Re: [CentOS] IPMI/BMC/BIOS

2015-07-06 Thread Peter Kjellstrom
On Thu, 2 Jul 2015 10:11:09 + (UTC)
Chris Olson  wrote:

... 
> My initial recommendation was to use a totally separate network for
> any service processors

+1 for this. We typically put all management ports for a
'system/project' on a sep. non-routed eth. segment to which only the,
for the 'system/project', designated management servers can connect.

It is probably a good idea to consider random ethernet connected
'things' as soft security wise and not suitable for the big bad
internet...

As for bios/firmware on servers the best one can do is to use
non-deprecated hardware from responsible vendors and keep up to date
with their sec. info and update promptly when required.

/Peter
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] ntpd new version

2015-07-06 Thread Vijendra Agarwal (vijagarw)
Hi All,
Currently CentOS site contains the below version of ntpd.
ntp-4.2.6p5-3.el6.centos.x86_64.rpm
 :- 16 mar 2015.

Does anybody have any information about when the new version of ntpd is 
expected to release containing new vulnerabilities fixes?

Thanks
Vijendra.


Re: [CentOS] ssh -X versus -Y

2015-07-06 Thread Liam O'Toole
On 2015-07-05, Gordon Messmer
 wrote:
> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>> One practical difference I have seen is the improved performance of
>> -Y over -X. I have long attributed that to the relaxation of security
>> controls in the former case.
>
> When and how did you measure that?
>
> The -Y change was introduced in Fedora Core 3, in November 2004.  The
> default was changed to ForwardX11Trusted=yes just a month or two
> later.  I'm not sure -X and -Y ever behaved differently on Enterprise
> Linux or CentOS.
>
> At this point, I don't think it's even possible to set
> ForwardX11Trusted=no any more.  The X SECURITY extension was replaced
> with "X Access Control Extension" several years ago.

The perceived difference was a general impression on my part, and not
measured scientifically. Moreover, it was formed years ago, and on a
variety of Linux systems. I concede that it may well be obsolete.

-- 

Liam




Re: [CentOS] ssh -X versus -Y

2015-07-06 Thread John Hodrien

On Mon, 6 Jul 2015, Liam O'Toole wrote:

> On 2015-07-05, Gordon Messmer wrote:
>> On 07/05/2015 04:51 AM, Liam O'Toole wrote:
>>
>> At this point, I don't think it's even possible to set
>> ForwardX11Trusted=no any more.  The X SECURITY extension was replaced
>> with "X Access Control Extension" several years ago.
>
> The perceived difference was a general impression on my part, and not
> measured scientifically. Moreover, it was formed years ago, and on a
> variety of Linux systems. I concede that it may well be obsolete.


EL6:

ssh -X -o ForwardX11Trusted=no somehost xterm


X Error of failed request:  BadAccess (attempt to access private resource 
denied)

ssh -Y -o ForwardX11Trusted=no somehost xterm


All well.

ssh -X -o ForwardX11Trusted=yes somehost xterm


All well (unsurprising really, seeing as it means the same thing).

-X/-Y/ForwardX11Trusted still do exactly what they've always done, no?

You're trusting the remote host to not misbehave if you use -Y or
ForwardX11Trusted=yes since at the very least you're opening up a fairly large
information leakage to the remote host.  That's fine if you do trust it, but
it really isn't if you don't, surely?

jh
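
Added example, not part of the original thread: a POSIX shell audit of an ssh_config-style file for the options tested above, flagging where ForwardX11Trusted makes -X behave like -Y. The sample configuration is constructed, and the host pattern legacy-*.example is made up.

```sh
#!/bin/sh
# Added example, not from the thread: report where an ssh_config-style file
# turns on X11 forwarding, and whether it is the trusted (-Y) kind.
# Blocks are reported independently; ssh itself uses the first value it
# obtains for an option, so an earlier block overrides a later "Host *".

audit_x11_forwarding() {   # $1 = path to an ssh_config-style file
    awk '
    function report() {
        if (fwd > 0 && trusted > 0)
            print scope ": every session forwards X11, trusted (like -Y)"
        else if (trusted > 0)
            print scope ": -X silently behaves like -Y"
        else if (fwd > 0)
            print scope ": every session forwards X11, untrusted (like -X)"
        fwd = -1; trusted = -1            # -1 = not set in this block
    }
    BEGIN { scope = "(global)"; fwd = -1; trusted = -1 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        # "Keyword value" and "Keyword=value" are both valid; keywords
        # are case-insensitive.
        if (!match(line, /^[^ \t=]+/)) next
        key = tolower(substr(line, 1, RLENGTH))
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        if (key == "host" || key == "match") { report(); scope = key " " val; next }
        if (key == "forwardx11" && fwd < 0)            fwd = (tolower(val) == "yes")
        if (key == "forwardx11trusted" && trusted < 0) trusted = (tolower(val) == "yes")
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration ("somehost" as in the thread; the other
# host pattern is made up).
x11_audit_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Host somehost
    ForwardX11 yes
    ForwardX11Trusted no

Host legacy-*.example
    ForwardX11=yes
    ForwardX11Trusted=yes

Host *
    ForwardX11Trusted yes
EOF
    audit_x11_forwarding "$tmp"
    rm -f "$tmp"
}

x11_audit_demo
```

Run it against ~/.ssh/config and /etc/ssh/ssh_config; a finding on "host *" applies to every host that no earlier block covers.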


Re: [CentOS] ntpd new version

2015-07-06 Thread Ned Slider


On 06/07/15 12:04, Vijendra Agarwal (vijagarw) wrote:
> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm
>  :- 16 mar 2015.
> 
> Does anybody have any information about when the new version of ntpd is 
> expected to release containing new vulnerabilities fixes?
> 
> Thanks
> Vijendra.


That is the current version for el6.

What new vulnerabilities?



[CentOS] Centos 7 Server Forgets IPv6 Address On Reboot

2015-07-06 Thread Dave Cross
My Centos 7 server has started to forget its IPv6 address on a reboot.
This causes problems with services being unable to start up.

It's easy enough to fix each time (ip addr add ...), but it would be
nice to be able to convince it to retain that information. Presumably,
there's a file somewhere under /etc/sysconfig that should contain this
information - does anyone know where it should be stored?

Thanks,

Dave...

-- 
Dave Cross :: d...@dave.org.uk
http://dave.org.uk/
@davorg


Re: [CentOS] ntpd new version

2015-07-06 Thread Jonathan Billings
On Mon, Jul 06, 2015 at 11:04:25AM +, Vijendra Agarwal (vijagarw) wrote:
>
> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm
>  :- 16 mar 2015.
> 
> Does anybody have any information about when the new version of ntpd is 
> expected to release containing new vulnerabilities fixes?

If you're talking about this:

http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

Then you'd probably be best tracking the RHEL CVE entry:

https://access.redhat.com/security/cve/CVE-2015-5146

which is currently marked as **RESERVED**.  It's marked as "Low"
impact.

-- 
Jonathan Billings 


Re: [CentOS] Centos 7 Server Forgets IPv6 Address On Reboot

2015-07-06 Thread Chris Murphy
On Mon, Jul 6, 2015 at 8:36 AM, Dave Cross  wrote:
> My Centos 7 server has started to forget its IPv6 address on a reboot.
> This causes problems with services being unable to start up.
>
> It's easy enough to fix each time (ip addr add ...), but it would be
> nice to be able to convince it to retain that information. Presumably,
> there's a file somewhere under /etc/sysconfig that should contain this
> information - does anyone know where it should be stored?

I'd look at nmcli and see why the connection is not persistent.

-- 
Chris Murphy


Re: [CentOS] Centos 7 Server Forgets IPv6 Address On Reboot

2015-07-06 Thread Gordon Messmer

On 07/06/2015 07:36 AM, Dave Cross wrote:
> Presumably,
> there's a file somewhere under /etc/sysconfig that should contain this
> information - does anyone know where it should be stored?


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html


Re: [CentOS] ssh -X versus -Y

2015-07-06 Thread Gordon Messmer

On 07/06/2015 04:31 AM, John Hodrien wrote:
> EL6:
>
> ssh -X -o ForwardX11Trusted=no somehost xterm
>
> X Error of failed request:  BadAccess (attempt to access private
> resource denied)


Interesting.  On Fedora 22, "-o ForwardX11Trusted=no" seems to have no 
effect.  Copy and paste work normally with gnome-terminal, so I'm 
certain that X SECURITY isn't available and doesn't affect the application.



[CentOS] Prompt for chrooted users

2015-07-06 Thread James B. Byrne
We have a requirement to allow ssh access to a server in order to
provide a secure link to one of our legacy systems.  I would like to
chroot these accounts.

I have this working except for one small detail, the user's prompt in
the ssh session.  Each user has their shell set to /bin/bash in
/etc/passwd.  However, instead of getting the prompt defined in their
.bash_profiles we see this:

-bash-4.1$

when we are expecting this:

[username@hostname dir]$

So, before I go messing around moving files I would like some information
from you as to what I have overlooked.  Do I need to move something
like etc/passwd and /etc/group into the chroot/etc?

TIA
-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] 7.1 install with Areca arc-1224

2015-07-06 Thread g


On 07/05/15 22:25, C Linus Hicks wrote:
<>

> Ran the check again, same thing. Took that DVD back to the machine I
> burned it on, downloaded the MD5SUM from one of the mirrors and checked
> the file I downloaded. That checks. Used cmp to compare the .iso file to
> the image on the DVD, they match, the DVD is good. Hmm, what gives.
>
> Burned another DVD and verified the burned image matches the .iso file.
> Took the new DVD to the machine I'm doing the install on and ran the
> check again. OMG, it did the same thing at 76.2%.
>
> Now I'm thinking, wait, it says "Failed to start media check" is that a
> poorly worded message or does it really mean what it says?

you might try verifying that system you are getting error message on
has a good cd/dvd drive.

burn another dvd at at least 4 speeds slower.

if runs ok, bad drive.

if still fails, bad drive.

another way you can check is to pull iso on system you are having
problem with and burn dvd.

if you get error, get a new drive.


-- 

peace out.

-+-
If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.
-+-

CentOS GNU/Linux 6.6

tc,hago.

g
.



Re: [CentOS] Prompt for chrooted users

2015-07-06 Thread m . roth
James B. Byrne wrote:
> We have a requirement to allow ssh access to a server in order to
> provide a secure link to one of our legacy systems.  I would like to
> chroot these accounts.
>
> I have this working except for one small detail, the user's prompt in
> the ssh session.  Each user has their shell set to /bin/bash in
> /etc/passwd.  However, instead of getting the prompt defined in their
> .bash_profiles we see this:
>
> -bash-4.1$
>
> when we are expecting this:
>
> [username@hostname dir]$
>
> So, before I go messing around moving files I would like some information
> from you as to what I have overlooked.  Do I need to move something
> like etc/passwd and /etc/group into the chroot/etc?

When ssh'ing into the chrooted directories, where's their /home/?
I'd set the prompt in ~/.bash_profile.

 mark



Re: [CentOS] ntpd new version

2015-07-06 Thread Brian Mathis
RedHat/CentOS does not upgrade packages based on version numbers.  Please
read https://access.redhat.com/security/updates/backporting  Understanding
this is essential to running a RedHat/CentOS server.


❧ Brian Mathis
@orev


On Mon, Jul 6, 2015 at 7:04 AM, Vijendra Agarwal (vijagarw) <
vijag...@cisco.com> wrote:

> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm<
> http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm>
> :- 16 mar 2015.
>
> Does anybody have any information about when the new version of ntpd is
> expected to release containing new vulnerabilities fixes?
>
> Thanks
> Vijendra.


Re: [CentOS] 7.1 install with Areca arc-1224

2015-07-06 Thread C Linus Hicks
On 07/06/15, g wrote:
> you might try verifying that system you are getting error message on
> has a good cd/dvd drive.
>
> burn another dvd at at least 4 speeds slower.
>
> if runs ok, bad drive.
>
> if still fails, bad drive.
>
> another way you can check is to pull iso on system you are having
> problem with and burn dvd.
>
> if you get error, get a new drive.

 Above quoted 

When I md5sum the DVD on the system I burned it on, it matches. When I md5sum 
it on another system, it matches. When I md5sum it on the system I am trying to 
install, it comes up with a different answer. I'm getting a new DVD drive.



Re: [CentOS] Prompt for chrooted users

2015-07-06 Thread Jonathan Billings
On Jul 6, 2015, at 2:49 PM, James B. Byrne  wrote:
> However, instead of getting the prompt defined in their
> .bash_profiles we see this:
> 
> -bash-4.1$
> 
> when we are expecting this:
> 
> [username@hostname dir]$
> 
> So, before I go messing around moving files I would like some information
> from you as to what I have overlooked.  Do I need to move something
> like etc/passwd and /etc/group into the chroot/etc?

This just means that your users don’t have a ~/.bashrc that sources
/etc/bashrc (either/both are missing), where the traditional $PS1 is set.

--
Jonathan Billings 




Re: [CentOS] ntpd new version

2015-07-06 Thread Jonathan Billings
On Jul 6, 2015, at 4:59 PM, Brian Mathis  
wrote:
> RedHat/CentOS does not upgrade packages based on version numbers.  Please
> read https://access.redhat.com/security/updates/backporting  Understanding
> this is essential to running a RedHat/CentOS server.

While this is true, the NTPd web site says the CVE  “...Affects: 4.2.5p3 up to, 
but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25”.  The 
version in RHEL6/CentOS6 is 4.2.6p5.  The fix will most likely be backported, 
though.

--
Jonathan Billings 
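
Added example, not part of the original thread: because fixes are backported, the package changelog rather than the upstream version number shows whether a build names a given CVE, and this POSIX shell sketch looks for it there. The changelog below is constructed, and the CVE-0000-* ids are placeholders; only CVE-2015-5146 and the 4.2.6p5-3 package come from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. On a live system the changelog comes from
#   rpm -q --changelog ntp
# Here it is read from a file so the check can run anywhere.

# cve_in_changelog CVE-ID < changelog
# Prints the version-release of every changelog entry that mentions the CVE,
# newest first; exit status 1 when no entry does.
cve_in_changelog() {
    awk -v cve="$1" '
    /^\* / { entry = $NF; next }     # entry header; last field is version-release
    {
        s = $0
        while ((i = index(s, cve)) > 0) {
            s = substr(s, i + length(cve))
            # Reject a longer id that merely starts with the one asked for.
            if (s !~ /^[0-9]/) {
                found = 1
                if (!(entry in seen)) { seen[entry] = 1; print entry }
            }
        }
    }
    END { exit(found ? 0 : 1) }
    '
}

# backport_report CHANGELOG-FILE CVE-ID...
backport_report() {
    changelog=$1; shift
    for id in "$@"; do
        if hits=$(cve_in_changelog "$id" < "$changelog"); then
            # Newest entries come first, so the last hit is the oldest build
            # whose changelog names the CVE.
            echo "$id: first mentioned in $(printf '%s\n' "$hits" | tail -n 1)"
        else
            echo "$id: no changelog entry"
        fi
    done
}

# Constructed changelog: the version-release strings follow the package named
# in the thread, the entries and the CVE-0000-* ids are placeholders.
backport_demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
* Tue Mar 10 2015 Example Packager <packager@example.invalid> 4.2.6p5-3
- constructed entry (CVE-0000-00011)
- constructed entry (CVE-0000-0002)

* Fri Dec 19 2014 Example Packager <packager@example.invalid> 4.2.6p5-2
- constructed entry (CVE-0000-0001)
EOF
    backport_report "$tmp" CVE-2015-5146 CVE-0000-0001 CVE-0000-0002
    rm -f "$tmp"
}

backport_demo
```

A missing entry only says the package changelog does not name the CVE; the Red Hat CVE page linked earlier in the thread remains the reference for whether a build is affected.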




Re: [CentOS] 7.1 install with Areca arc-1224

2015-07-06 Thread g


On 07/06/15 18:06, C Linus Hicks wrote:
>  On 07/06/15, g wrote:
>> you might try verifying that system you are getting error message on
>> has a good cd/dvd drive.
>>
>> burn another dvd at at least 4 speeds slower.
>>
>> if runs ok, bad drive.
>>
>> if still fails, bad drive.
>>
>> another way you can check is to pull iso on system you are having
>> problem with and burn dvd.
>>
>> if you get error, get a new drive.
>>
>  Above quoted 
>
> When I md5sum the DVD on the system I burned it on, it matches. When I
> md5sum it on another system, it matches. When I md5sum it on the system
> I am trying to install, it comes up with a different answer. I'm getting
> a new DVD drive.
.
wise decision.

optical drives do not fare well burning a lot of dvd's.

thru the years of dealing with cd/dvd burners, i have found the above
troubleshooting checks to prove out bad drives due to the increased
voltage needed for dvd burning shortens laser's life.

with low prices of optical drives today, it is almost worthwhile to
keep a usb optical drive around for when needed. ;-)


-- 

peace out.

-+-
If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.
-+-

CentOS GNU/Linux 6.6

tc,hago.

g
.



Re: [CentOS] 7.1 install with Areca arc-1224

2015-07-06 Thread John R Pierce

On 7/6/2015 6:11 PM, g wrote:
> optical drives do not fare well burning a lot of dvd's.
>
> thru the years of dealing with cd/dvd burners, i have found the above
> troubleshooting checks to prove out bad drives due to the increased
> voltage needed for dvd burning shortens laser's life.


good burners will burn many hundreds of DVD-R/+R before they conk, I 
know, I've done just that, and worn out a few drives :)


my experience is, find out what your drive's maximum CLV speed is, and
burn at that rather than let it spin up to the higher CAV speeds, and
your burns will be more reliable and work in more readers. most
later drives, that's 8X


now, it's been a few years since I've done a lot of disk burning, and my
current drives are all a couple years old.  my newer main PC has a
Lite-On iHBS112 in it, which is a blu-ray burner, although I've never
used that functionality (I have read a few dozen BD video disks).
specs on it say it burns DVD+/-R 16X CAV and 8X max by Zone CLV, so I'd
use it at 8X.  16X CAV reading is just fine.


the other thing that kills optical disks is fine dust collecting on the
lens assembly with age.  This dust is nearly invisible unless you use a
very high power magnifier and very bright oblique light, but very
carefully cleaning said laser lens can resurrect a flakey drive (treat
it like a fine camera lens, use an air puffer to blow off coarse dust,
then a clean soft camel hair brush very gently to clean it).  as the
drives are so cheap, it's hardly worth the effort of disassembly unless
your time is worthless.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Problems with Samba-based Home-Directory

2015-07-06 Thread Meikel

On 05.07.2015 at 21:13, Steven Tardy wrote:
> What is the upstream switch? If it is a Cisco switch does the configuration
> have `spanning-tree portfast` enabled?
> http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10553-12.html

It's a D-Link DGS-1210-16 Switch.


Re: [CentOS] Problems with Samba-based Home-Directory

2015-07-06 Thread Meikel

On 05.07.2015 at 20:52, Gordon Messmer wrote:
> On 07/05/2015 07:57 AM, Meikel wrote:
>> Jul  5 16:36:08 meikel-pc kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
>> Jul  5 16:36:23 meikel-pc kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
>>
>> It takes 15 seconds between the two messages until it becomes ready. I
>> have no idea why it first says that the link is not ready.
>
> It's probably autonegotiation of link speed.  I'm not sure why it'd
> take that long.  I'd think the most likely explanation would be a bad
> cable.  Could also be a flaky port on the switch, or a flaky Ethernet
> card. What brand is the local interface?


I'll check the cable (not clear how I can do that, probably using 
another cable and connecting to another outlet).




I think the local interface is directly integrated into the Intel 
Desktop Board DH87RL.


dmesg | grep eth
e1000e :00:19.0: eth0: registered PHC clock
e1000e :00:19.0: eth0: (PCI Express:2.5GT/s:Width x1) 00:22:4d:b0:e0:e1
e1000e :00:19.0: eth0: Intel(R) PRO/1000 Network Connection
e1000e :00:19.0: eth0: MAC: 11, PHY: 12, PBA No: FF-0FF
ADDRCONF(NETDEV_UP): eth0: link is not ready
e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
e1000e :00:19.0: eth0: 10/100 speed: disabling TSO
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
eth0: no IPv6 routers present

lspci | grep Ether
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection 
I217-V (rev 04)



It says that it has a speed of 10/100, but I definitely expect 1000 Mbps!



Re: [CentOS] Problems with Samba-based Home-Directory

2015-07-06 Thread Gordon Messmer

On 07/06/2015 10:00 PM, Meikel wrote:
> I'll check the cable (not clear how I can do that, probably using
> another cable and connecting to another outlet).


Use a different cable to the same switch port, first.  If you change 
both the cable and the switch port, you won't know if the problem was 
the cable or the switch port.


If the problem persists with a different cable, *then* try a different 
switch port.



> e1000e :00:19.0: eth0: Intel(R) PRO/1000 Network Connection
> e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
> ...
> It says that it has a speed of 10/100, but I definitely expect 1000 Mbps!


Yeah, the low link speed is no surprise given the long negotiation time.

Google-fu also turns up a suggestion that the switch doesn't negotiate 
properly in some cases, and that the problem can be resolved by 
disabling power saving mode on the switch, in its management interface.




Re: [CentOS] Replacing cpu

2015-07-06 Thread g


On 07/06/15 22:22, jd1008 wrote:
<<>>

> I plan to do both :)
> This is why I use AmEx.
> They fully refund for merchandise that does not work.
> They are able to extract that from the merchant.
> Don't ask me how :) They have done it for me before.

it is in the 'toa', 'terms of agreement'. credit card companies require
signing agreement before they will do any funds transactions. cyoa.

> But B 4 I resort to AmEX, I will first try Ebay problem
> resolution. Failing that, I will talk to AmEx.

go back to ebay page that you ordered from to see if there is ability
to make comment about seller.


-- 

peace out.

-+-
If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.
-+-

CentOS GNU/Linux 6.6

tc,hago.

g
.



Re: [CentOS] Replacing cpu

2015-07-06 Thread g


On 07/07/15 01:01, g wrote:
> On 07/06/15 22:22, jd1008 wrote:

ooppss.

my bad.

entered wrong address.


-- 

peace out.

-+-
If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.
-+-

CentOS GNU/Linux 6.6

tc,hago.

g
.
