updates where a usually much smaller DELTA is downloaded for updates rather than the entire package. The options that we use for createrepo are: createrepo -g -d --unique-md-filenames --deltas --num-deltas=5 --update --oldpackagedirs= . Note: The -g allows for groups and is optional. Note: There are usually more than one --oldpackagedirs=, depending on where the old packages reside.
Re: [CentOS] turning off udev for eth0
On Wed, Jan 4, 2012 at 8:22 AM, Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote: >>> > It's a very common problem. Another way is to have a %post script in KS >> > or after initial startup as a VM, that fixes the file based on what the >> > VM properties are. >> >> It happens in real hardware too if you move a disk to a different >> chassis, clone a drive, restore a backup to similar hardware, etc. >> >> Where is the best documentation on what triggers the rules to be >> rewritten, how the bios location works, etc.? > > I gave up on tricking UDEV, it was easier to work with the system with my > clones. > `system-config-network-cmd -e` yields a text file that, you can have either a > firstboot script or the booting sysadm, > `system-config-network-cmd -i -c -f file.txt` will pull back in and > reconfigure the system after ifdown'ing eth0. > For good measure I also blanked (and restorecon'd) resolv.conf and hosts > prior to pulling in the file. > Thanks, but does that control the device naming order? My boxes generally have 4 to 6 NICs, with at least 2 active. Every time I touch something the system wants to change the names around. With 5.x, once the MAC addresses were known and in the ifcfg-* files the names generally were stable unless something triggered kudzu to run and replace them. With 6.x even that is not reliable. I need something that will tie the ip config to a certain physical nic and keep it there. Sometimes I know the MAC addresses ahead of time when cloning. Should I expect substituting them into this file to nail things down or is udev still involved separately? -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
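Les asks whether putting the MAC addresses into the ifcfg-* files pins the names down or whether udev is still involved separately. On EL6 both are involved: udev assigns the kernel name from the MAC via /etc/udev/rules.d/70-persistent-net.rules, and ifup-eth then refuses to configure an interface whose real MAC does not match the HWADDR= in its ifcfg file, so the two have to agree for the IP config to land on the physical NIC you meant. The following is an added example (mine, not something posted in the thread): it writes the udev rules file from a MAC-to-name list in the format EL6's write_net_rules produces, and it checks every ifcfg-* HWADDR against the udev name for that MAC, which is the consistency check to run after cloning or restoring a disk to different hardware. The rules file and network-scripts directory are parameters so it can be tried on a scratch directory; the real paths are /etc/udev/rules.d/70-persistent-net.rules and /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example, not from the thread. Pin NIC names to MAC addresses the way
# EL6 udev does, and check that ifcfg-* HWADDR entries agree with those names.

# write_net_rules RULESFILE "mac name" ...
# Writes one EL6-style persistent-net rule per "mac name" pair (MAC lower-cased,
# which is how udev reports ATTR{address}).
write_net_rules() {
    rules=$1; shift
    : > "$rules"
    for pair in "$@"; do
        mac=$(printf '%s' "${pair%% *}" | tr 'A-F' 'a-f')
        name=${pair##* }
        printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", ATTR{type}=="1", KERNEL=="eth*", NAME="%s"\n' \
            "$mac" "$name" >> "$rules"
    done
}

# check_ifcfg_against_rules RULESFILE SCRIPTSDIR
# For every ifcfg-* file that carries both DEVICE= and HWADDR=, look the MAC up
# in the rules file. Prints "MISMATCH device mac udevname" when udev would give
# that MAC a different name (ifup-eth would then refuse the ifcfg file) and
# "UNPINNED device mac" when the MAC has no rule at all (udev will pick a name
# on its own, which is what reorders interfaces after a clone).
# Returns 1 if anything was reported, 0 if every pinned device is consistent.
check_ifcfg_against_rules() {
    rules=$1; scripts=$2; bad=0
    for f in "$scripts"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        mac=$(sed -n 's/^HWADDR=//p' "$f" | tr -d '"' | tr 'A-F' 'a-f')
        [ -n "$dev" ] && [ -n "$mac" ] || continue
        udevname=$(sed -n "s/.*ATTR{address}==\"$mac\".*NAME=\"\([^\"]*\)\".*/\1/p" "$rules")
        if [ -z "$udevname" ]; then
            echo "UNPINNED $dev $mac"; bad=1
        elif [ "$udevname" != "$dev" ]; then
            echo "MISMATCH $dev $mac $udevname"; bad=1
        fi
    done
    return $bad
}
```

Typical use after cloning with known MACs: write_net_rules /etc/udev/rules.d/70-persistent-net.rules "00:11:22:33:44:55 eth0" "00:11:22:33:44:66 eth1", then check_ifcfg_against_rules against /etc/sysconfig/network-scripts before rebooting; a clean run means udev and ifup will agree on which physical port gets which address.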
Re: [CentOS] CentOS 6 and screenshot of website
From: Ljubomir Ljubojevic > On 01/04/2012 10:46 AM, Jani Ollikainen wrote: >> How one is supposed to do screenshots of a website with CentOS 6? > pres PrtScr key, save, open and crop image with gThumb (Image->Crop), > then upload it. I think maybe he wants command line tools... But if that is not the case, there is the Screengrab! Firefox addon that can screenshot a complete page, only the visible part, or just a selection... JD ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] local repositories
On 01/04/2012 10:39 AM, Johnny Hughes wrote: > On 01/04/2012 09:52 AM, John Hodrien wrote: >> On Wed, 4 Jan 2012, m.r...@5-cent.us wrote: >> >>> I need a clarification to the documentation. >>> >>> My manager added a 6.2 repo; however, when I try doing pxeboot installs, >>> it fails, asserting that it can't find the group info. Another admin I >>> work with thinks it's not really what it's failing in, and notes that it >>> 404's on images/updates.img and images/product.img. We *think* that's >>> irrelevant and ok. >>> >>> What is not clear to me is when we run createrepo, what directory you need >>> to be in at the time you execute it. >> I would expect the createrepo to be done from the DVD root path, but I could >> be wrong on that point. >> >> Did you include the -g option to point to the comps.xml to include the >> package >> group info? >> >> Why are you doing a createrepo there at all? If you're adding your own >> packages to the base, why not have it as a separate repo? > You do not HAVE to run createrepo unless you want to do so, and in fact > I recommend that you don't. > > We do several things with createrepo, including providing deltarpms > (the yum-presto plugin) for updates where a usually much smaller DELTA > is downloaded for updates rather than the entire package. > > The options that we use for createrepo are: > > createrepo -g -d --unique-md-filenames --deltas > --num-deltas=5 --update --oldpackagedirs= . > > > Note: The -g allows for groups and is optional. > Note: There are usually more than one --oldpackagedirs=, > depending on where the old packages reside. We run it from the current directory (thus the . at the end above) ... but the current directory is usually /centos So, for the 6.2 i386 os repo it would be: /centos/6.2/os/i386/ Or for the 6.2 x86_64 extras repo it would be: /centos/6.2/extras/x86_64/
Re: [CentOS] CentOS 6 and screenshot of website
On Wed, 04 Jan 2012 17:23:09 +0100 Ljubomir Ljubojevic wrote: > > How one is supposed to do screenshots of a website with CentOS 6? > > > > pres PrtScr key, save, open and crop image with gThumb (Image->Crop), > then upload it. PrtScr key alone screenshots the whole desktop. Alt-PrtScr screenshots the active window only. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] New Tutorial - RHCS + DRBD + KVM; 2-Node HA on EL6
On 01/03/2012 10:29 AM, Digimer wrote: > Hi all, > > I'm happy to announce a new tutorial! > > https://alteeve.com/w/2-Node_Red_Hat_KVM_Cluster_Tutorial Hello Digimer, Thanks for sharing this. I might try it in a couple of months as I'm not ready yet (need to grasp some concepts/technologies first). I also haven't used KVM but I have some experience with VMware (vSphere Clusters). For vSphere clusters you need a shared storage system: ideally (in preference order) you'll be using a FC SAN, iSCSI SAN or a NAS (serving NFS). I'm interested in the DRBD part here. Did you use it because you didn't have access to a shared storage system? Or is it a requirement for a particular functionality you wanted? Have you done it before with a shared system? Any considerable performance difference (DRBD vs shared-storage)? Thanks! Best regards, Jorge
Re: [CentOS] CentOS 6 and screenshot of website
On Wed, 4 Jan 2012, John Doe wrote: > From: Ljubomir Ljubojevic > >> On 01/04/2012 10:46 AM, Jani Ollikainen wrote: >>> How one is supposed to do screenshots of a website with CentOS 6? >> pres PrtScr key, save, open and crop image with gThumb (Image->Crop), >> then upload it. > > I think maybe he wants command line tools... > But if that is not the case, there is the Screengrab! Firefox addon that can > screenshot a complete page, only the visible part, or just a selection... For a command line tool, how about 'import' from imagemagick. jh ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] local repositories
Johnny Hughes wrote: > On 01/04/2012 09:52 AM, John Hodrien wrote: >> On Wed, 4 Jan 2012, m.r...@5-cent.us wrote: >> >>> I need a clarification to the documentation. >> Why are you doing a createrepo there at all? If you're adding your own >> packages to the base, why not have it as a separate repo? > You do not HAVE to run createrepo unless you want to do so, and in fact > I recommend that you don't. > > We do serveral things with createrepo, including providing deltarpms > (the yum-presto plugin) for updates where a usually much smaller DELTA > is downloaded for updates rather than the entire package. Ok, then why, after he's rsync'd from the mirror, and I try to PXEboot install, does it fail, asserting (and I just ran it, so I could get the exact wording): "Unable to read group information from repositories. This is a problem with the generation of your install tree."? I've compared the 6.0/os/x86_64 and 6.2/os/x86_64, and ownership, permissions, and directories seem identical. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
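Mark's installer error ("Unable to read group information from repositories") is the installer failing to find a group (comps) entry in repodata/repomd.xml, which is exactly what a createrepo run without -g produces, and what an rsync that did not bring over the repodata directory leaves behind. Johnny's command line above shows the -g flag but the extraction dropped its argument; it takes the path to the comps.xml file. The following is an added example (mine, not something posted in the thread): repo_has_groups reads a repo's repomd.xml the way the installer would and reports whether a group file is advertised and actually present, and rebuild_with_groups regenerates the metadata from inside the repo directory, as Johnny does, passing the comps file explicitly. It assumes the thread's tree layout (/centos/6.2/os/x86_64), a pretty-printed repomd.xml (one element per line, which is what createrepo writes), an absolute path to comps.xml, and that createrepo is installed on the host running the rebuild; the delta options from Johnny's command are left out because they need deltarpm.

```shell
#!/bin/sh
# Added example, not from the thread. Check a yum/anaconda repo tree for group
# (comps) metadata before pointing a PXE/kickstart install at it, and rebuild
# the metadata with the group file when it is missing.

# repo_has_groups REPO
# Prints the path of the group file and returns 0 when repodata/repomd.xml has a
# <data type="group"> entry whose file exists; otherwise prints why and returns 1.
repo_has_groups() {
    repo=$1
    md="$repo/repodata/repomd.xml"
    [ -f "$md" ] || { echo "no repomd.xml under $repo/repodata"; return 1; }
    # Walk the XML line by line: the first <location href=...> after the
    # <data type="group"> open tag is the group file, relative to the repo root.
    href=$(awk '
        index($0, "<data type=\"group\">")              { ingroup = 1 }
        ingroup && match($0, "<location href=\"[^\"]*\"") {
            print substr($0, RSTART + 16, RLENGTH - 17); exit
        }
        index($0, "</data>")                            { ingroup = 0 }
    ' "$md")
    [ -n "$href" ] || { echo "repomd.xml has no group entry (createrepo run without -g?)"; return 1; }
    [ -f "$repo/$href" ] || { echo "group file $href is listed but missing"; return 1; }
    echo "$repo/$href"
}

# rebuild_with_groups REPO COMPS
# Regenerate the metadata from inside the repo directory, passing the comps
# file (absolute path assumed) so the group information is included.
rebuild_with_groups() {
    repo=$1; comps=$2
    [ -f "$comps" ] || { echo "comps file $comps not found"; return 1; }
    ( cd "$repo" && createrepo -g "$comps" -d --unique-md-filenames --update . )
}
```

Run repo_has_groups /centos/6.2/os/x86_64 before every installer test; if it reports no group entry, the rsync missed repodata or someone ran createrepo without -g, and rebuild_with_groups /centos/6.2/os/x86_64 /centos/6.2/os/x86_64/repodata/comps.xml (or wherever the comps file lives) puts it back.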
Re: [CentOS] probleme with my wifi card on centos 6
Ljubomir Ljubojevic wrote: > On 01/04/2012 02:58 AM, fakessh wrote: >> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote: >>> On 01/03/2012 10:14 PM, fakessh wrote: So I think do a post on the bugtracker of elrepo to ask the creation of a new kmod-* >> Kernel modules: r8185b >> >> Kernel driver in use: is missing Still I have failed to create the wireless interface despite my attempts with the file ifcfg-wlan0 tape provided I to try to load ifup the interface without success Have you checked /etc/udev/rules.d/70-persistent-net.rules? mark
Re: [CentOS] New Tutorial - RHCS + DRBD + KVM; 2-Node HA on EL6
On 01/04/2012 11:52 AM, Jorge Fábregas wrote: > On 01/03/2012 10:29 AM, Digimer wrote: >> Hi all, >> >> I'm happy to announce a new tutorial! >> >> https://alteeve.com/w/2-Node_Red_Hat_KVM_Cluster_Tutorial > > Hello Digimer, > > Thanks for sharing this. I might try it in a couple of months as I'm > not ready yet (need to grasp some concepts/technologies first). I also > haven't used KVM but I have some experience with VMware (vSphere Clusters). > > For vSphere clusters you need a shared storage system: ideally (in > preference order) you'll be using a FC SAN, iSCSI SAN or a NAS (serving > NFS). I'm interested in the DRBD part here. Did you use it because you > didn't have access to a shared storage system? Or is it a requirement > for a particular functionality you wanted? Have you done it before with > a shared system? Any considerable performance difference (DRBD vs > shared-storage)? > > Thanks! > > Best regards, > Jorge When you get a chance to try it out, please feel free to ask for help if you run into any issues. I chose DRBD because of its ease to implement and that it did not require external storage. I've had very good success with performance of DRBD, getting near-capacity speeds out of it (that is, near the speed of the underlying storage). The only limitation is that DRBD is a best fit at two nodes only. You can do three nodes with stacked configuration, but I've not played with that so I can't comment on its effectiveness. As for external storage as a comparison, I can't say. I don't have corporate backing or a hardware budget. :) I suspect though that the real question will not be so much FC SAN vs DRBD as it will be the speed of the underlying storage and the number and type of VMs hitting that storage. The consistent issue I have to deal with in production is storage seek latency. Thankfully, 15k drives and sufficient caching seems to resolve this in most cases. Also, the distributed locking, by its nature, can be a source of slow down. So you need to allocate time to tune both the storage and the locking when concerned with performance, more than the details of the storage. Cheers! -- Digimer E-Mail: digi...@alteeve.com Freenode handle: digimer Papers and Projects: http://alteeve.com Node Assassin: http://nodeassassin.org "omg my singularity battery is dead again. stupid hawking radiation." - epitron
Re: [CentOS] an actual hacked machine, in a preserved state
On Tuesday, January 03, 2012 06:12:10 PM Bennett Haselton wrote: > I'm not sure what their logic is for recommending 80. But 72 bits > already means that any attack is so improbable that you'd *literally* > have to be more worried about the sun going supernova. I'd be more worried about Eta Carinae than our sun, as with its mass it's likely to be a GRB. The probability of it happening in our lifetime is quite low; yet, if it does happen in our lifetime (actually, if it happened about 7,500 years ago!) it will be an extinction event. So we watch it over time (and we have plates of it going back into the late 1800's). Likewise for security; the gaussian curve does have outliers, after all, and while it is highly unlikely for a brute-force attack to actually come up with anything against a single server it is still possible, partially due to the number of servers out there coupled with the sheer number of brute-forcers running. The odds are not 1 out of 4.7x10^21; they're much better than that since there isn't just a single host attempting the attack. If I have a botnet of 10,000,000 infected PC's available to attack 100,000,000 servers (close to the number), what are the odds of one of those attacks succeeding? (the fact is that it has happened already; see my excerpted 'in the wild' brute-forcer dictionary below). > > The critical thing to remember is that in key auth the authenticating key > > never leaves the client system,... > Actually, the top answer at that link appears to say that the server > sends the nonce to the client, and only the client can successfully > decrypt it. (Is that what you meant?) That's session setup, not authentication. The server has to auth to the client first for session setup, but then client auth is performed. But either way the actual client authenticating key never traverses the wire and is unsniffable.
> Furthermore, when you're dealing with probabilities that ridiculously > small, they're overwhelmed by the probability that an attack will be > found against the actual algorithm (which I think is your point about > possible weaknesses in the stream cipher). This has happened; read some SANS archives. There have been and are exploits in the wild against SSH and SSL; even caused OpenBSD to have to back down from its claim of never having a remotely exploitable root attack. > However, *then* you have to take into account the fact that, similarly, > the odds of a given machine being compromised by a man-in-the-middle > attack combined with cryptanalysis of the stream cipher, is *also* > overwhelmed by the probability of a break-in via an exploit in the > software it's running. I mean, do you think I'm incorrect about that? What you're missing is that low probability is not a preventer of an actual attack succeeding; people do win the lottery even with the odds stacked against them. > Of the compromised machines on the Internet, what proportion do you > think were hacked via MITM-and-advanced-crypto, compared to exploits in > the services? I don't have sufficient data to speculate. SANS or CERT may have that information. > and if I hadn't stood my ground about that, > the discussion never would have gotten around to SELinux, which, if it > works in the manner described, may actually help. The archives of this list already had the information about SELinux contained in this thread. Not to mention the clear and easily accessible documentation from the upstream vendor linked to from the CentOS website. > The problem with such "basic stuff" is that in any field, if there's no > way to directly test whether something has the desired effect or not, it > can become part of accepted "common sense" even if it's ineffective. Direct testing of both SELinux and iptables effectiveness is doable, and is done routinely by pen-testers.
EL6 has the tools necessary to instrument and control both, and by adding third-party repositories (in particular there is a security repo out there > If your server does get broken into > and a customer sues you for compromising their data, and they find that > you used passwords instead of keys for example, they can hire an > "expert" to say that was a foolish choice that put the customer's data > at risk. There is this concept called due diligence. If an admin ignores known industry standards and then gets compromised because of that, then that admin is negligent. Thus, risk analysis and management is done to weigh the costs of the security against the costs of exploit; or, to put in the words of a security consultant we had here (the project is, unfortunately, under NDA, so I can't drop the name of that consultant) "You will be or are compromised now; you must think and operate that way to mitigate your risks." Regardless of the security you think you have, you will be compromised at some point. The due diligence is being aware of that and being diligent en
[CentOS] PHP 5 bug?
I'm using EL6 with all updates applied and getting bit by a PHP5 bug that was fixed a year and a half ago... https://bugs.php.net/bug.php?id=52534 EL6 ships with php 5.3.3, which was released prior to the bug fix. What are the chances that this fixed bug can be reported/fixed upstream at the prominent North American Linux Vendor? Here's sample code that demonstrates the problem:

<?php
// Bug 52534: on affected versions an array with a negative integer key
// does not survive a var_export()/eval() round trip.
function CheckBug52534() {
    $check = array(1 => 'a', -1 => 'b');
    $str = var_export($check, true);   // the array as PHP source text
    $str = "\$a=$str;";
    eval($str);                        // rebuild it as $a
    return !isset($a[-1]);             // true when the -1 key was lost
}
echo CheckBug52534() ? "has it" : "not found";
Re: [CentOS] PHP 5 bug?
On 4.1.2012 19:09, Lists wrote: > I'm using EL6 with all updates applied and getting bit by a PHP5 bug > that was fixed a year and a half ago... > > https://bugs.php.net/bug.php?id=52534 > > EL6 ships with php 5.3.3, which was released prior to the bug fix. What > are the chances that this fixed bug can be reported/fixed upstream at > the prominent North American Linux Vendor? I found the following existing bugzillas. https://bugzilla.redhat.com/show_bug.cgi?id=695251 https://bugzilla.redhat.com/show_bug.cgi?id=700724 However, both seem to be for 5 only. If you think this applies to 6 too, consider filing a bug request yourself. -- Kind Regards, Markus Falb
[CentOS] server host keys for kvm clones
Respecting cloning vm guests, I see in /etc/ssh the following: ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub Is there a simple script somewhere to regenerate all the server host keys for the new guest after cloning? -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
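Nobody answers James's question in this part of the thread, so here is an added example (mine, not something posted to the list). A clone that keeps the template's host keys is indistinguishable, to an ssh client, from the template and from every other clone, which defeats the host-key check that key-based SSH relies on; the fix is to regenerate the keys once per guest before it is first reached over the network. On EL6 the sshd init script creates any host key file that is missing when the service starts, so the minimal version is to delete the keys and restart sshd; the function below does the generation explicitly and prints the new fingerprints so they can be recorded out of band. It assumes the EL6 key types (rsa and dsa by default; ssh_host_key is the protocol-1 key, which is only needed if Protocol 1 is enabled and is not regenerated here), that ssh-keygen is present, and takes the key directory as a parameter so it can be tried on a scratch directory instead of /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the thread. Regenerate sshd host keys in a freshly
# cloned guest so it stops sharing its identity with the template.

# regen_host_keys KEYDIR [TYPE ...]
# Removes every ssh_host_* file in KEYDIR and creates a fresh, passphrase-less
# key pair per type (default: rsa dsa, the EL6 sshd_config defaults), fixes the
# permissions sshd insists on, and prints each new public-key fingerprint.
# Returns non-zero if KEYDIR is missing or any key could not be generated.
regen_host_keys() {
    keydir=$1; shift
    [ -d "$keydir" ] || { echo "$keydir is not a directory"; return 1; }
    [ $# -gt 0 ] || set -- rsa dsa
    rm -f "$keydir"/ssh_host_*
    for t in "$@"; do
        # </dev/null so ssh-keygen can never sit waiting at a prompt under a
        # firstboot or kickstart %post run
        ssh-keygen -q -N '' -t "$t" -f "$keydir/ssh_host_${t}_key" </dev/null || return 1
        chmod 600 "$keydir/ssh_host_${t}_key"
        chmod 644 "$keydir/ssh_host_${t}_key.pub"
        ssh-keygen -lf "$keydir/ssh_host_${t}_key.pub"
    done
}
```

On a clone run regen_host_keys /etc/ssh as root and then service sshd restart; clients that had the template's key in known_hosts will see the expected "host key has changed" warning once, which is the point. Putting the call in a firstboot or %post script keeps it from being forgotten.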
Re: [CentOS] probleme with my wifi card on centos 6
On 2012-01-04 17:22, Ljubomir Ljubojevic wrote: > On 01/04/2012 02:58 AM, fakessh wrote: >> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote: >>> On 01/03/2012 10:14 PM, fakessh wrote: So I think do a post on the bugtracker of elrepo to ask the creation of a new kmod-* So I tried to compile the driver provided in [1] module appears to load properly >>> When you run lspci -v, it shows something like: >>> >>> Kernel driver in use: rtl8185 >>> Kernel modules: rtl8185 >>> >>> ??? >> >> lspci -v does not send me what I want >> >> this my output >> root@localhost swilting]# lspci -v | egrep Kernel >> Kernel driver in use: nForce2_smbus >> Kernel modules: i2c-nforce2 >> Kernel driver in use: ohci_hcd >> Kernel driver in use: ehci_hcd >> Kernel driver in use: HDA Intel >> Kernel modules: snd-hda-intel >> Kernel driver in use: forcedeth >> Kernel modules: forcedeth >> Kernel driver in use: sata_nv >> Kernel modules: sata_nv >> Kernel driver in use: sata_nv >> Kernel modules: sata_nv >> Kernel driver in use: nouveau >> Kernel modules: nouveau, nvidiafb >> Kernel driver in use: k10temp >> Kernel modules: k10temp >> Kernel modules: r8185b >> >> Kernel driver in use: is missing >> >> 01:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. >> RTL-8185 >> IEEE 802.11a/b/g Wireless LAN Controller (rev 20) >> Subsystem: Realtek Semiconductor Co., Ltd. RTL-8185 IEEE >> 802.11a/b/g >> Wireless LAN Controller >> Flags: medium devsel, IRQ 16 >> I/O ports at bc00 [size=256] >> Memory at fde0 (32-bit, non-prefetchable) [size=1K] >> Kernel modules: r8185b >> >> >> >>> Still I have failed to create the wireless interface despite my attempts with the file ifcfg-wlan0 tape provided I to try to load ifup the interface without success >>> >>> Why do you manually edit that file? Have you tried if >>> NetworkManager >>> or >>> "system-config-network-tui" command (package has the same name) see >>> the >>> interface?
>> >> I am completely lost and I do not know how >> >> please help me > > Somebody else should step in. I never had similar problem before. My > NIC/wireless just works with stock kernel drivers. > > What I can tell you is to (re)move manually made "ifcfg-*" file and > run > "yum install system-config-network-tui" and then run command > "system-config-network-tui" as root. In "Device configuration" there > should be > option to set up some kind of wireless NIC (name does not have to be > wlan). the problem seems weird but the output of lspci -v | egrep Kernel shows that there is a problem I have tried to create the interface with graphical tools and command line without success I never managed to run this card with all Linux systems available that i tried sincerely ... -- http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7 gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://urlshort.eu fakessh @ http://gplus.to/sshfake http://gplus.to/sshswilting http://gplus.to/john.swilting ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] an actual hacked machine, in a preserved state
On Thu, Jan 5, 2012 at 1:32 AM, Lamar Owen wrote: > root:LdP9cdON88yW > root:u2x2bz > root:6e51R12B3Wr0 > root:nb0M4uHbI6M > root:c3qLzdl2ojFB > root:LX5ktj > root:34KQ > root:8kLKwwpPD > root:Bl95X1nU > root:3zSlRG73r17 > root:fDb8 > root:cAeM1KurR > root:MXf3RX7 > root:4jpk > root:j00U3bG1VuA > root:HYQ9jbWbgjz3 > root:Ex4yI8 > root:k9M0AQUVS5D > root:0U9mW4Wh > root:2HhF19 > root:EmGKf4 > root:8NI877k8d5v > root:K539vxaBR > root:5gvksF8g55b > root:TO553p9E > root:7LX66rL7yx1F > root:uOU8k03cK2P > root:l9g7QmC9ev0 > root:E8Ab > root:98WZ4C55 > root:kIpfB0Pr3fe2 > ... I bet someone in this list will say surprisingly "Damnit. That's my password!" :) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
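The dictionary Lamar excerpted is what the brute-forcers in this thread actually try, and an EL6 box logs every one of those attempts to /var/log/secure. The following is an added example (mine, not something posted to the list) of the detection side: it counts failed password logins per source address in that log and lists the sources that crossed a threshold, with the number of distinct accounts each one tried, which separates a dictionary run from a user fat-fingering a password. The log lines in the usage and test are constructed for the example in the EL6 sshd format; successful and key-based logins are ignored, which also shows why the key-auth side of the argument matters: a host that accepts only keys gives these sources nothing to count.

```shell
#!/bin/sh
# Added example, not from the thread. Summarize sshd password brute-forcing
# from an EL6 /var/log/secure.

# brute_force_sources LOGFILE THRESHOLD
# Prints "fails ip users" for every source with at least THRESHOLD failed
# password attempts, busiest first. "users" is the number of distinct account
# names that source tried; a high count on a single source is a dictionary run.
brute_force_sources() {
    awk -v thr="$2" '
        # sshd[pid]: Failed password for root from 10.0.0.5 port 40001 ssh2
        # sshd[pid]: Failed password for invalid user admin from 10.0.0.5 port ...
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) print fails[ip], ip, users[ip]
        }
    ' "$1" | sort -rn
}
```

Usage: brute_force_sources /var/log/secure 20 on a live box; the sources it prints are the ones to feed to iptables or fail2ban, and on a key-only sshd the list should be empty. (The constructed lines used to test the function are a short mix of root and "invalid user" failures from one address, single failures from two others, and an accepted publickey login that is ignored.)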
Re: [CentOS] PHP 5 bug?
> I found the following existing bugzillas. https://bugzilla.redhat.com/show_bug.cgi?id=695251 https://bugzilla.redhat.com/show_bug.cgi?id=700724 However, both seem to be for 5 only. If you think this applies to 6 too, consider filing a bug request yourself. Thanks, I did. https://bugzilla.redhat.com/show_bug.cgi?id=771738
Re: [CentOS] an actual hacked machine, in a preserved state
On 1/4/2012 9:32 AM, Lamar Owen wrote: > On Tuesday, January 03, 2012 06:12:10 PM Bennett Haselton wrote: >> I'm not sure what their logic is for recommending 80. But 72 bits >> already means that any attack is so improbable that you'd *literally* >> have to be more worried about the sun going supernova. > I'd be more worried about Eta Carinae than our sun, as with it's mass it's > likely to be a GRB. The probability of it happening in our lifetime is quite > low; yet, if it does happen in our lifetime (actually, if it happened about > 7,500 years ago!) it will be an extinction event. So we watch it over time > (and we have plates of it going back into the late 1800's). > > Likewise for security; the gaussian curve does have outliers, after all, and > while it is highly unlikely for a brute-force attack to actually come up with > anything against a single server it is still possible, partially due to the > number of servers out there coupled with the sheer number of brute-forcers > running. The odds are not 1 out of 4.7x10^21; they're much better than that > since there isn't just a single host attempting the attack. If I have a > botnet of 10,000,000 infected PC's available to attack 100,000,000 servers > (close to the number), what are the odds of one of those attacks succeeding? > (the fact is that it has happened already; see my excerpted 'in the wild' > brute-forcer dictionary below). (1) Someone already raised the issue of what if you have 10 million infected machines instead of just 1; multiple people pointed out that it doesn't matter because the limiting factor is the speed at which sshd can accept/reject login requests, so it doesn't matter if the attacker has 10 million machines or 1. (2) If there are 100 million machines being attacked, that still doesn't make a brute force attack any more likely for my machine. 
It's not correct to say that if 10 million of those 100 million machines are likely to get compromised, then mine has a 10% chance of being compromised, because with a 12-char random password the odds are much lower for me than for others in the sample. If *everyone* used a 12-char random password, then the odds are that *none* of the 10 million machines attacking 100 million servers would hit on a success, not when there are 10^21 possible passwords to choose from. >>> The critical thing to remember is that in key auth the authenticating key >>> never leaves the client system,... >> Actually, the top answer at that link appears to say that the server >> sends the nonce to the client, and only the client can successfully >> decrypt it. (Is that what you meant?) > That's session setup, not authentication. The paragraph I'm reading appears to say that the server sends the nonce to the client, even for *authentication* (after session setup): http://security.stackexchange.com/questions/3887/is-using-a-public-key-for-logging-in-to-ssh-any-better-than-saving-a-password "After the channel is functional and secure... the server has the public key of the user stored. What happens next is that the server creates a random value (nonce), encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge and send it back to the server". So that's what I meant... you'd said the client sends the nonce to the server whereas the page said the server sends the nonce to the client... just wanted to make sure I wasn't missing anything. > The server has to auth to the client first for session setup, but then client > auth is performed. But either way the actual client authenticating key never > traverses the wire and is unsniffable. 
>> Furthermore, when you're dealing with probabilities that ridiculously >> small, they're overwhelmed by the probability that an attack will be >> found against the actual algorithm (which I think is your point about >> possible weaknesses in the stream cipher). > This has happened; read some SANS archives. There have been and are exploits > in the wild against SSH and SSL; even caused OpenBSD to have to back down > from it's claim of never having a remotely exploitable root attack. > >> However, *then* you have to take into account the fact that, similarly, >> the odds of a given machine being compromised by a man-in-the-middle >> attack combined with cryptanalysis of the stream cipher, is *also* >> overwhelmed by the probability of a break-in via an exploit in the >> software it's running. I mean, do you think I'm incorrect about that? > What you're missing is that low probability is not a preventer of an actual > attack succeeding; people do win the lottery even with the odds stacked > against them. > >> Of the compromised machines on the Internet, what proportion do you >> think were hacked via MITM-and-advanced-crypto, compared to exploits in >> the services? > I don't have sufficient data to speculate. SANS or CERT may have that > information. Well, what
Re: [CentOS] probleme with my wifi card on centos 6
On 2012-01-04 18:07, m.r...@5-cent.us wrote: > Ljubomir Ljubojevic wrote: >> On 01/04/2012 02:58 AM, fakessh wrote: >>> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote: On 01/03/2012 10:14 PM, fakessh wrote: > So I think do a post on the bugtracker of elrepo to ask > the creation of a new kmod-* > >>> Kernel modules: r8185b >>> >>> Kernel driver in use: is missing > > Still I have failed to create the wireless interface > despite my attempts with the file ifcfg-wlan0 tape provided I > to try to load ifup the interface without success > > Have you checked /etc/udev/rules.d/70-persistent-net.rules? > >mark I do not know what this file if selinux is disabled -- http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7 gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://urlshort.eu fakessh @ http://gplus.to/sshfake http://gplus.to/sshswilting http://gplus.to/john.swilting
Re: [CentOS] probleme with my wifi card on centos 6
fakessh wrote: > On 2012-01-04 18:07, m.r...@5-cent.us wrote: >> Ljubomir Ljubojevic wrote: >>> On 01/04/2012 02:58 AM, fakessh wrote: On 2012-01-04 01:48, Ljubomir Ljubojevic wrote: > On 01/03/2012 10:14 PM, fakessh wrote: >> So I think do a post on the bugtracker of elrepo to ask >> the creation of a new kmod-* >> Kernel modules: r8185b Kernel driver in use: is missing >> >> Still I have failed to create the wireless interface >> despite my attempts with the file ifcfg-wlan0 tape provided I >> to try to load ifup the interface without success >> >> Have you checked /etc/udev/rules.d/70-persistent-net.rules? > > I do not know what this file if selinux is disabled That has nothing at all to do with selinux. Please man udev. mark
Re: [CentOS] probleme with my wifi card on centos 6
On 2012-01-04 21:15, m.r...@5-cent.us wrote:
> fakessh wrote:
>> On 2012-01-04 18:07, m.r...@5-cent.us wrote:
>>> Ljubomir Ljubojevic wrote:
>>>> On 01/04/2012 02:58 AM, fakessh wrote:
>>>>> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote:
>>>>>> On 01/03/2012 10:14 PM, fakessh wrote:
>>>>>>> So I think do a post on the bugtracker of elrepo to ask
>>>>>>> the creation of a new kmod-*
>>>>>
>>>>> Kernel modules: r8185b
>>>>>
>>>>> Kernel driver in use: is missing
>>>>>
>>>>> Still I have failed to create the wireless interface
>>>>> despite my attempts with the file ifcfg-wlan0 tape provided I
>>>>> to try to load ifup the interface without success
>>>
>>> Have you checked /etc/udev/rules.d/70-persistant-net.rules?
>>
>> I do not know what this file if selinux is disabled
>
> That has nothing at all to do with selinux. Please man udev.
>
> mark

can you explain how I use this utility

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://urlshort.eu
fakessh @ http://gplus.to/sshfake http://gplus.to/sshswilting http://gplus.to/john.swilting
Re: [CentOS] probleme with my wifi card on centos 6
fakessh wrote:
> On 2012-01-04 21:15, m.r...@5-cent.us wrote:
>> fakessh wrote:
>>> On 2012-01-04 18:07, m.r...@5-cent.us wrote:
>>>> Ljubomir Ljubojevic wrote:
>>>>> On 01/04/2012 02:58 AM, fakessh wrote:
>>>>>> On 2012-01-04 01:48, Ljubomir Ljubojevic wrote:
>>>>>>> On 01/03/2012 10:14 PM, fakessh wrote:
>>>>>>>> So I think do a post on the bugtracker of elrepo to ask
>>>>>>>> the creation of a new kmod-*
>>>>>>
>>>>>> Kernel modules: r8185b
>>>>>>
>>>>>> Kernel driver in use: is missing
>>>>>>
>>>>>> Still I have failed to create the wireless interface
>>>>>> despite my attempts with the file ifcfg-wlan0 tape provided I
>>>>>> to try to load ifup the interface without success
>>>>
>>>> Have you checked /etc/udev/rules.d/70-persistant-net.rules?
>>>
>>> I do not know what this file if selinux is disabled
>>
>> That has nothing at all to do with selinux. Please man udev.
>
> can you explain how I use this utility

Have you read the man page? Do you understand how CentOS 6 creates /dev on the fly? Please go read some howtos, and man pages.

I was bothered by your reference to the ifcfg-wlan0 tape - I have no idea what a tape has to do with anything - and it feels, from the small bits of this thread I've read, as though you don't really understand what you're doing, or why. Time to go read some Linux orientations and documentation.

mark
Re: [CentOS] probleme with my wifi card on centos 6
On 01/04/2012 08:28 PM, fakessh wrote:
> the problem seems weird but the output of lspci -v | egrep Kernel shows
> that there is a problem

I said "lspci -v", not "lspci -v | egrep Kernel". But it is only view, has nothing to do with actual driver that IS installed now.

> I have tried to create the interface with graphical tools and command
> line without success
> I never managed to run this card with all Linux systems available that
> i tried

Then just CHANGE the radio card. Get Atheros and be done with it.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
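Mark's pointer to /etc/udev/rules.d/70-persistant-net.rules (the file is actually named 70-persistent-net.rules on EL6) is where udev pins an interface name to a MAC address, so a card that never gets its wlan0 name is worth checking there before filing a kmod request. The following Python is an added example, not code from this thread or from udev: it parses the ATTR{address}/NAME pairs out of such a rules file, reports a MAC listed twice or a name claimed by two rules (the usual leftovers after a NIC swap or VM clone), and tells you which name a given MAC will receive. The rules text is a constructed sample.

```python
"""Parse udev's persistent-net rules and flag the usual breakage.

Added example, not from the thread.  On EL6 udev pins interface names to
MAC addresses in /etc/udev/rules.d/70-persistent-net.rules; a card that
never gets its wlan0/eth0 name, or a clone whose NIC has a new MAC, usually
traces back to a stale or duplicate entry here.  The rules text below is a
constructed sample.
"""
import re
from collections import Counter

# One rule per line; we only care about the MAC it matches and the NAME it sets.
RULE_RE = re.compile(
    r'ATTR\{address\}=="(?P<mac>[0-9A-Fa-f:]{17})".*?NAME="(?P<name>[^"]+)"'
)


def parse_persistent_net(text):
    """[(mac, name), ...] in file order; comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            pairs.append((m.group("mac").lower(), m.group("name")))
    return pairs


def find_conflicts(pairs):
    """MACs listed more than once and NAMEs claimed by more than one rule."""
    macs = Counter(mac for mac, _ in pairs)
    names = Counter(name for _, name in pairs)
    return {
        "duplicate_macs": sorted(m for m, n in macs.items() if n > 1),
        "duplicate_names": sorted(nm for nm, n in names.items() if n > 1),
    }


def expected_name(pairs, mac):
    """Name the first matching rule assigns to this MAC, or None when no
    rule matches (udev's generator then appends a fresh rule at boot)."""
    mac = mac.lower()
    for rule_mac, name in pairs:
        if rule_mac == mac:
            return name
    return None


# Constructed sample: the second rule is a stale one left by a template image.
SAMPLE_RULES = """\
# constructed sample of /etc/udev/rules.d/70-persistent-net.rules
# PCI device 0x8086:0x10d3 (e1000e)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:11:22:33:44:55", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x10d3 (e1000e)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:11:22:33:44:66", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
"""

if __name__ == "__main__":
    pairs = parse_persistent_net(SAMPLE_RULES)
    print(pairs)
    print(find_conflicts(pairs))
    print(expected_name(pairs, "00:11:22:33:44:55"))
```

Run against the real file with `parse_persistent_net(open("/etc/udev/rules.d/70-persistent-net.rules").read())`; a duplicate name means udev will hand the second card a fallback name, which is exactly the case where an ifcfg-wlan0 file never matches anything.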
Re: [CentOS] sa-update error with perl
>>> On my Zimbra server (CentOS 5.7), sa works fine.
>>> I have spamassassin-3.3.1-2.el5 and
>>> perl-IO-Socket-INET6-2.51-2.fc6 installed.
>> Same here. Are you running sa-update? SpamAssassin works
>> fine for me, but sa-update is giving this error every time it runs.
>
> Yes, it seems to run fine:
> Updating (Sun Jan 1 00:00:01 CET 2012)...
> Update available for channel updates.spamassassin.org
> Update was available, and was downloaded and installed successfully

Weird then. Wondering why I'm getting this problem.

Name : spamassassin
Arch : i386
Version : 3.3.1
Release : 2.el5
Size : 3.1 M
Repo : installed

Name : perl-IO-Socket-INET6
Arch : noarch
Version : 2.51
Release : 2.fc6
Size : 22 k
Repo : installed

>>> Did you disable IPV6?
>> No - can you explain what you are implying?
>
> Hum... not sure anymore why I asked... ^_^
> Nevermind.
>
> Did you install any perl libs out of rpm/yum...?
> BTW, 64bits here...

32 for me. Thanks for your help...
Re: [CentOS] sa-update error with perl
>>>> The only hints I can find seem to suggest to remove
>>>> perl-IO-Socket-INET6, but trying to do so using yum (I don't
>>>> want to start using another method of package management)
>>>> tells me that spamassassin is a dependency and will also be
>>>> removed - obviously undesirable.
>>> If you really want to remove it, use rpm instead.
>>> rpm -e --nodeps perl-IO-Socket-INET6
>>> But it will annoy you at every update...
>> That was my fear... I'm wondering why this crept up again,
>> since all my packages are completely up to date according
>> to yum.
>
> yum only does what we tell it to do.

I told it to update all my packages. :-)

> It is possible that you have a package installed that is not from the
> CentOS repos, etc.
>
> If people add external repositories, it is very easy to get conflicts.

I do have rpmforge as a repo in order to get a thing or two that CentOS does not offer. How can I diagnose if this is the problem? Here's a list of perl packages according to rpm -qa; are the ".rf" ones from rpmforge? I think most of those are requirements for the amavisd-new package.

perl-Net-DNS-0.63-1.el5.rf
perl-URI-1.35-3
perl-libwww-perl-5.805-1.1.1
perl-Package-Constants-0.02-1.el5.rf
perl-Pod-Escapes-1.04-1.2.el5.rf
perl-Crypt-OpenSSL-RSA-0.26-1.el5.rf
perl-NetAddr-IP-4.044-1.el5.rf
perl-Socket6-0.19-3.fc6
perl-5.8.8-32.el5_7.6
perl-String-CRC32-1.4-2.fc6
perl-Digest-SHA1-2.11-1.2.1
perl-Digest-HMAC-1.01-15
perl-HTML-Tagset-3.20-1.el5.rf
perl-IO-Socket-SSL-1.17-1.el5.rf
perl-Compress-Zlib-1.42-1.fc6
perl-TimeDate-1.16-5.el5
perl-Convert-BinHex-1.119-2.2.el5.rf
perl-Convert-TNEF-0.17-3.2.el5.rf
perl-Mail-SPF-2.006-1.el5.rf
perl-DBI-1.52-2.el5
perl-Digest-SHA-5.50-1.el5.rf
perl-Crypt-OpenSSL-Random-0.04-1.el5.rf
perl-Pod-Simple-3.16-1.el5.rf
perl-Git-1.7.6.4-1.el5.rf
perl-Unix-Syslog-1.1-1.el5.rf
perl-Archive-Tar-1.39.1-1.el5_5.2
perl-Error-0.17016-1.el5.rf
perl-Email-Date-Format-1.002-1.el5.rf
perl-Mail-DKIM-0.39-1.el5.rf
perl-Net-SSLeay-1.30-4.fc6
perl-IO-Zlib-1.09-1.el5.rf
perl-HTML-Parser-3.59-1.el5.rf
perl-IO-stringy-2.110-1.2.el5.rf
perl-Archive-Zip-1.26-1.el5.rf
perl-MIME-tools-5.420-2.el5.rf
perl-Razor-Agent-2.84-1.el5.rf
perl-DBD-MySQL-3.0007-2.el5
perl-BerkeleyDB-0.43-1.el5.rf
perl-Convert-UUlib-1.34-1.el5.rf
perl-Net-Server-0.99-1.el5.rf
perl-Test-Pod-1.45-1.el5.rf
perl-MIME-Lite-3.027-1.el5.rf
perl-MailTools-2.08-1.el5.rf
perl-version-0.91-1.el5.rf
perl-IO-Socket-INET6-2.51-2.fc6
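The question "are the .rf ones from rpmforge?" can be answered mechanically from the release tag of each NAME-VERSION-RELEASE string. The following Python is an added example, not code from this thread: it splits `rpm -qa` lines into name, version and release and groups them by what the release tag suggests. The mapping (".rf" is RepoForge, a ".elN" tag is the CentOS base, ".fc6" builds are ones CentOS 5 inherited, and an untagged release needs `rpm -qi` to settle) is an assumption of this example, and the sample input is a subset of the list posted above.

```python
"""Sort `rpm -qa` output by the repository its release tag points at.

Added example, not from the thread.  RepoForge (ex-RPMforge) packages carry
a '.rf' suffix in the release, CentOS base packages an '.el5' dist tag, and
CentOS 5 also ships some builds still tagged '.fc6'; packages with no dist
tag at all need `rpm -qi` to find where they came from.  The mapping is an
assumption of this example; the sample is a subset of the list posted above.
"""
import re
from collections import defaultdict

# NAME may itself contain hyphens, so anchor on the last two hyphens.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def parse_nvr(nvr):
    """Split 'NAME-VERSION-RELEASE' into its three parts."""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not a NAME-VERSION-RELEASE string: {nvr!r}")
    return m.group("name"), m.group("version"), m.group("release")


def classify_release(release):
    """Label a release string by the repository family its tag suggests."""
    if release.endswith(".rf"):
        return "RepoForge"
    if re.search(r"\.el\d+", release):      # .el5, .el5_7.6, ...
        return "CentOS base"
    if re.search(r"\.fc\d+", release):      # .fc6 builds inherited by CentOS 5
        return "fc-tagged"
    return "untagged"


def group_by_repo(rpm_qa_text):
    """{label: sorted package names} for every line of `rpm -qa` output."""
    groups = defaultdict(list)
    for line in rpm_qa_text.splitlines():
        if not line.strip():
            continue
        name, _, release = parse_nvr(line)
        groups[classify_release(release)].append(name)
    return {label: sorted(names) for label, names in groups.items()}


# Subset of the `rpm -qa` list posted above.
SAMPLE_RPM_QA = """\
perl-Net-DNS-0.63-1.el5.rf
perl-URI-1.35-3
perl-Socket6-0.19-3.fc6
perl-5.8.8-32.el5_7.6
perl-Digest-HMAC-1.01-15
perl-Archive-Tar-1.39.1-1.el5_5.2
perl-IO-Socket-INET6-2.51-2.fc6
perl-Mail-DKIM-0.39-1.el5.rf
"""

if __name__ == "__main__":
    for label, names in sorted(group_by_repo(SAMPLE_RPM_QA).items()):
        print(f"{label:12s} {', '.join(names)}")
```

Feed it the real output with `group_by_repo(subprocess.check_output(["rpm", "-qa"], text=True))`; the "RepoForge" group is the set to look at first when yum reports a dependency clash with a base package such as spamassassin.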
Re: [CentOS] server host keys for kvm clones
On Wed, Jan 4, 2012 at 8:08 PM, James B. Byrne wrote:
> Respecting cloning vm guests, I see in /etc/ssh the
> following:
>
> ssh_host_dsa_key
> ssh_host_dsa_key.pub
> ssh_host_key
> ssh_host_key.pub
> ssh_host_rsa_key
> ssh_host_rsa_key.pub
>
> Is there a simple script somewhere to regenerate all the
> server host keys for the new guest after cloning?

Simple, just remove them and boot the server or restart sshd:

# rm -f /etc/ssh/ssh_host*key*; /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]

--
Mikael Fridh
Re: [CentOS] sa-update error with perl
On 01/04/2012 10:29 PM, email builder wrote:
>>>>> The only hints I can find seem to suggest to remove
>>>>> perl-IO-Socket-INET6, but trying to do so using yum (I don't
>>>>> want to start using another method of package management)
>>>>> tells me that spamassassin is a dependency and will also be
>>>>> removed - obviously undesirable.
>>>> If you really want to remove it, use rpm instead.
>>>> rpm -e --nodeps perl-IO-Socket-INET6
>>>> But it will annoy you at every update...
>>> That was my fear... I'm wondering why this crept up again,
>>> since all my packages are completely up to date according
>>> to yum.
>>
>> yum only does what we tell it to do.
>
> I told it to update all my packages. :-)
>
>> It is possible that you have a package installed that is not from the
>> CentOS repos, etc.
>>
>> If people add external repositories, it is very easy to get conflicts.
>
> I do have rpmforge as a repo in order to get a thing or two that
> CentOS does not offer. How can I diagnose if this is the problem?
> Here's a list of perl packages according to rpm -qa are the ".rf"
> ones from rpmforge? I think most of those are requirements for the
> amavisd-new package.

.rf? is from RepoForge (ex-RPMForge).

You might need to use priorities and set RepoForge lower than SA repo. Maybe you will need to downgrade a few packages.

There is a "Perl package problems" thread on this list from ~20 days ago. Read it for more info.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] an actual hacked machine, in a preserved state
[Distilling to the core matter; everything else is peripheral.]

On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
> To be absolutely clear: Do you, personally, believe there is more than a
> 1 in a million chance that the attacker who got into my machine, got it
> by brute-forcing the password? As opposed to, say, using an underground
> exploit?

Here's how I see it breaking down:

1.) Attacker uses apache remote exploit (or other means) to obtain your /etc/shadow file (not a remote shell, just GET the file without that fact being logged);
2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer on 10,000,000 machines against your /etc/shadow file without your knowledge;
3.) Some time passes;
4.) Attacker obtains your password using distributed brute forcing of the hash in the window of time prior to you resetting it;
5.) Attacker logs in since you allow password login.

You're pwned by a non-login brute-force attack.

In contrast, with ssh keys and no password logins allowed:

1.) Attacker obtains /etc/shadow and cracks your password after some time;
2.) Attacker additionally obtains /root/.ssh/*
3.) Attacker now has your public key. Good for them; public keys don't have to be kept secure since it is vastly more difficult to reverse known plaintext, known ciphertext, and the public key into a working private key than it is to brute-force the /etc/shadow hash (part of the difficulty is getting all three required components to successfully reverse your private key; the other part boils down to factoring and hash brute-forcing);
4.) Attacker also has root's public and private keys, if there is a pair in root's ~/.ssh, which may or may not help them. If there's a passphrase on the private key, it's quite difficult to obtain that from the key;
5.) Attacker can't leverage either your public key or root's key pair (or the machine key; even if they can leverage that to do MitM (which they can and likely will) that doesn't help them obtain your private key for authentication);
6.) Attacker still can't get in because you don't allow password login, even though attacker has root's password.

This only requires an apache httpd exploit that allows reading of any file; no files have to be modified and no shells have to be acquired through any exploits. Those make it faster, for sure; but even then the attacker is going to acquire your /etc/shadow as one of the first things they do; the next thing they're going to do is install a rootkit with a backdoor password.

Brute-forcing by hash-cracking, not by attempting to login over ssh, is what I'm talking about. This is what I mean when I say 'multilayer metasploit-driven attacks.'

The weakest link is the security of /etc/shadow on the server for password auth (unless you use a different auth method on your server, like LDAP or other, but that just adds a layer, making the attacker work harder to get that all-important password). Key based auth is superior, since the attacker reading any file on your server cannot compromise the security. Kerberos is better still.

Now, the weakest link for key auth is the private key itself. But it's better protected than any password is (if someone can swipe your private key off of your workstation you have bigger problems, and they will have your /etc/shadow for your workstation, and probably a backdoor.). The passphrase is also better protected than the typical MD5 hash password, too.

It is the consensus of the security community that key-based authentication with strong private key passphrases is better than any password-only authentication, and that consensus is based on facts derived from evidence of actual break-ins. While login-based brute-forcing of a password that is long enough (based upon sshd/login/hashing speed) is impractical for passwords of sufficient strength, login-based brute forcing is not the 'state of the art' in brute-forcing of passwords. Key-based auth with a passphrase is still not the ultimate, but it is better than only a password, regardless of the strength of that password.

If your password was brute-forced, it really doesn't matter how the attacker did it; you're pwned either way.

It is a safe assumption that there are httpd exploits in the wild, that are not known by the apache project, that specifically attempt to grab /etc/shadow and send to the attacker. It's also a safe assumption that the attacker will have sufficient horsepower to crack your password from /etc/shadow in a 'reasonable' timeframe for an MD5 hash. So you don't allow password authentication and you're not vulnerable to a remote /etc/shadow brute-forcing attack regardless of how much horsepower the attacker can throw your way, and regardless of how the attacker got your /etc/shadow (you could even post it publicly and it wouldn't help them any!).
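Lamar's argument rests on two configuration facts a defender can check directly: which crypt(3) algorithm each /etc/shadow entry uses (MD5-crypt, `$1$`, is the one he calls crackable in a reasonable timeframe), and whether sshd accepts passwords at all, because a cracked hash only buys a login when it does. The following Python is an added example, not code from this thread or from OpenSSH: it classifies constructed shadow lines (the hash bodies are placeholders, not real digests) and reads constructed sshd_config fragments, and it goes one step past the thread by also checking ChallengeResponseAuthentication, since with PAM that path still prompts for the same password when PasswordAuthentication alone is turned off. Match blocks in sshd_config are ignored here; that is a simplification of this example.

```python
"""Which accounts would a leaked /etc/shadow actually expose over ssh?

Added example (not from the thread).  It classifies each shadow entry's
crypt(3) algorithm and checks whether sshd accepts password logins at all,
since a cracked hash only helps an attacker log in when it does.  All
sample data is constructed; the hash bodies are placeholders, not digests.
"""

# crypt(3) prefix -> (algorithm name, fast to brute-force offline?)
# $1$ MD5-crypt is the CentOS 5 default and is what the thread calls
# crackable in a 'reasonable' timeframe; $6$ SHA-512-crypt (CentOS 6
# default) is far slower per guess, though still no substitute for keys.
CRYPT_PREFIXES = {
    "$1$": ("md5-crypt", True),
    "$5$": ("sha256-crypt", False),
    "$6$": ("sha512-crypt", False),
}


def classify_hash(field):
    """Return (algorithm, password_set, fast_to_crack) for a shadow field."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked-or-none", False, False)   # no password login possible
    for prefix, (algo, fast) in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return (algo, True, fast)
    if len(field) == 13 and "$" not in field:
        return ("des-crypt", True, True)          # legacy DES: 8-char max, trivial
    return ("unknown", True, False)


def audit_shadow(text):
    """Parse shadow-format text into [(user, algorithm, has_pw, fast), ...]."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or line.startswith("#"):
            continue
        algo, has_pw, fast = classify_hash(fields[1])
        rows.append((fields[0], algo, has_pw, fast))
    return rows


def weak_hash_accounts(text):
    """Accounts whose hash is cheap to crack offline (MD5-crypt or DES)."""
    return [u for u, _, has_pw, fast in audit_shadow(text) if has_pw and fast]


def sshd_setting(config_text, keyword, default):
    """First value of `keyword` in sshd_config; sshd uses the first match.
    Keywords are case-insensitive.  Match blocks are ignored (assumption)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def password_login_allowed(config_text):
    """True if sshd will take a password, either directly or through
    keyboard-interactive/PAM (ChallengeResponseAuthentication).  Both
    default to yes when absent, so 'PasswordAuthentication no' on its own
    does not close the door if challenge-response is left on."""
    return (sshd_setting(config_text, "PasswordAuthentication", "yes") == "yes"
            or sshd_setting(config_text, "ChallengeResponseAuthentication", "yes") == "yes")


def exposure_from_shadow_leak(shadow_text, sshd_text):
    """Accounts an attacker could log into after cracking a leaked shadow
    file: every password-bearing account if sshd takes passwords, otherwise
    none, which is the thread's point."""
    if not password_login_allowed(sshd_text):
        return []
    return [u for u, _, has_pw, _ in audit_shadow(shadow_text) if has_pw]


# Constructed samples (placeholder hashes, not real digests).
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERmd5hashxxxxxxxxx:15343:0:99999:7:::
alice:$6$rounds=50000$longsalt$PLACEHOLDERsha512hashxxxxxxxxxxxxxxxxx:15343:0:99999:7:::
bob:PLACEHOLDER13:15343:0:99999:7:::
daemon:*:15343:0:99999:7:::
carol:!!:15343:0:99999:7:::
"""

SSHD_STOCK = """\
#PasswordAuthentication yes   (commented out: compiled-in default applies)
PubkeyAuthentication yes
"""

SSHD_KEYS_ONLY = """\
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print("weak hashes:", weak_hash_accounts(SAMPLE_SHADOW))
    print("exposed with stock sshd:", exposure_from_shadow_leak(SAMPLE_SHADOW, SSHD_STOCK))
    print("exposed with keys-only sshd:", exposure_from_shadow_leak(SAMPLE_SHADOW, SSHD_KEYS_ONLY))
```

On a real box run it as root against `/etc/shadow` and `/etc/ssh/sshd_config`; an empty result from `exposure_from_shadow_leak` is the state Lamar describes, where the shadow file could be public without helping anyone log in, while a non-empty `weak_hash_accounts` list on a CentOS 5 host is the cue to move to sha512 via `authconfig --passalgo=sha512` and reset those passwords.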
Re: [CentOS] server host keys for kvm clones
On Wed, January 4, 2012 14:08, James B. Byrne wrote:
> Is there a simple script somewhere to regenerate all the
> server host keys for the new guest after cloning?

The init script /etc/rc.d/init.d/sshd handles it. I discover that simply removing the existing ssh keys from /etc/ssh and restarting the sshd service causes the host keys to be regenerated.

Another step to add to post cloning housekeeping.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
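The housekeeping step above is easy to forget for a clone that is already running, and the symptom is a fleet of guests presenting the template's host key, which defeats the point of host keys (any of them can impersonate the others, and clients that pinned one will trust all). The following Python is an added example, not code from this thread or from OpenSSH: it computes the SHA256 fingerprint of host public keys (the same value modern `ssh-keygen -l` prints) and groups hosts that share one, which is the check to run across a cluster of clones. The key blobs are constructed stand-ins, not real keys; the "template" hostname and the input layout are assumptions of this example.

```python
"""Find VM clones that still present the template's SSH host keys.

Added example, not from the thread.  It computes OpenSSH-style SHA256
fingerprints of host public keys and groups hosts that share one; shared
host keys are exactly what cloning leaves behind when /etc/ssh/ssh_host_*key*
is not removed and regenerated as described above.  The key blobs below are
constructed stand-ins, not real keys.
"""
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line):
    """'SHA256:<unpadded base64>' of the raw key blob, the value modern
    `ssh-keygen -l -E sha256` prints for a '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(host_keys):
    """host_keys maps hostname -> list of public host-key lines (as read from
    /etc/ssh/ssh_host_*_key.pub on each box, or collected with ssh-keyscan).
    Returns {fingerprint: sorted hostnames} for every key seen on >1 host."""
    seen = defaultdict(set)
    for host, lines in host_keys.items():
        for line in lines:
            seen[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def hosts_needing_regeneration(host_keys, template="template"):
    """Hosts (other than the template) that share any key with the template."""
    flagged = set()
    for hosts in shared_host_keys(host_keys).values():
        if template in hosts:
            flagged.update(h for h in hosts if h != template)
    return sorted(flagged)


def _fake_key(label, keytype="ssh-rsa"):
    # Constructed blob; any bytes serve, since the fingerprint is just the
    # SHA-256 of whatever follows the key type.
    blob = base64.b64encode(f"constructed-host-key-{label}".encode()).decode()
    return f"{keytype} {blob} root@template"


# Constructed inventory: clone1 was cloned and never had its keys regenerated.
SAMPLE_HOST_KEYS = {
    "template": [_fake_key("rsa-A"), _fake_key("dsa-A", "ssh-dss")],
    "clone1":   [_fake_key("rsa-A"), _fake_key("dsa-A", "ssh-dss")],  # keys never regenerated
    "clone2":   [_fake_key("rsa-B"), _fake_key("dsa-B", "ssh-dss")],  # regenerated after cloning
}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_HOST_KEYS).items():
        print(fp, "shared by", ", ".join(hosts))
    print("regenerate on:", hosts_needing_regeneration(SAMPLE_HOST_KEYS))
```

Populate the dictionary from each guest's `/etc/ssh/ssh_host_*_key.pub` (or `ssh-keyscan` output); every host named by `hosts_needing_regeneration` needs the `rm` and sshd restart from Mikael's reply, and the old fingerprint should be dropped from clients' known_hosts afterwards so the change is noticed rather than blindly accepted.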
Re: [CentOS] an actual hacked machine, in a preserved state
On 4.1.2012 20:58, Bennett Haselton wrote:
> On 1/4/2012 9:32 AM, Lamar Owen wrote:
>> The slow brute-forcers are at work, and are spreading.
...
> Well yes of course an attacker can try *particular* 12-character
> passwords, I never said they couldn't :)
...

If you enforce use of ssh keys an attacker can try passwords but cannot succeed because he has not the private key. You are free however to apply a 12-character password to your private key, then you have to know your 12-character password plus you have to own the private key. So the whole blah about brute force becomes lame. More secure or not?

> To be absolutely clear: Do you, personally, believe there is more than a
> 1 in a million chance that the attacker who got into my machine, got it
> by brute-forcing the password?

I think it was Lamar trying to point out that statistics and probabilities are not applicable to the single individuum (at least not to lottery players or captains of big vessels)

--
Kind Regards,
Markus Falb
Re: [CentOS] an actual hacked machine, in a preserved state
On Wed, Jan 4, 2012 at 4:13 PM, Markus Falb wrote:
>> To be absolutely clear: Do you, personally, believe there is more than a
>> 1 in a million chance that the attacker who got into my machine, got it
>> by brute-forcing the password?
>
> I think it was Lamar trying to point out that statistics and
> probabilities are not applicable to the single individuum (at least not
> to lotterie players or captains of big vessels)

And the last post was more to the point that there have been earlier exploits that could have permitted access to the shadow file even if those are currently fixed with updates. And there are lots of other ways to steal a password. Whether it was brute-forced or not is mostly irrelevant. It is reusable and you don't know if someone else has it.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] an actual hacked machine, in a preserved state
On 01/04/2012 10:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is peripheral.]
>
> It is a safe assumption that there are httpd exploits in the wild, that
> are not known by the apache project, that specifically attempt to grab
> /etc/shadow and send to the attacker. It's also a safe assumption that
> the attacker will have sufficient horsepower to crack your password from
> /etc/shadow in a 'reasonable' timeframe for an MD5 hash. So you don't
> allow password authentication and you're not vulnerable to a remote
> /etc/shadow brute-forcing attack regardless of how much horsepower the
> attacker can throw your way, and regardless of how the attacker got your
> /etc/shadow (you could even post it publicly and it wouldn't help them
> any!).

Excellent text. This should be published on some Blog, or CentOS wiki maybe.

Thank you for this. Concise and practical. Wow. Thanks again!

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
[CentOS] selinux context for mm-handler?
I've got a Mailman installation running on CentOS 4 that I'd like to migrate to a CentOS 6 box. My big obstacle at present is getting Mailman's mm-handler Perl script to run as a Sendmail local mailer with SELinux enabled.

I've tried changing mm-handler's selinux context type a few times, but nothing has resulted in success:

context              result
-------------------  ----------------------------------
etc_mail_t           sendmail can't execute mm-handler
mailman_mail_exec_t  mm-handler can't load perl modules
bin_t                mm-handler can't read Mailman data
sendmail_exec_t      mm-handler can't read Mailman data

I'm willing and able to whip up a local policy modification, but I thought I'd ask if there's a standard solution to this problem; my Google searches have so far proven ineffective at providing pointers to an answer.

--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
Re: [CentOS] an actual hacked machine, in a preserved state
On Wednesday 04 January 2012 11:58:07 Bennett Haselton wrote:
> If *everyone* used a 12-char random password, then the odds are that
> *none* of the 10 million machines attacking 100 million servers would
> hit on a success, not when there are 10^21 possible passwords to choose
> from.

It is too naive to identify the statement "something has very low probability" with the statement "it will not happen". There are processes in nature that have 1 / 10^21 (or any other) probability of happening, but they are detected to actually happen every couple of seconds or so (hint: ask any nuclear physicist). In a security-related context, relying on low probability is always a risk (regardless of how small), and it should be avoided if feasible.

IOW, chances of "10^ to one" are *infinitely* bigger than zero. Proof --- divide that number by zero to find out how many times it is bigger. ;-)

You should never rely on any probability count if you have critical security concerns. Yes, I also use a strong password rather than ssh key (mostly for the same reason you do --- convenience), but I understand the risk of doing so, I don't have any valuable data on the machine, and I never claim that any password is as effective as a ssh key.

Btw, I am also one of the "lucky" people who managed to get hacked by ssh brute-forcing. The password was as "random" as it can get, but the attacker just got lucky (he didn't get root, though, just my user password, so I could mitigate the damage). After that I installed fail2ban, but I still don't keep anything valuable on that machine...

>>> However, *then* you have to take into account the fact that,
>>> similarly,
>>> the odds of a given machine being compromised by a man-in-the-middle
>>> attack combined with cryptanalysis of the stream cipher, is *also*
>>> overwhelmed by the probability of a break-in via an exploit in the
>>> software it's running. I mean, do you think I'm incorrect about that?

Are you basically saying that this is a premature optimization problem? If I understand your argument correctly, some attack vectors are much more probable than others, so guarding against a low-probability attack vector is superfluous, given that there are more probable ones still unguarded. Is that what you are saying here?

If yes, let me stress --- the premature optimization issue is *void* in a security-related context. The main guideline is rather the "cover all bases" principle. The fact that something is unlikely to happen does not mean you should not guard against it, if you can. You may find the pain/gain ratio too high sometimes, and you are welcome to ignore some obvious security holes for the sake of convenience if you like, but you cannot argue that low-probability holes are safe to ignore *in* *principle*. That is where the cover-all-bases always wins over avoiding premature optimization.

>> The archives of this list already had the information about SELinux
>> contained in this thread. Not to mention the clear and easily
>> accessible documentation from the upstream vendor linked to from the
>> CentOS website.
> Well every one of the thousands of features and functions of Linux is
> indexed by Google on the web *somewhere* :) The question is whether
> you'll get pointed to it if you ask for help.

No, this is not the right question. SELinux is enabled by *default* in CentOS, and for a good reason. You had to make a conscious choice to disable it, and if you are a security-aware admin, you should have *first* got yourself educated on what you will lose if you do so. So you were already pointed to SELinux (and iptables and some other stuff) by the very fact that you installed CentOS. The real question is why did you disable SELinux without looking at the documentation or asking on this list whether it is useful for you?

If you are ignorant about security software to begin with, you have no right to bitch about relevant information not being available at your glance.

> I didn't doubt that SELinux or iptables both do what they say they do,
> or that they reduce the risk of a break-in. My point was that other
> pieces of "lore" (like "ssh keys reduce the chance of a break-in more
> than 12-char passwords") have the potential to become part of "folk
> wisdom" despite not having been tested directly and despite not actually
> making any difference.

It's not folk wisdom. The probability of someone guessing your password is nonzero (regardless of how small). The probability of someone "guessing" your ssh key is still much smaller than that. There is an extremely big difference there. Both methods can be considered "reasonably safe", and at the same time "not completely safe", but one *can* compare *relative* safeness, and conclude that keys are much safer than passwords. Why do you think people invented keys in the first place? Because they were too stupid to see that a good password is "good enough"? I doubt.

Again, it is the c
[CentOS] No eth0 on centos 6.2
Just installed centos 6.2. I run an ifconfig -a and I see em1, em2 and lo interfaces. If I go to /etc/sysconfig/network-scripts, I don't see an ifcfg-eth0. If I run ifup eth0 it comes back with "Device eth0 does not seem to be present, delaying initialization". Anybody have a clue? Thanks in advance.
[CentOS] A simplistic parental-control setup
I am looking at the simplest (implementation-wise) solution to the following problem (on CentOS 6.2):

I have a list of web addresses (like http://www.example.com, https://1.2.3.4/, etc.) that should be "forbidden" to access from a particular host. On access attempt, the browser should be redirected to a local web page (file on the hard disk) with the explanation that those addresses are forbidden. The possible ways of disallowed access include:

* typing www.example.com or http://1.2.3.4/ in the browser
* typing www.example.com/anyfolder/somefile.html in the browser
* clicking on www.example.com when listed as a link on some other web site (say, Google search results)
* nothing else.

The last point above assumes that the users will never try any other method of accessing the site. These users' knowledge about computers in general is known to be elementary, so I don't need protection against geniuses who can figure out some obscure way to circumvent the lockdown (and please don't tell me that this is an irrational assumption, I know it is...).

If possible, all this should be on a "per user" basis, but if implementing it system-wide would be much simpler, I could live with it. :-)

The point is that I need a simple, easy-to-implement, easy-to-configure and easy-to-maintain solution for this particular usecase. What I don't need is some over-engineered solution that covers my usecase along with a whole bunch of stuff I will never need, and takes two months to configure properly. It should also be F/OSS, preferably included in CentOS repos or elsewhere.

Or alternatively I could go along with manually setting up a bogus httpd/dns/iptables configuration which would do all this, but I have a feeling that it would not be the easiest thing to maintain...

I'd appreciate any suggestions. :-)

Best, :-)
Marko
Re: [CentOS] ASP running on a Linux Machine
On 1/4/2012 12:30 AM, Jonathan Vomacka wrote:
> this wasn't possible without a program like ChiliASP,

...which is now dead, apparently.

> now I heard rumor that apache might have a plugin to allow it to read ASP.

Rumor, really? I don't think open source works like that. We're not talking about an Apple product. :)

You may have heard about Apache::ASP (apache-asp.org). Once installed, it allows Apache to work like IIS with classic ASP. There is one key difference, however: it's based on Perl, rather than VBScript. You will have to rewrite all your code to make use of it.

I wouldn't say that's the biggest problem with Apache::ASP, though. Being forced to rewrite VBScript in Perl is more of a feature than a problem, in my oh-so-humble opinion. :)

The real problem with Apache::ASP is that it's semi-abandonware. The web pages are still up, the software still works, but it hasn't gotten a new feature in years, and even bug fixes are few and far between.
[CentOS] fail2ban won't die
If I lose my broadband connection here (Italy), and try to re-boot the computer (CentOS-6.2), the shutdown hangs at fail2ban. Normally there is no problem re-booting; it only happens if the network has gone down. It may just be an extraordinarily long timeout.

Has anyone experienced this? And is there anything one can do about it?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
Re: [CentOS] A simplistic parental-control setup
On Wednesday 04 January 2012 18:04:43 Frank Cox wrote:
> On Wed, 04 Jan 2012 23:58:17 + Marko Vojinovic wrote:
>> The point is that I need a simple, easy-to-implement, easy-to-configure
>> and easy-to-maintain solution for this particular usecase.
>
> Put the disallowed addresses into your /etc/hosts file and associate those
> addresses with whatever you want them to resolve to.

Hmm... that sure looks simple enough. :-) I'll give it a try, thanks!

Best, :-)
Marko
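Frank's /etc/hosts approach works for the name-based forms in Marko's list but silently does nothing for the `https://1.2.3.4/` form, because the hosts file only changes name resolution and an IP literal is never looked up. The following Python is an added example, not code from this thread: it turns a list of forbidden addresses in the forms Marko listed into unique `127.0.0.1 name` lines and reports the IP-literal entries separately so they are not assumed blocked. It assumes a local web server on 127.0.0.1 serves the explanation page; the sample input is constructed from the forms in the question.

```python
"""Turn a list of forbidden web addresses into /etc/hosts entries.

Added example, not from the thread, following Frank's /etc/hosts
suggestion.  Each blocked name is pointed at 127.0.0.1 so a local web
server can serve the explanation page (assumption: something listens
there).  Addresses given as bare IPs, such as https://1.2.3.4/, are
reported separately because the hosts file only affects name lookups and
cannot intercept them.
"""
import ipaddress
from urllib.parse import urlsplit

REDIRECT_IP = "127.0.0.1"   # assumed: local httpd serving the 'forbidden' page


def hostname_of(address):
    """Host part of 'www.example.com', 'www.example.com/dir/file.html' or
    'https://1.2.3.4/'; None if nothing host-like can be found."""
    text = address.strip()
    if "://" not in text:
        text = "//" + text        # scheme-relative form so urlsplit sees a host
    host = urlsplit(text).hostname
    return host.lower() if host else None


def is_ip_literal(host):
    """True for dotted IPv4 or IPv6 text, which /etc/hosts cannot redirect."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_blocklist(addresses):
    """Return (hosts_lines, unblockable).  hosts_lines are unique
    '127.0.0.1 name' entries; unblockable lists the IP-literal inputs."""
    names, unblockable = [], []
    for addr in addresses:
        host = hostname_of(addr)
        if host is None:
            continue
        if is_ip_literal(host):
            unblockable.append(addr.strip())
        elif host not in names:
            names.append(host)
    return [f"{REDIRECT_IP} {name}" for name in names], unblockable


# Constructed sample, mirroring the forms listed in the question.
FORBIDDEN = [
    "http://www.example.com",
    "https://1.2.3.4/",
    "www.example.com/anyfolder/somefile.html",
    "Example.ORG",
]

if __name__ == "__main__":
    lines, skipped = build_blocklist(FORBIDDEN)
    print("\n".join(lines))
    for addr in skipped:
        print(f"# cannot be blocked via /etc/hosts (IP literal): {addr}")
```

Two further limits to keep in mind when appending the output to /etc/hosts: the mapping is system-wide, not per user, and a name must be listed exactly (`example.com` and `www.example.com` are separate entries). For https:// names the browser will reach the local server but complain about the certificate before showing the page, so the explanation page is really only reachable cleanly over plain http.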
Re: [CentOS] No eth0 on centos 6.2
On 01/04/2012 06:52 PM, Jeff wrote:
> Just installed centos 6.2. I run and ifconfig -a I see and em1
> em2 and lo interface. If I go to /etc/sysconfig/network-scripts,
> I don't see an ifcfg-eth0. If I run ifup eth0 it comes back
> with "Device eth0 does not seem to be present, delaying
> initialization". Anybody have a clue? Thanks in advance.

The names of the devices are starting to change. The 'emX' are likely your interfaces. If you check you should have ifcfg-emX files.

If you would like to rename them, you can follow this;

https://alteeve.com/w/Changing_the_ethX_to_Ethernet_Device_Mapping_in_EL6_and_Fedora_12%2B

That talks about change eth0 <-> eth1, but it can just as easily be em0 <-> eth0.

--
Digimer
E-Mail: digi...@alteeve.com
Freenode handle: digimer
Papers and Projects: http://alteeve.com
Node Assassin: http://nodeassassin.org
"omg my singularity battery is dead again. stupid hawking radiation." - epitron
Re: [CentOS] A simplistic parental-control setup
On 01/05/2012 12:58 AM, Marko Vojinovic wrote:
> I am looking at the simplest (implementation-wise) solution to the following
> problem (on CentOS 6.2):
>
> I have a list of web addresses (like http://www.example.com, https://1.2.3.4/,
> etc.) that should be "forbidden" to access from a particular host. On access
> attempt, the browser should be redirected to a local web page (file on the
> hard disk) with the explanation that those addresses are forbidden. The possible
> ways of disallowed access include:
>
> * typing www.example.com or http://1.2.3.4/ in the browser
> * typing www.example.com/anyfolder/somefile.html in the browser
> * clicking on www.example.com when listed as a link on some other web site
> (say, Google search results)
> * nothing else.
>
> The last point above assumes that the users will never try any other method of
> accessing the site. These user's knowledge about computers in general is known
> to be elementary, so I don't need protection against geniouses who can figure
> out some obscure way to circumvent the lockdown (and please don't tell me that
> this is an irrational assumption, I know it is...).
>
> If possible, all this should be on a "per user" basis, but if implementing it
> system-wide would be much simpler, I could live with it. :-)
>
> The point is that I need a simple, easy-to-implement, easy-to-configure and
> easy-to-maintain solution for this particular usecase. What I don't need is
> some over-engineered solution that covers my usecase along with a whole bunch
> of stuff I will never need, and takes two months to configure properly. It
> should also be F/OSS, preferably included in CentOS repos or elsewhere.
>
> Or alternatively I could go along with manually setting up a bogus
> httpd/dns/iptables configuration which would do all this, but I have a feeling
> that it would not be the easiest thing to maintain...
>
> I'd appreciate any suggestions. :-)

There is squidguard in RepoForge repository. It's a plugin for squid. There is also dansguardian.

If you use separate firewall box, you can use ClearOS, it has dansguardian set up.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] No eth0 on centos 6.2
I simply decided to set onboot to yes, bootproto to static, and assign an address. Thank you!
[CentOS] dhcp lease-time
Why is the default lease-time set to only 10 minutes (600 seconds) in /etc/dhcp/dhcpd.conf (CentOS-6.2) as distributed? Why is it not set to a much longer time? Is there any disadvantage in doing that? Or conversely, is a short lease-time safer in some way?

--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
Re: [CentOS] sa-update error with perl
>> The only hints I can find seem to suggest to remove
>> perl-IO-Socket-INET6, but trying to do so using yum (I don't
>> want to start using another method of package management)
>> tells me that spamassassin is a dependency and will also be
>> removed - obviously undesirable.
> If you really want to remove it, use rpm instead.
> rpm -e --nodeps perl-IO-Socket-INET6
> But it will annoy you at every update...

That was my fear... I'm wondering why this crept up again, since all my packages are completely up to date according to yum.

>>>
>>> yum only does what we tell it to do.
>>
>> I told it to update all my packages. :-)
>>
>>> It is possible that you have a package installed that is not from the
>>> CentOS repos, etc.
>>>
>>> If people add external repositories, it is very easy to get conflicts.
>>
>> I do have rpmforge as a repo in order to get a thing or two that
>> CentOS does not offer. How can I diagnose if this is the problem?
>> Here's a list of perl packages according to rpm -qa; are the ".rf"
>> ones from rpmforge? I think most of those are requirements for the
>> amavisd-new package.
>>
>
> .rf? is from RepoForge (ex-RPMForge).
>
> You might need to use priorities and set RepoForge lower than SA repo.
> Maybe you will need to downgrade a few packages.

Hmm, OK, prioritize CentOS repo over RepoForge, then will yum update figure out the rest? I don't see any priority settings in my yum conf files... I'll have to read up on that.
Interestingly, I get this:

rpm -q --whatrequires perl-IO-Socket-INET6
no package requires perl-IO-Socket-INET6

However,

yum remove perl-IO-Socket-INET6
Loaded plugins: fastestmirror
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package perl-IO-Socket-INET6.noarch 0:2.51-2.fc6 set to be erased
--> Processing Dependency: perl(IO::Socket::INET6) for package: spamassassin
--> Running transaction check
---> Package spamassassin.i386 0:3.3.1-2.el5 set to be erased
--> Processing Dependency: perl(Mail::SpamAssassin) for package: amavisd-new
--> Running transaction check
---> Package amavisd-new.i386 0:2.6.6-1.el5.rf set to be erased
--> Finished Dependency Resolution

Dependencies Resolved

==
Package                 Arch     Version          Repository   Size
==
Removing:
perl-IO-Socket-INET6    noarch   2.51-2.fc6       installed    22 k
Removing for dependencies:
amavisd-new             i386     2.6.6-1.el5.rf   installed    2.7 M
spamassassin            i386     3.3.1-2.el5      installed    3.1 M

Transaction Summary
==
Remove       3 Package(s)
Reinstall    0 Package(s)
Downgrade    0 Package(s)

Is this ok [y/N]: n
Exiting on user Command

> There is "Perl package problems" thread on this list from ~20 days
> ago.
> Read it for more info.

OK I'll go try to find it
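The discrepancy above has a simple cause: `rpm -q --whatrequires` matches a capability string literally, and spamassassin requires the virtual capability perl(IO::Socket::INET6), not the package name. The script below is an added example, not from the thread; it asks the reverse-dependency question for every capability a package provides (package and capability names come from the thread; the rpm calls are only run where rpm exists).

```shell
#!/bin/sh
# Added example (not from the thread): why "rpm -q --whatrequires
# perl-IO-Socket-INET6" says nothing needs the package while yum still wants
# to remove spamassassin with it. --whatrequires matches a capability string
# literally; spamassassin depends on the virtual capability
# perl(IO::Socket::INET6), which the package *provides*, not on the package
# name. So the question has to be asked for every capability the package
# provides. On a host without rpm only the parsing helper is exercised.

# provides_caps < "rpm -q --provides PKG" output: print bare capability
# names (drop "= version" / ">= version" parts and duplicates).
provides_caps() {
    awk '!seen[$1]++ { print $1 }'
}

# whatrequires_all PKG: print "capability<TAB>requiring-package" for every
# installed package that depends on any capability PKG provides.
whatrequires_all() {
    rpm -q --provides "$1" | provides_caps | while IFS= read -r cap; do
        rpm -q --whatrequires "$cap" --qf '%{NAME}\n' 2>/dev/null |
            grep -v '^no package requires' |
            awk -v cap="$cap" '{ print cap "\t" $0 }'
    done
}

# Each package yum listed under "Removing for dependencies" is a reverse
# dependency of a capability one level up; walking the chain by hand shows
# the same perl(IO::Socket::INET6) -> spamassassin -> amavisd-new path.
if command -v rpm >/dev/null 2>&1; then
    whatrequires_all "${1:-perl-IO-Socket-INET6}"
fi
```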
Re: [CentOS] an actual hacked machine, in a preserved state
On 1/4/2012 1:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is peripheral.]
>
> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>> To be absolutely clear: Do you, personally, believe there is more than a
>> 1 in a million chance that the attacker who got into my machine, got it
>> by brute-forcing the password? As opposed to, say, using an underground
>> exploit?
>
> Here's how I see it breaking down:
>
> 1.) Attacker uses apache remote exploit (or other means) to obtain
> your /etc/shadow file (not a remote shell, just GET the file without
> that fact being logged);
> 2.) Attacker runs cloud-based (and/or CUDA accelerated) brute-forcer
> on 10,000,000 machines against your /etc/shadow file without your
> knowledge;
> 3.) Some time passes;
> 4.) Attacker obtains your password using distributed brute forcing of
> the hash in the window of time prior to you resetting it;
> 5.) Attacker logs in since you allow password login. You're pwned by
> a non-login brute-force attack.
>
> In contrast, with ssh keys and no password logins allowed:
>
> 1.) Attacker obtains /etc/shadow and cracks your password after some
> time;
> 2.) Attacker additionally obtains /root/.ssh/*
> 3.) Attacker now has your public key. Good for them; public keys
> don't have to be kept secure since it is vastly more difficult to
> reverse known plaintext, known ciphertext, and the public key into a
> working private key than it is to brute-force the /etc/shadow hash
> (part of the difficulty is getting all three required components to
> successfully reverse your private key; the other part boils down to
> factoring and hash brute-forcing);
> 4.) Attacker also has root's public and private keys, if there is a
> pair in root's ~/.ssh, which may or may not help them. If there's a
> passphrase on the private key, it's quite difficult to obtain that
> from the key;
> 5.) Attacker can't leverage either your public key or root's key pair
> (or the machine key; even if they can leverage that to do MitM (which
> they can and likely will) that doesn't help them obtain your private
> key for authentication;
> 6.) Attacker still can't get in because you don't allow password
> login, even though attacker has root's password.
>
> This only requires an apache httpd exploit that allows reading of any
> file; no files have to be modified and no shells have to be acquired
> through any exploits. Those make it faster, for sure; but even then
> the attacker is going to acquire your /etc/shadow as one of the first
> things they do; the next thing they're going to do is install a
> rootkit with a backdoor password.
>
> Brute-forcing by hash-cracking, not by attempting to login over ssh,
> is what I'm talking about.

I acknowledged that the first time I replied to someone's post saying a 12-char password wasn't secure enough. I hypothesized an attacker with the fastest GPU-driven password cracker in the world (even allowing for 100-factor improvements in coming years) and it would still take centuries to break. I understand about brute-forcing the hash vs. brute-forcing the login, but some others had posted about brute-forcing the login specifically and I was commenting on how ridiculous that was.

> This is what I mean when I say 'multilayer metasploit-driven attacks.'
>
> The weakest link is the security of /etc/shadow on the server for
> password auth (unless you use a different auth method on your server,
> like LDAP or other, but that just adds a layer, making the attacker
> work harder to get that all-important password). Key based auth is
> superior, since the attacker reading any file on your server cannot
> compromise the security.
>
> Kerberos is better still.
>
> Now, the weakest link for key auth is the private key itself. But
> it's better protected than any password is (if someone can swipe your
> private key off of your workstation you have bigger problems, and they
> will have your /etc/shadow for your workstation, and probably a
> backdoor.). The passphrase is also better protected than the
> typical MD5 hash password, too.
>
> It is the consensus of the security community that key-based
> authentication with strong private key passphrases is better than any
> password-only authentication, and that consensus is based on facts
> derived from evidence of actual break-ins.

Well yes, on average, password-authentication is going to be worse because it includes people in the sample who are using passwords like "Patricia". Did they compare the break-in rate for systems with 12-char passwords vs. systems with keys?

I have nothing in particular against ssh keys - how could anybody be "against ssh keys"? :) My point was that when I asked "How did attackers probably get in, given that the password was a random 12-character string?" people pounced on the fact that I was using a password at all, and kept insisting that that had a non-trivial likelihood of being
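The whole key-only argument in the exchange above rests on "you don't allow password login" actually being true in sshd_config. The checker below is an added example, not from the thread; it reads the file the way sshd does (first value of a keyword wins, keywords are case-insensitive, several keywords default to yes when absent) and reports the settings that would still let a cracked password be used. Only the "Keyword value" form is handled; the rarer "Keyword=value" form is an assumption left out of scope.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an sshd_config really gives
# the "no password login" posture discussed above. Three sshd parsing rules
# trip people up: the FIRST value of a keyword wins (later duplicates are
# ignored), keywords are case-insensitive, and PasswordAuthentication,
# ChallengeResponseAuthentication and PermitRootLogin all default to "yes"
# when absent (CentOS 6 era OpenSSH). Only "Keyword value" lines are parsed.

# sshd_effective FILE KEYWORD DEFAULT
# Print (lower-cased) the value sshd would use for KEYWORD in the global
# section: first match wins, comments and blanks are skipped, parsing stops
# at the first Match block (its settings are conditional), DEFAULT if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print tolower($2); found = 1; exit }
        END                         { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting; return 0 only when
# password logins (including PAM keyboard-interactive) are off, public keys
# are on, and root cannot log in with a password.
audit_sshd() {
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    ci=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    root=$(sshd_effective "$1" PermitRootLogin yes)
    [ "$pw" = no ] || { echo "PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$ci" = no ] || { echo "ChallengeResponseAuthentication is '$ci' (want no; PAM can still ask for a password)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    case $root in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '$root' (want no or without-password)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the hardening line was appended below an earlier "yes",
# so sshd ignores it. This is exactly the mistake the audit is meant to catch.
demo=$(mktemp)
cat >"$demo" <<'EOF'
# sshd_config (constructed sample)
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin without-password
PasswordAuthentication no
EOF
audit_sshd "$demo" || echo "password logins are still possible with this file"
rm -f "$demo"
```

Run it against the real file with a one-line wrapper (`audit_sshd /etc/ssh/sshd_config`) after a change and before `service sshd reload`; `sshd -T` can be used to cross-check the values on systems whose OpenSSH supports it.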
Re: [CentOS] c6, LSI megaraid drive failure notification
On 12/22/11 1:32 PM, Craig White wrote:
> On Dec 22, 2011, at 1:12 PM, John R Pierce wrote:
>
>> i'm configuring a storage server with CentOS 6.2, it uses a LSI MegaRAID
>> SAS controller, I'm using LSI's megacli to configure the storage...
>> Any ideas on how to get drive failure notifications out of this
>> system? I'm configuring hot spares but I'd still like some sort of
>> notification when a drive has failed so the spare can be replaced.
>
> don't know how to do it on CentOS but on Ubuntu, I use megaclisas-status
> package which goes hand in hand with megacli and it sends notifications.
>
> If you want, I can e-mail you the megaclisas-status script from /usr/sbin and
> beyond that, there's a sysv initscript that periodically checks and sends an
> e-mail. Simple enough.

not having much luck locating that megaclisas-status script

http://hwraid.le-vert.net/wiki/LSIMegaRAIDSAS talks about it, but the source is nowhere to be found

I found this, which looks moderately interesting, but I'm not a python programmer

http://windowsmasher.wordpress.com/2011/08/15/using-megacli-to-monitor-openfiler-rev2/

--
john r pierce                            N 37, W 122
santa cruz ca                            mid-left coast
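For readers in the same position, here is an added example (not the megaclisas-status script the thread refers to, and not from the poster): a small cron-able check that parses MegaCli's physical-drive listing and mails when a drive is failed, unconfigured or logging predictive failures. The MegaCli path and the field names "Enclosure Device ID", "Slot Number", "Predictive Failure Count" and "Firmware state" are assumptions about what `MegaCli -PDList -aALL` prints; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not the megaclisas-status script from the thread): a small
# cron-able failed-drive check on top of MegaCli's physical-drive listing.
# The MegaCli path and the field names "Enclosure Device ID", "Slot Number",
# "Predictive Failure Count" and "Firmware state" are assumptions about what
# `MegaCli -PDList -aALL` prints; confirm them against your own output.

MEGACLI=${MEGACLI:-/opt/MegaRAID/MegaCli/MegaCli64}   # assumed install path
MAILTO=${MAILTO:-root}

# pd_problems < PDList output: print "enclosure:slot state (predictive
# failures: N)" for every drive that is neither Online nor a Hotspare (so
# Failed, Offline and Unconfigured drives are all reported) or that has
# started logging predictive failures. Only the leading state word is judged,
# so a healthy drive that is merely "Spun down" is left alone.
pd_problems() {
    awk -F': *' '
        $1 == "Enclosure Device ID"      { enc = $2 }
        $1 == "Slot Number"              { slot = $2 }
        $1 == "Predictive Failure Count" { pfc = $2 + 0 }
        $1 == "Firmware state" {
            if ($2 !~ /^(Online|Hotspare)/ || pfc > 0)
                printf "%s:%s %s (predictive failures: %d)\n", enc, slot, $2, pfc
            pfc = 0
        }'
}

# sample_pdlist: constructed PDList excerpt (four drives, one failed, one with
# predictive failures) so the parser can be tried on a box without the card.
sample_pdlist() {
    cat <<'EOF'
Enclosure Device ID: 252
Slot Number: 0
Predictive Failure Count: 0
Firmware state: Online, Spun Up

Enclosure Device ID: 252
Slot Number: 1
Predictive Failure Count: 0
Firmware state: Failed

Enclosure Device ID: 252
Slot Number: 2
Predictive Failure Count: 2
Firmware state: Online, Spun Up

Enclosure Device ID: 252
Slot Number: 3
Predictive Failure Count: 0
Firmware state: Hotspare, Spun down
EOF
}

# run_check: query the controller, mail and print any problems, and return 1
# so a cron wrapper or monitoring hook can see that attention is needed.
run_check() {
    out=$("$MEGACLI" -PDList -aALL | pd_problems)
    [ -n "$out" ] || return 0
    printf 'MegaRAID drive problems on %s:\n%s\n' "$(hostname)" "$out" |
        mail -s "MegaRAID alert on $(hostname)" "$MAILTO"
    printf '%s\n' "$out"
    return 1
}

if [ -x "$MEGACLI" ]; then
    run_check
else
    sample_pdlist | pd_problems    # demo on the constructed sample
fi
```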
Re: [CentOS] an actual hacked machine, in a preserved state
On 1/4/2012 3:01 PM, Marko Vojinovic wrote:
> On Wednesday 04 January 2012 11:58:07 Bennett Haselton wrote:
>> If *everyone* used a 12-char random password, then the odds are that
>> *none* of the 10 million machines attacking 100 million servers would
>> hit on a success, not when there are 10^21 possible passwords to choose
>> from.
> It is too naive to identify the statement "something has very low probability"
> with the statement "it will not happen".
>
> There are processes in nature that have 1 / 10^21 (or any other) probability
> of happening, but they are detected to actually happen every couple of seconds
> or so (hint: ask any nuclear physicist).

That's because they are observing quantities of particles on the order of 10^21, so the odds of the event occurring are realistic. (Recall Avogadro's number is 6 x 10^23, the number of particles in one mole of a substance.)

> In a security-related context, relying on low probability is always a risk
> (regardless of how small), and it should be avoided if feasible. IOW, chances
> of "10^ to one" are *infinitely* bigger than zero.
> Proof --- divide that number by zero to find out how many times it is bigger.
> ;-)
>
> You should never rely on any probability count if you have critical security
> concerns. Yes, I also use a strong password rather than ssh key (mostly for
> the same reason you do --- convenience), but I understand the risk of doing
> so, I don't have any valuable data on the machine, and I never claim that any
> password is as effective as a ssh key.

Well as I've said it depends on how literally you mean "as effective". If your password is strong enough that there's only a 1 in 10^10 chance of it being broken by an attacker in the next year, then if an alternative method reduces that chance to 1 in 10^20, you could do that, but I wouldn't bother.

Again, I would have been perfectly happy to use ssh keys -- it would have been less work to switch to ssh keys than to write all the messages defending 12-char passwords :) The reason I wrote all those messages about 12-char passwords was not because I wanted to avoid switching to ssh keys. It was because I wanted some alternative suggestions for how an attacker could have gotten in, given that the chance of brute-forcing the password (even if the attacker had obtained the password hash) was so astronomically small!

> Btw, I am also one of the "lucky" people who managed to get hacked by ssh
> brute-forcing. The password was as "random" as it can get, but the attacker
> just got lucky

Not sure what you mean by "as random as it can get", but -- I can write this in my sleep by now -- if you have a 12-character password, with 10^21 possibilities to search from, the odds of an attacker getting "lucky" and guessing it are less probable than you being hit by a meteorite tomorrow. I can absolutely guarantee you that either the password was shorter and less random, or else the attacker got it some other way (possibly your machine got infected with malware that captured your password and uploaded it to a botnet).

> (he didn't get root, though, just my user password, so I could
> mitigate the damage). After that I installed fail2ban, but I still don't keep
> anything valuable on that machine...
>
> However, *then* you have to take into account the fact that, similarly, the
> odds of a given machine being compromised by a man-in-the-middle attack
> combined with cryptanalysis of the stream cipher, is *also* overwhelmed by the
> probability of a break-in via an exploit in the software it's running. I mean,
> do you think I'm incorrect about that?
>
> Are you basically saying that this is a premature optimization problem? If I
> understand your argument correctly, some attack vectors are much more probable
> than others, so guarding against a low-probability attack vector is
> superfluous, given that there are more probable ones still unguarded. Is that
> what you are saying here?
>
> If yes, let me stress --- the premature optimization issue is *void* in a
> security-related context. The main guideline is rather the "cover all bases"
> principle. The fact that something is unlikely to happen does not mean you
> should not guard against it, if you can. You may find the pain/gain ratio too
> high sometimes, and you are welcome to ignore some obvious security holes for
> the sake of convenience if you like, but you cannot argue that low-probability
> holes are safe to ignore *in* *principle*. That is where the cover-all-bases
> always wins over avoiding premature optimization.

It depends on what you mean by "low probability". As I said, if it's less likely than being hit with a meteor, I don't care.

>>> The archives of this list already had the information about SELinux
>>> contained in this thread. Not to mention the clear and easily
>>> accessible documentation from the upstream vendor linked to from the
>>> CentOS website.
>> Well every one of the thousand
Re: [CentOS] No eth0 on centos 6.2
On Wed, Jan 04, 2012 at 07:22:11PM -0500, Digimer wrote:
> On 01/04/2012 06:52 PM, Jeff wrote:
>> Just installed centos 6.2. I run ifconfig -a and I see em1,
>> em2 and lo interfaces. If I go to /etc/sysconfig/network-scripts,
>> I don't see an ifcfg-eth0. If I run ifup eth0 it comes back
>> with "Device eth0 does not seem to be present, delaying
>> initialization". Anybody have a clue? Thanks in advance.
>
> The names of the devices are starting to change. The 'emX' are likely
> your interfaces. If you check you should have ifcfg-emX files. If you
> would like to rename them, you can follow this;
>

Not sure about RH 6.x, but in Fedora 16 and up, one also should remove the biosdevname package (rpm -e biosdevname) if they want to go back to the ethX naming scheme.

http://fedoraproject.org/wiki/Features/ConsistentNetworkDeviceNaming
and
http://fedoraproject.org/wiki/Talk:Features/ConsistentNetworkDeviceNaming

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Buffy: I didn't jump to conclusions. I took a small step, and conclusions there were.
Re: [CentOS] Cannot use kickstart file to install CentOS 6.2 into a blank harddisk
On 2012/1/4 08:25 PM, lee_yiu_ch...@yahoo.com wrote:
> I am trying to use a kickstart file to install CentOS 6.2 into a new virtual
> machine (the MBR sector of the harddisk is all zero), however I found that
> the installer cannot go through the harddisk partition. It failed after I
> chose "Use All Space" at harddisk partition option.
> The error message is:
> http://anony.ws/i/bMcTJ.png
>
> "You have not defined a root partition (/), which is required for
> installation of CentOS to continue.
> You have not created a /boot/efi partition (note: I am using BIOS, not (U)EFI)
> This can happen if there is not enough space on your harddrive(s) for
> installation."
>
> However, if I create a blank MBR partition table before CentOS
> installation, then there is no problem. The same kickstart file works for
> CentOS 6.1 with blank harddisk (with url parameter changed of course).
>
> Below is the kickstart file I used (between dash lines)
>
> ---
> url --url="http://ftp.twaren.net/Linux/CentOS/6.2/os/i386/"
> interactive
> timezone Asia/Hong_Kong
> firstboot --enable
> ---
>
> Steps to reproduce:
> 1. create a new virtual machine with blank harddisk image (or, a real blank
>    harddisk)
> 2. boot the netinstall iso
> 3. at boot menu, press tab and append ks= and press enter to boot
> 4. go through the boot option as usual until harddisk partition options
> 5. Choose "Use All Space" at harddisk partition options
> 6. error occurs

I just tested with the equivalent upstream version, and confirmed the same bug occurred in upstream. I opened a bugzilla ticket for this.

https://bugzilla.redhat.com/show_bug.cgi?id=771806
Re: [CentOS] phpmyadmin issue
Greetings,

On Wed, Jan 4, 2012 at 7:32 PM, John Doe wrote:
> From: Rajagopal Swaminathan
>
>> I just did add ::1
>> Still forbidden :-(
>
> Just in case: did you restart apache...?
>

of course, yes

--
Regards,
Rajagopal
Re: [CentOS] Centos 6.X compatible to ORACLE DB version????
At 2012-01-04 Wed 09:53 -0600, Johnny Hughes wrote:
> On 01/04/2012 04:29 AM, Christopher J. Buckley wrote:
>> 2012/1/4 An Yang
>>
>>> Somebody in Oracle told me, they need one year to test, I'm not sure,
>>> it's true or not.
>>>
>> That's about right. The testing isn't done by Oracle btw, it's done by the
>> end vendor.
>>
>>
> The "end vendor" submitted the information to Oracle months ago:
>
> http://www.redhat.com/about/news/blog/Red-Hat-Submits-Oracle-11gR2-on-Red-Hat-Enterprise-Linux-6-Certification-Test-Results-to-Oracle
>

Great! "end vendor" people said, Consequently, we confidently recommend the deployment of Oracle 11gR2 in Red Hat Enterprise Linux 6 production environments today.

> Oracle does not want to support ASMLib on any kernel other than OEL (or
> UBL if you prefer):
>
> https://www.redhat.com/archives/rhelv6-list/2011-December/msg00032.html
>
> The bottom line is that Oracle IS going to try to drive people to their
> version of Linux and off RHEL.
>
> But I know, I am just being paranoid or some other such thing. Right
> Christopher?
Re: [CentOS] Centos 6.X compatible to ORACLE DB version????
2012/1/5 An Yang:
> Great!
> "end vendor" people said, Consequently, we confidently recommend the
> deployment of Oracle 11gR2 in Red Hat Enterprise Linux 6 production
> environments today.

Your database support agreement is not with "the end vendor" but with the database software supplier, and as far as they are concerned, it is not certified and they are under no obligation to support you.