Tim Dunphy writes:
> Hey guys,
>
> I need to give the 'nobody' user (which is what our apache runs as) no
> password access to a file, via sudo. This is what I've tried:
In addition to all other comments so far, 'nobody' is a bad choice for
httpd. If this is your distro's default, it's a bad
Our cluster was supplied with two IBM DS3400 RAID arrays connected with
fibre channel. Both are old and one is failing so we bought an IBM
V3700 to replace it. The V3700 complained that we were using the IBM's
RDAC driver (true) and we were advised to change to using Linux
multipath. I've done t
On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
>
> On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
>> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev wrote:
>>>
>>> Sounds so I almost have to feel shame for securing my boxes no
>>> matter what job vendor did ;-)
>>
>> Yes, comput
This is probably covered in many places, but my Google-fu is failing.
I have an existing office of Windows computers, in a domain, with a
couple of Windows Server 2012 AD servers. I need to add a file server,
so I'd prefer to use CentOS 7 and Samba to do it (because I know very
little about Windo
Although you can choose this in the installer, aren't the provided values
supposed to be the default?
I tried the following
inst.repo=hd:/dev/sdb1:/repo
Result: /dev/sdb1 is not mounted.
inst.repo=nfs:[fc00::6009]:/home/auser/repo
Result: NFS is not mounted even though the correct IP is set by passin
On 2015-02-04, James B. Byrne wrote:
>
> One might question why *nix distributions insist on providing a known
> point of attack to begin with. Why does user 0 have to be called
> root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0 still exists, and
On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams wrote:
> This is probably covered in many places, but my Google-fu is failing.
>
> I have an existing office of Windows computers, in a domain, with a
> couple of Windows Server 2012 AD servers. I need to add a file server,
> so I'd prefer to use CentO
Once upon a time, Les Mikesell said:
> On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams wrote:
> > I have an existing office of Windows computers, in a domain, with a
> > couple of Windows Server 2012 AD servers. I need to add a file server,
> > so I'd prefer to use CentOS 7 and Samba to do it (beca
On Wed, February 4, 2015 9:17 am, James B. Byrne wrote:
>
> On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
>>
>> On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
>>> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev wrote:
Sounds so I almost have to feel shame for securin
On Wed, Feb 4, 2015 at 10:24 AM, Chris Adams wrote:
> Once upon a time, Les Mikesell said:
>> On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams wrote:
>> > I have an existing office of Windows computers, in a domain, with a
>> > couple of Windows Server 2012 AD servers. I need to add a file server,
On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
> On 2015-02-04, James B. Byrne wrote:
> >
> > One might question why *nix distributions insist on providing a known
> > point of attack to begin with. Why does user 0 have to be called
> > root? Why not beatlebailey, cinnamon or pasd
On 02/04/2015 10:17 AM, James B. Byrne wrote:
I had a friend, now deceased, who worked as an RCA colour TV
technician when he was very young. In the 1950s he would be sent to
the homes of people having trouble adjusting the colour settings on
their new RCA's. That was system administration then
On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
> On 2015-02-04, James B. Byrne wrote:
>> One might question why *nix distributions insist on providing a known
>> point of attack to begin with. Why does user 0 have to be called root?
>> Why not beatlebailey, cinnamon or pasdecharge?
>
> That is
On Wed, February 4, 2015 10:35 am, Scott Robbins wrote:
> On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
>> On 2015-02-04, James B. Byrne wrote:
>> >
>> > One might question why *nix distributions insist on providing a known
>> > point of attack to begin with. Why does user 0 have
On 02/04/2015 08:05 AM, Chris Adams wrote:
This is probably covered in many places, but my Google-fu is failing.
Samba's documentation/howto is here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
As others have mentioned, authconfig will take care of some of those
steps for
Hi,
I'm currently experimenting with CentOS 7 in order to get a grasp of
everything that's new.
