Re: [CentOS-es] rsync (or another tool) for CentOS backups
I use scheduled jobs: tar, with gpg, inside the crontab. I keep the encryption passphrases in separate files. If you're interested, I can send examples.

On 07/12/2010 02:21, Lucas Smud devot...@hotmail.com wrote:
> Hi, how are you, friends of the forum? It's been a while since I've been around here... well, I come with a small question: I want to make backups of some modules of my CentOS 5.5, e.g. /etc/httpd. It turns out I can do it with webmin, but I'd like to know what you would recommend for doing it, and also a full copy of the already configured system. I read that rsync is very good. What do you recommend for:
> - backups of modules
> - full backups
> - mirror images (like Ghost)
> Thanks in advance for your answer
> ___ CentOS-es mailing list CentOS-es@centos.org http://lists.centos.org/mailman/listinfo/centos-es
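An added example of the scheme Ricardo describes (tar, gpg and cron, with the passphrase kept in a separate file); this is not his script. It backs up one directory such as /etc/httpd into a symmetrically encrypted archive, and refuses to run if the passphrase file is readable by anyone but its owner, since a world-readable passphrase makes the encryption pointless. The destination directory, the passphrase file path and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example, not Ricardo's own script: cron-driven tar + gpg backup of one
# directory, passphrase read from a separate root-only file.
# Assumed locations (override via the environment):
PASSFILE=${PASSFILE:-/root/.backup-passphrase}
DEST=${DEST:-/var/backups/encrypted}

# Refuse to use a passphrase file that group or others can read.
# `ls -l` columns 5-10 are the group and other permission bits.
check_passfile() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Name for today's archive: <basename of source>-<YYYYMMDD>.tar.gz.gpg
archive_name() {
    printf '%s-%s.tar.gz.gpg\n' "$(basename "$1")" "$(date +%Y%m%d)"
}

# tar and gzip the source directory and encrypt the stream with AES-256.
# The passphrase never appears on the command line, so it is not visible in `ps`.
backup_dir() {
    src=$1
    check_passfile "$PASSFILE" || { echo "bad permissions on $PASSFILE" >&2; return 1; }
    mkdir -p "$DEST"
    tar -C / -czf - "${src#/}" \
      | gpg --batch --yes --symmetric --cipher-algo AES256 \
            --passphrase-file "$PASSFILE" \
            -o "$DEST/$(archive_name "$src")"
}

# Typical root crontab line (added with `crontab -e`), assumed path:
#   30 2 * * * /usr/local/sbin/backup.sh /etc/httpd
if [ -n "${1:-}" ]; then
    backup_dir "$1"
fi
```

Create the passphrase file with `umask 077` before writing it so it is born with mode 600, and test a restore (`gpg -d archive | tar -tzf -`) before trusting the job. With GnuPG 2.1 or newer, `--passphrase-file` additionally needs `--pinentry-mode loopback`.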
Re: [CentOS-es] Block incoming mail by domain, CentOS 5.5 + Postfix + Dovecot (Carlos Sura)
Carlos, you can also block them by editing the /etc/hosts.deny file. If you want to block all services, use:

# vi /etc/hosts.deny
ALL:.dominiobloqueado.org

and if you want to block only postfix and dovecot, use:

# vi /etc/hosts.deny
postfix:.dominiobloqueado.org
dovecot:.dominiobloqueado.org

Regards,
Julio

-- Message: 1 Date: Sat, 4 Dec 2010 09:30:39 -0600 From: Carlos Sura carlos.su...@googlemail.com Subject: [CentOS-es] Bloquear entrada de correos por dominios CentOS 5.5 +Postfix + Dovecot To: centos-es@centos.org Message-ID: aanlkti=cg=_bhecezxz9hzvkq3gzdejen9xqr9noj...@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1
> Hello, good day. On the mail servers I manage, I'd like to know a way to deny entry to specific domains (which I would select), so that not a single e-mail whose sending account carries that domain can reach me. I use Postfix. Best regards, Carlos Sura.

End of CentOS-es Digest, Vol 48, Issue 8
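An added example, not Julio's or Carlos's configuration, showing the Postfix-side way to do what Carlos asks. Two caveats matter for the hosts.deny approach above: tcp_wrappers matches the connecting client's reverse-DNS hostname, not the domain in the sender address, and Postfix's smtpd is not linked against libwrap, so /etc/hosts.deny does not affect it at all. Postfix's own sender access map rejects by envelope sender domain. The domain name is the placeholder from the post; the map path is the usual Postfix location.

```shell
#!/bin/sh
# Added example, not from the thread: reject mail by envelope sender domain
# with a Postfix access map (Postfix does not consult /etc/hosts.deny).
# Domain names passed in are placeholders; /etc/postfix/sender_access is assumed.

# Emit sender_access map lines for each domain: the domain itself and all of
# its subdomains get REJECT. Map format is "key<TAB>action", one per line.
build_sender_access() {
    for d in "$@"; do
        printf '%s\tREJECT\n' "$d"
        printf '.%s\tREJECT\n' "$d"
    done
}

# Number of map lines that would be written (sanity check before postmap).
count_sender_access() {
    build_sender_access "$@" | wc -l | tr -d ' '
}

# Write the map, compile it, and hook it into smtpd_sender_restrictions.
# Needs root on the mail server; not executed by the checks below.
install_sender_access() {
    build_sender_access "$@" > /etc/postfix/sender_access
    postmap hash:/etc/postfix/sender_access
    postconf -e 'smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access'
    postfix reload
}
```

Run `install_sender_access dominiobloqueado.org` once, then watch /var/log/maillog for the `Sender address rejected` lines to confirm the rule fires. For Dovecot (IMAP/POP logins rather than incoming mail) the question does not really apply, since the sender domain of a message is not something Dovecot sees at login time.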
[CentOS-es] Does PAM support the vsftpd service?
It's a doubt I have... because I think that on other distros vsftpd is supported by PAM...
[CentOS-es] Publishing via Apache two websites that run on other Apache servers
Hello friends of the list, I like following this list's thread since it always contributes something interesting and, as I always say, nobody knows it all. My interest is in asking whether someone could help me with an issue I have. I'll explain quickly so as not to tire you: I have an Apache with a www site published on my external dns1 server, which has Apache installed, and inside my network I have two PCs, each with WampServer and each running a site: an intranet and an FTP over HTTP. I have two routable public IPs; on my external dns1 I declared the aliases ftp and intranet, and on the external dns2 I have no Apache, I only created an iptables rule to FORWARD so that when they ask for intranet.midominio.cu it is sent to the internal IP where the WampServer with its Apache is running. But none of my companies manage to see the intranet or the ftp; only the www loads.

Regards
--
==
Luis García Rey
IT Specialist
Network/System Administrator
I+D Informatica y Desarrollo ECIE
ECIE Empresa de Construcciones de la Industria Eléctrica
Tejadillo 57-59 e/ Aguiar y Cuba, La Habana Vieja, Ciudad de la Habana
Tel: (537)8630884
r...@ecie.minbas.cu
Linux counter: 352162
Every day we know more and understand less. Albert Einstein
==
Re: [CentOS-es] Publishing via Apache two websites that run on other Apache servers
On Mon, 06 Dec 2010 09:20:19 -0500, Luis García Rey r...@ecie.minbas.cu wrote:
> Hello friends of the list, I like following this list's thread since it always contributes something interesting and, as I always say, nobody knows it all. My interest is in asking whether someone could help me with an issue I have. I'll explain quickly so as not to tire you: I have an Apache with a www site published on my external dns1 server, which has Apache installed, and inside my network I have two PCs, each with WampServer and each running a site: an intranet and an FTP over HTTP. I have two routable public IPs; on my external dns1 I declared the aliases ftp and intranet, and on the external dns2 I have no Apache, I only created an iptables rule to FORWARD so that when they ask for intranet.midominio.cu it is sent to the internal IP where the WampServer with its Apache is running. But none of my companies manage to see the intranet or the ftp; only the www loads.
>
> Regards

Have you tried the Apache module mod_proxy?

Regards
--
Julio Cèsar Carballo Lòpez
Network Administrator
Instituto de Geografìa Tropical
Debian GNU/Linux User
Linux Registered User: 477739
Telef: (537) 832/3494
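As an added example (not Julio's or Luis's configuration), this is what Julio's mod_proxy suggestion looks like on the public CentOS Apache: one reverse-proxy virtual host per public hostname, so that intranet.midominio.cu and the ftp alias both point at the public Apache and it forwards the requests to the WampServer machines. The backend addresses 192.168.0.10 and 192.168.0.11, the ftp hostname and the file under /etc/httpd/conf.d are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reverse-proxy vhosts with mod_proxy on the
# public Apache, instead of a raw iptables FORWARD to the internal WampServers.
# Backend addresses and file path below are assumed placeholders.

# Print an Apache 2.2 vhost that proxies one public hostname to one backend.
# $1 = public ServerName, $2 = internal backend URL (no trailing slash).
make_proxy_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    # Keep forward proxying off: an open forward proxy is an abuse vector.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / $2/
    ProxyPassReverse / $2/
    ErrorLog logs/$1-error_log
    CustomLog logs/$1-access_log combined
</VirtualHost>
EOF
}

# Count ProxyPass directives in a config read from stdin (sanity check).
count_proxy_pass() {
    grep -c '^ *ProxyPass '
}

# Write both vhosts and syntax-check before reloading (root only; not run by
# the checks below).
install_proxy_vhosts() {
    {
        make_proxy_vhost intranet.midominio.cu http://192.168.0.10
        make_proxy_vhost ftp.midominio.cu http://192.168.0.11
    } > /etc/httpd/conf.d/reverse-proxy.conf
    httpd -t && service httpd reload
}
```

On Apache 2.2 the name-based vhosts need `NameVirtualHost *:80` enabled in httpd.conf. With both public names resolving to the public Apache, the iptables FORWARD rule on dns2 is no longer needed, and only the proxy host is exposed; the WampServer machines stay reachable solely from the internal network. `ProxyRequests Off` is what keeps the server from becoming an open proxy.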
Re: [CentOS-es] CentOS-es Digest, Vol 48, Issue 10
On Tue, 07-12-2010 at 12:00 -0500, centos-es-requ...@centos.org wrote:
> Send CentOS-es mailing list submissions to centos-es@centos.org. To subscribe or unsubscribe via the web, visit http://lists.centos.org/mailman/listinfo/centos-es or, via e-mail, send a message with the text "help" in the subject or body to centos-es-requ...@centos.org. You can reach the person managing the list at centos-es-ow...@centos.org. When replying, please edit the Subject line so it is more specific than "Re: Contents of CentOS-es digest", and please include in your reply only those parts of the message you are responding to.
>
> Today's topics:
> 1. rsync (or another tool) for CentOS backups (Lucas Smud)
> 2. Re: rsync (or another tool) for CentOS backups (Ricardo Martinez)
> 3. Re: Block incoming mail by domain, CentOS 5.5 + Postfix + Dovecot (Carlos Sura) (Julio Martinez)
> 4. Does PAM support the vsftpd service? (Ru-Benz Cáceres)
> 5. Publishing via Apache two websites that run on other Apache servers (Luis García Rey)
> 6. Re: Publishing via Apache two websites that run on other Apache servers (Julio Cesar)
>
> Message: 1 Date: Mon, 6 Dec 2010 22:18:35 -0300 From: Lucas Smud devot...@hotmail.com Subject: [CentOS-es] rsyn (u otro) copia de seguridad centos To: centos-es@centos.org Message-ID: snt110-w317127851b13ad78d7660ddf...@phx.gbl Content-Type: text/plain; charset=iso-8859-1
>
> Message: 2 Date: Tue, 7 Dec 2010 12:14:16 +0100 From: Ricardo Martinez harisel...@gmail.com Subject: Re: [CentOS-es] rsyn (u otro) copia de seguridad centos To: centos-es@centos.org Message-ID: aanlktimw=eweauvstyzuvcyuqfy4v8dnz4f+b4vdo...@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1
>
> Message: 3 Date: Sun, 5 Dec 2010 09:23:57 -0800 (PST) From: Julio Martinez hul...@yahoo.com Subject: Re: [CentOS-es] Bloquear entrada de correos por dominios CentOS 5.5 + Postfix + Dovecot (Carlos Sura) To: centos-es@centos.org Message-ID: 8075.74364...@web38707.mail.mud.yahoo.com Content-Type: text/plain; charset=iso-8859-1
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcco...@lightlink.com wrote:
> Ryan Wagoner wrote:
>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>
> No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.

As opposed to these Russian mobsters, terrorists, crackers looking at the headers of your email above...

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner rswago...@gmail.com wrote:
> On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcco...@lightlink.com wrote:
>> Ryan Wagoner wrote:
>>> On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcco...@lightlink.com wrote:
>>>> David Sommerseth wrote:
>>>>> On 06/12/10 15:29, Todd Rinaldo wrote:
>>>>>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>>>>>> On 05/12/10 14:21, Tom H wrote:
>>>>>>>> On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote:
>>>>>>>>> On 12/05/10 12:50, Rudi Ahlers wrote:
>>>>>>>>>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
>>>>>>>>>
>>>>>>>>> Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6?
>>>>>>>>
>>>>>>>> I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses.
>>>>>>>
>>>>>>> Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could.
>>>>>>
>>>>>> I've heard this before but It's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they?
>>>>>
>>>>> This can be a bit confusing, especially if you see this with IPv4 eyes. In IPv6, it basically is no such things as a private subnet (range). When you contact your ISP to get a IPv6 subnet, they will most probably give you a /48 network. That means you will have a IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks. Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks.
>>>>>
>>>>> So the IPv6 prefix will be something like: :::::/64 the '::' part is the prefix your ISP will provide you, and this is the first 48bits of the IPv6 address. The '' part is up to you to decide what will be, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536.
>>>>>
>>>>> And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses. (You may of course make even more subnets below /64, but that's usually not recommended at all - especially with auto-configured networks)
>>>>>
>>>>> So then ... the next phase. As everyone who gets a /48 nets should have it flexible enough to setup private networks, the firewall just needs to block completely in-going traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop.
>>>>>
>>>>> And then, the former proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT. As this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway. So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition.
>>>>>
>>>>> I hope this made it a little bit clearer.
>>>>
>>>> Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
>>>>
>>>> Bob McConnell
>>>> N2SPP
>>>
>>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect
[CentOS] How to dump mails via HTTP
Hello everyone! How can I dump in human-readable format all e-mails sent and received via an HTTP web interface, for example via aol.com or gmail.com - these are just examples; there's our own mail service, but it's not under our control. Connections to the web interface are not secured with HTTPS, pure HTTP. In the case of POP3/SMTP I can successfully dump it with mailsnarf from the dsniff rpm. Please help with something! Sorry, English is not my native language :-)

--
With regards,
Dmitry Lock
Network Engineer
Customer Support Service
PTC Center
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 11:08 AM, Todd Rinaldo wrote:
> On Dec 6, 2010, at 7:51 PM, Christopher Chan wrote:
>> On Tuesday, December 07, 2010 08:57 AM, David wrote:
>>> Folks I have been following the IPV6 comments. What concerns me with the loss of NAT are the following issues:
>>> 1) My friend from half-way around the world comes to visit. He turns on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of my addresses
>>> a) Did my ISP give me enough?
>>
>> Let's see...if you apply for ipv6, you get a /48 network or as David put it, 65k worth of /64 subnets.
>>
>>> b) Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage... I'm still waiting for the day I get a home ISP that doesn't nickel and dime me.
>
> I agree that this is a potential concern. What's sad is that if they decide to do this, there's little I can do about it since ipv6 doesn't support NAT. Don't get me wrong. Now I've reviewed the spec, I agree NAT isn't required, but unless all the end user ISPs turn into benevolent Oligopolies, it is a potential issue.

Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled.
Re: [CentOS] CentOS 5.5 with MediaWiki
On 06-12-2010 15:55, Mathieu Baudier wrote:
>> Also, there will soon be a MediaWiki 1.16 package in EPEL[1]. There is
>
> Good news! Actually my dependencies were probably from EPEL in that case, not RPMForge.

How to solve this problem, rebuild the package php-xml to CentOS 5.5 ?

Cheers,
Clóvis
--
Clovis Tristao - UNICAMP/Faculdade de Engenharia Agricola
Network Administrator - Secao de Informatica (SINFO)
E-mail: clo...@feagri.unicamp.br http://www.feagri.unicamp.br
Phone (0xx19) 35211031-35211038-91173116 or FAX (55xx19) 35211005/35211010
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 02:26, Les Mikesell wrote:
> On 12/6/10 6:27 PM, Brian Mathis wrote:
>> You are enjoying a side-effect of NAT by thinking it is a firewall.
>
> The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.

So you are afraid of out-growing from an assigned /48 net? Let's do some math here ... and I hope I get it right ...

IPv4: aa:bb:cc:dd that's 32 bit
IPv6: :::: this is 48 bits out of 128bits

In the IPv6 scenario, you have been assigned '::::' as your IPv6 prefix by your ISP. So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it:

IPv6 /64 subnets: :::::

That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64bit addressing. And if my math doesn't fail me now, a 64 bit addressing scheme is doubling the IPv4 address scope 32 times. What I mean is that from 32 bit to 33 bit, you have 2 * 32 bit addressing scope. From 32 to 34, you have 4 * 32 bit addressing scope. For each bit you add, you double what you had. It is simply insanely many addresses.

And if you fear that ISPs or IANA might run out of address spaces. Remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times. Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story. And a /64 network is possible but not so easy to subnet further, and is also not recommended.

kind regards,
David Sommerseth
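An added example, not David's own code, putting two of his points into a small POSIX shell script: the arithmetic from this message (a /48 holds 2^16 = 65536 /64 networks, and the next 16 bits are yours to assign) and the approach from his earlier reply in this thread of making a /64 "private" by blocking inbound traffic to it at the firewall rather than by NAT. The prefix 2001:db8:abcd::/48 is an RFC 3849 documentation prefix standing in for a real ISP assignment; `count_subnets` also handles other prefix lengths such as the /56 some ISPs hand out.

```shell
#!/bin/sh
# Added example, not from the thread: /48 -> /64 subnet arithmetic and
# ip6tables rules that emulate a site-local network with a stateful firewall.
# 2001:db8:abcd is a documentation prefix (RFC 3849), not a real assignment.

# Number of /64 subnets inside a prefix of the given length: 48 -> 65536, 56 -> 256.
count_subnets() {
    echo $(( 1 << (64 - $1) ))
}

# Build the /64 for subnet ID $2 (0..65535) under the /48 given in $1, which is
# written as its three leading hextets, e.g. "2001:db8:abcd".
subnet64() {
    printf '%s:%x::/64\n' "$1" "$2"
}

# Rules for a router's FORWARD chain that make $1 behave like a site-local net:
# hosts inside may initiate connections out and receive the replies, but no new
# connection from outside reaches them. Drop the second rule too if the subnet
# should be fully isolated, as a site-local range would have been.
private_subnet_rules() {
    net=$1
    cat <<EOF
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -s $net -j ACCEPT
ip6tables -A FORWARD -d $net -j DROP
EOF
}
```

For example `subnet64 2001:db8:abcd 1` yields `2001:db8:abcd:1::/64`, and `private_subnet_rules "$(subnet64 2001:db8:abcd 1)"` prints the three rules for it. Note that the ESTABLISHED,RELATED match relies on IPv6 connection tracking, which arrived in kernel 2.6.20; the stock CentOS 5 kernel (2.6.18) can only filter IPv6 statelessly, so on that release the rules reduce to the allow/drop pair and outbound-only access needs a newer kernel.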
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote:
>> So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer.
>
> Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design.

It isn't.

> I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network.

Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*.

> With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping.

Why? There is no reason. You are wrong, you do *NOT* need to continue that mapping. That mapping is pointless.

> If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>
> No, the downside is that each address used will be exposed to the world.

False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.

> I consider that a serious security flaw.

It is not.

> Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.

So you want to cheap on the legal contract you agreed to?

> But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.

The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
>> b) Do I get charged by my ISP on a per-device basis?
>
> Heh, if they want to micromanage...

This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS). In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 07:23 PM, Mathieu Baudier wrote:
>>> b) Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
>
> This is no science fiction.

Never said it was.

> Some big providers in some countries limit the number of device that can connect to internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS)

Not news to me. Netvigator over here had single computer in its terms and conditions and single user/multiple user accounts. And only they had such terms but they never did try to enforce them. Not with all the competition around.

> In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)

/me does not care. Not sure about other folks though...do them a service :-p
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
> /me does not care. Not sure about other folks though...do them a service :-p

In theory, a lot of residential routers (not provided by the ISP) will allow to set the sent MAC address via their web interface. And on a full fledged Linux OS:

ifconfig ethX hw ether MY:MA:CA:DD:RE:SS

(or something like that, see man ifconfig) I just did not say whether I have ever tried in real...
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Mathieu Baudier said the following on 07/12/10 12:23:
> Some big providers in some countries limit the number of device that can connect to internet.

FastWeb does this in Italy. They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted.

Ciao,
luigi
--
Luigi Rosa
Biggest Black Hole ever Found in Nearby Galaxy. EVERYBODY PAN..IC --fark.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 07, 2010 at 12:23:08PM +0100, Mathieu Baudier wrote:
>>> b) Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
>
> This is no science fiction. Some big providers in some countries limit the number of device that can connect to internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS)

In the old days (5-6 years ago?), you were being sneaky if you used a router--this is in the US, with Roadrunner. They acknowledged, eventually, that it was common, and their terms of service specifically allow it. Verizon used to (don't know what they do now), provide a modem-cum-wireless-router when you got their service---this was with DSL, I assume they do the same with FIOS.

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Anyanka: You trusting fool. How do you know the other world is any better than this?
Giles: Because it has to be.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 12:53 PM, Mathieu Baudier wrote:
> ...
> And on a full fledged Linux OS:
>
> ifconfig ethX hw ether MY:MA:CA:DD:RE:SS
>
> (or something like that, see man ifconfig) I just did not say whether I have ever tried in real...

You just add the following line to /etc/sysconfig/network-scripts/ifcfg-eth0:

MACADDR=MY:MA:CA:DD:RE:SS

It works.

Mogens
--
Mogens Kjaer, m...@lemo.dk
http://www.lemo.dk
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate?

--
Sincerely,
John Thomas
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 12:23, Mathieu Baudier wrote:
>>> b) Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
>
> This is no science fiction. Some big providers in some countries limit the number of device that can connect to internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS)

For a lot of people, it is always possible to vote with your wallet. If a provider is too restrictive for you, choose another one. I pay my fees to the ISP I feel is worthy to have me as a customer. So if they want my money, they must please me. But I am also willing to pay a bit more to a competitor who can fulfil my demands if my current provider does not deliver according to the agreement and my expectations. Of course this is not possible in places where there is only one option. But then try to approach, if possible, other ISPs anyway, to see what they can offer you.

kind regards,
David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>> 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy?
>>
>> Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity.
>
> Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.

That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.

Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.

Cheers,
Gavin
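An added example, not Gavin's code: the "use a random address from your block for each outgoing connection" idea he describes is what the Linux kernel's IPv6 privacy extensions (RFC 4941 temporary addresses) automate, and this script shows the sysctl settings that turn them on plus a check for stable global addresses that would still be exposed. The `net.ipv6.conf.*.use_tempaddr` names are real kernel settings; the `ip -6 addr` output embedded below is constructed sample data, with 2001:db8:... documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: enable RFC 4941 temporary IPv6 addresses
# and list the stable global addresses a host still exposes.
# The sample `ip -6 addr` output is constructed for this demo.

# Sysctl lines for /etc/sysctl.conf: value 2 generates temporary addresses and
# prefers them as the source for outgoing connections, so the stable EUI-64
# address is not what remote servers log.
privacy_sysctl_lines() {
    cat <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF
}

# Read `ip -6 addr` output on stdin and print global-scope addresses that are
# NOT temporary, i.e. the stable ones that would be exposed if the privacy
# extensions were off. Fields: $1="inet6", $2=address/prefix, $4=scope name.
stable_global_addrs() {
    awk '$1 == "inet6" && $4 == "global" && $0 !~ /temporary/ { print $2 }'
}

# Constructed sample of `ip -6 addr show eth0`: one stable global address,
# one temporary global address, one link-local address.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:abcd:1:8c3e:3aff:fe12:3456/64 scope global dynamic
       valid_lft 86379sec preferred_lft 14379sec
    inet6 2001:db8:abcd:1:1c7a:9f0b:2d4e:6a31/64 scope global temporary dynamic
       valid_lft 86379sec preferred_lft 14379sec
    inet6 fe80::8c3e:3aff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# How many stable global addresses the sample host exposes.
count_stable_global() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | stable_global_addrs | wc -l | tr -d ' '
}
```

On a live host, `ip -6 addr | stable_global_addrs` shows what to expect after applying the sysctls with `sysctl -p`: the stable address remains (it is still needed for inbound services) but outgoing connections use the rotating temporary one. This is a client-side measure; for servers you normally keep stable addresses so that logs and DNS stay meaningful, and the firewall remains the control that matters for inbound traffic.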
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 06:56 AM, Luigi Rosa wrote:
> Mathieu Baudier said the following on 07/12/10 12:23:
>> Some big providers in some countries limit the number of devices that can connect to the internet.
>
> FastWeb does this in Italy. They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted.
>
> That is easily defeated by putting a Linux box behind the provided router to do natting.
>
> Ciao,
> luigi
> --
> Biggest Black Hole ever Found in Nearby Galaxy. EVERYBODY PAN..IC --fark.com

-- 
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 05:13 AM, David Sommerseth wrote:
> On 07/12/10 02:26, Les Mikesell wrote:
>> On 12/6/10 6:27 PM, Brian Mathis wrote:
>>> You are enjoying a side-effect of NAT by thinking it is a firewall.
>> The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to be reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
>
> So you are afraid of out-growing from an assigned /48 net? Let's do some math here ... and I hope I get it right ...
>
>   IPv4: aa:bb:cc:dd   that's 32 bit
>   IPv6: ::::          this is 48 bits out of 128 bits
>
> In the IPv6 scenario, you have been assigned '::::' as your IPv6 prefix by your ISP. So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it:
>
>   IPv6 /64 subnets: :::::
>
> That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64 bit addressing.
>
> And if my math doesn't fail me now, a 64 bit addressing scheme is doubling the IPv4 address scope 32 times. What I mean is that from 32 bit to 33 bit, you have 2 * 32 bit addressing scope. From 32 to 34, you have 4 * 32 bit addressing scope. For each bit you add, you double what you had. It is simply insanely many addresses.
>
> And if you fear that ISPs or IANA might run out of address space: remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times.
>
> Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story. And a /64 network is possible but not so easy to subnet further, and is also not recommended. ISPs are supposed to hand out /48s so you can move to a new ISP without having to disrupt your internal addressing.
>
> kind regards,
>
> David Sommerseth

-- 
Stephen Clark *NetWolves*
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 13:22, John Thomas wrote:
> Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate?

They are separated. It's two different protocols, even though they are similar in many aspects.

There are some projects trying to bridge that for single-stack IPv6 networks. But I've concluded running dual-stack with both IPv4 and IPv6 is less error prone, as such proxy solutions will not always work 100% perfectly. The IPv4 addresses need to be translated into IPv6 addresses by a local DNS service, and the proxy anyway needs IPv4 access to reach the IPv4 host.

David S.
[CentOS] difference between cron and shell invocation.
I have a fairly involved root cron task that I moved verbatim from another server. On the original server, this task ran without problem. On the new server, when this task runs via cron, which I confirm is happening by looking in the cron log, no files are transferred and no error is reported. However, if I copy the cron command from root's crontab and paste it into a terminal session on the new server then the task runs to completion and the files are transferred.

This task involves sshfs, fuse, and rsync and employs pki certificates for authentication. The fact that it works from the shell without alteration and yet not from cron is the issue. Does anyone have any idea where I would start to track down what is going on?

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
Re: [CentOS] difference between cron and shell invocation.
James B. Byrne wrote:
> I have a fairly involved root cron task that I moved verbatim from another server. On the original server, this task ran without problem. On the new server, when this task runs via cron, which I confirm is happening by looking in the cron log, no files are transferred and no error is reported. However, if I copy the cron command from root's crontab and paste it into a terminal session on the new server then the task runs to completion and the files are transferred.
>
> This task involves sshfs, fuse, and rsync and employs pki certificates for authentication. The fact that it works from the shell without alteration and yet not from cron is the issue. Does anyone have any idea where I would start to track down what is going on?

Sure - it's pretty obvious that something in the environment is missing. Try putting env in the cron job, or run the actual job as a shell script, and in the script, put env and pipe that to a file, so that you can then compare that with your env o/p as root.

mark
Re: [CentOS] difference between cron and shell invocation.
On Tuesday 07 December 2010 14:34:33 James B. Byrne wrote:
> I have a fairly involved root cron task that I moved verbatim from another server. On the original server, this task ran without problem. On the new server, when this task runs via cron, which I confirm is happening by looking in the cron log, no files are transferred and no error is reported. However, if I copy the cron command from root's crontab and paste it into a terminal session on the new server then the task runs to completion and the files are transferred.
>
> This task involves sshfs, fuse, and rsync and employs pki certificates for authentication. The fact that it works from the shell without alteration and yet not from cron is the issue. Does anyone have any idea where I would start to track down what is going on?

Check the paths in cron. They are not necessarily the same as the paths for the shell.

Tony
Re: [CentOS] difference between cron and shell invocation.
At Tue, 7 Dec 2010 09:34:33 -0500 (EST) CentOS mailing list centos@centos.org wrote:
> I have a fairly involved root cron task that I moved verbatim from another server. On the original server, this task ran without problem. On the new server, when this task runs via cron, which I confirm is happening by looking in the cron log, no files are transferred and no error is reported. However, if I copy the cron command from root's crontab and paste it into a terminal session on the new server then the task runs to completion and the files are transferred.
>
> This task involves sshfs, fuse, and rsync and employs pki certificates for authentication. The fact that it works from the shell without alteration and yet not from cron is the issue. Does anyone have any idea where I would start to track down what is going on?

Things to check:

Environment issues: PATH, SHELL, etc. I would put in calls to logger and/or echo to log what is going on. Adding a '-v' (verbose flag) to selected commands to generate additional debug information can also help.

Is anything making use of stdin? Does the script still work if you do something like this from an interactive shell?:

    < /dev/null ./script

Is anything dependent on having access to an actual console device (eg /dev/tty)? That is, are any of the programs trying to be interactive?

What are you doing about stderr's channel? Does adding '2>&1' to the command in crontab prove enlightening?

-- 
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
Re: [CentOS] difference between cron and shell invocation.
On Tue, December 7, 2010 09:49, Brent L. Bates wrote:
> If you aren't already doing so, use the full path to the commands you are

I have done as you suggest and that indeed has solved the problem.

Thank you very much.

Regards,

-- 
James B. Byrne, Harte Lyne Limited
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 19:26 -0600, Les Mikesell wrote:
> On 12/6/10 6:27 PM, Brian Mathis wrote:
>> You are enjoying a side-effect of NAT by thinking it is a firewall.
> The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to be reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.

Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.

Most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
>>> 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity
>> Set your refrigerator to fe80:0001:: and it's now only accessible on the local subnet.
> Quoting http://www.litech.org/~jeff/private/ipv6primer/html/
> Two prefixes are set aside for link-local and site-local addresses.

site-local addresses are officially deprecated.

If you want a device to only be available locally - block the traffic to/from that device. Or block it from acquiring a public address and leave it as link-local only [most people will, I think, just choose the first option - like they do now when they want to block a device].
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 20:55 -0500, Bob McConnell wrote:
> David wrote:
>> Folks I have been following the IPV6 comments. What concerns me with the loss of NAT are the following issues
>> 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity.
> Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
>
> I just finished reviewing my firewall logs for last week. There are 127MiB with ipmon reports of rejected connection attempts. That's actually on the low side for any seven day period. I have some weeks that are half again that much. Somebody out there is pounding on that firewall pretty hard, trying to break in. I'm certain they don't have my best interests at heart. Most of the ports attacked are linked to well known services and worms on one particular OS, which I don't happen to have running on my network. But this log tells me that it is important to make it as difficult as possible for whomever is knocking on the door. I don't see that IPv6 helps improve that protection. In fact, it appears to eliminate some of the protection I have now.

It does *NOT* help with that situation; nobody credible says it does. It also does *NOT* eliminate some of the protection I have now. You apparently *believe* that NAT is about protection. You are wrong.

NAT [at best, and not really] adds obfuscation to the source / destination. Obfuscation is not security.
Re: [CentOS] CentOS 5.5 with MediaWiki
On Tue, Dec 07, 2010 at 07:41:24AM -0200, Clovis Tristao wrote:
> On 06-12-2010 15:55, Mathieu Baudier wrote:
>>> Also, there will soon be a MediaWiki 1.16 package in EPEL[1]. There is
>> Good news! Actually my dependencies were probably from EPEL in that case, not RPMForge.
>
> How to solve this problem, rebuild the package php-xml to CentOS 5.5 ?
>
> Cheers,
> Clóvis

I guess I don't follow -- php-xml is already included in CentOS 5.5.

Ray
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote:
>>> So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer.
>> Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design.
> It isn't.
>> I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network.
> Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*.
>> With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping.
> Why? There is no reason. You are wrong, you do *NOT* need to continue that mapping. That mapping is pointless.

No, it is not pointless. The first step in attacking any computer is finding the IP address. If that address is broadcast outside the firewall every time it talks to another computer, that step is simple. If it is hidden behind a firewall that does NAT, it becomes harder to find and that first step becomes much more difficult. Currently, the only IP address transmitted outside my firewall is the one assigned to that firewall by the Roadrunner DHCP server. None of the addresses inside are exposed. That is a level of protection I am not prepared to give up.

I don't care how much you evangelists blab about the new improved sauce, I still see it as a solution in search of a problem. As far as I am concerned, NAT already solved the address space problem.

Bob McConnell
N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>> No, the downside is that each address used will be exposed to the world.
> False. That is *NOT* a downside.

In your opinion. Others hold a different opinion.

While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well).

And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's, are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting themselves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is. This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it.

You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt
Re: [CentOS] difference between cron and shell invocation.
Question. In a chained cron job like this:

    sshfs . . . /usr/bin/rsync . . . | /bin/mail -s . . . . . .

Is there any way to get a failure message from the first part to be emailed or logged? Given the resolution of this problem I gather that sshfs must not have been found and therefore I would expect an error to be reported somewhere. The chained commands evidently interfered with the propagation of this error which would have immediately identified the source of the problem.

Is it possible to get errors from the individual parts of such chained commands forwarded to an email address, or logged in the system log, or both?

-- 
James B. Byrne, Harte Lyne Limited
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 6:23 AM, Mathieu Baudier mbaud...@argeo.org wrote:
>> b) Do I get charged by my ISP on a per-device basis?
> This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS)
>
> In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)

I've had such a provider. This is why you can assign a MAC address to a dsl router's WAN interface.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>> No, the downside is that each address used will be exposed to the world.
> False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
>> I consider that a serious security flaw.
> It is not.
>> Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
> So you want to cheap out on the legal contract you agreed to?

No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.

>> But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
> The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken.

NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Not allowing the most popular OS on the network at all is another layer of protection. Keeping everything up to date is another. It is a well known and established process to keep my computers secure.

But now you are taking away one of those layers without providing anything of equal strength to replace it. I fail to see how that is an improvement.

However, it appears some of you are actually evangelists in disguise, and refuse to acknowledge any real concerns about this change. So it becomes pointless to continue the discussion.

Bob McConnell
N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcco...@lightlink.com wrote:
> Adam Tauno Williams wrote:
>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>>> No, the downside is that each address used will be exposed to the world.
>> False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
>>> I consider that a serious security flaw.
>> It is not.
>>> Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
>> So you want to cheap out on the legal contract you agreed to?
>
> No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
>
>>> But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
>> The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken.
>
> NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.

Is 172.16.10.72 a private address of yours or of your ISP?
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
> I agree, and would like to look at the AVC's to understand what could have broken the labeling

Well - since it happened again this morning, here you go.

On further investigation in backups, I previously had the user account that I use for the FTP based update with its home directory set to a location inside the /var/www/html tree. Since that unknowingly passed this rule, it silently worked. It was changed to a /home/ based directory instead a while ago - tripping this rule. But not consistently: FTP appears to at least partially work outside the home tree even with the rule active.

I *really* dislike landmines when doing routine system tasks.

Dec 7 07:14:19 10.96.1.9 setroubleshoot: SELinux is preventing the ftp daemon from writing files outside the home directory (./upgrade). For complete SELinux messages. run sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce

sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce

Summary:

SELinux is preventing the ftp daemon from writing files outside the home directory (./upgrade).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home directory (./upgrade). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only setup ftp to allow anonymous ftp, this could signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean: setsebool -P allow_ftpd_full_access=1

The following command will allow this access:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context        system_u:system_r:ftpd_t
Target Context        system_u:object_r:httpd_sys_content_t
Target Objects        ./upgrade [ dir ]
Source                vsftpd
Source Path           /usr/sbin/vsftpd
Port                  Unknown
Host                  XX
Source RPM Packages   vsftpd-2.1.0-2
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_ftpd_full_access
Host Name             X
Platform              Linux 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count           17
First Seen            Thu Dec 2 12:10:14 2010
Last Seen             Tue Dec 7 07:14:19 2010
Local ID              e7787694-644e-4e4e-9b45-bd86c7eb33ce
Line Numbers

Raw Audit Messages

host= type=AVC msg=audit(1291734859.344:6678): avc: denied { write } for pid=1018 comm=vsftpd name=upgrade dev=dm-5 ino=1926503 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

host= type=SYSCALL msg=audit(1291734859.344:6678): arch=4003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330 a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502 suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017 comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0 key=(null)

-- 
Benjamin Franz
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Lamar Owen wrote:
> On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>> No, the downside is that each address used will be exposed to the world.
>> False. That is *NOT* a downside.
>
> In your opinion. Others hold a different opinion.
>
> While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well).
<snip>

Sorry, let me jump in here: how is a hidden IP address, whether it's 10.x, or 192.168.x, obscurity? Rather, AFAIK, attempts to get there from outside are unreachable, because the addresses are not valid on the 'Net itself.

mark
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:11 -0500, Lamar Owen wrote:
> On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>> No, the downside is that each address used will be exposed to the world.
>> False. That is *NOT* a downside.
> In your opinion. Others hold a different opinion.

Others are wrong. Check the RFCs and other papers.

> While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work.

False analogy.

> And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's, are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting themselves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is.

But it isn't NAT. Not like IPv4 NAT, so this doesn't do much to the argument in defense of IPv4-style NAT. IPv6 routing tables are significantly smaller - which is a large advantage to IPv6.

> This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it.
> You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt

I'm certain some people will use it, and that there are legitimate uses. But it doesn't, and won't, serve the same purpose as NAT does in IPv4.
Re: [CentOS] difference between cron and shell invocation.
At Tue, 7 Dec 2010 10:21:27 -0500 (EST) CentOS mailing list centos@centos.org wrote:
> Question. In a chained cron job like this:
>
>     sshfs . . . /usr/bin/rsync . . . | /bin/mail -s . . . . . .
>
> Is there any way to get a failure message from the first part to be emailed or logged? Given the resolution of this problem I gather that sshfs must not have been found and therefore I would expect an error to be reported somewhere. The chained commands evidently interfered with the propagation of this error which would have immediately identified the source of the problem.
>
> Is it possible to get errors from the individual parts of such chained commands forwarded to an email address, or logged in the system log, or both?

It is probably easiest to create a shell script with all of the chaining there and use shell script flow control to deal with mailing/logging errors:

    #!/bin/sh -e
    sshfs . . .
    /usr/bin/rsync . . . 2>&1 | /bin/mail -s . . . ..

Or something like that (eg using '|| error-handling/reporting code' instead of -e).

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
Re: [CentOS] difference between cron and shell invocation.
James B. Byrne wrote:
> Question. In a chained cron job like this:
>
> sshfs . . . /usr/bin/rsync . . . | /bin/mail -s . . . . . .
>
> Is there any way to get a failure message from the first part to be emailed or logged? Given the resolution of this problem I gather that sshfs must not have been found and therefore I would expect an error to be reported somewhere. The chained commands evidently interfered with the propagation of this error which would have immediately identified the source of the problem.
>
> Is it possible to get errors from the individual parts of such chained commands forwarded to an email address, or logged in the system log, or both?

If you're going to get that complicated, why not just write a short shell script, and run that via cron. Then you can set your environment explicitly (as opposed to in your crontab, which some folks like to do). Also, if you want logs from each piece, you could then break it up, and dump/read stuff from temp files.

mark
Re: [CentOS] SELinux - way of the future or good idea but !!!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/07/2010 10:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>> I agree, and would like to look at the AVC's to understand what could have broken the labeling
>
> Well - since it happened again this morning, here you go.
>
> On further investigation in backups, I previously had the user account that I use for the FTP based update with its home directory set to a location inside the /var/www/html tree. Since that unknowingly passed this rule, it silently worked. It was changed to a /home/ based directory instead a while ago - tripping this rule. But not consistently: FTP appears to at least partially work outside the home tree even with the rule active. I *really* dislike landmines when doing routine system tasks.
>
> Dec 7 07:14:19 10.96.1.9 setroubleshoot: SELinux is preventing the ftp daemon from writing files outside the home directory (./upgrade). For complete SELinux messages. run sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce
>
> sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce
>
> Summary:
>
> SELinux is preventing the ftp daemon from writing files outside the home directory (./upgrade).
>
> Detailed Description:
>
> SELinux has denied the ftp daemon write access to directories outside the home directory (./upgrade). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only setup ftp to allow anonymous ftp, this could signal a intrusion attempt.
>
> Allowing Access:
>
> If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean: setsebool -P allow_ftpd_full_access=1
>
> The following command will allow this access:
>
> setsebool -P allow_ftpd_full_access=1
>
> Additional Information:
>
> Source Context                system_u:system_r:ftpd_t
> Target Context                system_u:object_r:httpd_sys_content_t
> Target Objects                ./upgrade [ dir ]
> Source                        vsftpd
> Source Path                   /usr/sbin/vsftpd
> Port                          Unknown
> Host                          XX
> Source RPM Packages           vsftpd-2.1.0-2
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_ftpd_full_access
> Host Name                     X
> Platform                      Linux 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
> Alert Count                   17
> First Seen                    Thu Dec 2 12:10:14 2010
> Last Seen                     Tue Dec 7 07:14:19 2010
> Local ID                      e7787694-644e-4e4e-9b45-bd86c7eb33ce
> Line Numbers
>
> Raw Audit Messages
>
> host= type=AVC msg=audit(1291734859.344:6678): avc: denied { write } for pid=1018 comm=vsftpd name=upgrade dev=dm-5 ino=1926503 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> host= type=SYSCALL msg=audit(1291734859.344:6678): arch=4003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330 a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502 suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017 comm=vsftpd exe=/usr/sbin/vsftpd subj=system_u:system_r:ftpd_t:s0 key=(null)

Where is the directory upgrade located? SELinux is complaining about the ftp site writing to a directory labeled as apache content (httpd_sys_content_t). The way we usually handle shared data between sharing domains is to label the content public_content_rw_t. The following man pages explain these labels.

man ftpd_selinux
man httpd_selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+VdAACgkQrlYvE4MpobMQiACeI5mbC5rOqwxphNavqoomcOMn
fgEAniywRXmiDrnje2nC2vdrv+DGU56f
=qJ03
-----END PGP SIGNATURE-----
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
> Is 172.16.10.72 a private address of yours or of your ISP?

More to the point; do you have a route to his address? Blackhole routing makes the best firewall in the world; you can't even attempt to hack an address to which your autonomous system (or your provider's autonomous system) has no route in the BGP routing tables. You can't even reproducibly DoS his address, since he can probably acquire another inside global one fairly easily through DHCP.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote:
> On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell <rmcco...@lightlink.com> wrote:
>> Adam Tauno Williams wrote:
>>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>>>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>>>> No, the downside is that each address used will be exposed to the world.
>>> False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
>>>> I consider that a serious security flaw.
>>> It is not.
>>>> Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
>>> So you want to cheap on the legal contract you agreed to?
>> No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
>>>> But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
>>> The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken.
>> NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
> Is 172.16.10.72 a private address of yours or of your ISP?

+1

NAT isn't doing what Bob McConnell thinks it is.

Any Russian mobster can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Gavin Carr wrote:
> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>>> 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity.
>>
>> Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
>
> That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.
>
> Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection.
>
> There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.

No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.

I consider that information leakage to be very significant. It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.

Bob McConnell
N2SPP
Re: [CentOS] difference between cron and shell invocation.
On 12/7/10 9:21 AM, James B. Byrne wrote:
> Question. In a chained cron job like this:
>
> sshfs . . . /usr/bin/rsync . . . | /bin/mail -s . . . . . .
>
> Is there any way to get a failure message from the first part to be emailed or logged? Given the resolution of this problem I gather that sshfs must not have been found and therefore I would expect an error to be reported somewhere. The chained commands evidently interfered with the propagation of this error which would have immediately identified the source of the problem.
>
> Is it possible to get errors from the individual parts of such chained commands forwarded to an email address, or logged in the system log, or both?

Cron should default to mailing anything sent to stdout or stderr to the owner of the job if you don't redirect it elsewhere.

-- 
Les Mikesell
lesmikes...@gmail.com
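Robert's and mark's suggestion (a short script run from cron, with each stage of the chain handled on its own) and Les's point that cron mails whatever reaches stdout or stderr, carried through as an added example that is not code from this thread. The script below is my own: the log path, the mail recipient, and the sshfs/rsync paths inside backup_job are assumptions to be replaced with real values.

```shell
#!/bin/sh
# Added example, not from the thread: run each stage of a chained cron job
# as a separate step so that a failure in any stage produces its own
# diagnostic instead of being hidden behind the pipe into mail.
# Assumed names: LOGFILE, MAILTO and the paths used in backup_job.

LOGFILE="${LOGFILE:-/tmp/backup-job.log}"   # assumption: writable log path
MAILTO="${MAILTO:-root}"                    # assumption: report recipient
FAILED=0

# run_step LABEL COMMAND [ARGS...]
# Runs COMMAND, discards its stdout, captures its stderr and appends one
# line per step to $LOGFILE. Returns COMMAND's exit status so a caller can
# stop the chain with '&&' or '||'. FAILED counts failed steps for report().
# A missing binary (the sshfs case from the question) shows up here as
# exit status 127 with the shell's "not found" message as the detail.
run_step() {
    label=$1
    shift
    if err=$("$@" 2>&1 >/dev/null); then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        printf '%s: FAILED (exit %d): %s\n' "$label" "$rc" "$err" >>"$LOGFILE"
        FAILED=$((FAILED + 1))
    else
        printf '%s: ok\n' "$label" >>"$LOGFILE"
    fi
    return "$rc"
}

# report: note the outcome in syslog and mail the step log when something failed.
report() {
    if [ "$FAILED" -gt 0 ]; then
        logger -t backup-job "$FAILED step(s) failed, details in $LOGFILE"
        mail -s "backup job: $FAILED step(s) FAILED" "$MAILTO" <"$LOGFILE"
    else
        logger -t backup-job "all steps ok"
    fi
}

# backup_job: the chain from the question, one step per line. The '&&'
# stops at the first failure; the report goes out either way.
# Hosts and paths are placeholders (assumptions), not values from the thread.
backup_job() {
    : >"$LOGFILE"
    run_step mount  sshfs backuphost:/srv/backup /mnt/backup &&
    run_step rsync  /usr/bin/rsync -a /etc/ /mnt/backup/etc/ &&
    run_step umount fusermount -u /mnt/backup
    report
}

# Only run the real job when invoked as 'backup-job.sh run' from cron, so
# the functions above can be sourced and exercised without side effects.
if [ "${1:-}" = "run" ]; then
    backup_job
fi
```

Because every stage runs as its own command, a missing sshfs binary is recorded as `mount: FAILED (exit 127): ...` in the log and in the mailed report, and `logger` puts a one-line summary in the system log as well. Plain /bin/sh reports only the status of the last command in a pipeline, so `rsync ... | mail` would return mail's status rather than rsync's; with bash, `set -o pipefail` changes that, but splitting the stages as above works in either shell.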
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/07/2010 07:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>> I agree, and would like to look at the AVC's to understand what could have broken the labeling
>
> Well - since it happened again this morning, here you go.
>
> On further investigation in backups, I previously had the user account that I use for the FTP based update with its home directory set to a location inside the /var/www/html tree. Since that unknowingly passed this rule, it silently worked. It was changed to a /home/ based directory instead a while ago - tripping this rule. But not consistently: FTP appears to at least partially work outside the home tree even with the rule active. I *really* dislike landmines when doing routine system tasks.

Ok. SELinux blew up something else that was previously working on that machine (yes - I've already done something to fix it for now. I don't need anyone saying 'well run sealert'. Been there - done that. Things are running now.) This repeated time suckage is why people routinely turn it off.

sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588

Summary:

SELinux is preventing the httpd from using potentially mislabeled files /var/XX/misc/manage_clients/config.xml (var_t).

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files /var/XX/misc/manage_clients/config.xml. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/XX/misc/manage_clients/config.xml so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/XX/misc/manage_clients/config.xml'. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                user_u:object_r:var_t
Target Objects                /var/XX/misc/manage_clients/config.xml [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          Unknown
Host                          XX
Source RPM Packages           httpd-2.2.3-43.el5.centos.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     XX
Platform                      Linux XX 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   3
First Seen                    Mon Apr 26 10:20:36 2010
Last Seen                     Tue Dec 7 07:38:17 2010
Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
Line Numbers

Raw Audit Messages

host=XX type=AVC msg=audit(1291736297.720:6786): avc: denied { getattr } for pid=21363 comm=httpd path=/var/XX/misc/manage_clients/config.xml dev=dm-0 ino=5355222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

host=XX type=SYSCALL msg=audit(1291736297.720:6786): arch=4003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

-- 
Benjamin Franz
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
> site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device.

So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote:
>> There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
> No, it is not FUD,

It is FUD.

> it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.

Calling IPv6 unproved is absurd. It is widely deployed and used extensively. Security is/was taken very seriously in the design.

> I consider that information leakage to be very significant.

You have a huge address pool - periodically change your address if you feel that is significant. That certainly adds more obfuscation than IPv4 NAT ever did.

> It advertises the presence of another computer with explicit information on where to reach it.

You already do that with every e-mail message and HTTP request. Do you obscure the User-Agent string in all your traffic? (You're not using Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as [if not more] valuable to a potential attacker than your firewalled address.

> It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.

You are on a network - you can always disconnect the drive. If you really feel *NAT* is really that critical to hiding your data this seems a very reasonable option. Because NAT is providing only an extremely trivial additive to the security you feel you need.
Re: [CentOS] CentOS 5.5 on a new Mac Mini? no CD Driver?
On 12/6/10 3:54 PM, Jason T. Slack-Moehrle wrote:
> Hi All,
>
> I am attempting to install CentOS 5.5 64 bit on my new Mac Mini. I boot to the CD and when I get to selecting where I am installing from (local cd, hard disk, ftp, etc) I select Local CD and it cannot find a driver and wants me to manually specify or use a driver disk.
>
> I have no idea what drive is in this system. Can anyone point me in the right direction?
>
> -Jason

You need to install and use Apple's Boot Camp to make CentOS work on a Mac Mini. It will install a utility on the drive that will make the Mini look like an ordinary system instead of the Apple based hardware, including standard drivers for the CD/DVD and hard drives and network and sound support. I have an old single core Mac Mini running CentOS 5 32 bit just fine.

One problem though is that I believe that Snow Leopard Server version does NOT come with Boot Camp. If so you'll need to get a version of Snow Leopard that does have Boot Camp available. I think the Standard version of Snow Leopard is about $30.00 from Apple.

If you need help I can be available via Skype to answer your questions.

Bob Arnold
Re: [CentOS] SELinux - way of the future or good idea but !!!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/07/2010 10:59 AM, Benjamin Franz wrote:
> On 12/07/2010 07:36 AM, Benjamin Franz wrote:
>> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>> I agree, and would like to look at the AVC's to understand what could have broken the labeling
>>
>> Well - since it happened again this morning, here you go.
>>
>> On further investigation in backups, I previously had the user account that I use for the FTP based update with its home directory set to a location inside the /var/www/html tree. Since that unknowingly passed this rule, it silently worked. It was changed to a /home/ based directory instead a while ago - tripping this rule. But not consistently: FTP appears to at least partially work outside the home tree even with the rule active. I *really* dislike landmines when doing routine system tasks.
>
> Ok. SELinux blew up something else that was previously working on that machine (yes - I've already done something to fix it for now. I don't need anyone saying 'well run sealert'. Been there - done that. Things are running now.) This repeated time suckage is why people routinely turn it off.
>
> sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588
>
> Summary:
>
> SELinux is preventing the httpd from using potentially mislabeled files /var/XX/misc/manage_clients/config.xml (var_t).
>
> Detailed Description:
>
> SELinux has denied the httpd access to potentially mislabeled files /var/XX/misc/manage_clients/config.xml. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/XX/misc/manage_clients/config.xml so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/XX/misc/manage_clients/config.xml'. You can look at the httpd_selinux man page for additional information.
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t
> Target Context                user_u:object_r:var_t
> Target Objects                /var/XX/misc/manage_clients/config.xml [ file ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          Unknown
> Host                          XX
> Source RPM Packages           httpd-2.2.3-43.el5.centos.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   httpd_bad_labels
> Host Name                     XX
> Platform                      Linux XX 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
> Alert Count                   3
> First Seen                    Mon Apr 26 10:20:36 2010
> Last Seen                     Tue Dec 7 07:38:17 2010
> Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
> Line Numbers
>
> Raw Audit Messages
>
> host=XX type=AVC msg=audit(1291736297.720:6786): avc: denied { getattr } for pid=21363 comm=httpd path=/var/XX/misc/manage_clients/config.xml dev=dm-0 ino=5355222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
>
> host=XX type=SYSCALL msg=audit(1291736297.720:6786): arch=4003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Yes SELinux and all MAC systems require that if the administrator puts files in non default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has similar problems, in that you need to make sure the permission flags and ownership is correct. Of course admins have been dealing with DAC for years so they understand it, and the number of UID/Permission combinations is more limited than the amounts of labels that SELinux presents. I wrote this paper to try to explain what SELinux tends to complain about.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+XQsACgkQrlYvE4MpobNrgACfZduLdW/ISac6otm8SRO+c4Za
S0QAn3l00KRGtNmnaVAy4cFpL/jjrwuz
=7ega
-----END PGP SIGNATURE-----
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:01 -0600, Les Mikesell wrote:
> On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
>> site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device.
> So security will depend on every connection owner having a high level of knowledge about ipv6 internals?

Yes. Exactly like IPv4! (given that network security professionals have existed for a long time)

Install a stateful firewall just like with IPv4! Stateful firewalls being things created by people having a high level of knowledge about ... internals. Problem solved [for 99.44% of the population], just like IPv4!

And to add a nice sprinkling of obscurity - every time your computer reboots [or interface resets] it generates a different [random] IPv6 address within your *HUGE* subnet.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
>> The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device.
>
> Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch.

Agreed, but the reason that hasn't happened is that there's no visible benefit to the consumer.

> most people have no idea what NAT is, don't care, and shouldn't have to care.

Agreed again, but the reason is that the vast majority only want outbound client connections and they would be perfectly happy if application protocols adapted to client registration to some central registry for portability instead of ever assuming that a person or associated application had anything to do with any particular device or fixed address. Compare the number of people who use an IM/chat application to the number who have directly reachable SIP endpoints without a forwarding service, for example. There are good reasons for that.

> Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.

If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:16 -0600, Les Mikesell wrote:
> On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
>> Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
> If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.

And doesn't that sound like you just described a firewall?

"permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. <bbrun...@gai-tronics.com> wrote:
> Trim your quotes.

LOL I was in a hurry...

I think that this applies to all in this thread so I hope that you've emailed everyone else...

Also, please keep your commands on-list; I only caught your email because it was at the top of my spam directory when I was emptying it.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 10:43 AM, Lamar Owen <lo...@pari.edu> wrote:
> On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
>> Is 172.16.10.72 a private address of yours or of your ISP?
> More to the point; do you have a route to his address?

I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it)

I didn't want my whining (not commanding) archived for-frigging-ever, so I sent it direct. TBH I ran out of steam/indignation/angst after a few of the over-quoter under-trimmers, so I didn't get all.

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Tom H
Sent: Tuesday, December 07, 2010 11:34 AM
To: CentOS mailing list
Subject: Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. <bbrun...@gai-tronics.com> wrote:
> Trim your quotes.

LOL I was in a hurry...

I think that this applies to all in this thread so I hope that you've emailed everyone else...

Also, please keep your commands on-list; I only caught your email because it was at the top of my spam directory when I was emptying it.
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
> Yes SELinux and all MAC systems require that if the administrator puts files in non default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has similar problems, in that you need to make sure the permission flags and ownership is correct. Of course admins have been dealing with DAC for years so they understand it, and the number of UID/Permission combinations is more limited than the amounts of labels that SELinux presents. I wrote this paper to try to explain what SELinux tends to complain about.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

The fact remains that as the old saw goes: Make it hard enough to do something and people will quit doing it.

SELinux remains *hard* for most non-default users. As the lead SE developer, things you find utterly routine and only slightly annoying are major roadblocks to many other people. You aren't the average user. You aren't even close to one.

A *sophisticated* user will see the suggestion given by sealert to run chcon, follow it, *and have no idea that a system relabel can screw it up again*. sealert doesn't even mention the issue! It is as if the person who wrote the sealert messages never considered that people would like things fixed permanently rather than just until the next SELinux update relabels the system.

I have 15 years experience running Linux servers. And I find SELinux damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.

The issue is similar to that of using passwords of more than 10 characters composed of random mixed-case alphanumeric characters (ideally with special characters mixed in). Yes - they are provably more secure in a technical sense than virtually any easily remembered system. However *real people* have to use the passwords. And they will put the damn things on taped notes on the bottom of their laptop if you make them too hard (not conjectural - I've caught people here doing exactly that).

BTW: You have a typographical error on your semanage example. You don't have a closing ' character on the file_spec.

-- 
Benjamin Franz
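Dan's point that shared data should be relabeled (public_content_rw_t for the ftpd/httpd case, per man ftpd_selinux) and Benjamin's point that a chcon fix does not survive a relabel, as an added example that is not code from this thread or from the SELinux tools: a small shell helper that pulls the fields of interest out of raw AVC lines like the two quoted above and prints the persistent relabel commands (a semanage fcontext rule followed by restorecon). The sample AVC lines in the test are the ones quoted in this thread; the path and type passed to relabel_cmds are illustrative, and which type is right for a given directory is a policy decision for the site.

```shell
#!/bin/sh
# Added example, not from the thread or from the SELinux project: extract the
# fields that matter from a raw AVC denial and print the commands that make
# a label change persistent, instead of the one-off chcon that sealert suggests.
# Sample input (in the test) is constructed from the AVC lines quoted in the thread.

# avc_field LINE KEY: value of "KEY=value" in an AVC line, empty if absent.
# Keys are matched only when preceded by whitespace, so "tcontext" does not
# match inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of user:role:type[:level].
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission set inside "denied { ... }" (may be several).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\(.*\) }.*/\1/p'
}

# avc_summary LINE: one human-readable line, e.g.
#   vsftpd (ftpd_t) denied write on dir 'upgrade' labeled httpd_sys_content_t
# Directory denials carry "name=", file denials carry "path="; use whichever exists.
avc_summary() {
    line=$1
    obj=$(avc_field "$line" path)
    [ -n "$obj" ] || obj=$(avc_field "$line" name)
    printf "%s (%s) denied %s on %s '%s' labeled %s\n" \
        "$(avc_field "$line" comm)" \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" \
        "$obj" \
        "$(avc_type "$(avc_field "$line" tcontext)")"
}

# relabel_cmds PATH TYPE: the two commands that make TYPE the default label
# for PATH and everything below it. The semanage rule goes into the policy
# store, so a later full relabel reapplies it; chcon alone would be undone.
# TYPE is the admin's choice (the thread suggests public_content_rw_t for
# content shared between ftpd and httpd; see 'man ftpd_selinux').
relabel_cmds() {
    path=$1
    type=$2
    case "$path" in
        */) path=${path%/} ;;   # no trailing slash, so the regex below is clean
    esac
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$path"
    printf "restorecon -Rv '%s'\n" "$path"
}

# Usage as a filter over the audit log, e.g.:
#   grep 'type=AVC' /var/log/audit/audit.log | while read -r l; do avc_summary "$l"; done
```

The helper prints the commands rather than running them: the right target type, and whether a boolean such as the allow_ftpd_full_access one quoted earlier is appropriate at all, are per-site decisions. After running the printed commands as root, `ls -dZ` on the path shows the new type, and because the rule lives in the policy store it survives the relabel that Benjamin describes undoing a chcon.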
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
> Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus.
>
>> If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else.
>
> And doesn't that sound like you just described a firewall?

It sounds like a complex setup for a firewall with dynamic entries to temporarily pass tcp and udp with different timeouts, where 1-many NAT doesn't have any other choice. If you don't send outbound you don't get the nat table entry to forward anything back through it.

> "permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.

You didn't mention the number of devices - how does that play out when you exceed the number initially set up?

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 11:36 AM, Tom H wrote:
> I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me.

If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.

With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP.

--
Bowie
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 16:49, Bob McConnell wrote:
> Gavin Carr wrote:
>> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>>> 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity.
>>>
>>> Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
>>
>> That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.
>>
>> Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
>
> No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.

This is FUD.

IPv6 has been talked about and worked on for about 15 years; the early talks about IPv6 started in the early 1990's. It's been implemented in most OSes over the last 10 years. It's been available to users for a long time. But a reluctant market which is not willing to change until it's absolutely needed has delayed the implementation. Now we're running out of IPv4 addresses pretty soon, and system admins and network implementers begin to feel the heat.

http://datatracker.ietf.org/wg/ipv6/

Notice that the IETF IPv6 Working Group concluded their work Jun 2007. For more information, also check out:

http://www.ipv6actnow.org/info/statement/

Based on the list of supporters, it also seems to be quite proven. I meet every day more and more Internet services which provide both IPv4 and IPv6 services. IPv6 is in production many places already. Did you know that these sites already provide IPv6?

http://ipv6.google.com
http://www.v6.facebook.com
http://www.heise.de

None of them are small. A-Pressen, a Norwegian media group, is looking into rolling out IPv6 to the vast majority of on-line newspapers. That IPv6 is unproven is simply a false statement.

> I consider that information leakage to be very significant. It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.

There is no more information leakage in IPv6 compared to IPv4. In IPv4 and IPv6 you still have to use public IP addresses to communicate with the rest of the world. The only difference with IPv4 + NAT is that all computers on the inside use your firewall's public IP address. That's actually an even worse situation in my opinion, as that tells an attacker where your firewall is. With IPv6, you can have your firewall with whatever IPv6 address you want, and an attacker doesn't know if he is hitting a firewall or the destination host. Which means the attacker will know *less* about the attack vector than with IPv4.

And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4.294.967.296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet. If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will shoot at a moving target. Then put this moving target behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not. (This is seen from an IPv6 client side perspective, as for the server side
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Les Mikesell said the following on 07/12/10 17:01:
> So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?

A network protocol should not be designed to accommodate for the flaws of some OSes. If an OS is full of bugs and if certain OS installations out of the box cannot survive longer than a few hours exposed to a direct Internet connection, it's not a failure of the network protocol, but is a failure of the OS.

Let's try not to build an infrastructure in a way that makes it easier to develop and distribute bogus OSes.

Ciao,
luigi

--
/ +--[Luigi Rosa]--
\ Those who do not understand Unix are condemned to reinvent it, poorly. --Henry Spencer
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:01, Les Mikesell wrote:
> On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
> [...snip...]
>> "permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
>
> You didn't mention the number of devices - how does that play out when you exceed the number initially set up?

How many devices? You mean exceeding the number available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.

kind regards,

David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 6:01 PM, Les Mikesell <lesmikes...@gmail.com> wrote:
> On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
>> site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device.
>
> So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?

Yes, I can see where you're coming from with this argument. We supply ADSL to our clients and could offer them security on a network level. I know some mobile operators already do this on their networks on IPV4. Basically, if I want remote access to a machine connected to the internet via their network I have to apply for permission to have the security removed. The contract states that I know what I'm doing and will take full responsibility for anything that goes wrong on my side. They're basically covered legally (if one could call it that) if something goes wrong with my connection.

We have some measures in place where we block, at a client's request, all ports except 23, 25, 80, 110 and 443. So, I'm sure many other ISPs could do the same thing?

--
Kind Regards
Rudi Ahlers
SoftDux
Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
Re: [CentOS] CentOS 5.5 on a new Mac Mini? no CD Driver?
You need to install and use Apple's Boot Camp to make CentOS work on a Mac Mini. It will install a utility on the drive that will make the Mini look like an ordinary system instead of the Apple based hardware, including standard drivers for the CD/DVD and hard drives and network and sound support. I have an old single core Mac Mini running CentOS 5 32 bit just fine.

One problem though is that I believe that the Snow Leopard Server version does NOT come with Boot Camp. If so you'll need to get a version of Snow Leopard that does have Boot Camp available. I think the Standard version of Snow Leopard is about $30.00 from Apple.

If you need help I can be available via Skype to answer your questions.

Bob Arnold

Re: [CentOS] CentOS 5.5 on a new Mac Mini? no CD Driver?

Refit is commonly used to boot multiple OSes on the mac mini and is fairly easy to install (you can burn a CD of it and boot from that to test first). I've booted the Fedora14 liveCD on my mac mini and the disk drivers DO work. Also Ubuntu 10.04 LTS (lucid) has working drivers. I believe that grub2 can directly boot linux without bootcamp or refit, but it may not be easy to set up.

For most of the live CDs you'll need to manually edit the grub command line and add nomodeset reboot=pci. nomodeset may not be needed on the latest kernels. If you lose video, then you need it.

For all but the latest kernels you'll need to download broadcom tg3 drivers from the broadcom website and compile them for the ethernet to work. Fedora14 has current broadcom drivers. You may also need to download a driver for the wireless.

For sound you may need the following, or the equivalent for your distribution:

echo 'options snd-hda-intel model=mbp55' >> /etc/modprobe.d/alsa-base.conf

The real gotcha for the mac mini and all Macs is the GPT partition table. The major problem is that most of the gpt partitioning tools are still pretty flaky and turn on incorrect bits or in some other way set something in the partition table that some other program doesn't like. If you manage to do an install and it works the first time you are lucky, but once it fails you can pull your hair out trying to fix the partition table. This is definitely not recommended for the inexperienced.

I believe that Ubuntu 10.04.1 LTS (lucid), the standard live install CD (NOT the alternate install), might be your best bet for a trouble free installation. When you boot the livecd, you'll want to keep hitting keys as it's booting to force the grub menus to come up. (In fedora14, just hit a space when you get the boot timeout message, then hit tab to edit the boot command line.) After you enter your language, hit F6 and select 'nomodeset' (space selects, escape exits this menu). Then use your arrow keys and move back on the boot line and add 'reboot=pci'. If you forget reboot=pci you can always power cycle to boot. You'll also want the Nvidia drivers.

I will be installing fedora14 at some point soon. In general, linux on the Mac Mini is not an easy install though it can be done. The following might be useful, though it is not completely up to date:

https://help.ubuntu.com/community/Macmini4-1/Lucid

Nataraj
Re: [CentOS] SELinux - way of the future or good idea but !!!
> The issue is similar to that of using passwords of more than 10 characters composed of random mixed-case alphanumeric characters (ideally with special characters mixed in). Yes - they are provably more secure in a technical sense than virtually any easily remembered system. However *real people* have to use the passwords. And they will put the damn things on taped notes on the bottom of their laptop if you make them too hard (not conjectural - I've caught people here doing exactly that).

My solution is to use complex passwords, and write them down wrong, making my write-down a password hint, but not a password. My task is to remember what is my transform from hint to fact: (examples follow, choose your own)

1: Spell the 2 words in the password in English, but in the password use g33kp3ak on one of the words and alternating case on the other.

2: The numbers and shifted-numbers (e.g. 2 and @ on my US keyboard) in the password are swapped from the hint: the '@' in the hint is a 2 in the password ... Or are they NOT case-shifted but instead position-shifted one to the right or left?

Once I have a simple transform memorized, written password hints aren't much use to the on-site attacker who has access to my machine. Word-for-word transforms within context are also possible. The hint of 1red9football;; becomes !ReD8f00tb411::

I think this meets the 'memorizable' need and the strength-of-password need.

This is only vaguely a CentOS issue.

More to the CentOS point, IPv4 still works, so behind-the-firewall networks can still use it with utter abandon. Mapping internal IPv4 addresses to publicly-visible IPv6 addresses is a routing issue. How good is Linux/RH/CentOS with V6-to-V4-and-back address-type mapping?
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 16:45, Adam Tauno Williams wrote:
> On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote:
>> On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell <rmcco...@lightlink.com> wrote:
>>> Adam Tauno Williams wrote:
>>>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>>>>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
>>>>>
>>>>> No, the downside is that each address used will be exposed to the world.
>>>>
>>>> False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
>>>>
>>>>> I consider that a serious security flaw.
>>>>
>>>> It is not.
>>>>
>>>>> Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
>>>>
>>>> So you want to cheap on the legal contract you agreed to?
>>>
>>> No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
>>>
>>>>> But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
>>>>
>>>> The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken.
>>>
>>> NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
>>
>> Is 172.16.10.72 a private address of yours or of your ISP?
>
> +1
>
> NAT isn't doing what Bob McConnell thinks it is. Any Russian mobster can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago.

You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just set up a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path."

kind regards,

David Sommerseth
Re: [CentOS] ntfs
On Sun, 5 Dec 2010, Ron Loftin wrote:
> On Sun, 2010-12-05 at 23:52 +0530, Ritika Garg wrote:
>> CentOS 5.5 is installed in the system. I installed the package kmod-ntfs-2.1.27-3.el5.elrepo.x86_64.rpm. I mounted a Seagate external hard disk. I am able to copy contents from the hard disk to the system but not from the system to the hard disk.
>
> Yes. If you go to this page on the ElRepo site:
>
> http://elrepo.org/tiki/kmod-ntfs
>
> and check the limitations you will see that this is the expected behavior. If you want full write capabilities with NTFS I suggest that you remove kmod-ntfs and instead use the fuse-ntfs-3g package from RPMForge. That relies on DKMS ( which works well enough for me ) and has full read-write capabilities.

Just a small correction. Fuse filesystems no longer need dkms installed, since the fuse kernel module has been part of RHEL5 since RHEL 5.4. So if people still have the dkms module installed and/or use ELRepo's fuse kernel module they can safely remove it :)

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]
Re: [CentOS] ntfs
On Mon, 6 Dec 2010, Niki Kovacs wrote:
> Robert Heller wrote:
>> Will FAT support the larger external disks, such as the .5TB and larger?
>
> I read the replies to my previous posts, and I get your point, since I didn't know about the various limitations. It's probably due to the fact that we're 100% GNU/Linux here. I haven't booted Windows for work since before the time Windows XP came out (around 2001). The only time I get to work on Windows is usually to retrieve data before moving it to CentOS. As far as external hard disks are concerned, they're all ext3 here. Whenever the odd non-Linux user has to exchange data with Linux here, he or she has to use a Samba share. So I admit my point of view is somewhat biased :o)

However one point you make is still valid. There is no alternative to NTFS nowadays if you need to share files between Windows and Linux. It is a shame there are not better Ext3/Ext4 drivers that integrate properly into Windows. Something similar to ntfs-3g must be easier to write for ext3 on Windows (as the ext3 format is well-known).

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>> Yes SELinux and all MAC systems require that if the administrator puts files in non-default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has similar problems, in that you need to make sure the permission flags and ownership are correct. Of course admins have been dealing with DAC for years so they understand it, and the number of UID/permission combinations is more limited than the number of labels that SELinux presents.
>>
>> I wrote this paper to try to explain what SELinux tends to complain about.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>
> The fact remains that, as the old saw goes: Make it hard enough to do something and people will quit doing it. SELinux remains *hard* for most non-default users. As the lead SE developer, things you find utterly routine and only slightly annoying are major roadblocks to many other people. You aren't the average user. You aren't even close to one.
>
> A *sophisticated* user will see the suggestion given by sealert to run chcon, follow it, *and have no idea that a system relabel can screw it up again*. sealert doesn't even mention the issue! It is as if the person who wrote the sealert messages never considered that people would like things fixed permanently rather than just until the next SELinux update relabels the system.
>
> I have 15 years' experience running Linux servers. And I find SELinux damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.
>
> The issue is similar to that of using passwords of more than 10 characters composed of random mixed-case alphanumeric characters (ideally with special characters mixed in). Yes - they are provably more secure in a technical sense than virtually any easily remembered system. However *real people* have to use the passwords. And they will put the damn things on taped notes on the bottom of their laptop if you make them too hard (not conjectural - I've caught people here doing exactly that).
>
> BTW: You have a typographical error in your semanage example. You don't have a closing ' character on the file_spec.

I am not arguing that SELinux is easy, I am arguing that it is not rocket science. I have worked for several years to try to make SELinux easier to use, while making it more comprehensive and adding tools like svirt and sandbox to give administrators more tools to secure their systems. We have fixed thousands of bugs in policy and applications that were acting badly, so I have seen the problems people have had with SELinux. I am encouraged by the number of people who have worked with SELinux and continue to leave SELinux enabled by default. But I understand why SELinux is disabled on some machines.

RHEL6 SELinux usability compared to RHEL4 is light years better. But setting up security on a computer system is hard. Then there is always the battle between greater security versus decrease in usability, as you illustrate in your password example.

http://danwalsh.livejournal.com/2008/10/22/

We have a new version of setroubleshoot which will hopefully be far easier to understand and will recommend the proper commands to set up labeling versus using chcon. We will hopefully be back-porting this to RHEL6.

Having people work with us to fix issues by reporting bugs, submitting patches and any other help is greatly appreciated.
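Both Franz (the chcon-then-relabel trap, and the unclosed quote on the file_spec) and Walsh (setroubleshoot recommending the proper labeling commands instead of chcon) refer to the persistent way of labeling a non-default directory. The script below is an added example, not code from either poster or from the SELinux project: it wraps semanage fcontext and restorecon in POSIX shell, so the label is recorded in the policy's file-context database and survives the next relabel. The directory /srv/www/site and the type httpd_sys_content_t are placeholders.

```shell
#!/bin/sh
# Added example: make a custom SELinux file label persistent.
# chcon changes the label stored on the inode only; a full relabel
# (restorecon -R, touch /.autorelabel, or a policy update) resets it to
# whatever the policy's file-context database says. semanage fcontext
# writes the mapping into that database, so restorecon then applies the
# wanted label instead of the default one.

# Build the file_spec regex semanage expects for a directory tree: strip a
# trailing slash and append "(/.*)?" so the rule matches the directory and
# everything beneath it. The spec must reach semanage as one argument
# (hence the quoting below; this is the unclosed-quote mistake from the thread).
fcontext_spec() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# Record the type for a directory tree and apply it. Needs root and the
# semanage tool from the policycoreutils packages.
persist_label() {
    dir=$1
    type=$2
    spec=$(fcontext_spec "$dir")
    semanage fcontext -a -t "$type" "$spec" &&
    restorecon -Rv "$dir"
}

# Return 0 when a persistent rule for the tree exists (a later relabel
# will keep the label), 1 otherwise.
label_is_persistent() {
    spec=$(fcontext_spec "$1")
    semanage fcontext -l 2>/dev/null | grep -F -q -- "$spec"
}

# Example use (placeholders; run as root on a system with SELinux):
#   persist_label /srv/www/site httpd_sys_content_t
#   label_is_persistent /srv/www/site && echo "label will survive a relabel"
```

The check in label_is_persistent is the one a sealert-driven chcon never gives you: if the spec is not in `semanage fcontext -l`, the label is temporary no matter what `ls -Z` shows right now.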
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 11:19 AM, David Sommerseth wrote:
> On 07/12/10 18:01, Les Mikesell wrote:
>> On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>> [...snip...]
>>> "permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else" isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
>>
>> You didn't mention the number of devices - how does that play out when you exceed the number initially set up?
>
> How many devices? You mean exceeding the number available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.

Is that what people will automatically get in a home ISP connection?

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] SELinux - way of the future or good idea but !!!
Brunner, Brian T. wrote:
snip
> My solution is to use complex passwords, and write them down wrong, making my write-down a password hint, but not a password. My task is to remember what is my transform from hint to fact: (examples follow, choose your own)
snip

Yeah, I use hints, too... but do *not* translate them at all. A hint is just that, a hint. I might put a couple of letters and/or numbers in, to remind myself of what the password is, but then block out the rest, such as Bu-01

mark, pulling brown paper bag over head before admitting to having written a lot of COBOL back in the day
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:10, Bowie Bailey wrote:
> On 12/7/2010 11:36 AM, Tom H wrote:
>> I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
>
> I've been following the NAT debate here and something occurred to me.
>
> If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall into passing packets from the outside to the inside, especially with stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs.

> With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP.

Bingo! You have caught the point exactly! An attacker will not know for sure if there is a firewall in between or not. Most probably he will presume so. But he still doesn't know for sure the IPv6 address of that firewall, or even if there are more cascaded firewalls in front of a public IPv6 address. Traceroute might give some clues, but if it's a strict firewall just dropping packets, this can take a looong loong time.

kind regards,

David Sommerseth
Re: [CentOS] SELinux - way of the future or good idea but !!!
Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>> Yes SELinux and all MAC systems require that if the administrator puts files in non-default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has
snip
>>> I wrote this paper to try to explain what SELinux tends to complain about.
>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
>> The fact remains that, as the old saw goes: Make it hard enough to do something and people will quit doing it. SELinux remains *hard* for most non-default users. As the lead SE
snip
>> I have 15 years' experience running Linux servers. And I find SELinux

Ditto, and that's also Solaris and Tru-64.

>> damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.

Yup.

snip
> I am not arguing that SELinux is easy, I am arguing that it is not rocket science. I have worked for several years to try to make

If rocket science means very difficult and obscure, yes, it is.

> SELinux easier to use, while making it more comprehensive and adding tools like svirt and sandbox to give administrators more tools to secure their systems. We have fixed thousands of bugs in policy and applications that were acting badly, so I have seen the problems people have had with SELinux. I am encouraged by the number of people who have worked with SELinux and continue to leave SELinux enabled by default. But I understand why SELinux is disabled on some machines.
snip

What have you done for folks who have third-party software, either F/OSS or COTS, or in-house developed stuff, *none* of which was written with selinux in mind, and is *not* going to be rewritten any time soon?

You've seen me on the selinux list, and I have yet to figure out why I see the complaints about contexts, since they *appear* to be temp files, and I don't know where they're located, or where the CGI scripts that create them are, and *all* of it's got the added complexity that some of them are on NFS-mounted directories.

mark
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:39, Les Mikesell wrote: On 12/7/10 11:19 AM, David Sommerseth wrote: On 07/12/10 18:01, Les Mikesell wrote: On 12/7/10 10:20 AM, Adam Tauno Williams wrote: [...snip...]

permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall.

Happily IPv6 does that exactly.

You didn't mention the number of devices - how does that play out when you exceed the number initially set up?

How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.

Is that what people will automatically get in a home ISP connection?

Yes. Either a /64 subnet or more likely a /48 subnet, where a /48 subnet == 65536 /64 subnets. And the 48 bits ISPs give customers corresponds to 281.474.976.710.656 /48 subnets. Compare that number to IPv4 32 bits: 4.294.967.296

Kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 12:43 PM, David Sommerseth wrote: On 07/12/10 18:10, Bowie Bailey wrote: On 12/7/2010 11:36 AM, Tom H wrote:

I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs.

I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections. Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

-- Bowie
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote: Daniel J Walsh wrote: On 12/07/2010 11:59 AM, Benjamin Franz wrote: On 12/07/2010 08:12 AM, Daniel J Walsh wrote:

Yes, SELinux and all MAC systems require that if the administrator puts files in non-default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has [snip]

I wrote this paper to try to explain what SELinux tends to complain about. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

The fact remains that as the old saw goes: Make it hard enough to do something and people will quit doing it. SELinux remains *hard* for most non-default users. As the lead SE [snip]

I have 15 years experience running Linux servers. And I find SELinux

Ditto, and that's also Solaris and Tru-64.

damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.

Yup. [snip]

I am not arguing that SELinux is easy, I am arguing that it is not rocket science. I have worked for several years to try to make

If rocket science means very difficult and obscure, yes, it is.

SELinux easier to use, while making it more comprehensive and adding tools like svirt and sandbox to give administrators more tools to secure their systems. We have fixed thousands of bugs in policy and applications that were acting bad, so I have seen the problems people have had with SELinux. I am encouraged by the number of people who have worked with SELinux and continue to leave SELinux enabled by default. But I understand why SELinux is disabled on some machines. [snip]

What have you done for folks who have third-party software, either F/OSS or COTS, or in-house developed stuff, *none* of which was written with selinux in mind, and is *not* going to be rewritten any time soon? You've seen me on the selinux list, and I have yet to figure out why I see the complaints about contexts, since they *appear* to be temp files, and I don't know where they're located, or where the CGI scripts that create them are, and *all* of it's got the added complexity that some of that is on NFS-mounted directories.

mark

We have attempted to work with them, set up default labeling for them when we know about the problems, embarrass them when they say you need to disable SELinux. Red Hat is working on new developer tools to help third party developers work on RHEL systems. I am not sure what else I can do to get them to work with the security systems in place on RHEL.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 11:10 AM, Bowie Bailey wrote:

I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port.

What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:52, Bowie Bailey wrote: On 12/7/2010 12:43 PM, David Sommerseth wrote: On 07/12/10 18:10, Bowie Bailey wrote: On 12/7/2010 11:36 AM, Tom H wrote:

I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs.

I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections.

Ahh, well, yeah. With NAT, you will expose your single public IP address no matter what, providing a good surface for starting an attack immediately, no matter who is doing what on the inside. Your public IP address will be available in all kinds of logs and mail headers - and with more users on the inside using the Internet, the more likely it is that someone will find your address interesting. But that won't be much different with IPv6, except that you spread the attack surface over multiple IP addresses in a huge address scope.

But then by using the IPv6 Privacy Extensions, it will be more like shooting at a moving target. The public IP address being used today might not be the same which was used yesterday, or even some hours ago. However, if someone uses a public IPv6 address for SSH from the outside world, that IPv6 address will need to be static and known. And a static IPv6 address is still just as vulnerable to an attack as any public IPv4 address. But finding this IP address will be much more difficult due to the huge address scope, unless there's a DNS pointer to it from www.my-own-cool-site.com.

Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

Absolutely true.

kind regards, David Sommerseth
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/7/10 11:53 AM, Daniel J Walsh wrote:

We have attempted to work with them, set up default labeling for them when we know about the problems, embarrass them when they say you need to disable SELinux. Red Hat is working on new developer tools to help third party developers work on RHEL systems. I am not sure what else I can do to get them to work with the security systems in place on RHEL.

Ummm, get a standards body to ratify it...

-- Les Mikesell lesmikes...@gmail.com
[CentOS] display issue after installing centos 5.5 on hp probook 4420s
Hi, I was just assigned a laptop with Windows 7 pre-installed on it. I decided to dual boot this machine with CentOS 5.5; I did a "linux text" at the boot prompt as anaconda was not able to display the graphics screen (it was barely viable). The installation happened perfectly, but when I start X windows (startx or init3), I can barely see the display. I don't know where the issue lies, what module do I need to load. The display is barely visible. Thanks for all the help!!

-- Regards Agnello D'souza
Re: [CentOS] SELinux - way of the future or good idea but !!!
On Tue, 7 Dec 2010, m.r...@5-cent.us wrote:

I am not arguing that SELinux is easy, I am arguing that it is not rocket science. I have worked for a several years to try to make

If rocket science means very difficult and obscure, yes, it is.

I've got to cry foul here. Difficult and obscure can be applied to just about any *nix command-line utility (or Windows registry hack, or Mac OpenDirectory tweak, ...). I don't consider SELinux any more difficult to understand and manage than other Linux security-related controls like iptables or extended ACLs. That isn't to say that my mother-in-law would take to it, but I'd expect any sysadmin on my IT staff to be able to learn it. In that sense, it's certainly not rocket science.

Daniel's other point concerns increased usability. I've been using SELinux for a while now -- not always successfully, and I certainly do NOT consider myself an expert -- and it's quite apparent to me that the folks at Red Hat have unquestionably made it easier to use over that time. It's apparently quite difficult to write policies for some applications (*cough* Nagios) that want to do a ton of things -- and third-party or in-house apps have a different set of challenges -- but I can't imagine anyone claiming that there hasn't been marked progress in SELinux usability over the CentOS 4 - 5 life cycles.

-- Paul Heinlein heinl...@madboa.com http://www.madboa.com/
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 7/12/10 8:33 PM, Christopher Chan wrote:

Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled.

It's okay, soon we'll have a new monopoly to whinge about: NBN Co. ;) The real problem here is the quotas on broadband connections, although that is in part due to the cost of hauling almost all the data half-way around the globe. The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*

Regards, Ben
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/07/2010 01:13 PM, m.r...@5-cent.us wrote: Daniel J Walsh wrote: On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote: Daniel J Walsh wrote: On 12/07/2010 11:59 AM, Benjamin Franz wrote: On 12/07/2010 08:12 AM, Daniel J Walsh wrote: [snip]

What have you done for folks who have third-party software, either F/OSS or COTS, or in-house developed stuff, *none* of which was written with selinux in mind, and is *not* going to be rewritten any time soon? You've seen me on the selinux list, and I have yet to figure out why I see the complaints about contexts, since they *appear* to be temp files, and I don't know where they're located, or where the CGI scripts that create them are, and *all* of it's got the added complexity that some of that is on NFS-mounted directories.

We have attempted to work with them, set up default labeling for them when we know about the problems, embarrass them when they say you need to disable SELinux. Red Hat is working on new developer tools to help third party developers work on RHEL systems. I am not sure what else I can do to get them to work with the security systems in place on RHEL.

Ok, it's good to know you are thinking about that. How 'bout a tool, point it at a directory, and it reports only the files/directories that are default, or break policy, or that *might* suggest where there's a problem (scripts in this directory will write default_t if they run anywhere but /here/only/, etc)?

mark

I think you would need to further explain. We can tell you which file/directory is mislabeled:

# restorecon -R -N -v PATH

We can tell which types have access to which types:

sesearch -A -s httpd_t -t default_t

Are you looking for something like "What access does /usr/bin/httpd have to /myweb/html?" or "What types does /usr/bin/httpd have write access to?"
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 1:13 PM, Les Mikesell wrote: On 12/7/10 11:10 AM, Bowie Bailey wrote:

I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port.

What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity.

And is there any reason to believe that a consumer IPv6 router would default any differently? If nothing is being allowed through, there's not much to be concerned about in either case. Outside attacks are only possible if the router/firewall allows the packets through. I was referring to a case where there are computers on the inside doing HTTP, SSH, VPN, SMTP, etc. If we are talking about a true consumer where there are no services on the inside, then what does it matter whether the network is presented as a NAT or a collection of different IP addresses? If the firewall does not allow any connections from the outside, who cares whether an attacker knows your IP?

-- Bowie
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 8/12/10 4:12 AM, David Sommerseth wrote: On 07/12/10 16:49, Bob McConnell wrote:

No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.

This is FUD.

Agreed, but I'm not adding more to the pro-IPv6 chorus, because it's already being covered very well, both here and on NANOG (and ipv6-ops).

And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4.294.967.296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet.

Anyone wanting a nice clear explanation of the numbers of IPv6 address space: http://www.ripe.net/info/info-services/addressing.html

If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will shoot at a moving target. Then put this moving target behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not.

This coupled with stateful firewalling should cover everyone's needs. No doubt there will still be people like Bob who will remain unconvinced until everyone around them becomes the proof. If they really want to deliberately break things to retain their NAT-like world, they can configure a single box with 6to4 and 4to6, give it a /128 and then run their existing v4 NAT space behind that. They'll get very little sympathy when it breaks other things, though.

Regards, Ben
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 12:26:30 pm David Sommerseth wrote:

You mean something along the way ... Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just setup a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path

And if his or your or any ISP between you and him implements BCP38 properly the packets with a destination of the RFC1918 address will be blackholed and will never get there, even if you put a static source route to them. You don't have a direct path to his router, at least not for routing purposes, since your packets are going to be inspected and routed by routers in between. It does depend on some best current practices being implemented, though. Like RFC1918 bogon filtering at the AS boundary as part of the BGP session between AS routers. And unless you are operating your own BGP border (I am at one site), you can't influence the AS path the packet will follow on the DFZ.

The basis for 'NAT security' is relying on the best practice of blackholing RFC1918 addresses on the DFZ router mesh. Not all AS's implement the policy properly, but enough do that trying to route (using essentially source routing) to an RFC1918 address will fail when it hits the DFZ, and virtually all inter-AS packets hit the DFZ at some point. Source routing is blocked by most AS borders, so you can't 'hint' the routers in between that you have to pass traffic to 172.16.0.0/12 through that particular router; the DFZ is going to tell your hint to shove it. But it does depend on the specific policies of each AS between you and the RFC1918-using target.

The security for RFC1918, or for IPv6 ULA RFC4193 addresses, relies not on NAT per se, but on the basic non-global-routability of the addresses in question on the default-free zone. NAT just allows you to use non-globally-routable addresses by translating to globally-routable ones.

About the only thing you could really do to gain direct access to his RFC1918-using network behind the NAT is to compromise his router and set up GRE (or similar) tunnels into it.

Further, what's to say his MUA isn't set to poison the mail headers this 172.160.0.0/12 address came from?

That's relying on the mail headers; if I were to ssh to your server from behind a NAT I challenge you to determine the RFC1918 address I'm using.
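As an added illustration of the two border controls Lamar describes (RFC1918 / RFC4193 ULA bogon blackholing at the AS boundary, and BCP38 ingress filtering of packets whose source is outside the customer's assigned prefix), together with the /48 and /64 arithmetic quoted earlier in the thread, here is a small Python model. It is not code from the thread or from any participant; the customer prefixes and packets are constructed samples, with 64.57.176.18 and 172.16.10.72 borrowed from David's message.

```python
"""Model of AS-border bogon filtering + BCP38 ingress filtering, and the
IPv6 prefix counts discussed in the thread. Added example, not list code;
all addresses and prefixes are constructed samples."""
import ipaddress

# Non-globally-routable space named in the thread: RFC1918 for IPv4 and
# RFC4193 Unique Local Addresses (fc00::/7) for IPv6.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = [ipaddress.ip_network("fc00::/7")]


def classify(addr: str) -> str:
    """Return 'rfc1918', 'ula' or 'global' for a textual IP address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip.version == 6 and any(ip in n for n in ULA):
        return "ula"
    return "global"


def border_filter(src: str, dst: str, customer_prefixes) -> str:
    """Decide what an AS border / customer edge does with one packet.

    Two checks from the thread:
      * bogon filtering: a packet whose destination (or source) is RFC1918
        or ULA space is blackholed, so a 'source-routed' packet aimed at
        172.16.10.0/24 never crosses the DFZ;
      * BCP38 ingress filtering: a packet arriving on a customer link whose
        source is not inside that customer's assigned prefixes is dropped.
    Returns 'forward' or 'drop:<reason>'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        return "drop:version-mismatch"
    if classify(dst) != "global":
        return "drop:bogon-destination"
    if classify(src) != "global":
        return "drop:bogon-source"
    prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
    if not any(s in p for p in prefixes):
        return "drop:bcp38-spoofed-source"
    return "forward"


def subnets_in(prefix_len: int, sub_len: int) -> int:
    """Number of /sub_len subnets inside one /prefix_len (e.g. /64s per /48)."""
    if not 0 <= prefix_len <= sub_len <= 128:
        raise ValueError("need 0 <= prefix_len <= sub_len <= 128")
    return 1 << (sub_len - prefix_len)


def hosts_in_64() -> int:
    """Addresses in one /64: 2**32 'doubled 32 times', as David put it."""
    return (1 << 32) << 32


if __name__ == "__main__":
    # Constructed customer: the ISP assigned it 64.57.176.0/24 (the gateway
    # address from the thread sits inside it) and a /48 of IPv6 PA space.
    customer = ["64.57.176.0/24", "2001:db8:1234::/48"]
    samples = [
        ("64.57.176.18", "203.0.113.7"),    # legitimate, forwarded
        ("64.57.176.18", "172.16.10.72"),   # inside address as target
        ("10.9.8.7", "203.0.113.7"),        # leaked private source
        ("198.51.100.9", "203.0.113.7"),    # spoofed public source
        ("2001:db8:1234::10", "fd00::1"),   # ULA destination
    ]
    for src, dst in samples:
        print(f"{src:>20} -> {dst:<16} {border_filter(src, dst, customer)}")
    print("/64s per /48:", subnets_in(48, 64))
    print("/48s in IPv6 :", subnets_in(0, 48))
    print("hosts per /64:", hosts_in_64())
```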
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 12:39:28 pm Les Mikesell wrote:

How many devices? You mean exceeding the number of available inside a IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times.

Is that what people will automatically get in a home ISP connection?

Abbreviations: PI = Provider Independent, PA = Provider Assigned, RIR = Regional Internet Registry, ARIN = American Registry of Internet Numbers, BGP = Border Gateway Protocol, AS = Autonomous System (the routing 'atom' at the BGP level), ASN = Autonomous System Number.

It will depend upon your provider if you get PA addresses; if you go straight to the RIR (ARIN for North America) and pay to get PI addresses you will get by default a /48; but then you have to get your provider to agree to advertise that /48 over BGP. The IPv6 table has the potential to be vastly larger than the IPv4 table (the number of /48's in IPv6 is 65,536 times the total addresses in IPv4!) One hopes providers will intelligently aggregate; until there is sane multihoming for enterprise endusers good aggregation is going to be elusive, since multihomed sites are going to desire PI space, which will fragment the routing tables. IPv6 routing tables do require larger entries thanks to the four times larger address, after all, and with 32 bit ASN's the AS path for that table entry also doubles in size.

Having said that, most providers probably will give you one of a /48, /56, or /64. There are plenty of addresses available, but if you ever have to renumber (like when changing providers) you'll want PI, or ULA with NAT66 to PA.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 03:31:15 pm Lamar Owen wrote:

It will depend upon your provider if you get PA addresses;

Minor edit: 'The prefix size of your address block will depend upon your provider, if you get PA addresses by default from your provider;'

Sorry for the error.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 07, 2010 at 11:51:16AM -0500, Brunner, Brian T. wrote:

LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it)

Really? In blatant disregard for the published guidelines for use on this and other centos.org mailing lists? How very sporting of you. http://www.centos.org/modules/tinycontent/index.php?id=16

John

-- Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for -- in order to get to the job you need to pay for the clothes and the car, and the house you leave vacant all day so you can afford to live in it. -- Ellen Goodman (1941-), American journalist and Pulitzer Prize-winning syndicated columnist
Re: [CentOS] display issue after installing centos 5.5 on hp probook 4420s
On Wed, 8 Dec 2010, Agnello George wrote: To: CentOS mailing list centos@centos.org From: Agnello George agnello.dso...@gmail.com Subject: [CentOS] display issue after installing centos 5.5 on hp probook 4420s

Hi, I was just assigned a laptop with Windows 7 pre-installed on it. I decided to dual boot this machine with CentOS 5.5; I did a "linux text" at the boot prompt as anaconda was not able to display the graphics screen (it was barely viable). The installation happened perfectly, but when I start X windows (startx or init3), I can barely see the display. I don't know where the issue lies, what module do I need to load. The display is barely visible. Thanks for all the help!!

Are you running on the mains charger? Is there some sort of key configuration on your laptop to adjust the brightness of the display?

Kind Regards, Keith

-- In theory, theory and practice are the same; in practice they are not. This email was sent from my laptop with Centos 5.5
Re: [CentOS] LVM change disk
On Mon, Dec 6, 2010 at 9:23 PM, Adam Tauno Williams awill...@whitemice.org wrote: On Sat, 2010-12-04 at 10:29 -0800, John R Pierce wrote: On 12/03/10 10:47 PM, muhammad panji wrote:

Dear all, I have a 4,1TB Logical volume consisting of four disks with sizes of 2TB, 1TB, 1TB, and 500GB. The LV is currently full. I plan to change the 1TB disks and 500GB disk. I plan to remove one 1TB disk or the 500GB so that I can replace it with a 2TB disk. Most LVM tutorials ask to use pvmove to move physical extents to the new disk. The problem is that I have no SATA port left so that I can't move PEs to the new disk. How to migrate the data safely so that I can replace the disk? Thank you in advance

Attach the drive to the system using a USB caddy. Do the pvmove. Remove the old physical volume from the volume group. Shutdown. Remove the drive from the caddy. Install the drive into the system in place of the old drive. Boot.

Hi all, Thanks for the reply. I know I didn't plan well when I set it up for the first time, even the PE size is 128MB so that I can only have an 8TB LV. I have moved around 1,3TB of data to other computers; is it safe to resize the LV filesystem and then resize the volume group so that I can remove one of the disks? I plan to do more or less like this tutorial http://www.tcpdump.com/kb/os/linux/lvm-resizing-guide/shrink.html After removing the disk, I can attach the new disks, add them to the VG and then resize the LV and the filesystem.

Second alternative is to buy and use a SATA-to-USB cable and do pvmove etc.

The third is, I have a similar machine that will be used to hold the removed disks from the first machine. At the end the first machine will have 4x 2TB disks and the second machine will have 2x 1TB disks + 500GB disk. So I will attach the new disks to the second machine, move all the data from the first machine, and remove the 2TB disk from the first machine and attach it to the second machine.

Any suggestion which one is the best way to do this?

Thank you in advance regards, -- - Muhammad Panji http://www.panji.web.id http://www.kurungsiku.com http://sumodirjo.wordpress.com http://www.kurungsiku.web.id http://www.linuxbox.web.id
Re: [CentOS] SELinux - way of the future or good idea but !!!
Daniel J Walsh wrote:

I wrote this paper to try to explain what SELinux tends to complain about. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

I am having difficulty with the pdf file - both adobe and kpdf have problems with the pages with screen shots - any chance of a fix? Paper is well written and sheds light on the SELinux methodology.

TIA - Rob
Re: [CentOS] SELinux - way of the future or good idea but !!!
On 12/7/10 1:45 PM, Marko Vojinovic wrote:

And it isn't really rocket science. It's just an extension to the existing classical permissions system --- it works in an analogous way, just with greater flexibility and power. If you know how to understand and use file permissions, you will easily grasp all about SELinux.

No, it doesn't have much in common with the standard uid/gid based permissioning system.

5) disable SELinux and be ignorant about security. If you choose 5), feel free to also disable iptables, log in as root all the time, and make sure that the root password is clearly visible on the company website. Why bother with all that stuff, anyway? ;-)

I think you've missed the point that 'all that stuff' (being traditional unix security mechanisms) are not all that insecure. It is only when you get them wrong that you need to fall back on selinux as a safety net. And if you can't get the simple version right, how can you hope to do it right with something wildly more complicated?

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] display issue after installing centos 5.5 on hp probook 4420s
On Tue, Dec 7, 2010 at 1:34 PM, Agnello George agnello.dso...@gmail.com wrote:

Hi, I was just assigned a laptop with Windows 7 pre-installed on it. I decided to dual boot this machine with CentOS 5.5; I did a "linux text" at the boot prompt as anaconda was not able to display the graphics screen (it was barely viable). The installation happened perfectly, but when I start X windows (startx or init3), I can barely see the display. I don't know where the issue lies, what module do I need to load. The display is barely visible. Thanks for all the help!!

Have you installed, and run, system-config-display? Unless the hardware was successfully configured at install time, which it obviously was not due to the difficulties you had with the graphical installation, your /etc/X11/xorg.conf or similar configuration files are not well configured. Find out the resolution of your laptop display screen, be sure to select an LCD screen of the matching size, and see how it goes. If you have an NVidia chipset, you may need to install NVidia's drivers for best performance, but this should get you started.