Re: [CentOS-es] encolamiento de correo
Try sending a mail and watch what it answers you in the logs:

  tail -f /var/log/maillog

and paste it here.

Regards

On Wed, 30 Jan 2008 07:09:02 -0500, Edwin Aguilar wrote
> Dear all,
> Would someone be so kind as to point out the possible causes why mails get queued? I try to send mails to users of latinmail.com and the mail stays queued for 5 days, and then I get an error that the recipient was not found.
> I do:
>   telnet mx1.latinmail.com 25
> and it answers:
>   220 mx1.latinmail.com 8576 ltmta01 ESMTP
> What else do you recommend I try?
> Thanks in advance for your kind help.
> Edwin

-- Gino Alania Hurtado
Nitcom Labs (http://www.nitcom.com)

___ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
Re: [CentOS] Bonding two network cards
On Jan 30, 2008 3:35 AM, Joseph L. Casale [EMAIL PROTECTED] wrote:
>> Try the wiki: http://wiki.centos.org/TipsAndTricks/BondingInterfaces
> Is it ok to leave the hwaddress in the eth(n) files to make sure they are used explicitly as intended in the event other cards are added?

In my experience it is ok.

Regards, Tim

-- Tim Verhoeven - [EMAIL PROTECTED] - 0479 / 88 11 83
"Hoping the problem magically goes away by ignoring it is the microsoft approach to programming and should never be allowed." (Linus Torvalds)

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] How can i share my WAN ip to my LAN?
Hi; Thanks... I solved this problem also... thank you Alain... Here is my iptables -L result...

  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source     destination
  DROP       tcp  --  anywhere   192.168.10.13   tcp dpt:ssh
  DROP       tcp  --  anywhere   192.168.10.13   tcp dpt:ncube-lm

  Chain FORWARD (policy ACCEPT)
  target     prot opt source     destination
  ACCEPT     all  --  anywhere   anywhere

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source     destination

how can I change FORWARD policy to accepting only http, https?

Thanks for all... sincerely yours...

2008/1/29, Alain Spineux [EMAIL PROTECTED]:
> On Jan 28, 2008 8:45 AM, Tolun ARDAHANLI [EMAIL PROTECTED] wrote:
>> Hi guys; OK let me explain like this... We had a problem with our General network administration and our General network cant be managed so well (Cause of our IT manager is not so good about administration on our network). that is why i think that our department's users must be separated from General LAN (Cause of our General LAN affected our working performance). After that we separated our users to another subnet (192.168.1.xxx). Right now all of my departments member joined to our server (Centos5.1) and all of them joins to internet over our server... We solved the problem together if you read all mails in this subject... I think Only problem is that our members must not to reach server's internet side ip (192.168.10.13) am i right for that?
>
> 192.168.10.13 and 192.168.1.100 refer the same centos server! Right ? Then this is the default behavior for a linux to answer requests on one interface, even if the request is for one address on another interface.
>
>> and other question is about how can i stop the ssh service for the internet side ip (192.168.10.13)?
>
> 2 possibilities using iptables to reject/drop any packet coming from eth1 (or eth0)
>
>   iptables -t filter -A INPUT -p tcp -i eth1 --dport 22 -j DROP
>
> Or force sshd to bind only to the internal address, this is ListenAddress in sshd config: man sshd_config for more
>
> Regards.
>
>> I am not a network engineer... I am just a software engineer... I am trying to do our project on Linux systems... I cant focus so deeply on network administration... Only I can do your advise... not else... Cause I can't spent time for that (I want but I can't)..:( I hope that I explained it well...;)... thanks to all... sincerely yours...
>>
>> 2008/1/25, Alain Spineux [EMAIL PROTECTED]:
>>> On Jan 25, 2008 9:37 AM, Tolun ARDAHANLI [EMAIL PROTECTED] wrote:
>>>> Thank you for all really I solved the forward/ip sharing problem... But I see there is other problem with that like this; This is my network structure now;
>>>>   LAN (there are 3 machines): start ip: 192.168.1.10  end ip: 192.168.1.12
>>>>   gateway address of users: 192.168.1.100 (my server's LAN side ip address)
>>>>   LAN side Server ip: 192.168.1.100
>>>>   WAN (this ip comes from behind of switch. the switch is behind of firewall and firewall is behind of router):
>>>>   WAN side Server ip: 192.168.10.13
>>>>   gateway address of Server: 192.168.10.1
>>>> And here is the problem i think; The users from inside (LAN) can reach from server's WAN side ip (192.168.10.13) and they can ping it and they can take a services which is for LAN services (like ssh...etc). I agree that pinging from LAN to gateway address (192.168.10.1). But I cant agree that pinging to server's WAN address (192.168.10.13). Do I think wrong at this point? and last question is about how can I close/stop services for WAN side?
>>>
>>> I dont understand! WHO is (OR CANNOT) pinging 192.168.10.13 or can (OR CANNOT) access the service ? LAN or WAN ?
>>>
>>>> thanks to all of you... sincerely yours...
>>>>
>>>> 2008/1/24, Alain Spineux [EMAIL PROTECTED]:
>>>>> On Jan 24, 2008 5:42 AM, Alain Spineux [EMAIL PROTECTED] wrote:
>>>>>> On Jan 23, 2008 9:43 AM, Tolun ARDAHANLI [EMAIL PROTECTED] wrote:
>>>>>>> Hi again to everyone; Guys your mails are very nice... i liked all of them... let me give you about my system and my need (sorry for writing these late)... I've got an IBM x3650 server which is open 7d/24h. It has got 2 ethernet card. I would like to connect my LAN to WAN over this machine...
>>>>>>>   LAN (there are 3 machines): start ip: 192.168.10.10  end ip: 192.168.10.12
>>>>>>>   gateway address of users: 192.168.10.13 (my server's LAN side ip address)
>>>>>>>   LAN side Server ip: 192.168.10.13
Re: [CentOS] RHEL / CentOS Kernel Updates
On Jan 30, 2008 4:06 AM, Johnny Hughes [EMAIL PROTECTED] wrote:
> nate wrote:
>> Akemi Yagi wrote:
>>> I hope you are interested in contributing to the CentOS community by sharing your driver: https://projects.centos.org/trac/dasha/
>> Looks like that site is for source drivers, these drivers come from VMWare, and I'm not sure what their license is, nor do I know exactly what the build process is, I just take the resulting binaries, so I'm not really one that can submit the driver.
> open-vm-tools is also being developed for CentOS :D
> http://people.centos.org/~hughesjr/open-vm-tools/

I re-read the earlier post and realized that nate was talking about vmware tools, *not* the vmware modules for the host machine. Then I thought about referring to Johnny's open-vm-tools. Of course it is best to hear about it from him. Thanks Johnny!

Akemi
Re: [CentOS] RHEL / CentOS Kernel Updates
nate wrote:
> Akemi Yagi wrote:
>> I hope you are interested in contributing to the CentOS community by sharing your driver: https://projects.centos.org/trac/dasha/
> Looks like that site is for source drivers, these drivers come from VMWare, and I'm not sure what their license is, nor do I know exactly what the build process is, I just take the resulting binaries, so I'm not really one that can submit the driver.

open-vm-tools is also being developed for CentOS :D
http://people.centos.org/~hughesjr/open-vm-tools/
Re: [CentOS] Re: CentOS plus mysql server
Scott Silva wrote:
> It is currently only in CentOS 4 AFAIR.

Yes, it is part of the Red Hat Web Stack - which isn't available for version 5 (as that already has a mysql 5 and a php 5 and a more current perl version).

Ralph

PS: Scott, I do see that you sign your mails. Could you please put your public key on some sort of keyserver (like subkeys.pgp.net), so one can actually verify those signatures? Thanks.
Re: [CentOS] Problems to install java plugin in CentOS 5.1 x86_64
Sergio Belkin wrote:
> Hi! I've tried to install java plugin as is in http://www.howtoforge.com/installation-guide-centos5.1-desktop-p7 but with no success. All steps seems to go well, with no error messages, but Firefox says that there is no java plugin.

Are you using a 64bit version of CentOS? Then it won't work - Sun's java plugin only works on 32bit browsers. If you need it, you should install firefox.i386. If you already are on a 32bit system you should tell us a bit more of what you did :)

Cheers, Ralph
Re: [CentOS] Command limiting with SSH keys and password auth ...
On Tue, 29 Jan 2008, Ian wrote:
> Main problem I have is if you enter no command (simply ssh server) it also kicks you out, I'd like it to ask for a password if no command is given, and then if correct pass you onto a normal shell.

I've always used 2 sets of keys, one for the restriction, one without. Then on the invoking end alias/script/config shortcuts to ssh -i the right one.

Jim Wildman, CISSP, RHCE [EMAIL PROTECTED] http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
[CentOS] rsync and swapping
hi all,

I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with

  echo 1 > /proc/sys/vm/swappiness

I simply

  mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year

then

  rsync -a /home /mnt/backup/mon.day.year

This is approximately 102G of data.

Thanks for any suggestions.

Jerry
Re: [CentOS] Apache: User and Group
Jim Perrin wrote:
> If apache owns everything in that directory, then it can modify them. This can potentially be undesirable. Depending on what you're doing, you'll have to mix and match permissions as needed. Mostly apache just needs to be able to read stuff, so having root own it with 644 is fine. If you're using a CMS which allows folks to edit things via the webserver, then those will have to be owned by apache, or apache will otherwise need rights to modify them. Have I made that muddled and complex enough?

Yes! :o) Most of the hosted stuff is indeed CMS, so I'll go for apache:apache.

Cheers, Niki
Re: [CentOS] Resizing a fat filesystem on a USB partition
> AFAIK, there is no way to resize any FAT partition. You have to delete both partitions and then create a new one.

I thought the CD installer came with a utility to resize FAT partitions (albeit in MS DOS)? And this isn't possible in CentOS itself? :-/

> Have you looked at the gparted LiveCD?

If parted doesn't work I guess gparted won't either :-/ This is a USB drive so it's not a problem unmounting it and playing around with it. Shame it can't be done. I thought I was finally getting somewhere with that.

Thanks again
Dan
Re: [CentOS] rsync and swapping
Jerry Geis wrote:
> hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with
>   echo 1 > /proc/sys/vm/swappiness
> I simply
>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
> then
>   rsync -a /home /mnt/backup/mon.day.year
> This is approximately 102G of data.

It's the number of files in the run that matters more than the amount of data. Rsync loads the entire directory listing into RAM before starting to copy so there is a certain amount of per-file overhead. It should help if you could break the run up, perhaps doing a few directories separately, then make another pass that excludes those directories.

-- Les Mikesell [EMAIL PROTECTED]
Re: [CentOS] rsync and swapping
On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
> hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with
>   echo 1 > /proc/sys/vm/swappiness
> I simply
>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
> then
>   rsync -a /home /mnt/backup/mon.day.year

IMHO, rsync is overkill here. I would:

  mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
  cd /home; find . | cpio -vdump /mnt/backup/mon.day.year

-- Marcelo
"Could it be that this modern life is turning out to have more of the modern in it than of life?" (Mafalda)
[CentOS] Question on http stop responding
I have a machine centos 5.1 fully up to patch that is on a network that has other machines that take credit cards. In such an environment I have found that there is something called PCI - Payment Card Industry standards. They are scanning my machine to make sure it is OK to be on this network. One of the faults coming back is

  Web server stops responding to 3 consecutive HTTP attempts

Is this a setting in http? Anyone familiar with this?

Thanks, Jerry
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
Bent Terp wrote:
> On 1/24/08, Karanbir Singh [EMAIL PROTECTED] wrote:
>> Bent Terp wrote:
>>> Hi all! Just a word of warning: after updating a few of our x86_64 based web frontend boxes to the new kernel, we began to get weird MySQL timeouts. The problem went away again when we downgraded to the previous kernel-2.6.18-53.1.6.el5.x86_64.rpm
>> A bit more info / context would be nice !
>
> We upgraded our web front servers to kernel 2.6.18-53.1.6, and suddenly sites wouldn't load. It seemed to be that the connections from php to the backend sql servers timed out, so we immediately downgraded back to 2.6.18-53.1.4
>
> Now that we've had more time to look at the problem, it is not related to mysql, sorry about that. Rather, it looks as if the set of nfs patches do not agree with our EMC Cellera NAS server. Backing out that bunch and rebuilding makes the problem go away. The patches that give us problems result in a kernel which makes something like 2000 times more NFS V3 LOOKUP Call and NFS V3 LOOKUP Reply than without.
>
> Has something changed with regard to the mount options? We use
>   (rw,noatime,rsize=8192,wsize=8192,hard,udp,context=system_u:object_r:httpd_sys_content_t:s0)
> which has worked fine until now.

I am trying to duplicate your options ... and noatime is not a valid option. Could you please double check the /etc/export options again so I can try to duplicate the issue.

Using my standard /etc/exports on 2 i686 test platforms I have no problems at all. Here are the options I used on my test:

  (rw,insecure,sync,no_subtree_check)

Thanks, Johnny Hughes
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
Joshua Baker-LePain wrote:
> On Wed, 30 Jan 2008 at 10:18am, Johnny Hughes wrote
>> Bent Terp wrote:
>>> Has something changed with regard to the mount options? We use
>>>   (rw,noatime,rsize=8192,wsize=8192,hard,udp,context=system_u:object_r:httpd_sys_content_t:s0)
>>> which has worked fine until now.
>> I am trying to duplicate your options ... and noatime is not a valid option. Could you please double check the /etc/export options again so I can try to duplicate the issue. Using my standard /etc/exports on 2 i686 test platforms I have no problems at all. Here are the options I used on my test:
>>   (rw,insecure,sync,no_subtree_check)
> Those are NFS export options. The OP's list is *mount* options (i.e. on the client side). He stated that his NFS server is actually an EMC Cellera.

AH ... now I see. In any event, I can not duplicate the problem with an nfs export on c4 or c5 and connecting with a c5 client, regardless of the kernel using i686.
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
On Wed, 30 Jan 2008 at 10:18am, Johnny Hughes wrote
> Bent Terp wrote:
>> Has something changed with regard to the mount options? We use
>>   (rw,noatime,rsize=8192,wsize=8192,hard,udp,context=system_u:object_r:httpd_sys_content_t:s0)
>> which has worked fine until now.
> I am trying to duplicate your options ... and noatime is not a valid option. Could you please double check the /etc/export options again so I can try to duplicate the issue. Using my standard /etc/exports on 2 i686 test platforms I have no problems at all. Here are the options I used on my test:
>   (rw,insecure,sync,no_subtree_check)

Those are NFS export options. The OP's list is *mount* options (i.e. on the client side). He stated that his NFS server is actually an EMC Cellera.

-- Joshua Baker-LePain
QB3 Shared Cluster Sysadmin
UCSF
Re: [CentOS] rsync and swapping
Marcelo Roccasalva wrote:
> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>> hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with
>>   echo 1 > /proc/sys/vm/swappiness
>> I simply
>>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>> then
>>   rsync -a /home /mnt/backup/mon.day.year
> IMHO, rsync is overkill here. I would:
>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>   cd /home; find . | cpio -vdump /mnt/backup/mon.day.year

how about cp -a ?
Re: [CentOS] rsync and swapping
On Wed, 2008-01-30 at 17:14 +0100, Nicolas Thierry-Mieg wrote:
> Marcelo Roccasalva wrote:
>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>> hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with
>>>   echo 1 > /proc/sys/vm/swappiness
>>> I simply
>>>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>>> then
>>>   rsync -a /home /mnt/backup/mon.day.year
>> IMHO, rsync is overkill here. I would:
>>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>>   cd /home; find . | cpio -vdump /mnt/backup/mon.day.year
> how about cp -a ?

How about find -newer to just back up things that have been added or changed? A big space saver. *However*, this leaves things deleted since the previous backup(s) in the previous archives. A *good* or *bad* thing? Depends on what you want to achieve.

Rsync can handle that situation for you, and so is better if you don't want to keep deleted files around. The cpio solution offers a lot, most beneficial here is the ability to bzip the archive (anticipating it won't be frequently used), saving a lot of space.

<snip sig stuff>
-- Bill
Re: [CentOS] rsync and swapping
Nicolas Thierry-Mieg wrote:
> Marcelo Roccasalva wrote:
>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>> hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with
>>>   echo 1 > /proc/sys/vm/swappiness
>>> I simply
>>>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>>> then
>>>   rsync -a /home /mnt/backup/mon.day.year
>> IMHO, rsync is overkill here. I would:
>>   mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>>   cd /home; find . | cpio -vdump /mnt/backup/mon.day.year
> how about cp -a ?

You may find that cp is significantly slower than cpio/tar.

-- Milton Calnek BSc, A/Slt(Ret.) [EMAIL PROTECTED] 306-717-8737
Re: [CentOS] yum fails with invalid dependency on sqlite
Yusuf Goolamabbas wrote:
> Hi, I am using Centos 4.6 on x86-64. recently when I tried to do a yum -y check-update this is the output I get
>
>   [EMAIL PROTECTED] ~]# yum check-update
>   Setting up repositories
>   update          100% |=| 951 B    00:00
>   base            100% |=| 1.1 kB   00:00
>   addons          100% |=| 951 B    00:00
>   Reading repository metadata in from local files
>   primary.xml.gz  100% |=| 74 kB    00:01
>   (process:1999): GLib-CRITICAL **: file gtimer.c: line 106 (g_timer_stop): assertion `timer != NULL' failed
>   (process:1999): GLib-CRITICAL **: file gtimer.c: line 88 (g_timer_destroy): assertion `timer != NULL' failed
>   Traceback (most recent call last):
>     File "/usr/bin/yum", line 29, in ?
>       yummain.main(sys.argv[1:])
>     File "/usr/share/yum-cli/yummain.py", line 97, in main
>       result, resultmsgs = do()
>     File "/usr/share/yum-cli/cli.py", line 534, in doCommands
>       ypl = self.returnPkgLists()
>     File "/usr/share/yum-cli/cli.py", line 1176, in returnPkgLists
>       ypl = self.doPackageLists(pkgnarrow=pkgnarrow)
>     File "__init__.py", line 904, in doPackageLists
>     File "/usr/share/yum-cli/cli.py", line 75, in doRepoSetup
>       self.doSackSetup(thisrepo=thisrepo)
>     File "__init__.py", line 260, in doSackSetup
>     File "repos.py", line 277, in populateSack
>     File "/usr/lib64/python2.3/site-packages/sqlitecachec.py", line 40, in getPrimary
>       self.repoid))
>   TypeError: Can not create index on requires table: near "NOT": syntax error
>
> This is the output of rpm -qa | grep sqlite
>
>   [EMAIL PROTECTED] ~]# rpm -qa | grep sqlite
>   python-sqlite-1.1.7-1.2.1
>   sqlite-3.3.6-2
>   sqlite-devel-3.3.6-2
>
> any suggestions ?

Check yum version and yum-metadata-parser version.
[CentOS] One approach to dealing with SSH brute force attacks.
Message-ID: [EMAIL PROTECTED]
On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes [EMAIL PROTECTED]
Subject Was: [CentOS] Unknown rootkit causes compromised servers

> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see 4% of the brute force attempts to login on ports other than 22. I would say that dropping brute force login attempts by 96% is quite a good reason to move the SSH port from 22 to something else.

I am not a fan of security through obscurity. If a port is open to the internet then it must be secured whether it is well known or not and if it is properly secured then changing the port number customarily assigned provides no measurable benefit. In my opinion, arbitrarily switching port numbers for well known services provides only the illusion of security while often inconveniencing the legitimate users in unpredictable, and sometimes expensively resolved, fashions.

To deal with brute force attacks (not just on ssh) I spent some time tracking down how others had dealt with the problem. I discovered thereby that one can use the simple linux firewall iptables to restrict the number of connections to a given port from a single source over a specified interval. I therefore added these rules to my /etc/sysconfig/iptables file:

  ...
  # This is usually present in all setups but, you never know
  # Established connections go right through.
  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ...
  # Block brute force attacks
  # Drop repeated ssh connection attempts within 20 seconds interval
  -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
  # Accept ssh connection if not attempted within past 20 sec.
  -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource

You can change the interval from 20 seconds to whatever you feel represents a decent compromise between user satisfaction and security. Many authorities considered a value between 3 and 6 seconds sufficient to render brute force attacks impractical. These rules can be trivially modified to protect any destination port (--dport 21 for ftp for instance) or protocol (-p udp).

I hope this information is of use to some of you. I find this list and its archives very helpful myself.

Regards,

-- *** E-Mail is NOT a SECURE channel ***
James B. Byrne          mailto:[EMAIL PROTECTED]
Harte Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
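The two `-m recent` rules above decide per source address, per NEW connection; the model below (added here by the editor, not James B. Byrne's code) replays constructed connection timelines through that decision so the effect of `--rcheck` versus `--update` on the DROP rule can be seen without a live firewall. Only the part of the chain the rules touch is modelled: NEW TCP connections to port 22 arriving on eth0, after ESTABLISHED traffic has already been accepted.

```python
"""Model of the posted `-m recent --name THROTTLE --rsource` rule pair.

Rule 1: --rcheck --seconds 20 -j DROP   (match if src seen within 20 s)
Rule 2: --set                 -j ACCEPT (add/refresh src, then accept)
Editor's added example; attempt timelines at the bottom are constructed."""
from dataclasses import dataclass, field


@dataclass
class RecentThrottle:
    """One named `recent` list keyed by source address (--rsource)."""
    seconds: int = 20
    # False models the rules as posted (--rcheck): a dropped attempt does NOT
    # refresh the timestamp. True models `--update` on the DROP rule instead,
    # where every matched attempt refreshes it (editor's variant).
    refresh_on_drop: bool = False
    last_seen: dict = field(default_factory=dict)

    def new_connection(self, src: str, now: float) -> str:
        """Verdict for a NEW connection from `src` at time `now` (seconds)."""
        seen = self.last_seen.get(src)
        # Rule 1: in the list and seen within the last `seconds` -> DROP
        if seen is not None and now - seen <= self.seconds:
            if self.refresh_on_drop:
                self.last_seen[src] = now
            return "DROP"
        # Rule 2: --set adds the address (or refreshes it), then ACCEPT
        self.last_seen[src] = now
        return "ACCEPT"


def run(attempts, seconds=20, refresh_on_drop=False):
    """attempts: iterable of (time_seconds, src).
    Returns {src: (accepted_count, dropped_count)}."""
    fw = RecentThrottle(seconds=seconds, refresh_on_drop=refresh_on_drop)
    counts = {}
    for t, src in sorted(attempts):
        verdict = fw.new_connection(src, t)
        acc, drp = counts.get(src, (0, 0))
        counts[src] = (acc + 1, drp) if verdict == "ACCEPT" else (acc, drp + 1)
    return counts


# Constructed timelines (RFC 5737 addresses): a password-guessing host that
# opens a new TCP session every 2 s for a minute, and a legitimate admin who
# opens three sessions, the second one only 7 s after the first.
GUESSER = "203.0.113.5"
ADMIN = "198.51.100.7"
ATTEMPTS = [(t, GUESSER) for t in range(0, 61, 2)] + \
           [(5, ADMIN), (12, ADMIN), (40, ADMIN)]


def posted_rules():
    """Verdict counts with the rules exactly as posted (--rcheck)."""
    return run(ATTEMPTS)


def update_variant():
    """Same pair but with --update on the DROP rule."""
    return run(ATTEMPTS, refresh_on_drop=True)


if __name__ == "__main__":
    print("as posted (--rcheck):", posted_rules())
    print("with --update       :", update_variant())
```

With `--rcheck` the guessing host still gets one fresh attempt per 20 s window (3 of 31 here), which is the throttle the post describes; with `--update` a source that keeps retrying inside the window is held out entirely, at the price that an admin who retries too quickly is held out for as long as they keep retrying.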
Re: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm
On Wed, 2008-01-30 at 10:25 -0600, Johnny Hughes wrote:
> Joshua Baker-LePain wrote:
>> On Wed, 30 Jan 2008 at 10:18am, Johnny Hughes wrote
>>> Bent Terp wrote:
>>>> Has something changed with regard to the mount options? We use
>>>>   (rw,noatime,rsize=8192,wsize=8192,hard,udp,context=system_u:object_r:httpd_sys_content_t:s0)
>>>> which has worked fine until now.
>>> I am trying to duplicate your options ... and noatime is not a valid option. Could you please double check the /etc/export options again so I can try to duplicate the issue. Using my standard /etc/exports on 2 i686 test platforms I have no problems at all. Here are the options I used on my test:
>>>   (rw,insecure,sync,no_subtree_check)
>> Those are NFS export options. The OP's list is *mount* options (i.e. on the client side). He stated that his NFS server is actually an EMC Cellera.
> AH ... now I see. In any event, I can not duplicate the problem with an nfs export on c4 or c5 and connecting with a c5 client, regardless of the kernel using i686.

According to man pages for mount and nfs, *atime is not a supported mount option for NFS. *If* I read correctly.

<snip sig stuff>
-- Bill
Re: [CentOS] Question on http stop responding
Jerry Geis wrote:
> They are scanning my machine to make sure it is OK to be on this network. One of the faults coming back is
>   Web server stops responding to 3 consecutive HTTP attempts

Are you running an http server on that machine they are scanning? If yes, do you need to be running one?

From the sounds of the error it seems like there is not a web server running on that system and whatever scanning system thinks there is, a faulty scanning system assuming there is a web server running on a particular port.

If you are running a http server, check the error/access logs to see if there are any problems detected by the system. And I'd suggest running tcpdump or some sort of port scan/network scan detection software while they run the test so you can see exactly what they are looking at.

At the last company I worked at they were working towards PCI compliance, and there were at least 50-60 servers that did not run any sort of HTTP service (they ran other services that talked other protocols). While we talked about PCI compliance I never heard of anything needing to scan the network for HTTP servers.

nate
[CentOS] Re: CentOS plus mysql server
on 1/30/2008 4:02 AM Ralph Angenendt spake the following:
> Scott Silva wrote:
>> It is currently only in CentOS 4 AFAIR.
> Yes, it is part of the Red Hat Web Stack - which isn't available for version 5 (as that already has a mysql 5 and a php 5 and a more current perl version).
> Ralph
> PS: Scott, I do see that you sign your mails. Could you please put your public key on some sort of keyserver (like subkeys.pgp.net), so one can actually verify those signatures? Thanks.

I thought I did, but I will check.

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] One approach to dealing with SSH brute force attacks.
I use this one, works great and easy to setup http://rfxnetworks.com/bfd.php

On Jan 30, 2008 11:54 AM, James B. Byrne [EMAIL PROTECTED] wrote:
> [James's message of that date, quoted in full in the original; it appears above under the same subject]
[CentOS] Re: Network routes
on 1/29/2008 5:24 PM Jason Pyeron spake the following:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Les Mikesell
> Sent: Tuesday, January 29, 2008 18:25
> To: CentOS mailing list
> Subject: Re: [CentOS] Network routes
>
>> You probably want to remove the default route through NE.TW.KB.1 and add routes for the specific networks that you can reach through it. Normally routing is done toward a destination network/address without regard to the route of a packet you might be replying to. As for an 'outage', how do you define/detect the outage? Normally if you want routes to be determined dynamically you would set up a routing protocol with the next-hop routers - or for simple failover the alternative gateway routers might be configured via hsrp or vrrp to have a floating IP address that the rest of the LAN uses as the default gateway address.
>
> Dropping the failover requirements, pings still do not respond off the local subnet.
>
> [EMAIL PROTECTED] ~]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> NET.WOR.KA.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> NE.TW.RKB.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
> 0.0.0.0         NET.WOR.KA.1    0.0.0.0         UG    0      0        0 eth1

But none of the destinations have a gateway address. So all of the traffic is trying to go from every interface to the default gateway. Do both interfaces go out the same router?

As an example in my system, I have a local interface and a wan interface. Only the wan interface needs to use the default route, as it is the only interface that talks to the outside world. But my internal interface has routes to other private networks through IPSec tunnels on other routers. So the internal interface has multiple routes and each has a gateway address of the router that handles that route.

Are your network-a and network-b addresses actually public addresses or rfc-1918 private addresses?

It took me a while to get mine right, so don't feel bad.

> [EMAIL PROTECTED] ~]# tcpdump -n 'icmp[0] = 8 or icmp[0] = 0'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 20:27:02.789177 IP 192.168.1.114 > 192.168.1.20: icmp 64: echo request seq 0
> 20:27:02.789277 IP 192.168.1.20 > 192.168.1.114: icmp 64: echo reply seq 0
> 20:27:03.786470 IP 192.168.1.114 > 192.168.1.20: icmp 64: echo request seq 256
> 20:27:03.786509 IP 192.168.1.20 > 192.168.1.114: icmp 64: echo reply seq 256
> 20:27:04.778574 IP 192.168.1.114 > 192.168.1.20: icmp 64: echo request seq 512
> 20:27:04.778612 IP 192.168.1.20 > 192.168.1.114: icmp 64: echo reply seq 512
> 20:27:05.778262 IP 192.168.1.114 > 192.168.1.20: icmp 64: echo request seq 768
> 20:27:05.778299 IP 192.168.1.20 > 192.168.1.114: icmp 64: echo reply seq 768
> 20:27:08.032006 IP CO.MC.A.ST > NE.TW.RKB.IP1: icmp 64: echo request seq 0
> 20:27:09.026055 IP CO.MC.A.ST > NE.TW.RKB.IP1: icmp 64: echo request seq 256
> 20:27:10.032333 IP CO.MC.A.ST > NE.TW.RKB.IP1: icmp 64: echo request seq 512
> 20:27:11.025881 IP CO.MC.A.ST > NE.TW.RKB.IP1: icmp 64: echo request seq 768
> 20:27:13.022155 IP CO.MC.A.ST > NE.TW.RKB.IP1: icmp 64: echo request seq 1280
> 13 packets captured
> 13 packets received by filter
> 0 packets dropped by kernel
>
> Why are there no replies being sent?
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> - Jason Pyeron                    PD Inc. http://www.pdinc.us
> - Sr. Consultant                  10 West 24th Street #100
> - +1 (443) 269-1555 x333          Baltimore, Maryland 21218
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-- 
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
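To make Les Mikesell's point concrete (the kernel picks the outgoing interface by destination, not by the interface the request arrived on), here is an added route-lookup model that is not part of the thread. The prefixes 198.51.100.0/24 and 203.0.113.0/24 and the remote pinger 192.0.2.7 are constructed stand-ins for the obfuscated NET.WOR.KA, NE.TW.RKB and CO.MC.A.ST values in the posts.

```python
"""Longest-prefix route selection over a table shaped like the `route -n`
output quoted in the thread.  Added example, not code from the posts.
Addresses are constructed TEST-NET values standing in for the obfuscated ones."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None = directly connected (no G flag)
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse the body of `route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue                      # banner / header lines
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(net, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching prefix wins; the default route (/0) only when nothing else fits.
    Metrics are ignored here, which matches the all-zero metrics in the posted table."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def reply_is_asymmetric(routes: List[Route], ingress_iface: str, remote_src: str) -> bool:
    """True when the reply to a packet that arrived on ingress_iface would leave
    through a different interface, i.e. the path is asymmetric."""
    chosen = lookup(routes, remote_src)
    return chosen is not None and chosen.iface != ingress_iface


# Constructed table with the same shape as the one Jason posted:
# network A on eth1 (carries the default route), LAN and network B on eth0.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth1
"""
ROUTES = parse_route_n(ROUTE_N)

if __name__ == "__main__":
    # LAN ping: request and reply both on eth0 (matches the first capture lines).
    print(lookup(ROUTES, "192.168.1.114"))
    # Off-subnet pinger hitting the network-B address: the request arrives on
    # eth0, but the only matching route for the reply is the default via eth1.
    print(lookup(ROUTES, "192.0.2.7"))
    print("asymmetric:", reply_is_asymmetric(ROUTES, "eth0", "192.0.2.7"))
```

The model only answers "which interface and gateway does a reply use"; whether the upstream router on eth1 forwards it, or the kernel's rp_filter drops the inbound request first, is the next thing to check on the real box.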
Re: [CentOS] One approach to dealing with SSH brute force attacks.
On Wed, Jan 30, 2008 at 12:17 PM, Ed Donahue [EMAIL PROTECTED] wrote:
> On Jan 30, 2008 11:54 AM, James B. Byrne [EMAIL PROTECTED] wrote:
>> Message-ID: [EMAIL PROTECTED]
>> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes [EMAIL PROTECTED]
>> Subject Was: [CentOS] Unknown rootkit causes compromised servers
>>
>>> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see 4% of the brute force attempts to login on ports other than 22. I would say that dropping brute force login attempts by 96% is quite a good reason to move the SSH port from 22 to something else.
>>
>> I am not a fan of security through obscurity. If a port is open to the internet then it must be secured whether it is well known or not and if it is properly secured then changing the port number customarily assigned provides no measurable benefit. In my opinion, arbitrarily switching port numbers for well known services provides only the illusion of security while often inconveniencing the legitimate users in unpredictable, and sometimes expensively resolved, fashions.
>>
>> To deal with brute force attacks (not just on ssh) I spent some time tracking down how others had dealt with the problem. I discovered thereby that one can use the simple linux firewall iptables to restrict the number of connections to a given port from a single source over a specified interval. I therefore added these rules to my /etc/sysconfig/iptables file:
>>
>> ...
>> # This is usually present in all setups but, you never know
>> # Established connections go right through.
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> ...
>> # Block brute force attacks
>> # Drop repeated ssh connection attempts within 20 seconds interval
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
>> # Accept ssh connection if not attempted within past 20 sec.
>> -A RH-Firewall-1-INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
>>
>> You can change the interval from 20 seconds to whatever you feel represents a decent compromise between user satisfaction and security. Many authorities considered a value between 3 and 6 seconds sufficient to render brute force attacks impractical. These rules can be trivially modified to protect any destination port (--dport 21 for ftp for instance) or protocol (-p udp).
>>
>> I hope this information is of use to some of you. I find this list and its archives very helpful myself.
>>
>> Regards,
>> --
>> James B. Byrne mailto:[EMAIL PROTECTED]
>
> I use this one, works great and easy to setup
> http://rfxnetworks.com/bfd.php

Log parsing scripts often don't provide the immediacy that rate limiting does when under attack. You'd have to run the script constantly parsing logs, since most ssh scans come in bursts.

@James: As for the security through obscurity post, you are missing the point. Changing the port number that SSH runs on is not security through obscurity. Moving an already highly secure service to a different port so scanners don't hit it automatically is a different thing. This type of move is purely to reduce the amount of garbage in one's log file due to automated scans. However, I do agree that there are probably better ways to handle the situation, such as using rate limiting.

Security through obscurity would be something like leaving a shell that requires no login running on some random port, and hoping nobody finds it.
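The two `-m recent` rules James posted have a behaviour worth seeing before tuning the interval: `--rcheck` only reads the THROTTLE list, so a dropped attempt does not refresh the source's timestamp, and a source that keeps hammering still gets one connection through per window. The model below is an added example, not code from the post; the source addresses and timings are constructed, and `update_on_drop=True` stands in for what `--update` would do instead of `--rcheck`.

```python
"""Model of the two `-m recent --name THROTTLE --rsource` rules from the post
(added example, not from the original).  Rule 1: a NEW tcp/22 packet from a
source whose list entry is younger than WINDOW seconds is DROPped (--rcheck,
entry left untouched).  Rule 2: anything else is ACCEPTed and the entry is
(re)stamped (--set)."""
from __future__ import annotations

from typing import Dict, Iterable, Tuple

WINDOW = 20  # --seconds 20 in the posted rules


class RecentThrottle:
    """State of one recent list, keyed by source address (--rsource)."""

    def __init__(self, window: int = WINDOW, update_on_drop: bool = False):
        self.window = window
        # False models --rcheck as posted; True models --update, which also
        # refreshes the timestamp on every hit, dropped ones included.
        self.update_on_drop = update_on_drop
        self.last_seen: Dict[str, float] = {}

    def new_connection(self, src: str, t: float) -> str:
        """Verdict for one NEW SYN to tcp/22 from src at time t (seconds)."""
        seen = self.last_seen.get(src)
        if seen is not None and t - seen < self.window:
            if self.update_on_drop:
                self.last_seen[src] = t
            return "DROP"
        self.last_seen[src] = t          # --set on the ACCEPT rule
        return "ACCEPT"


def accepted(attempts: Iterable[Tuple[str, float]], **kw) -> int:
    """How many NEW connections in a (src, time) sequence actually reach sshd."""
    throttle = RecentThrottle(**kw)
    return sum(throttle.new_connection(src, t) == "ACCEPT" for src, t in attempts)


# Constructed traffic: a scanner trying tcp/22 once a second for a minute,
# an admin who logs in and returns half a minute later, and an admin who
# mistypes a password and reconnects 5 seconds later.
BRUTE = [("192.0.2.10", float(t)) for t in range(60)]
ADMIN = [("198.51.100.7", 0.0), ("198.51.100.7", 30.0)]
RETRY = [("198.51.100.7", 0.0), ("198.51.100.7", 5.0)]
MIXED = sorted(BRUTE + ADMIN, key=lambda a: a[1])   # entries are per source, so independent

if __name__ == "__main__":
    print("scanner, --rcheck:", accepted(BRUTE))                       # 3: t=0, 20, 40
    print("scanner, --update:", accepted(BRUTE, update_on_drop=True))  # 1: locks itself out
    print("admin 30 s apart :", accepted(ADMIN))                       # 2
    print("admin retry 5 s  :", accepted(RETRY))                       # 1: second try dropped
    print("mixed            :", accepted(MIXED))                       # 5
```

The retry case is the user-facing cost of the rule as posted: a legitimate second connection inside the window is silently dropped, and with `--update` a user who keeps retrying extends their own lockout, which is the trade-off behind the "3 to 6 seconds" figure James mentions.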
Re: [CentOS] rsync and swapping
On Jan 30, 2008 8:26 AM, William L. Maltby [EMAIL PROTECTED] wrote:
> On Wed, 2008-01-30 at 17:14 +0100, Nicolas Thierry-Mieg wrote:
>> Marcelo Roccasalva wrote:
>>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>>> hi all,
>>>> I use rsync to copy/backup ALL my stuff to another disk.
>>>
>>> IMHO, rsync is overkill here. I would:
>>> mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>>> cd /home; find . | cpio -vdump /mnt/backup/mon.day.year
>>
>> how about cp -a ?
>
> How about find -newer to just back up things that have been added or changed? A big space saver. *However*, this leaves things deleted since the previous backup(s) in the previous archives. A *good* or *bad* thing? Depends on what you want to achieve.

Rsync can handle that situation for you, and so is better if you don't want to keep deleted files around.

> The cpio solution offers a lot, most beneficial here is the ability to bzip the archive (anticipating it won't be frequently used), saving a lot of space.

As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.

I'd go with cpio if rsync causes problems.

YMMV.

mhr
Re: [CentOS] rsync and swapping
On Wed, Jan 30, 2008 at 1:36 PM, MHR [EMAIL PROTECTED] wrote:
> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.
>
> I'd go with cpio if rsync causes problems.
>
> YMMV.
>
> mhr

I once knew a guy who bought a really cheap PC with an AMD CPU in it. Despite the fact that the power supply was underpowered, and everything else on the machine was just as cheap as possible, he blamed the AMD chip for all of the problems the PC had. To this day he refuses to buy AMD CPUs, because they don't work right -- despite the fact that millions of people use bzip2^H^H^H^H^H AMD chips every day without any problem at all.
Re: [CentOS] rsync and swapping
On Wed, January 30, 2008 1:36 pm, MHR wrote:
> snip
> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.

Why do you think that the corruption you experienced had something to do with bzip2? I have been using it on a regular basis for the last several years to compress files of all sizes (ranging from very small to several gigabytes) and have yet to experience any corruption whatsoever.
Re: [CentOS] rsync and swapping
Marcelo Roccasalva wrote:
>> I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with echo 1 > /proc/sys/vm/swappiness
>>
>> I simply mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>> then rsync -a /home /mnt/backup/mon.day.year
>
> IMHO, rsync is overkill here. I would:
> mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
> cd /home; find . | cpio -vdump /mnt/backup/mon.day.year

Rsync will be much, much faster on the 2nd and subsequent runs when it only has to copy the changed files.

-- 
Les Mikesell
[EMAIL PROTECTED]
Re: [CentOS] rsync and swapping
MHR wrote:
> On Jan 30, 2008 8:26 AM, William L. Maltby [EMAIL PROTECTED] wrote:
>> On Wed, 2008-01-30 at 17:14 +0100, Nicolas Thierry-Mieg wrote:
>>> Marcelo Roccasalva wrote:
>>>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>>>> hi all,
>
> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.

Isn't the kernel source stored as a tarred bzip file? If so, that's a lot of plain text.

-- 
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737
Re: [CentOS] rsync and swapping
MHR wrote:
> On Jan 30, 2008 8:26 AM, William L. Maltby [EMAIL PROTECTED] wrote:
>
> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.

I've been using pigz for a while (Parallel gzip), to compress 100+GB tar files, it works well if you have multiple CPUs. Never encountered corruption with bzip2 myself, there is a parallel bzip but it's about 8x slower.

from my notes:
--
To compile:
gcc pigz17.c -lpthread -lz -o pigz

Sample command line:
pigz -p 10 -v (filename)

The default 32 threads seems to be kind of high, drives load up quite a bit, while 10 threads at least in a simple test on a 2GB file kept load a lot lower but still kept the CPUs busy at 100% utilization on a dual core system. YMMV.

original source: http://zlib.net/pigz17.c.gz
if that doesn't exist there may be a new version, try pigz18.c.gz 19.c.gz ..etc
---

To be safe, since I deployed it a few months ago I've been running gzip -t afterwards on the files, and all of them have passed.

nate
Re: [CentOS] Dump on remote filesystems?
dump works at the device level, dumping the raw block device by interpreting the ext2/3 structures there. If you pass it a directory, it converts it to the device mounted there and dumps the device. restore, on the other hand, operates at the filesystem level.

You don't need to be root to dump. Your dump script can run as anyone in the disk group, the default group of disk block devices, which by default have group read access. You do need to be root to verify, though, because restore is going through the filesystem.

I back my CentOS box up to a USB-attached hard drive on a Windows XP workstation mounted via cifs. This is effectively a push system. After the backup, I run restore -C to verify that the data got there successfully. During the verify pass, I remount the filesystem with the noatime option so that reading it to compare to the tape image on the USB drive does not change the atimes. I then re-enable atime when the verify is done. (I use atime to watch for dead email accounts and so that tmpwatch will work correctly.)

dump has its own home page and mailing list, and the author is very helpful with support.
http://dump.sf.net/
Re: [CentOS] rsync and swapping
MHR wrote:
> On Jan 30, 2008 11:03 AM, Milton Calnek [EMAIL PROTECTED] wrote:
>> MHR wrote:
>>> On Jan 30, 2008 8:26 AM, William L. Maltby [EMAIL PROTECTED] wrote:
>>>> On Wed, 2008-01-30 at 17:14 +0100, Nicolas Thierry-Mieg wrote:
>>>>> Marcelo Roccasalva wrote:
>>>>>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>>>>>> hi all,
>>>
>>> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.
>>
>> Isn't the kernel source stored as a tarred bzip file? If so, that's a lot of plain text.
>
> # file /boot/vmlinuz-2.6.18-53.1.6.el5
> /boot/vmlinuz-2.6.18-53.1.6.el5: ELF 64-bit LSB shared object, AMD x86-64, version 1, stripped
>
> Doesn't look that way - BUT, it is a self-extracting archive. AFAIK it is gzipped, and it is not tarred (why would it be - it's one file?).

Not that file... I meant linux-major.minor.blah.blah.tar.gz say from ftp://ftp.kernel.org/pub/linux/kernel/v2.6

And, my mistake... it's gzip'd.

-- 
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737
Re: [CentOS] rsync and swapping
On Jan 30, 2008 10:51 AM, Marko A. Jennings [EMAIL PROTECTED] wrote:
> On Wed, January 30, 2008 1:36 pm, MHR wrote:
>> snip
>> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.
>
> Why do you think that the corruption you experienced had something to do with bzip2? I have been using it on a regular basis for the last several years to compress files of all sizes (ranging from very small to several gigabytes) and have yet to experience any corruption whatsoever.

One of my hobbies is writing, a practice in which I have been engaged since the late 1980s. For personal reasons, until very recently, I did all of my writing in plain text files, all around 20-30k, and kept all my archives in pkzip, then zip/unzip format. From August through December, 1999, I was using bzip2 instead because it got slightly better compression. Some time in January, 2000, I found that some of the files I had not changed in a long time, and some that I had just edited, had become corrupted and I had to rebuild them.

Maybe bzip2 has improved since then, but my experience with it has been jaded ever since, and I'd rather go for reliability over a slight improvement in compression any day. I may undertake an experiment and keep parallel bzip2 archives for a while, but now isn't a good time for it.

On the other hand, I've been using bzip2 for a few executables since that same time frame and, AFAIK, they work just fine, no corruption.

As I said, YMMV, and that's just my $0.02.

mhr
Re: [CentOS] One approach to dealing with SSH brute force attacks.
Brian Mathis wrote:
> @James: As for the security through obscurity post, you are missing the point. Changing the port number that SSH runs on is not security through obscurity. Moving an already highly secure service to a different port so scanners don't hit it automatically is a different thing. This type of move is purely to reduce the amount of garbage in one's log file due to automated scans. However, I do agree that there are probably better ways to handle the situation, such as using rate limiting.

Not to mention that if there is a lot less garbage, it is much easier to catch something trying to sneak in. So it does have an element of security to it.

Patrick
Re: [CentOS] rsync and swapping
On Jan 30, 2008 11:03 AM, Milton Calnek [EMAIL PROTECTED] wrote:
> MHR wrote:
>> On Jan 30, 2008 8:26 AM, William L. Maltby [EMAIL PROTECTED] wrote:
>>> On Wed, 2008-01-30 at 17:14 +0100, Nicolas Thierry-Mieg wrote:
>>>> Marcelo Roccasalva wrote:
>>>>> On Jan 30, 2008 11:24 AM, Jerry Geis [EMAIL PROTECTED] wrote:
>>>>>> hi all,
>>
>> As long as the majority of the files are not plain text - I have had really bad results using bzip2 on text files - specifically, massive file corruption. I have had to go back to pre-bzipped archives to rebuild these files - not a fun task.
>
> Isn't the kernel source stored as a tarred bzip file? If so, that's a lot of plain text.

# file /boot/vmlinuz-2.6.18-53.1.6.el5
/boot/vmlinuz-2.6.18-53.1.6.el5: ELF 64-bit LSB shared object, AMD x86-64, version 1, stripped

Doesn't look that way - BUT, it is a self-extracting archive. AFAIK it is gzipped, and it is not tarred (why would it be - it's one file?).

mhr
[CentOS] Re: rsync and swapping
on 1/30/2008 5:24 AM Jerry Geis spake the following:
> hi all,
>
> I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with echo 1 > /proc/sys/vm/swappiness
>
> I simply mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
> then rsync -a /home /mnt/backup/mon.day.year
>
> This is approximately 102G of data.
>
> Thanks for any suggestions.
>
> Jerry

Rsync's main benefit is on backups of changed files. dumping to a new destination every time makes rsync less efficient than just about every other option. Now if you made the new directory, and hardlinked the old stuff to the new directory, then rsync would shine.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't
Re: [CentOS] One approach to dealing with SSH brute force attacks.
Good security is like an onion. The users think it smells... No, it's layered. Changing the sshd port from the default does add a layer, a thin layer, but a layer all the same. The rate limiting is a somewhat thicker layer.

I personally prefer to block all ssh traffic from the internet and have my customers vpn to my server which lets me ssh over the vpn to their machines. If they happen to have dynamic addresses, it doesn't matter to me.

Patrick wrote:
> Brian Mathis wrote:
>> @James: As for the security through obscurity post, you are missing the point. Changing the port number that SSH runs on is not security through obscurity. Moving an already highly secure service to a different port so scanners don't hit it automatically is a different thing. This type of move is purely to reduce the amount of garbage in one's log file due to automated scans. However, I do agree that there are probably better ways to handle the situation, such as using rate limiting.
>
> Not to mention that if there is a lot less garbage, it is much easier to catch something trying to sneak in. So it does have an element of security to it.
>
> Patrick

-- 
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737
RE: [CentOS] Re: rsync and swapping
Yohoo!

> Rsync's main benefit is on backups of changed files. dumping to a new destination every time makes rsync less efficient than just about every other option. Now if you made the new directory, and hardlinked the old stuff to the new directory, then rsync would shine.

That's what rsnapshot is designed for. It uses rsync to sync the files to a backup destination and hardlinks any existing file, so you can go back to any level you like.

Christian
Re: [CentOS] Re: rsync and swapping
Scott Silva wrote:
> on 1/30/2008 5:24 AM Jerry Geis spake the following:
>> hi all,
>>
>> I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with echo 1 > /proc/sys/vm/swappiness
>>
>> I simply mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year
>> then rsync -a /home /mnt/backup/mon.day.year
>>
>> This is approximately 102G of data.
>>
>> Thanks for any suggestions.
>>
>> Jerry
>
> Rsync's main benefit is on backups of changed files. dumping to a new destination every time makes rsync less efficient than just about every other option. Now if you made the new directory, and hardlinked the old stuff to the new directory, then rsync would shine.

I did the rsync hard link for a while. After 30+ hardlinks to each file built up, filesystem operations slowed down - not in a killer way, but I did notice it. I think it's better to just use --backup and write the previous version to a new dir with --backup-dir=`date +%F` or some such scheme. You don't see the backups represented as a whole directory structure, but it's less messy.

-- 
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240
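The hard-linked snapshot scheme Scott Silva describes, and which Christian points out rsnapshot implements, is small enough to show in full. The Python below is an added example that is not from the thread and does not need rsync: a new dated directory is created, files unchanged since the previous snapshot become hard links to the previous copy (no extra space, link count goes up by one per snapshot, which is the growth Toby noticed), and only changed files are copied. The directory names and file contents are constructed.

```python
"""Hard-linked dated snapshots in the style of rsnapshot / `rsync --link-dest`.
Added example, not code from the thread.  Unchanged files are os.link()ed to
the previous snapshot; changed or new files are copied with their mtime kept."""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def unchanged(src: Path, prev: Path) -> bool:
    """Cheap rsync-style quick check: same size and same (whole-second) mtime."""
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def snapshot(source: Path, backup_root: Path, name: str,
             previous: Optional[str] = None) -> Dict[str, int]:
    """Create backup_root/name from source; link against backup_root/previous if given.
    Returns how many files were linked versus copied."""
    dest = backup_root / name
    prev_root = backup_root / previous if previous else None
    stats = {"linked": 0, "copied": 0}
    for dirpath, _dirs, files in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for fname in files:
            src = Path(dirpath) / fname
            out = dest / rel / fname
            prev = prev_root / rel / fname if prev_root else None
            if prev is not None and unchanged(src, prev):
                # Same inode as the previous snapshot: costs a directory entry, no data.
                # Never edit a snapshot file in place, or every linked snapshot changes too.
                os.link(prev, out)
                stats["linked"] += 1
            else:
                shutil.copy2(src, out)   # copy2 preserves mtime so the next run can link it
                stats["copied"] += 1
    return stats


def demo() -> dict:
    """Two snapshots of a constructed /home-like tree; returns facts to check."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bk = Path(tmp) / "home", Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        notes, todo = src / "docs" / "notes.txt", src / "todo.txt"
        notes.write_text("unchanged\n")
        todo.write_text("v1\n")
        for f in (notes, todo):
            os.utime(f, (1000, 1000))            # constructed, stable mtimes
        first = snapshot(src, bk, "01.30.2008")
        todo.write_text("v2, longer\n")         # one file changes between runs
        os.utime(todo, (2000, 2000))
        second = snapshot(src, bk, "01.31.2008", previous="01.30.2008")
        old_todo, new_todo = bk / "01.30.2008" / "todo.txt", bk / "01.31.2008" / "todo.txt"
        return {
            "first": first,
            "second": second,
            "notes_nlink": (bk / "01.31.2008" / "docs" / "notes.txt").stat().st_nlink,
            "todo_same_inode": old_todo.stat().st_ino == new_todo.stat().st_ino,
            "old_todo": old_todo.read_text(),    # earlier snapshot keeps the old version
        }


if __name__ == "__main__":
    print(demo())
```

Deleting a file from the source simply leaves it out of the next snapshot, so older snapshots still hold it; that is the "keep deleted files around" behaviour the thread weighs against plain rsync.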
Re: [CentOS] centos 5.0/5.1 nfs kickstart
Hi,

On Tue, 29 Jan 2008, Adam Miller wrote:
> According to these docs an MTU can be specified in the kickstart script. It doesn't say much more than that though.
> http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-kickstart2-options.html
>
> The reason for nfs and an mtu of 4500 is complicated and not in my control. This is being used in a beowulf cluster environment. The process I'm following is currently working for kickstarting Fedora Core 4 installs, so I am hopeful it will work in centos.
>
> Adam

Getting this thread back on track...

The problem seems to be that when syslinux hands over control to the anaconda image, anaconda (specifically /sbin/loader) blows away the mtu... I'm guessing that it actually does set the mtu, then resets the interface (in our case, a broadcom 5704 using tg3) and thus instantly forgets the mtu change.

If in the syslinux kernel args I pass a static ip/netmask/mtu to the kernel, it works appropriately. Oddly, when starting the kickstart, after the ks.cfg file it will dhcp AND it seems to remember the mtu setting.

Thanks,
Paul
Re: [CentOS] One approach to dealing with SSH brute force attacks.
James B. Byrne wrote:
> Message-ID: [EMAIL PROTECTED]
> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes [EMAIL PROTECTED]
> Subject Was: [CentOS] Unknown rootkit causes compromised servers
>
>> SOME of the script kiddies check higher ports for SSH *_BUT_* I only see 4% of the brute force attempts to login on ports other than 22. I would say that dropping brute force login attempts by 96% is quite a good reason to move the SSH port from 22 to something else.
>
> I am not a fan of security through obscurity. If a port is open to the internet then it must be secured whether it is well known or not and if it is properly secured then changing the port number customarily assigned provides no measurable benefit.

If you consider this security through obscurity, then why not publish the list of your users on a public web page? after all, you should use strong passwords, so why hide usernames? and how about also publishing the list of your files and directories, of package versions, ... etc. Relying on the secrecy of such infos is security through obscurity too ;-p

Of course one must secure the setup and not rely solely on a port number. but using a different port:
- reduces the noise, and the stress level, so one can audit logs quietly instead of trying to separate kiddie attempts from serious attacks...
- an attacker needs to find the port. In general, this means some form of port scanning. and before he finds the port, there is a chance that he gets caught. Not certain, but still. There is the case of an attacker who guesses the port at once or an attacker using N machines to do the scanning, which is why one must not rely on the port choice, but this will happen less. better fight few enemies than the full jungle.

> In my opinion, arbitrarily switching port numbers for well known services provides only the illusion of security while often inconveniencing the legitimate users in unpredictable, and sometimes expensively resolved, fashions.

What I would like to do is:
- allow 22 from specific IPs
- allow another port (redirected) from anywhere. this port is then redirected to 22. I guess this requires marking the redirected packets so they can be allowed to go to port 22? anyone having a working ruleset for this?

This way, users and programs that connect from specific machines do not need to use a different port (which becomes quickly annoying if you use rsync or other tasks over ssh and you don't want to spend your time setting a .ssh/config).

[snip]
Re: [CentOS] One approach to dealing with SSH brute force attacks.
mouss [EMAIL PROTECTED] wrote:
> If you consider this security through obscurity, then why not publish the list of your users on a public web page? after all, you should use strong passwords, so why hide usernames?

Usernames are comparatively hard to guess, and chosen from a large space - although email addresses often provide a huge clue. By contrast, there are only 64K port numbers (and only 1K privileged ports, all of which will be scanned by default with nmap) - and to make it worse, the attacker only has to telnet or nc to a port and sshd will obligingly send back its version number and protocol version info as plaintext. So, the added obscurity is effectively zero.

I sort of half-buy the log volume/noise argument, but rate-limiting and good analysis tools deal with this as well. And it does nothing for the stress level, since the serious adversary will see through your non-standard port number in seconds.

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] yum fails with invalid dependency on sqlite
>> Hi, I am using Centos 4.6 on x86-64. recently when I tried to do a yum -y check-update this is the output I get
>>
>> [EMAIL PROTECTED] ~]# yum check-update
>> Setting up repositories
>> update          100% |=| 951 B    00:00
>> base            100% |=| 1.1 kB   00:00
>> addons          100% |=| 951 B    00:00
>> Reading repository metadata in from local files
>> primary.xml.gz  100% |=| 74 kB    00:01
>>
>> (process:1999): GLib-CRITICAL **: file gtimer.c: line 106 (g_timer_stop): assertion `timer != NULL' failed
>> (process:1999): GLib-CRITICAL **: file gtimer.c: line 88 (g_timer_destroy): assertion `timer != NULL' failed
>> Traceback (most recent call last):
>>   File "/usr/bin/yum", line 29, in ?
>>     yummain.main(sys.argv[1:])
>>   File "/usr/share/yum-cli/yummain.py", line 97, in main
>>     result, resultmsgs = do()
>>   File "/usr/share/yum-cli/cli.py", line 534, in doCommands
>>     ypl = self.returnPkgLists()
>>   File "/usr/share/yum-cli/cli.py", line 1176, in returnPkgLists
>>     ypl = self.doPackageLists(pkgnarrow=pkgnarrow)
>>   File "__init__.py", line 904, in doPackageLists
>>   File "/usr/share/yum-cli/cli.py", line 75, in doRepoSetup
>>     self.doSackSetup(thisrepo=thisrepo)
>>   File "__init__.py", line 260, in doSackSetup
>>   File "repos.py", line 277, in populateSack
>>   File "/usr/lib64/python2.3/site-packages/sqlitecachec.py", line 40, in getPrimary
>>     self.repoid))
>> TypeError: Can not create index on requires table: near "NOT": syntax error
>>
>> This is the output of rpm -qa | grep sqlite
>>
>> [EMAIL PROTECTED] ~]# rpm -qa | grep sqlite
>> python-sqlite-1.1.7-1.2.1
>> sqlite-3.3.6-2
>> sqlite-devel-3.3.6-2
>>
>> any suggestions ?
>
> Check yum version and yum-metadata-parser version.

[EMAIL PROTECTED] ~]# rpm -qa | grep yum
yum-metadata-parser-1.0-8.el4.centos
yum-2.4.3-4.el4.centos

This machine was updated from 4.5 to 4.6 and I can't recollect if this happened right after the update.

I also came across this bug in the CentOS bug list
http://bugs.centos.org/view.php?id=2611
NFS problem in the latest kernel (Was: [CentOS] MySQL issues with kernel-2.6.18-53.1.6.el5.x86_64.rpm)
On Jan 30, 2008 8:25 AM, Johnny Hughes [EMAIL PROTECTED] wrote:
> Joshua Baker-LePain wrote:
>> On Wed, 30 Jan 2008 at 10:18am, Johnny Hughes wrote
>>> Bent Terp wrote:
>>>> Has something changed with regard to the mount options? We use
>>>> (rw,noatime,rsize=8192,wsize=8192,hard,udp,context=system_u:object_r:httpd_sys_content_t:s0)
>>>> which has worked fine until now.
>>>
>>> I am trying to duplicate your options ... and noatime is not a valid option. Could you please double check the /etc/export options again so I can try to duplicate the issue. Using my standard /etc/exports on 2 i686 test platforms I have no problems at all. Here are the options I used on my test:
>>> (rw,insecure,sync,no_subtree_check)
>>
>> Those are NFS export options. The OP's list is *mount* options (i.e. on the client side). He stated that his NFS server is actually an EMC Cellera.
>
> AH ... now I see.
>
> In any event, I can not duplicate the problem with an nfs export on c4 or c5 and connecting with a c5 client, regardless of the kernel using i686.

One other person has reported seemingly the same nfs problem in the Scientific Linux mail list:
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0801&L=scientific-linux-devel&T=0&P=5427

According to this post, it only seems to affect x86_64 systems, or affects them much more noticeably than it does i386 ones.

Akemi
[CentOS] adaptec 2100S drivers
Hi all,

I've got a server that I'm rebuilding and I've been given an Adaptec 2100S single channel scsi card to use. Problem is I can't find drivers for CentOS 4 anywhere. So far I've tried the adaptec drivers on the install CD but when it comes time to use disc druid it doesn't see the array that I've setup.

don't know if it matters, but I've got the CDROM on IDE0 port and nothing on IDE1 port.

Are there drivers for this scsi card anywhere?

thanks,

-- 
Mark

If you have found a very wise man, then you've found a man that at one time was an idiot and lived long enough to learn from his own stupidity.

==
Powered by CentOS5 (RHEL5)
Re: [CentOS] One approach to dealing with SSH brute force attacks.
> What I would like to do is:
> - allow 22 from specific IPs
> - allow another port (redirected) from anywhere. This port is then redirected to 22.

I do exactly this with a combination of SSH config options and iptables rules. In your /etc/ssh/sshd_config file, find the Port 22 statement and add a Port statement for the desired port, something like:

<snip>
Port 22
Port 20022
Protocol 2
<snip>

Then, in iptables, add the appropriate rules to let incoming connections to port 22 from only specific addresses and to allow port 20022 (or whatever you pick) to be available worldwide. Assuming you wanted port 22 access for a local subnet like 192.169.1.0/24, add the following to the /etc/sysconfig/iptables file before the REJECT statement at the end of the file:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT

After restarting SSH and reloading iptables you should have just what you want. I use this, in addition to blockhosts (http://www.aczoom.com/cms/blockhosts/), on several production systems and the result has been almost total elimination of brute-force attacks on those systems.

Another possibility is a variation on port-knocking using PKI authentication or a shared secret. The project is called fwknop (http://www.cipherdyne.org/fwknop/) and has the potential to almost completely eliminate brute-force attacks. Essentially, the target port (22 in the case of SSH) is not open at all normally, but a daemon monitors the network interface for a specific packet signed using either a shared secret or a pre-authorized PGP key. When it sees the packet, it opens up the appropriate port for a specified time (usually just a few seconds) to the IP address the packet comes from. This allows a very short time window for the client system to complete its connection before the port gets closed down.

I've set this up on a couple of systems so far with excellent results. Your mileage may vary!
--
Jay Leafey - Memphis, TN
[EMAIL PROTECTED]
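The two ACCEPT rules in Jay's reply only work because they sit before the chain's final REJECT. As an added example (not code from the thread or from any of the tools it mentions), the script below parses iptables-save style lines of an RH-Firewall-1-INPUT chain, using only the options the post uses (-p, -s, --dport, --state, -j), and evaluates a new TCP connection with first-match semantics. It lets you check, before reloading a live firewall, that a LAN host reaches port 22, an outside host is rejected on 22 but accepted on 20022, and that the same rules placed after the REJECT line accept nothing at all. The outside address 203.0.113.7 and the chain text are constructed samples.

```python
"""Simulate how an RH-Firewall-1-INPUT chain treats new TCP connections.
Added example, not code from the original thread."""
import ipaddress
import shlex

# Constructed sample of /etc/sysconfig/iptables: the two ACCEPT rules from the
# post sit before the catch-all REJECT that ends the stock CentOS chain.
RULES_CORRECT = """
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Same rules, mistakenly appended after the REJECT (a common mistake).
RULES_MISORDERED = """
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into match criteria plus a target."""
    toks = shlex.split(line)
    rule = {"proto": None, "src": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # -A, chain name, -m, --reject-with ...: not a match criterion
    return rule


def parse_chain(text):
    """Parse every '-A ' line of an iptables-save fragment, in order."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.startswith("-A ")]


def verdict(chain, src_ip, dport, proto="tcp", state="NEW"):
    """First matching rule decides; with no match the chain policy (ACCEPT) applies."""
    src = ipaddress.ip_address(src_ip)
    for r in chain:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] and state not in r["states"]:
            continue
        return r["target"]
    return "ACCEPT"


if __name__ == "__main__":
    for name, text in (("correct order", RULES_CORRECT), ("misordered", RULES_MISORDERED)):
        chain = parse_chain(text)
        print(name)
        for src, port in (("192.168.1.20", 22), ("203.0.113.7", 22), ("203.0.113.7", 20022)):
            print(f"  {src:>14} -> tcp/{port:<5} {verdict(chain, src, port)}")
```

The simulator deliberately ignores the `-m state` and `-m tcp` module loads and anything it does not recognise, so it only reproduces the matches the post relies on; it is a sanity check on ordering and subnet scope, not a replacement for reading `iptables -L -n -v` after the reload.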
[CentOS] centosplus + priority plugin
I have a CentOS 4 box that has been updated all the way to 4.6 without using the centosplus repository. Now I want to use the centosplus repository for CentOS 4 to get the latest LAMP, mod_perl, perl and other perl modules so that I can install rt 3.6.6 and its necessary modules. However, for some reason, the latest perl package in the centosplus repository does not appear on the radar when I run yum check-update. Has anybody run into this and got around the problem? Contents of yum.conf and CentOS-Base.repo and output from yum check-update follow.

Christopher

cat /etc/yum.conf

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=centos-release
tolerant=1
exactarch=1
retries=20
obsoletes=1
gpgcheck=1
plugins=1
exclude=postfix* cyrus-sasl* dovecot*

cat /etc/yum.repos.d/CentOS-Base.repo

# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
exclude=php* httpd* postgres* MySQL* mysql* perl perl-DBD-MySQL perl-DBD-Pg perl-DBI perl-suidperl unixODBC* mod_auth_mysql mod_auth_pgsql mod_perl mod_perl-devel mod_ssl
priority=1

#released updates
[update]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
exclude=php* httpd* postgres* MySQL* mysql* perl perl-DBD-MySQL perl-DBD-Pg perl-DBI perl-suidperl unixODBC* mod_auth_mysql mod_auth_pgsql mod_perl mod_perl-devel mod_ssl
priority=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/addons/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/extras/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://ftp.hostrino.com/pub/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-centos4

yum check-update

Loading priorities plugin
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Excluding Packages from CentOS-4 - Updates
Finished
Excluding Packages from CentOS-4 - Base
Finished
43 packages excluded due to repository priority protections

httpd.x86_64             2.0.59-1.el4s1.10.el4.   centosplus
httpd-manual.x86_64      2.0.59-1.el4s1.10.el4.   centosplus
mod_perl.x86_64          2.0.3-1.el4s1.3          centosplus
mod_ssl.x86_64           1:2.0.59-1.el4s1.10.el   centosplus
mysql.x86_64             5.0.54-1.el4.centos      centosplus
mysql-devel.x86_64       5.0.54-1.el4.centos      centosplus
mysql-server.x86_64      5.0.54-1.el4.centos      centosplus
mysqlclient10.x86_64     3.23.58-9.2.c4           centosplus
perl-DBD-MySQL.x86_64    3.0008-1.el4.centos      centosplus
perl-DBD-Pg.x86_64       1.49-1.el4s1             centosplus
perl-DBI.x86_64          1.54-1.el4s1             centosplus
php.x86_64               5.1.6-3.el4s1.8          centosplus
[CentOS] No route to host
Dear Mr/Mrs/Ms,

I have an e-mail server using CentOS 4.1. So far I can send and receive e-mail using this server, but why can it not send to this address: [EMAIL PROTECTED]? Every time I send e-mail to the above address my server always responds with this message:

----- Transcript of session follows -----
[EMAIL PROTECTED]... Deferred: mail.pttropical.co.id.: No route to host
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

Please help me solve this problem! Thank you in advance for your help.

Regards,
Horasima SML.
Re: [CentOS] No route to host
horas simalango [EMAIL PROTECTED] wrote:

> Please help me solve this problem!

The commands you'd use to diagnose this problem are:

dig pttropical.co.id SOA
(That works fine)

dig pttropical.co.id MX
(That works, and shows mail.pttropical.co.id as their MX)

traceroute mail.pttropical.co.id
(Which bombs out. Ergo their mail server or an upstream router or link is down).

Best,
---
Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
[CentOS] No route to host
Dear Mr/Mrs/Ms,

I have an e-mail server using CentOS 4.3. So far I can send and receive e-mail using this server, but why can it not send to this address: [EMAIL PROTECTED]? Every time I send e-mail to the above address my server always responds with this message:

----- Transcript of session follows -----
[EMAIL PROTECTED]... Deferred: mail.pttropical.co.id.: No route to host
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

Please help me solve this problem! Thank you in advance for your help.

Regards,
Horasima SML.
RE: [CentOS] Re: Network routes
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Silva
> Sent: Wednesday, January 30, 2008 12:30
> To: centos@centos.org
> Subject: [CentOS] Re: Network routes
>
> on 1/29/2008 5:24 PM Jason Pyeron spake the following:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Les Mikesell
>> Sent: Tuesday, January 29, 2008 18:25
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Network routes
>>
>>> You probably want to remove the default route through NE.TW.KB.1 and add routes for the specific networks that you can reach through it. Normally routing is done toward a destination network/address without regard to the route of a packet you might be replying to. As for an 'outage', how do you define/detect the outage? Normally if you want routes to be determined dynamically you would set up a routing protocol with the next-hop routers - or for simple failover the alternative gateway routers might be configured via hsrp or vrrp to have a floating IP address that the rest of the LAN uses as the default gateway address.
>>
>> Dropping the failover requirements, pings still do not respond off the local subnet.
>>
>> [EMAIL PROTECTED] ~]# route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> NET.WOR.KA.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> NE.TW.RKB.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
>> 0.0.0.0         NET.WOR.KA.1    0.0.0.0         UG    0      0        0 eth1
>
> But none of the destinations have a gateway address. So all of the traffic is trying to go from every interface to the default gateway. Do both interfaces go out the same router? As an example in my system, I have a local interface and a wan interface. Only the wan interface needs to use the default route, as it is the only interface that talks to the outside world. But my internal interface has routes to other private networks through IPSec tunnels on other routers. So the internal interface has multiple routes and each has a gateway address of the router that handles that route.
>
> Are your network-a and network-b addresses actually public addresses or rfc-1918 private addresses?

Public.

BTW thank you all for the help so far.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us
- Sr. Consultant                10 West 24th Street #100
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
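Les's point that routing is decided per destination, not per incoming interface, is exactly what the quoted `route -n` table shows: every off-subnet reply goes out eth1 to the default gateway, whichever interface the request came in on. As an added example (not code from the thread), the script below does a longest-prefix lookup over a table of the same shape. The two public networks in the post are redacted (NET.WOR.KA / NE.TW.RKB), so it uses the documentation ranges 198.51.100.0/24 (network A, eth1, holding the default gateway) and 203.0.113.0/24 (network B, eth0) as constructed stand-ins, plus a constructed remote host 192.0.2.50. It reports when a reply would leave on a different interface than the request arrived on, and shows how adding a specific route via network B's router (Les's suggested fix) changes the lookup.

```python
"""Longest-prefix route lookup over a 'route -n' style table.
Added example, not code from the thread; all addresses are constructed."""
import ipaddress

# Constructed sample with the same layout as the 'route -n' output in the post.
ROUTE_TABLE = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth1
"""


def make_route(cidr, gateway, iface, metric=0):
    """Build one routing entry; gateway None means 'directly connected'."""
    return {"net": ipaddress.ip_network(cidr, strict=False),
            "gateway": gateway, "iface": iface, "metric": metric}


def parse_route_table(text):
    """Parse the body of 'route -n' (header line skipped) into route dicts."""
    routes = []
    for line in text.strip().splitlines()[1:]:
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        gateway = None if gw == "0.0.0.0" else gw
        routes.append(make_route(f"{dest}/{mask}", gateway, iface, int(metric)))
    return routes


def lookup(routes, dst_ip):
    """Most specific matching prefix wins; lowest metric breaks ties.
    Returns (iface, gateway) or None when no route covers the destination."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def reply_path(routes, in_iface, src_ip):
    """Describe where the reply to a packet from src_ip that arrived on
    in_iface would be sent, and flag it if that is a different interface."""
    out_iface, gateway = lookup(routes, src_ip)
    return {"in": in_iface, "out": out_iface, "gateway": gateway,
            "asymmetric": out_iface != in_iface}


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    # A ping from a remote host reaches eth0 through network B's router ...
    print(reply_path(routes, "eth0", "192.0.2.50"))
    # ... but the reply leaves on eth1 via the default gateway (asymmetric).
    # Adding a specific route through network B's router fixes that lookup:
    routes.append(make_route("192.0.2.0/24", "203.0.113.1", "eth0"))
    print(reply_path(routes, "eth0", "192.0.2.50"))
```

Without the extra route the reply to 192.0.2.50 leaves on eth1 towards 198.51.100.1 even though the request came in on eth0; once 192.0.2.0/24 is routed via 203.0.113.1 the longer prefix wins and the reply goes back the way it came. Any router or host on network B that drops packets it did not see the request for (strict reverse-path filtering, stateful firewalls) is a likely reason pings from off the local subnet get no answer.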
Re: [CentOS] One approach to dealing with SSH brute force attacks.
On Wed, Jan 30, 2008 at 12:17:22PM -0500, Ed Donahue wrote:

> I use this one, works great and easy to setup
> http://rfxnetworks.com/bfd.php

This is how I deal with them: deny by default unless you know the secret handshake.

http://wiki.xdroop.com/space/Linux/Limited+SSH+Access

--
David Mackintosh | [EMAIL PROTECTED] | http://www.xdroop.com
Re: [CentOS] NoMachine NX Server
----- Sobari Tanuwijaya [EMAIL PROTECTED] wrote:

> Hi,
>
> Is there anybody ever have an experience install NoMachine NX Server on centos? Is there anything need to get special attention?
>
> Thanks in advance
> --
> Tanu

I've installed the 'free forever' version on both centos 4.x and 5.x i386 without issue. I'm just about to install the 'small business' server on redhat 5.1. I don't anticipate any issues with the redhat install either.
[CentOS] NoMachine NX Server
Hi,

Has anybody ever had experience installing NoMachine NX Server on CentOS? Is there anything that needs special attention?

Thanks in advance
--
Tanu
Re: [CentOS] No route to host
Thanks for your support. So what is the conclusion, sir? Is the problem in my server or in the pttropical server? Could you please explain more clearly?

thank you,
Regards,
Horasima SML.

2008/1/31, Les Bell [EMAIL PROTECTED]:

> horas simalango [EMAIL PROTECTED] wrote:
>
>> Please help me solve this problem!
>
> The commands you'd use to diagnose this problem are:
>
> dig pttropical.co.id SOA
> (That works fine)
>
> dig pttropical.co.id MX
> (That works, and shows mail.pttropical.co.id as their MX)
>
> traceroute mail.pttropical.co.id
> (Which bombs out. Ergo their mail server or an upstream router or link is down).
>
> Best,
> ---
> Les Bell, RHCE, CISSP
> [http://www.lesbell.com.au]
> Tel: +61 2 9451 1144
> FreeWorldDialup: 800909
Re: [CentOS] NoMachine NX Server
On Thu, 31 Jan 2008 11:15:04 +0700 Sobari Tanuwijaya [EMAIL PROTECTED] took out a #2 pencil and scribbled:

> Hi,
>
> Is there anybody ever have an experience install NoMachine NX Server on centos? Is there anything need to get special attention?
>
> Thanks in advance
> --
> Tanu

I've seen no issues running NoMachine NX on two machines in my custody. You can also yum install freenx if that suits your purposes.

HTH
--
[EMAIL PROTECTED]
Life is a prison, death is a release
Re: [CentOS] No route to host
On Thu, Jan 31, 2008, horas simalango wrote:

> Thanks for your support. So what is the conclusion, sir? Is the problem in my server or in the pttropical server? Could you please explain more clearly?

Most likely there was a temporary problem connecting to their server. I was just able to ping mail.pttropical.co.id, their only listed MX server.

Bill
--
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186             Mercer Island, WA 98040-0820; (206) 236-1676

The difference between science and the fuzzy subjects is that science requires reasoning while those other subjects merely require scholarship. -- Robert Heinlein