After having read the FAQ entry on network interface names, I decided to
revert to the traditional interface naming scheme by adding the
relevant kernel options to the bootloader. This went well,
On 02/04/15 22:53, Niki Kovacs wrote:
Hi,
I'm currently experimenting with CentOS 7 in order to get a grasp of
everything that's new.
After having read the FAQ entry on network interface names, I decided
to revert to the traditional interface naming scheme by adding the
relevant kernel opt
On Wed, Feb 4, 2015 at 11:20 AM, Gordon Messmer wrote:
> >
>> This is probably covered in many places, but my Google-fu is failing.
>
>
> Samba's documentation/howto is here:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> As others have mentioned, authconfig will take care o
On Wed, Feb 4, 2015 at 11:23 AM, Niki Kovacs wrote:
> Hi,
>
> I'm currently experimenting with CentOS 7 in order to get a grasp of
> everything that's new.
>
> After having read the FAQ entry on network interface names, I decided to
> revert to the traditional interface naming scheme by adding th
On 04/02/2015 18:48, m.r...@5-cent.us wrote:
That directory, and that file, exist in CentOS, also, since 6. And the new
naming... it's *so* much easier to deal with... yeah, right, I'll run the
install, and wait till it hangs, so I can see that the NIC is named, what
was it, on that HP last mo
On 2/4/2015 6:02 AM, Rushton Martin wrote:
OS is CentOS 5.3 (yes, I know - upgrade)
At least patch CentOS 5. 5.3 is a snapshot from 6 years ago (2009);
there have been 6 years of updates to CentOS 5 since that point, both
security and bug fixes. `yum update` would bring you up to CentOS the
On 02/03/2015 03:44 PM, Always Learning wrote:
There should be a basic defence that when the password is wrong 'n'
occasions the IP address is blocked automatically and permanently
unless it is specifically allowed in IP Tables.
As has been mentioned, fail2ban does this.
However, the reason y
On 02/04/2015 02:08 PM, Lamar Owen wrote:
3.) Attacker uses a large graphics card's GPU power, harnessed with
CUDA or similar, to run millions of bruteforce attempts per second on
the exfiltrated /etc/shadow, on their computer (not yours).
4.) After a few hours, attacker has your password (or
On 2015-02-04, Valeri Galtsev wrote:
> On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
>> On 2015-02-04, James B. Byrne wrote:
[SNIP]
>> (Users with sudo can still get a root shell, but that's
>> not the same as logging in as root.)
>>
>> I thought Ubuntu did this as well, but I haven
> On Feb 4, 2015, at 10:04 AM, Valeri Galtsev wrote:
>
> Wikipedia is really vague on the date MacOS 10 was first shipped
It depends on what you mean by “shipped.”
The first OS X product released into the market was OS X Server 1.0, in March
1999:
http://en.wikipedia.org/wiki/Mac_OS_X_Serve
On Wed, 2015-02-04 at 14:08 -0500, Lamar Owen wrote:
> However, the reason you want a password that is not easily bruteforced
> has nothing to do with this, and all bruteforce attempts cannot be
> blocked by this method.
Thanks for your well-explained concerns. You make good sense.
Just count
On Wed, 2015-02-04 at 14:16 -0500, Lamar Owen wrote:
> Oh, and the program to do this can be found very easily. It's called
> 'John the Ripper' and has GPU support available:
> http://openwall.info/wiki/john/GPU
> https://en.wikipedia.org/wiki/John_the_ripper
>
> Again, the real bruteforce dan
> On Feb 4, 2015, at 8:17 AM, James B. Byrne wrote:
>
> I had a friend, now deceased, who worked as an RCA colour TV
> technician when he was very young. In the 1950s he would be sent to
> the homes of people having trouble adjusting the colour settings on
> their new RCA's. That was system adm
> On Feb 4, 2015, at 12:16 PM, Lamar Owen wrote:
>
> Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by
> a security vulnerability
Unless you have misconfigured your system, anyone who can copy /etc/shadow
already has root privileges. They don’t need to crack your pa
On Wed, February 4, 2015 3:55 pm, Warren Young wrote:
>> On Feb 4, 2015, at 12:16 PM, Lamar Owen wrote:
>>
>> Again, the real bruteforce danger is when your /etc/shadow is
>> exfiltrated by a security vulnerability
>
> Unless you have misconfigured your system, anyone who can copy /etc/shadow
> a
On 02/04/2015 04:55 PM, Warren Young wrote:
Unless you have misconfigured your system, anyone who can copy
/etc/shadow already has root privileges. They don’t need to crack your
passwords now. You’re already boned.
