Re: [CentOS] NetworkManager on servers

2020-02-13 Thread Valeri Galtsev



On 2020-02-13 10:50, Stephen John Smoogen wrote:
> On Thu, 13 Feb 2020 at 11:40, Nicolas Kovacs wrote:
>> On 11/02/2020 at 14:11, Jonathan Billings wrote:
>>> I've mentioned on this list countless times about how NetworkManager
>>> is actually pretty good for a general server.  Automatic link
>>> detection and activation/deactivation, a dispatch service on link
>>> activation/deactivation, support for bringing up secondary interfaces
>>> after a primary goes up, a dbus interface for automation, etc.
>>
>> I just prepared myself to catch up and learn more about NetworkManager. So I
>> opened my big fat "Unix and Linux System Administration Handbook 5th edition",
>> with a text file open on the computer to take extensive notes...
>>
>> ... only to find out that there is only half a page on NetworkManager in this
>> book. Allow me to quote it:
>>
>> "NetworkManager is primarily of use on laptops, since their network environment
>> may change frequently. For servers and desktop systems, NetworkManager isn't
>> necessary and may in fact complicate administration. In these environments, it
>> should be ignored or configured out."
>
> The book was published in 2017 which means it was written in late 2016. As
> much as I love that series of books (I have read them from 1st edition), I
> do not expect that its comments on parts of Linux in the 3rd edition would
> be useful now.
>
> In the end, the problem is that NetworkManager, FirewallD, and other
> 'automatic' helpers are 'part' of the OS.. and while it was easy to tear
> them out in earlier versions.. as time goes on it is not.

I like the way you called the fact that these "automatic" things are
part of OS: the PROBLEM (in case of servers).

Every time I see these discussions on Linux lists, I tell myself how
happy I am after fleeing servers to a different OS (huh, I'll break my
plea to not mention it: FreeBSD).

Valeri

> For a car analogy, it was much easier to convert any 1970 car from
> automatic back to manual as many parts were left over. Now in this era, you
> can do so if you pick the right car but for a lot of them it is not going
> to be easy in any form. I see the same trends in computer OS's with certain
> tools which were easy to pull out now requiring you to build the whole os
> from scratch as the part is assumed to be in so many other areas.





--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] NetworkManager on servers

2020-02-13 Thread Matthew Miller
On Thu, Feb 13, 2020 at 05:53:41PM +0100, Nicolas Kovacs wrote:
> I just came to the same conclusion. So it looks like I'll have to
> catch up and do some RTFM on NetworkManager, FirewallD (which I've
> replaced by a handcrafted iptables script) and Chrony (replaced by
> ntpd).

Whatever your views on the first two, I strongly discourage the latter
unless you have very specific functionality beyond Chrony's capability. The
original ntpd has a very large attack surface. Plus Chrony has some nice
additional features. Read more about Chrony here: 
https://opensource.com/article/18/12/manage-ntp-chrony


-- 
Matthew Miller

Fedora Project Leader
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Monitor email for office365.com with fetchmail

2020-02-13 Thread isdtor
Jerry Geis writes:
> I am trying to use fetchmail to monitor box in office365.com.
> It's not working.
> 
> Is there a "better" way to monitor an inbox?
> 
> I have verified all the ports are open, using 993, using ssl, using
> sslproto SSL3 etc..
> 
> Anyone done this ? Got it working.
> 
> I basically have:
> machine outlook.office365.com
> login myuser@mydomain
> password mypassword
> 
> fetchmail --ssl --sslproto SSL3 --smtpname X -u X outlook.office365.com

Yes - but I'm using a custom version of fetchmail 6.4, rebuilt from Fedora 
IIRC. It does SSL things a bit differently, so I built it with a static copy of 
the latest openssl rather than what comes with centos.

set invisible
poll outlook.office365.com protocol IMAP service 993 auth password
   user "username" password "password" folder Inbox is mylocalname here
   no idle
   no rewrite
   sslcertpath /home/mylocalname/.certs

The .certs directory contains the complete certificate chain for O365, hashed 
with c_rehash (three certs), so fetchmail is independent of the OS certificate 
store.
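
A lint check for the TLS settings discussed in this thread, as an added example that is not part of any poster's message: it flags an `sslproto` pinned to SSLv2/SSLv3 or TLS 1.0/1.1 and a missing or disabled `sslcertck`. Both sample configurations are constructed; `sslproto "TLS1.2+"` and `sslcertck` are fetchmail 6.4 keywords, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint fetchmail run-control text for the TLS settings discussed
# in this thread. Sample configurations are constructed; names are placeholders.

# "Before": the SSLv3-only setting from the question, written as rc keywords.
weak_rc() {
cat <<'EOF'
poll outlook.office365.com protocol IMAP service 993
   user "username" password "password" is mylocalname here
   ssl
   sslproto SSL3
EOF
}

# "After": TLS 1.2 or newer, certificate checking on, private CA directory.
hardened_rc() {
cat <<'EOF'
poll outlook.office365.com protocol IMAP service 993
   user "username" password "password" is mylocalname here
   ssl
   sslproto "TLS1.2+"
   sslcertck
   sslcertpath /home/mylocalname/.certs
EOF
}

# lint_fetchmailrc: read rc text on stdin, print one finding per line.
lint_fetchmailrc() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            for (i = 1; i <= NF; i++) {
                w = tolower($i)
                if (w == "sslproto" && i < NF) {
                    proto = tolower($(i + 1))
                    gsub(/[^a-z0-9.+]/, "", proto)   # drop surrounding quotes
                }
                if (w == "sslcertck") {
                    if (i > 1 && tolower($(i - 1)) == "no") off = 1
                    else on = 1
                }
            }
        }
        END {
            # SSLv2/SSLv3 and TLS 1.0/1.1 selectors are obsolete protocol choices.
            if (proto ~ /^ssl[23][+]?$/ || proto ~ /^tls1[+]?$/ || proto ~ /^tls1[.]1/)
                print "weak-sslproto:" proto
            # Certificate checking is only on by default from fetchmail 6.4.0.
            if (off) print "certck-disabled"
            else if (!on) print "certck-not-explicit"
        }'
}

weak_rc | lint_fetchmailrc
```

A real file can be checked with `lint_fetchmailrc < ~/.fetchmailrc`; no output means neither condition was found.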



Re: [CentOS] NetworkManager on servers

2020-02-13 Thread Nicolas Kovacs

On 13/02/2020 at 17:50, Stephen John Smoogen wrote:

> In the end, the problem is that NetworkManager, FirewallD, and other
> 'automatic' helpers are 'part' of the OS.. and while it was easy to tear
> them out in earlier versions.. as time goes on it is not.
>
> For a car analogy, it was much easier to convert any 1970 car from
> automatic back to manual as many parts were left over. Now in this era, you
> can do so if you pick the right car but for a lot of them it is not going
> to be easy in any form. I see the same trends in computer OS's with certain
> tools which were easy to pull out now requiring you to build the whole os
> from scratch as the part is assumed to be in so many other areas.


I just came to the same conclusion. So it looks like I'll have to catch up and 
do some RTFM on NetworkManager, FirewallD (which I've replaced by a handcrafted 
iptables script) and Chrony (replaced by ntpd).


Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12


Re: [CentOS] NetworkManager on servers

2020-02-13 Thread Stephen John Smoogen
On Thu, 13 Feb 2020 at 11:40, Nicolas Kovacs  wrote:

> On 11/02/2020 at 14:11, Jonathan Billings wrote:
> > I've mentioned on this list countless times about how NetworkManager
> > is actually pretty good for a general server.  Automatic link
> > detection and activation/deactivation, a dispatch service on link
> > activation/deactivation, support for bringing up secondary interfaces
> > after a primary goes up, a dbus interface for automation, etc.
>
> I just prepared myself to catch up and learn more about NetworkManager. So I
> opened my big fat "Unix and Linux System Administration Handbook 5th edition",
> with a text file open on the computer to take extensive notes...
>
> ... only to find out that there is only half a page on NetworkManager in this
> book. Allow me to quote it:
>
> "NetworkManager is primarily of use on laptops, since their network environment
> may change frequently. For servers and desktop systems, NetworkManager isn't
> necessary and may in fact complicate administration. In these environments, it
> should be ignored or configured out."
>
The book was published in 2017 which means it was written in late 2016. As
much as I love that series of books (I have read them from 1st edition), I
do not expect that its comments on parts of Linux in the 3rd edition would
be useful now.

In the end, the problem is that NetworkManager, FirewallD, and other
'automatic' helpers are 'part' of the OS.. and while it was easy to tear
them out in earlier versions.. as time goes on it is not.

For a car analogy, it was much easier to convert any 1970 car from
automatic back to manual as many parts were left over. Now in this era, you
can do so if you pick the right car but for a lot of them it is not going
to be easy in any form. I see the same trends in computer OS's with certain
tools which were easy to pull out now requiring you to build the whole os
from scratch as the part is assumed to be in so many other areas.



-- 
Stephen J Smoogen.


Re: [CentOS] Monitor email for office365.com with fetchmail

2020-02-13 Thread Steve Clark

On 02/13/2020 11:40 AM, Jerry Geis wrote:

> I am trying to use fetchmail to monitor box in office365.com.
> It's not working.
>
> Is there a "better" way to monitor an inbox?
>
> I have verified all the ports are open, using 993, using ssl, using
> sslproto SSL3 etc..
>
> Anyone done this ? Got it working.
>
> I basically have:
> machine outlook.office365.com
> login myuser@mydomain
> password mypassword
>
> fetchmail --ssl --sslproto SSL3 --smtpname X -u X outlook.office365.com
>
> Thanks,
>
> jerry



This is what I am using to fetch to my local linux system and then have 
thunderbird fetch from dovecot.
poll outlook.office365.com timeout 60 protocol imap
username "username" there with password "password" is "mylocalname" here
folder inbox,"Junk Email"
fetchall

--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com



[CentOS] Monitor email for office365.com with fetchmail

2020-02-13 Thread Jerry Geis
I am trying to use fetchmail to monitor box in office365.com.
It's not working.

Is there a "better" way to monitor an inbox?

I have verified all the ports are open, using 993, using ssl, using
sslproto SSL3 etc..

Anyone done this ? Got it working.

I basically have:
machine outlook.office365.com
login myuser@mydomain
password mypassword

fetchmail --ssl --sslproto SSL3 --smtpname X -u X outlook.office365.com

Thanks,

jerry


Re: [CentOS] NetworkManager on servers

2020-02-13 Thread Nicolas Kovacs

On 11/02/2020 at 14:11, Jonathan Billings wrote:

> I've mentioned on this list countless times about how NetworkManager
> is actually pretty good for a general server.  Automatic link
> detection and activation/deactivation, a dispatch service on link
> activation/deactivation, support for bringing up secondary interfaces
> after a primary goes up, a dbus interface for automation, etc.


I just prepared myself to catch up and learn more about NetworkManager. So I 
opened my big fat "Unix and Linux System Administration Handbook 5th edition", 
with a text file open on the computer to take extensive notes...


... only to find out that there is only half a page on NetworkManager in this
book. Allow me to quote it:


"NetworkManager is primarily of use on laptops, since their network environment
may change frequently. For servers and desktop systems, NetworkManager isn't
necessary and may in fact complicate administration. In these environments, it
should be ignored or configured out."


H.

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12


Re: [CentOS] CentOS 7, Fail2ban and SELinux

2020-02-13 Thread Bez Thomas
> On Feb 13, 2020, at 9:01 AM, Jonathan Billings  wrote:
> 
> On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
>> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
>> mode for debugging. I've removed FirewallD and replaced it with a
>> custom-made Iptables script. I've also installed and configured Fail2ban
>> (fail2ban-server package) to protect the server from brute force attacks.
>> [...]
>> As far as I can tell - and please correct me if I'm wrong - if a package
>> doesn't play well with SELinux in the default configuration, this should be
>> considered as a bug. In that case, the appropriate reaction would be to file
>> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
>> package.
> 
> In your case, you are not using fail2ban in any sort of default
> configuration.  Firewalld is the default firewall management in CentOS
> 7.  fail2ban was set up to use firewalld, and in fact, is much more
> efficient than using iptables since the fail2ban-firewalld package
> uses ipsets instead of individual iptables rules.
> 
>> SELinux is preventing /usr/bin/python2.7 from read access on the file 
>> disable.
> 
> You mention the file 'disable' but I'm not aware of a file called
> 'disable' in the fail2ban-server package.  What file is it trying to
> read from?  Perhaps you've put a file someplace that has a label that
> makes sense for fail2ban to not be able to read from?

This bug (CLOSED WONTFIX) appears to be relevant: 

https://bugzilla.redhat.com/show_bug.cgi?id=1777562

The 'disable' file is /sys/module/ipv6/parameters/disable.

Bez Thomas


Re: [CentOS] CentOS 7, Fail2ban and SELinux

2020-02-13 Thread Jonathan Billings
On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
> mode for debugging. I've removed FirewallD and replaced it with a
> custom-made Iptables script. I've also installed and configured Fail2ban
> (fail2ban-server package) to protect the server from brute force attacks.
> [...]
> As far as I can tell - and please correct me if I'm wrong - if a package
> doesn't play well with SELinux in the default configuration, this should be
> considered as a bug. In that case, the appropriate reaction would be to file
> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
> package.

In your case, you are not using fail2ban in any sort of default
configuration.  Firewalld is the default firewall management in CentOS
7.  fail2ban was set up to use firewalld, and in fact, is much more
efficient than using iptables since the fail2ban-firewalld package
uses ipsets instead of individual iptables rules.

> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

You mention the file 'disable' but I'm not aware of a file called
'disable' in the fail2ban-server package.  What file is it trying to
read from?  Perhaps you've put a file someplace that has a label that
makes sense for fail2ban to not be able to read from?

-- 
Jonathan Billings 


Re: [CentOS] CentOS 7, Fail2ban and SELinux

2020-02-13 Thread Stephen John Smoogen
On Thu, 13 Feb 2020 at 02:42, Nicolas Kovacs  wrote:

> Hi,
>
> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
> mode for debugging. I've removed FirewallD and replaced it with a custom-made
> Iptables script. I've also installed and configured Fail2ban (fail2ban-server
> package) to protect the server from brute force attacks.
>
> Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's
> what I get.
>
> $ sudo sealert -a /var/log/audit/audit.log
> 100% done
> found 5 alerts in /var/log/audit/audit.log
> 
> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
>
> *  Plugin catchall (100. confidence) suggests   *
>
> If you believe that python2.7 should be allowed read access on the disable file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
> # semodule -i my-f2bfsshd.pp
> ...
>
> As far as I can tell - and please correct me if I'm wrong - if a package
> doesn't play well with SELinux in the default configuration, this should be
> considered as a bug. In that case, the appropriate reaction would be to file a
> bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.
>
>
The appropriate action would be to file it as a bug in bugzilla.redhat.com.
Posting it to the epel-devel mailing list would probably not get any fix as
most packagers are not on it. (They are also not on the fedora-devel list
either) Whether it gets fixed or not is going to be up to the packager.
EPEL is a volunteer collection where we do not have much man-power to fix
things unless the main Fedora packager is involved.


> Other than that, the solution suggested by sealert seems to work.
>
> $ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
>  IMPORTANT ***
> To make this policy package active, execute:
> semodule -i my-f2bfsshd.pp
>
> $ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
>  IMPORTANT ***
> To make this policy package active, execute:
> semodule -i my-f2bfsshd.pp
> $ sudo semodule -i my-f2bfsshd.pp
> $ echo | sudo tee /var/log/audit/audit.log
> $ sudo systemctl restart fail2ban
> $ sudo sealert -a /var/log/audit/audit.log
> 100% done
> found 0 alerts in /var/log/audit/audit.log
>
> Any suggestions ?
>
> Niki
>
> --
> Microlinux - Sustainable IT solutions
> 7, place de l'église - 30730 Montpezat
> Site: https://www.microlinux.fr
> Mail: i...@microlinux.fr
> Tel.: 04 66 63 10 32
> Mob.: 06 51 80 12 12


-- 
Stephen J Smoogen.
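
A review step for the `audit2allow` workflow quoted above, as an added example that is not part of any poster's message: it lists the denials logged for one command name and checks that they are limited to reading the `/sys/module/ipv6/parameters/disable` file identified earlier in the thread. The audit records are constructed, the SELinux type names in them are assumptions, and `avc_rules` / `review_ok` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list what `audit2allow -M` would turn into allow rules, so the
# module can be reviewed before `semodule -i`. The audit records are constructed;
# the SELinux type names in them are assumptions (the thread shows no raw AVC).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1581579749.101:412): avc:  denied  { read } for  pid=2210 comm="f2b/f.sshd" name="disable" dev="sysfs" ino=23311 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1581579749.101:412): arch=c000003e syscall=2 success=yes exit=7 pid=2210 comm="f2b/f.sshd" exe="/usr/bin/python2.7"
type=AVC msg=audit(1581579749.102:413): avc:  denied  { open } for  pid=2210 comm="f2b/f.sshd" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=23311 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581579811.400:431): avc:  denied  { read } for  pid=2210 comm="f2b/f.sshd" name="disable" dev="sysfs" ino=23311 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581580002.007:502): avc:  denied  { write } for  pid=3090 comm="logrotate" name="secure" dev="dm-0" ino=88120 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
EOF
}

# avc_rules COMM: read raw audit records on stdin and print, for denials whose
# comm= equals COMM, one line per unique "source target:class perm object".
avc_rules() {
    awk -v want="$1" '
        $1 != "type=AVC" || !/ denied / { next }
        {
            comm = src = tgt = cls = obj = ""
            perms = $0                               # keep only the text in { }
            sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
            for (i = 1; i <= NF; i++) {
                p = index($i, "="); if (!p) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 1); gsub(/"/, "", v)
                if (k == "comm") comm = v
                else if (k == "name" || k == "path") obj = v
                else if (k == "tclass") cls = v
                else if (k == "scontext") { split(v, c, ":"); src = c[3] }
                else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
            }
            if (comm != want) next
            np = split(perms, pl, " ")
            for (j = 1; j <= np; j++) {
                key = src " " tgt ":" cls " " pl[j] " " obj
                if (!(key in seen)) order[++n] = key
                seen[key]++
            }
        }
        END { for (j = 1; j <= n; j++) print order[j] " x" seen[order[j]] }'
}

# review_ok COMM: succeed only if every denial for COMM is a read/open of the
# ipv6 "disable" parameter; anything else should be looked at by a person.
review_ok() {
    ! avc_rules "$1" |
        grep -Ev ' (read|open) (disable|/sys/module/ipv6/parameters/disable) x[0-9]+$' |
        grep -q .
}

sample_audit | avc_rules 'f2b/f.sshd'
```

On a live system the input would be the thread's own `ausearch -c 'f2b/f.sshd' --raw` output; `audit2allow -M` also writes the generated rules to `my-f2bfsshd.te`, which can be read before the `.pp` is loaded.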


[CentOS] Teo En Ming's Installing CentOS 8.1 (1911) Linux Server as a QEMU/KVM Virtual Machine PDF Manual

2020-02-13 Thread Turritopsis Dohrnii Teo En Ming
Subject: Teo En Ming's Installing CentOS 8.1 (1911) Linux Server as a QEMU/KVM 
Virtual Machine PDF Manual

Redundant Google Drive download links for my PDF manual:

[1] https://drive.google.com/open?id=1BdV3qAjsshiVJoDEhZMQBxAXk2yXzDyY

[2] https://drive.google.com/open?id=1mHncd2Ngp1MpQ3T3-zPOweXK5vMeMtJJ

[3] https://drive.google.com/open?id=1bsS0F0TkLsrrHTT87jVNHmXJi2AmjLJb

[4] https://drive.google.com/open?id=1QzVEDAJUzIkGbb6_XIPYGVKI7n4skeRc

For future updates, please refer to my redundant RAID 1 mirroring Blogger and 
Wordpress blogs.

https://tdtemcerts.blogspot.sg

https://tdtemcerts.wordpress.com








