[CentOS] cloning a server
Hi, I have a centos 5 (current) mail server that I have compiled dovecot/postfix and installed some packages like mysql etc. These packages have been configured and changed to my liking. How can I now save all this and install it on another server without having to do all the work of compiling installing and configuring the same applications. Is it possible to burn this server image into multiple DVD's make it bootable and then install on another server.

Basically I want to clone this server and make it easy to install on another similar hardware server without having to install centos and then manually installing/configuring dovecot/postfix/mysql etc. Not sure if I can create a bootable ISO that will install on new servers or what my options are. I would appreciate any suggestions.

Paul

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] cloning a server
I guess what I was asking for is to take an already configured server and put it on multiple CDs/DVDs and then use that to install on another server.

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Corey A Johnson
Sent: Thursday, January 20, 2011 3:50 PM
To: CentOS mailing list
Subject: Re: [CentOS] cloning a server

PA wrote:
>
> Hi, I have a centos 5 (current) mail server that I have compiled
> dovecot/postfix and installed some packages like mysql etc. These
> packages have been configured and changed to my liking. How can I now
> save all this and install it on another server without having to do
> all the work of compiling installing and configuring the same
> applications. Is it possible to burn this server image into multiple
> DVD's make it bootable and then install on another server.
>
> Basically I want to clone this server and make it easy to install on
> another similar hardware server without having to install centos and
> then manually installing/configuring dovecot/postfix/mysql etc. Not
> sure if I can create a bootable ISO that will install on new servers
> or what my options are. I would appreciate any suggestions.
>
> Paul
>

We use Clonezilla for this sort of thing.

http://www.clonezilla.org/

Have had decent success with this.
[CentOS] dictionary attacks
Hi, hoping someone can help me a little with this one. I have 2 mail servers, the incoming mail server runs dovecot and the outgoing mail server runs postfix with sasl.

Lately I noticed a lot of spammers are running dictionary attacks on my incoming server and then using that user/password for sasl on the outgoing server. The weird thing is I never see on the logs the guessed username/password. I always see the ones they can't guess.

For example: Looking at the logs I see the following dictionary attack from 94.242.206.37

Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
.
And so on..

Then that IP gets banned by fail2ban

[r...@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban 94.242.206.37

However on my outgoing mail server that IP is already sending out all sorts of spam with the sasl username of Paramus. This username Paramus never shows up on the dovecot dictionary attack log, as a matter of fact the user Paramus is nowhere to be found on the dovecot log at all and I have logs going back months.

/var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
/var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus

Does anyone have any idea what could have happened here? I mean if the user/passwd was already harvested by 94.242.206.37 why would they bother to start another dict. attack? I'm just not sure how they guess the username/password as it's not on any logs that go back months and I don't have a dovecot fail record for that user on the logs. This is the case all the time for me and it happens with other IPs.

Any help would be appreciated.

paul
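An added example (not part of the original post): a small log correlation for the situation described above, flagging any IP that is both guessing usernames against dovecot and authenticating to the postfix relay with a working SASL account. The function names and the min_failures threshold are assumptions; the sample lines are partly copied from the post and partly constructed.

```python
import re
from collections import defaultdict

# Sample input: the abaft/aaron/aarhus and paramus lines are copied from the
# post; the 198.51.100.7 and 203.0.113.5 lines are constructed.
DOVECOT_LOG = """\
Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
Nov 10 09:12:01 pop dovecot: auth(default): shadow(nosuch,198.51.100.7): unknown user
"""
POSTFIX_LOG = """\
Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
Nov 10 08:00:00 mrelay3 postfix/smtpd[100]: ABCDEF0123: client=host.example[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
"""

UNKNOWN_USER = re.compile(
    r"dovecot: auth\(\w+\): \w+\(([^,\s]+),([0-9A-Fa-f.:]+)\): unknown user")
SASL_LOGIN = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=\S*\[([0-9A-Fa-f.:]+)\], "
    r"sasl_method=\w+, sasl_username=(\S+)")

def users_by_ip(pattern, log, ip_group, user_group):
    """Map remote IP -> set of lower-cased usernames matched by pattern."""
    seen = defaultdict(set)
    for m in pattern.finditer(log):
        seen[m.group(ip_group)].add(m.group(user_group).lower())
    return seen

def suspicious_relay_logins(dovecot_log, postfix_log, min_failures=3):
    """Report IPs that guess names at dovecot and also pass SASL on the relay."""
    failed = users_by_ip(UNKNOWN_USER, dovecot_log, 2, 1)
    findings = {}
    for ip, users in users_by_ip(SASL_LOGIN, postfix_log, 1, 2).items():
        guesses = failed.get(ip, set())
        if len(guesses) >= min_failures:
            findings[ip] = {
                "sasl_users": sorted(users),  # accounts to lock and reset
                "failed_guesses": len(guesses),
                # SASL accounts with no failed dovecot attempt from this IP
                "never_guessed": sorted(users - guesses),
            }
    return findings

if __name__ == "__main__":
    for ip, info in suspicious_relay_logins(DOVECOT_LOG, POSTFIX_LOG).items():
        print(ip, info)
```

Accounts listed under sasl_users are the ones to disable and reset; a non-empty never_guessed list means the credential does not appear among that IP's failed guesses in the dovecot log.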
Re: [CentOS] dictionary attacks
John, I figured that the user's computer was compromised and the user/password was obtained that way but then again I'm baffled as to why they would start a dictionary attack on the server if they already have the user/pass combo. I was just worried that something else happened here that I was unaware of.

From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John Hinton
Sent: Wednesday, November 10, 2010 6:27 PM
To: CentOS mailing list
Subject: Re: [CentOS] dictionary attacks

On 11/10/2010 6:10 PM, PA wrote:

> Hi, hoping someone can help me a little with this one. I have 2 mail servers, the incoming mail server runs dovecot and the outgoing mail server runs postfix with sasl.
>
> Lately I noticed a lot of spammers are running dictionary attacks on my incoming server and then using that user/password for sasl on the outgoing server. The weird thing is I never see on the logs the guessed username/password. I always see the ones they can't guess.
>
> For example: Looking at the logs I see the following dictionary attack from 94.242.206.37
>
> Nov 10 03:04:38 pop dovecot: pop3-login: Disconnected: rip=94.242.206.37, lip=209.213.66.10
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): lookup
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): lookup
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(abaft,94.242.206.37): unknown user
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(aarhus,94.242.206.37): unknown user
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): lookup
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(aaron,94.242.206.37): unknown user
> Nov 10 03:04:38 pop dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3lip=209.213.66.10 rip=94.242.206.37 resp=
> Nov 10 03:04:38 pop dovecot: auth(default): shadow(ababa,94.242.206.37): lookup
> .
> And so on..
>
> Then that IP gets banned by fail2ban
>
> [r...@pop ~]# grep 94.242.206.37 /var/log/fail2ban.log
> 2010-11-10 03:04:42,416 fail2ban.actions: WARNING [dovecot] Ban 94.242.206.37
>
> However on my outgoing mail server that IP is already sending out all sorts of spam with the sasl username of Paramus. This username Paramus never shows up on the dovecot dictionary attack log, as a matter of fact the user Paramus is nowhere to be found on the dovecot log at all and I have logs going back months.
>
> /var/log/maillog:Nov 10 02:46:16 mrelay3 postfix/smtpd[27776]: 3B64928015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
> /var/log/maillog:Nov 10 02:47:54 mrelay3 postfix/smtpd[27776]: 247AB28016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
> /var/log/maillog:Nov 10 02:48:00 mrelay3 postfix/smtpd[27785]: 87DE128016: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
> /var/log/maillog:Nov 10 02:56:00 mrelay3 postfix/smtpd[27792]: 9728628015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
> /var/log/maillog:Nov 10 03:05:38 mrelay3 postfix/smtpd[27808]: D529F28015: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=paramus
> /var/log/maillog:Nov 10 03:06:00 mrelay3 postfix/smtpd[27808]: DDF7C2801B: client=unknown[94.242.206.37], sasl_method=LOGIN, sasl_username=Paramus
>
> Does anyone have any idea what could have happened here? I mean if the user/passwd was already harvested by 94.242.206.37 why would they bother to start another dict. attack? I'm just not sure how they guess the username/password as it's not on any logs that go back months and I don't have a dovecot fail record for that user on the logs. This is the case all the time for me and it happens with other IPs.
>
> Any help would be appreciated.
>
> paul

Yeah... isn't this fun? I'm using Fail2Ban for the same reasons. Off the top of my head, perhaps the user paramus, assuming they actually use your server for email, may have a trojan on their comp recording keystrokes and sending them to the bad boy. Many of the latest viruses are very good at this, getting FTP logins as well to help spread their malware onto web pages. I believe most of these are totally automated processes, with just a bit of blackhat input. As they had your server address anyway, I'd bet it just made it onto the bot list to do dictionary attacks as well. Sort of dumb wh