Not exactly.
There have been remotely exploitable vulnerabilities where an ar
On 04.02.2015 at 15:02, Rushton Martin wrote:
Our cluster was supplied with two IBM DS3400 RAID arrays connected with
fibre channel. Both are old and one is failing so we bought an IBM
V3700 to replace it. The V3700 complained that we were using the IBM's
RDAC driver (true) and we were advised
> On Feb 4, 2015, at 3:16 PM, Lamar Owen wrote:
>
> On 02/04/2015 04:55 PM, Warren Young wrote:
>> Unless you have misconfigured your system, anyone who can copy /etc/shadow
>> already has root privileges. They don’t need to crack your passwords now.
>> You’re already boned.
>
> Not exactly.
I just had a peek at the anaconda source for Fedora 21. Apparently
you can waive the password strength tests (and the non-ASCII tests) by
simply clicking "Done" twice.
def _checkPasswordASCII(self, inputcheck):
"""Set an error message if the password contains non-ASCII characters.
> On Feb 4, 2015, at 3:56 PM, Kahlil Hodgson wrote:
>
> I just had a peek at the anaconda source for Fedora 21.
This change isn’t in a released version of Fedora yet:
https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
The change will probably be in Fedora 22, and it’s
On Wed, Feb 4, 2015 at 4:55 PM, Warren Young wrote:
>>>
>> There have been remotely exploitable vulnerabilities where an arbitrary file
>> could be read
>
> CVEs, please?
>
> I’m aware of vulnerabilities that allow a remote read of arbitrary files that
> are readable by the exploited process’s u
> On Feb 4, 2015, at 4:14 PM, Les Mikesell wrote:
>
> Not exactly - it just becomes a question of whether the complexity
> requirements imposed by the installer are really worth much against
> the pre-hashed lists that would be used to match up the shadow
> contents.
Rainbow tables don’t help ag
On Wed, 2015-02-04 at 14:55 -0700, Warren Young wrote:
> > On Feb 4, 2015, at 12:16 PM, Lamar Owen wrote:
> >
> > Again, the real bruteforce danger is when your /etc/shadow is exfiltrated
> > by a security vulnerability
>
> Unless you have misconfigured your system, anyone who can copy /etc/sh
On 5 February 2015 at 10:53, Always Learning wrote:
> On C6, the default is:-
>
> -- 1 root root 854 Mar 13 2014 shadow
Even better if you have SELinux enabled
--. root root system_u:object_r:shadow_t:s0/etc/shadow
> On Feb 4, 2015, at 4:53 PM, Always Learning wrote:
>
> On C5 the default appears to be:-
>
> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
Nope:
# rpm -q --dump setup|grep shadow
/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
/etc/shadow 0 13299
On 2/4/2015 4:04 PM, Warren Young wrote:
# rpm -q --dump setup|grep shadow
/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
/etc/shadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
This says it should be mode 400, as it is here on
On 5 February 2015 at 10:36, Warren Young wrote:
> When the hashes are properly salted, the only option is brute force. All
> having /etc/shadow does for you is let you make billions of guesses per
> second instead of 5 guesses per minute, as you get with proper throttling on
> remote login av
> On Feb 4, 2015, at 4:14 PM, Les Mikesell wrote:
>
> On Wed, Feb 4, 2015 at 4:55 PM, Warren Young wrote:
>> Most such vulns are against Apache, PHP, etc, which do not run as root.
>
> Those are common. Combine them with anything called a 'local
> privilege escalation' vulnerability and
> On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson wrote:
>
> On 5 February 2015 at 10:36, Warren Young wrote:
>> When the hashes are properly salted, the only option is brute force. All
>> having /etc/shadow does for you is let you make billions of guesses per
>> second instead of 5 guesses per
> On Feb 4, 2015, at 5:43 PM, Warren Young wrote:
>
> SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this
> calculator assumes
Hmm, just thought of a counterattack:
If CentOS’s SSH currently allows 10 guesses per minute *per IP*, all you need
to do to get 1,000 guesses pe
On Wed, 2015-02-04 at 17:50 -0700, Warren Young wrote:
> > On Feb 4, 2015, at 5:43 PM, Warren Young wrote:
> >
> > SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this
> > calculator assumes
>
> Hmm, just thought of a counterattack:
>
> If CentOS’s SSH currently allows 10
While this discussion has been very interesting, I would like to
encourage participants to be very careful about disclosing the
specifics of their own security efforts. While it is good to discuss the
pros and cons of strategies, disclosing the details of the exact
strategies that you use, no matter how
On Thu, Feb 05, 2015 at 09:56:30AM +1100, Kahlil Hodgson wrote:
> I just had a peek at the anaconda source for Fedora 21. Apparently
> you can waive the password strength tests (and the non-ASCII tests) by
> simply clicking "Done" twice.
That's correct for Fedora 21. The inability to waive the r
> On Feb 4, 2015, at 5:55 PM, Always Learning wrote:
>
> On Wed, 2015-02-04 at 17:50 -0700, Warren Young wrote:
>
>>> rent time on a 6,000 machine botnet.
>
> Rent ? That costs money. Just crack open some Windoze machines and do
> it for free. That is what many hackers do.
Acquiring your own
On 5 February 2015 at 12:09, Scott Robbins wrote:
> On Thu, Feb 05, 2015 at 09:56:30AM +1100, Kahlil Hodgson wrote:
>> I just had a peek at the anaconda source for Fedora 21. Apparently
>> you can waive the password strength tests (and the non-ASCII tests) by
>> simply clicking "Done" twice.
>
>
On Wed, 2015-02-04 at 18:14 -0700, Warren Young wrote:
> Nothing is free. Just as with my analogy with safes, we’re not
> talking about absolute security. We just need to make an attack
> *costly enough* that it will never succeed, if we do our part. (Like
> not saying chmod 644 /etc/shadow !
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young wrote:
>
>>> Most such vulns are against Apache, PHP, etc, which do not run as root.
>>
>> Those are common. Combine them with anything called a 'local
>> privilege escalation' vulnerability and you've got a remote root
>> exploit.
>
> Not quite. An
> On Feb 4, 2015, at 7:23 PM, Les Mikesell wrote:
>
> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young wrote:
>>
>> An LPE can only be used against your system by logged-in users.
>
> Or any running program - like a web server.
That’s not what LPE means. “L” = “local”, meaning you are logged-in
On Wed, Feb 4, 2015 at 8:43 PM, Warren Young wrote:
>> On Feb 4, 2015, at 7:23 PM, Les Mikesell wrote:
>>
>> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young wrote:
>>>
>>> An LPE can only be used against your system by logged-in users.
>>
>> Or any running program - like a web server.
>
> That’s no
On 02/02/2015 03:15 PM, Tim wrote:
What are you exactly searching for?
Sounds like he is doing a network install, and is looking for the network
path that must be supplied in order to do the install. If he doesn't have
a local repository, then he has to supply the first part of the path (e.g
On 2015-02-04, Valeri Galtsev wrote:
>
> I'm neutral to sudo (even though I was taught "the smaller number of
> SUID/SGID files you have, the better"). Yet, I'm considering it less safe
> to have regular user who can log in with GUI interface, and likely to be
> doing regular user stuff to have alm