Re: [CentOS] Centos OS Crash Recovery, Inquiry.

2016-11-02 Thread Eero Volotinen
There is no such thing as automatic backup.

If you are not familiar with the system, you should hire a consultant, and fast, to
minimize damages.

Doing low-level disk-level operations on a system is very dangerous
without knowledge.

Eero

3.11.2016 4.07 AM, "Christopher G. Halnin" <cghal...@pnri.dost.gov.ph>
wrote:

> Actually, I am not sure if we have a backup, because honestly, I am not
> that very much familiar with Centos. We use it for our mail server for
> zimbra and other web servers but after setting it up, as long as it is working
> just fine we don't do any other thing.
>
> Does it have an automatic backup system? And if it does, how can we use it
> to restore it back?
>
> Thanks.
>
> Regards,
>
> CHRIS
>
> - Original Message -
> From: "Eero Volotinen" <eero.voloti...@iki.fi>
> To: "CentOS mailing list" <centos@centos.org>
> Sent: Wednesday, November 2, 2016 7:00:16 PM
> Subject: Re: [CentOS] Centos OS Crash Recovery, Inquiry.
>
> yes there is. restore system from backups.
>
> eero
>
> 3.11.2016 3.47 AM, "Christopher G. Halnin" <cghal...@pnri.dost.gov.ph>
> wrote:
>
> > Dear Sir/s,
> >
> > As I have mentioned in my previous email, is there a way to recover or
> > bring back to life a crashed Centos OS after doing a Hard Drive
> > repartition or resizing?
> >
> > Thanks.
> >
> > Regards,
> >
> > CHRIS
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> >


Re: [CentOS] Centos OS Crash Recovery, Inquiry.

2016-11-02 Thread Eero Volotinen
yes there is. restore system from backups.

eero

3.11.2016 3.47 AM, "Christopher G. Halnin"
wrote:

> Dear Sir/s,
>
> As I have mentioned in my previous email, is there a way to recover or
> bring back to life a crashed Centos OS after doing a Hard Drive
> repartition or resizing?
>
> Thanks.
>
> Regards,
>
> CHRIS


Re: [CentOS] Cannot boot CentOS 7 VM after updating Host CentOS 7 Kernel

2016-10-30 Thread Eero Volotinen
So, just chroot to the mountpoint:

http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/

chroot /mounted/path /bin/bash and then .. mkinitrd (see man page for
documentation)

2016-10-30 22:57 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> A bit hard to say. Try chrooting into environment and rebuilding initrd?
>
> --
> Eero
>
> 2016-10-30 22:53 GMT+02:00 Paul R. Ganci <ga...@nurdog.com>:
>
>> On 10/30/2016 12:26 PM, Paul R. Ganci wrote:
>>
>>> I am thinking of putting the CentOS iso out and then booting the
>>> VM into it just to poke around the file system. Otherwise my other option
>>> is to just clone a twin VM on another server and then just change the
>>> networking IPs/hostname. Anybody have any other ideas as to how to debug
>>> this problem?
>>>
>> So I booted off the CentOS-7-x86_64-DVD-1511.iso and everything looks
>> just fine:
>>
>> > df
>> Filesystem               1K-blocks     Used  Available  Use%  Mounted on
>> /dev/mapper/live-rw        2030899   949022    1077781   47%  /
>> devtmpfs                   2004040        0    2004040    0%  /dev
>> tmpfs                      2023652        0    2023652    0%  /dev/shm
>> tmpfs                      2023652     8520    2015132    1%  /run
>> tmpfs                      2023652        0    2023652    0%  /sys/fs/cgroup
>> /dev/sr1                   4227724  4227724          0  100%  /run/install/repo
>> tmpfs                      2023652      200    2023452    1%  /tmp
>> /dev/mapper/centos-root   10799104  3894196    6904908   37%  /mnt/sysimage
>> /dev/vda1                   508588   143516     365072   29%  /mnt/sysimage/boot
>> tmpfs                      2023652        0    2023652    0%  /mnt/sysimage/dev/shm
>>
>> > ls /mnt/sysimage
>> bin   boot   dev   etc   home   lib   lib64   media   misc   mnt   net
>> opt   proc   root   run   sbin   srv   sys   tmp   usr   var
>>
>> > ls -l /mnt/sysimage/boot
>> total 109424
>> -rw-r--r--. 1 root root   126431 Oct 10 23:18 config-3.10.0-327.36.2.el7.x86_64
>> drwxr-xr-x. 2 root root       26 Oct  2  2015 grub
>> drwx------. 6 root root      104 Oct 13 02:21 grub2
>> -rw-r--r--. 1 root root 40655493 Apr  3  2015 initramfs-0-rescue-6494b5d98adc4f66b0cf4c19a0f6ab66.img
>> -rw-------. 1 root root 29666884 Oct 13 01:25 initramfs-3.10.0-327.36.2.el7.x86_64.img
>> -rw-------. 1 root root 18119089 Oct 13 02:20 initramfs-3.10.0-327.36.2.el7.x86_64kdump.img
>> -rw-r--r--. 1 root root 10190975 Dec 19  2015 initrd-plymouth.img
>> -rw-r--r--. 1 root root   252739 Oct 10 23:20 symvers-3.10.0-327.36.2.el7.x86_64.gz
>> -rw-------. 1 root root  2965270 Oct 10 23:18 System.map-3.10.0-327.36.2.el7.x86_64
>> -rwxr-xr-x. 1 root root  4902656 Apr  3  2015 vmlinuz0-rescue-6494b5d98adc4f66b0cf4c19a0f6ab66
>> -rwxr-xr-x. 1 root root  5157936 Oct 10 23:18 vmlinuz-3.10.0-327.36.2.el7.x86_64
>>
>> So the CentOS DVD iso in linux rescue mode shows that everything is there
>> and can be mounted. I guess that means somehow either grub itself is
>> corrupted or one of the boot images. So is there a way for me to generate a
>> new initrd while booted in linux rescue mode or will re-installing grub
>> help? How would I attempt re-installing grub while booted in linux rescue
>> mode?
>>
>> --
>> Paul (ga...@nurdog.com)
>> Cell: (303)257-5208


Re: [CentOS] Cannot boot CentOS 7 VM after updating Host CentOS 7 Kernel

2016-10-30 Thread Eero Volotinen
A bit hard to say. Try chrooting into environment and rebuilding initrd?

--
Eero

2016-10-30 22:53 GMT+02:00 Paul R. Ganci :

> On 10/30/2016 12:26 PM, Paul R. Ganci wrote:
>
>> I am thinking of putting the CentOS iso out and then booting the VM
>> into it just to poke around the file system. Otherwise my other option is
>> to just clone a twin VM on another server and then just change the
>> networking IPs/hostname. Anybody have any other ideas as to how to debug
>> this problem?
>>
> So I booted off the CentOS-7-x86_64-DVD-1511.iso and everything looks just
> fine:
>
> > df
> Filesystem               1K-blocks     Used  Available  Use%  Mounted on
> /dev/mapper/live-rw        2030899   949022    1077781   47%  /
> devtmpfs                   2004040        0    2004040    0%  /dev
> tmpfs                      2023652        0    2023652    0%  /dev/shm
> tmpfs                      2023652     8520    2015132    1%  /run
> tmpfs                      2023652        0    2023652    0%  /sys/fs/cgroup
> /dev/sr1                   4227724  4227724          0  100%  /run/install/repo
> tmpfs                      2023652      200    2023452    1%  /tmp
> /dev/mapper/centos-root   10799104  3894196    6904908   37%  /mnt/sysimage
> /dev/vda1                   508588   143516     365072   29%  /mnt/sysimage/boot
> tmpfs                      2023652        0    2023652    0%  /mnt/sysimage/dev/shm
>
> > ls /mnt/sysimage
> bin   boot   dev   etc   home   lib   lib64   media   misc   mnt   net
> opt   proc   root   run   sbin   srv   sys   tmp   usr   var
>
> > ls -l /mnt/sysimage/boot
> total 109424
> -rw-r--r--. 1 root root   126431 Oct 10 23:18 config-3.10.0-327.36.2.el7.x86_64
> drwxr-xr-x. 2 root root       26 Oct  2  2015 grub
> drwx------. 6 root root      104 Oct 13 02:21 grub2
> -rw-r--r--. 1 root root 40655493 Apr  3  2015 initramfs-0-rescue-6494b5d98adc4f66b0cf4c19a0f6ab66.img
> -rw-------. 1 root root 29666884 Oct 13 01:25 initramfs-3.10.0-327.36.2.el7.x86_64.img
> -rw-------. 1 root root 18119089 Oct 13 02:20 initramfs-3.10.0-327.36.2.el7.x86_64kdump.img
> -rw-r--r--. 1 root root 10190975 Dec 19  2015 initrd-plymouth.img
> -rw-r--r--. 1 root root   252739 Oct 10 23:20 symvers-3.10.0-327.36.2.el7.x86_64.gz
> -rw-------. 1 root root  2965270 Oct 10 23:18 System.map-3.10.0-327.36.2.el7.x86_64
> -rwxr-xr-x. 1 root root  4902656 Apr  3  2015 vmlinuz0-rescue-6494b5d98adc4f66b0cf4c19a0f6ab66
> -rwxr-xr-x. 1 root root  5157936 Oct 10 23:18 vmlinuz-3.10.0-327.36.2.el7.x86_64
>
> So the CentOS DVD iso in linux rescue mode shows that everything is there
> and can be mounted. I guess that means somehow either grub itself is
> corrupted or one of the boot images. So is there a way for me to generate a
> new initrd while booted in linux rescue mode or will re-installing grub
> help? How would I attempt re-installing grub while booted in linux rescue
> mode?
>
> --
> Paul (ga...@nurdog.com)
> Cell: (303)257-5208


Re: [CentOS] Cannot boot CentOS 7 VM after updating Host CentOS 7 Kernel

2016-10-30 Thread Eero Volotinen
You could mount the image and rebuild initrd.

Eero

2016-10-30 20:26 GMT+02:00 Paul R. Ganci :

> On 10/30/2016 07:33 AM, FrancisM wrote:
>
>> Any error in your host logs?
>>
> Nothing obvious. I checked /var/log/messages, /var/log/libvirt/qemu,
> /var/log/libvirt/lxc & /var/log/qemu-ga. The /var/log/libvirt/lxc &
> /var/log/qemu-ga were empty. The /var/log/libvirt/qemu directory had a log
> file of interest Outgoing-CentOS-7-VM.log but nothing in it that tells me
> anything obvious.
>
>  2016-10-30 06:40:09.764+: shutting down
> 2016-10-30 06:40:16.926+: starting up libvirt version: 1.2.17,
> package: 13.el7_2.5 (CentOS BuildSystem ,
> 2016-06-23-14:23:27, worker1.bsys.centos.org), qemu version: 1.5.3
> (qemu-kvm-1.5.3-105.el7_2.7)
> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
> QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name Outgoing-CentOS-7-VM -S
> -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -cpu Penryn -m 4096
> -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid
> 6494b5d9-8adc-4f66-b0cf-4c19a0f6ab66 -no-user-config -nodefaults -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-Outg
> oing-CentOS-7-VM/monitor.sock,server,nowait -mon
> chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew
> -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global
> PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device
> ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device
> ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5
> -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1
> -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2
> -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive
> file=/vm-images/centos7.0.qcow2,if=none,id=drive-virtio-disk0,format=qcow2
> -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virti
> o-disk0,id=virtio-disk0,bootindex=1 -drive 
> if=none,id=drive-ide0-0-0,readonly=on,format=raw
> -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev
> tap,fd=25,id=hostnet0,vhost=on,vhostfd=27 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:7b:a5:c2,bus=pci.0,addr=0x3
> -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0
> -chardev spicevmc,id=charchannel0,name=vdagent -device
> virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel
> 0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice
> port=5900,addr=127.0.0.1,disable-ticketing,seamless-migration=on -vga qxl
> -global qxl-vga.ram_size=67108864 -global qxl-vga.vram_size=67108864
> -global qxl-vga.vgamem_mb=16 -device intel-hda,id=sound0,bus=pci.0,addr=0x4
> -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev
> spicevmc,id=charredir0,name=usbredir -device
> usb-redir,chardev=charredir0,id=redir0 -chardev
> spicevmc,id=charredir1,name=usbredir -device
> usb-redir,chardev=charredir1,id=redir1 -device
> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -msg timestamp=on
> char device redirected to /dev/pts/1 (label charserial0)
> main_channel_link: add main channel client
> main_channel_handle_parsed: net test: latency 0.226000 ms, bitrate
> 37925925925 bps (36168.981481 Mbps)
> red_dispatcher_set_cursor_peer:
> inputs_connect: inputs channel client create
> red_peer_receive: Connection reset by peer
> red_channel_client_disconnect: rcc=0x7f2b11db6000 (channel=0x7f2b115b6600
> type=2 id=0)
> red_peer_receive: Connection reset by peer
> red_channel_client_disconnect: rcc=0x7f2b11d71000 (channel=0x7f2b10faa000
> type=3 id=0)
> red_channel_client_disconnect: rcc=0x7f2b11d8d000 (channel=0x7f2b10f8c4e0
> type=9 id=0)
> red_channel_client_disconnect: rcc=0x7f2b11d88000 (channel=0x7f2b10f8c680
> type=9 id=1)
> red_channel_client_disconnect: rcc=0x7f2b11a33000 (channel=0x7f2b10fa2000
> type=1 id=0)
> main_channel_client_on_disconnect: rcc=0x7f2b11a33000
> red_client_destroy: destroy client 0x7f2b10f2fd00 with #channels=4
> red_dispatcher_disconnect_cursor_peer:
> red_channel_client_disconnect: rcc=0x7f2b11d6c000 (channel=0x7f2b11938000
> type=4 id=0)
> red_dispatcher_disconnect_display_peer
>
> I rebooted the host while the guests were running. Is it possible the root
> file system was corrupted during the host reboot? I am thinking of putting
> the CentOS iso out and then booting the VM into it just to poke around the
> file system. Otherwise my other option is to just clone a twin VM on
> another server and then just change the networking IPs/hostname. Anybody
> have any other ideas as to how to debug this problem?
> --
> Paul (ga...@nurdog.com)
> Cell: (303)257-5208

Re: [CentOS] Power Cut

2016-10-30 Thread Eero Volotinen
You could use a smart UPS and connect information from it to the system, so it
can shut down the system in a clean way.

Eero

2016-10-30 7:12 GMT+02:00 Hadi Motamedi :

> Dear All
> I am using a centos server for cdr billing and mediation device on a remote
> network. I am experiencing problem that I am suspicious it comes from main
> supply power cut at the remote site. The power supply to the remote site
> comes from battery charger that will be automatically switched in circuit
> under main supply power cut but cannot provide adequate power for more than
> 2 hours . I am suspicious that the remote system is suffering from many
> frequent main supply power cut . Can you please do me favor and let me know
> if there is any log on my centos server that I can check to see if there
> would be many frequent power cut there ?
> Thank you for your time


Re: [CentOS] Squid question

2016-10-29 Thread Eero Volotinen
For SSL interception, SSLBump is required:
http://wiki.squid-cache.org/Features/SslBump

This is a bit complex to set up. SSL interception is not really a good idea to
implement. I think it will not work with an upstream proxy either.

--
Eero

2016-10-29 22:37 GMT+03:00 paul.greene.va :

> I'm having issues getting squid to send traffic through a specific
> upstream gateway.
>
> I need for a MS WSUS server and a Symantec Endpoint Protection Manager to
> get through a squid proxy to get out to Microsoft and Symantec respectively
> to get MS patches and Symantec DAT files.
>
> The traffic needs to go through the squid proxy, through a firewall, and
> through an upstream McAfee gateway server. If it tries to take a path
> different than that upstream gateway to get out to the internet, it'll get
> dropped.
>
> However, once the traffic goes through the proxy, it tries to go directly
> to the vendor website and not go through the McAfee gateway, and therefore
> is getting blocked by the firewall. The traffic never reaches the McAfee
> gateway.
>
> If I configure a browser to use the proxy server and browse to some
> websites, it can get to http sites, but not https sites. Port 443 is what
> isn't getting through.
>
> I thought this line in squid.conf was supposed to send the traffic to an
> upstream cache_peer parent gateway, but I could easily be misunderstanding
> what it's supposed to do. (I'm pretty new with squid)
>
> cache_peer   parent 8080  3130
> proxy-only no-query no-netdb-exchange default login=:
>
> The Safe_ports  and SSL_ports is the squid.conf default settings, and
> include both port 443 and port 80 traffic
>
> Thanks,
>
> PG
>


Re: [CentOS] Anyone know anything about slurm on CentOS 7?

2016-10-26 Thread Eero Volotinen
looks like auditd logging is a bit tweaked.

eero

26.10.2016 6.11 PM  wrote:

> The recently-left programmer did *something*, and he didn't know what, and
> the guy who picked it up is working with me to find out why
> /var/log/messages is getting flooded with
> Oct 26 11:01:06  kernel: type=1105
> audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:session_open
> grantors=pam_keyinit,pam_keyinit,pam_limits,pam_
> systemd,pam_unix,pam_krb5,pam_xauth
> acct="" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
> Oct 26 11:01:06  kernel: type=1106
> audit(1477494066.620:642431): pid=108548 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:session_close
> grantors=pam_keyinit,pam_keyinit,pam_limits,pam_
> systemd,pam_unix,pam_krb5,pam_xauth
> acct="" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
> Oct 26 11:01:06  kernel: type=1104
> audit(1477494066.620:642432): pid=108548 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:setcred grantors=pam_rootok acct="" exe="/usr/bin/su"
> hostname=? addr=? terminal=? res=success'
>
> Oct 26 11:01:11  su: (to ) root on none
> Oct 26 11:01:11  su: (to ) root on none
> Oct 26 11:01:11  systemd: Started Session c21839 of user
> .
>
> Other folks can submit jobs to slurm, and we don't get anything like this.
>
> Feel free to contact me offlist
>
>   mark
> Oct 26 11:01:11  systemd: Starting Session c21839 of user
> .
>
>
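Added example, not part of the original messages: a Python triage of kernel-logged audit records like the ones quoted above, counting them per executable, record type and login context to show which caller produces the flood. The sample lines are constructed in the quoted format; the host name node01, the accounts svcuser and alice, and the sshd record are assumptions.

```python
import re
from collections import Counter

# Record types PAM emits through the audit subsystem (numbers from linux/audit.h).
AUDIT_TYPES = {
    1100: "USER_AUTH", 1101: "USER_ACCT", 1103: "CRED_ACQ",
    1104: "CRED_DISP", 1105: "USER_START", 1106: "USER_END",
}
UNSET = "4294967295"  # (uint32)-1: the process has no login uid / audit session

RECORD_RE = re.compile(
    r"kernel: type=(?P<type>\d+) audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$"
)
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Constructed sample lines (not taken from a real host).
SAMPLE_LINES = [
    "Oct 26 11:01:06 node01 kernel: type=1105 audit(1477494066.569:642430): pid=108551 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 "
    "msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix "
    "acct=\"svcuser\" exe=\"/usr/bin/su\" hostname=? addr=? terminal=? res=success'",
    "Oct 26 11:01:06 node01 kernel: type=1106 audit(1477494066.620:642431): pid=108548 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 "
    "msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix "
    "acct=\"svcuser\" exe=\"/usr/bin/su\" hostname=? addr=? terminal=? res=success'",
    "Oct 26 11:01:06 node01 kernel: type=1104 audit(1477494066.620:642432): pid=108548 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 "
    "msg='op=PAM:setcred grantors=pam_rootok acct=\"svcuser\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=? res=success'",
    "Oct 26 11:01:11 node01 su: (to svcuser) root on none",
    "Oct 26 11:01:11 node01 systemd: Started Session c21839 of user svcuser.",
    "Oct 26 11:02:40 node01 kernel: type=1105 audit(1477494160.101:642440): pid=109000 uid=0 "
    "auid=1000 ses=12 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid acct=\"alice\" "
    "exe=\"/usr/sbin/sshd\" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'",
]


def parse_record(line):
    """Return the fields of one kernel-logged audit record, or None for other lines."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    # PAM puts its own key=value list inside the single-quoted msg field.
    inner = fields.pop("msg", "").strip("'")
    fields.update(FIELD_RE.findall(inner))
    rec = {key: value.strip('"') for key, value in fields.items()}
    rec["type"] = int(m.group("type"))
    rec["type_name"] = AUDIT_TYPES.get(rec["type"], "type=%d" % rec["type"])
    rec["epoch"] = int(m.group("epoch"))
    return rec


def summarize(lines):
    """Count records per (executable, record type, login context)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # ordinary syslog line, not an audit record
        auid = rec.get("auid", "?")
        context = "no-login-uid" if auid == UNSET else "auid=" + auid
        counts[(rec.get("exe", "?"), rec["type_name"], context)] += 1
    return counts


def daemon_sources(lines):
    """Executables logging session records without a login uid, busiest first."""
    per_exe = Counter()
    for (exe, _type_name, context), n in summarize(lines).items():
        if context == "no-login-uid":
            per_exe[exe] += n
    return per_exe.most_common()


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(n, *key)
    print("started outside a login session:", daemon_sources(SAMPLE_LINES))
```

Records with no login uid come from processes that do not descend from an interactive login, so a high count for one executable points at a service or job wrapper calling it.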


Re: [CentOS] Is bind-9.8.2-0.47.rc1.el6_8.1.x86_64 vulnerable

2016-10-16 Thread Eero Volotinen
https://access.redhat.com/security/cve/cve-2016-2776 check versions against
centos package numbers :)

--
Eero

2016-10-17 8:28 GMT+03:00 マスターズ イアン :

> Hi
>
> I'd like to know if the present version of Bind in CentOS 6
> (bind-9.8.2-0.47.rc1.el6_8.1.x86_64) is vulnerable to CVE-2016-2776.
>
> According to https://www.isc.org/downloads/, version 9.8.x is End-of-Life
> (EOL) as of Sep 2014.
>
> Regards
>
> ian
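Added example, not part of the original messages: one way to do the version check suggested above, comparing an installed package's version-release against the fixed build named in an advisory with a re-implementation of rpm's segment-wise ordering (without the newer '^' operator). The "fixed" strings below are constructed placeholders, not values from the advisory, and the epoch is assumed to be the same on both sides.

```python
import re


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm orders them: -1, 0 or 1."""
    if a == b:
        return 0
    while a or b:
        # Separators carry no meaning; only '~' (sorts before anything) is kept.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        # Take the next all-digit or all-letter segment; its kind is set by `a`.
        numeric = a[0].isdigit()
        pattern = r"^[0-9]+" if numeric else r"^[A-Za-z]+"
        seg_a = re.match(pattern, a).group(0)
        match_b = re.match(pattern, b)
        if match_b is None:
            # Mixed kinds: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        seg_b = match_b.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            # Compare as integers of arbitrary size: drop zeros, longer wins.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if a else -1


def split_nvra(nvra):
    """Split 'name-version-release.arch', as printed by `rpm -q`, into its parts."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def compare_builds(installed, fixed):
    """Order two builds of the same package by version, then release."""
    name_i, ver_i, rel_i, _ = split_nvra(installed)
    name_f, ver_f, rel_f, _ = split_nvra(fixed)
    if name_i != name_f:
        raise ValueError("different packages: %s vs %s" % (name_i, name_f))
    return rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)


def has_fix(installed, fixed):
    """True when the installed build is the fixed build or a later one."""
    return compare_builds(installed, fixed) >= 0


# Package string from the question above.
INSTALLED = "bind-9.8.2-0.47.rc1.el6_8.1.x86_64"
# Constructed placeholders for the demonstration only; take the real fixed
# build from the advisory linked in the reply.
PLACEHOLDER_LATER_FIX = "bind-9.8.2-0.47.rc1.el6_8.9.x86_64"
PLACEHOLDER_EARLIER_FIX = "bind-9.8.2-0.37.rc1.el6_7.2.x86_64"

if __name__ == "__main__":
    for fixed in (PLACEHOLDER_LATER_FIX, PLACEHOLDER_EARLIER_FIX):
        verdict = "contains" if has_fix(INSTALLED, fixed) else "predates"
        print("%s %s %s" % (INSTALLED, verdict, fixed))
```

The upstream version (9.8.2) is the same in all three strings; only the release field distinguishes the builds, which is why the comparison has to be made on package numbers rather than on the upstream version.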


Re: [CentOS] PHP vulnerability CVE-2016-4073

2016-09-21 Thread Eero Volotinen
https://pci.qualys.com/static/help/merchant/questionnaires/compensating_controls_definition.htm

Eero

2016-09-21 14:02 GMT+03:00 Прокси :

> Hello,
>
> My server with CentOS 6.8 just failed PCI scan, so I'm looking into
> vulnerable packages. PHP 5.3.3 have multiple vulnerabilities, some of
> them are fixed/patched or have some kind of workaround. But I can't find
> a way to fix this one. Red Hat state: under investigation.
>
> https://access.redhat.com/security/cve/cve-2016-4073
>
> This CVE is 6 months old, and it doesn't look like it will be fixed.
> Does anyone know the way to go around this? Except blocking mb_strcut()
> function.
>
> Thanks!


Re: [CentOS] Problem with CentOS 5.11 virtual machine

2016-08-24 Thread Eero Volotinen
Try reinstalling vmware-tools

Eero

24.8.2016 7.41 PM, "Kaplan, Andrew H." wrote:

> Hello --
>
> We completed an installation of CentOS 5.11 32-bit onto a Vmware ESXi
> 6.0.0 appliance for the purpose of running a legacy application. The
> hardware in question is a Dell PowerEdge R730xd system. The Vmware tools
> utility was installed onto the virtual machine, and that initially provided
> access to the network. Once that was done, patches from the CentOS
> repository were installed onto the virtual machine, and it was rebooted.
>
> The problem we are experiencing is that after that last reboot the network
> card is not recognized, and there is no connectivity. The error message we
> are getting is the following:
>
> vmxnet3 device eth0 does not seem to be present, delaying initialization.
>
> The setup utility within CentOS recognizes the card being present, but the
> running ifup command, and turning off the NetworkManager daemon did not
> help. I also went to the /etc/udev/rules.d directory, removed the existing
> 60-net.rules file, and recreated it with the echo command. A reboot did not
> populate the file. I then tried creating a 70-persistent-net.rules file,
> and that did not work either.
>
> Running the command
>
> ls /sys/class/net
>
> listed only the lo interface.
>
> So far, the only solution that I can think of is to recreate the virtual
> machine, install the Vmware Tools utility, and forget about installing any
> patches. Before I do that, I wanted to know if anyone has any other ideas.
>
> Thanks.
>
>


Re: [CentOS] vsftpd broken ?

2016-08-15 Thread Eero Volotinen
You could try setting in vsftpd.conf:

use_sendfile=NO

--
Eero

2016-08-15 18:17 GMT+03:00 Günther J. <g...@gjn.priv.at>:

> Hello,
>
> On Monday, 15 August 2016, 18:11:56, Eero Volotinen wrote:
> > Sounds like hardware failure (memory, disk) or network problem.
>
> On all tested Systems ;-) and I mean I found 100 Messages in Goo...
> with
> the same Problem ??
>
> >
> > 2016-08-15 16:20 GMT+03:00 Günther J. <g...@gjn.priv.at>:
> > > Hello,
> > >
> > > CentOS 7.2
> > >
> > > have any a workaround for this Error ?
> > >
> > > vsftpd Error:426 failure Reading Network STream
> > >
> > > after transfer I have a broken file on the ftp Server
> > >
> > > I mean I have found a newer Version 3.0.3 but not for CentOS 7.2 but I
> > > can't say is this Problem corrected in 3.0.3?
> > >
> > > Any hint please ;-)
> > >
> > > --
> > > mit freundlichen Grüßen / best regards,
> > >
> > >   Günther J. Niederwimmer
> > >
>
> --
> mit freundlichen Grüßen / best regards,
>
>   Günther J. Niederwimmer


Re: [CentOS] vsftpd broken ?

2016-08-15 Thread Eero Volotinen
Sounds like hardware failure (memory, disk) or network problem.


--
Eero

2016-08-15 16:20 GMT+03:00 Günther J. :

> Hello,
>
> CentOS 7.2
>
> have any a workaround for this Error ?
>
> vsftpd Error:426 failure Reading Network STream
>
> after transfer I have a broken file on the ftp Server
>
> I mean I have found a newer Version 3.0.3 but not for CentOS 7.2 but I can't
> say is this Problem corrected in 3.0.3?
>
> Any hint please ;-)
>
> --
> mit freundlichen Grüßen / best regards,
>
>   Günther J. Niederwimmer


Re: [CentOS] how to update from 5.8 to 5.latest?

2016-08-15 Thread Eero Volotinen
Hi,

Just run 'yum upgrade' or 'yum update'. No other action is required. You
can also add -y switch to autoselect --yes

Eero

2016-08-15 13:36 GMT+03:00 Kai Schaetzl :

> Hi!
>
> I revived an old disk with CentOS 5.8 on it and want to update it to
> 5.latest (=5.11). However, it insists on getting 5.8 files. From the past
> I remember I would get a major release jump from 5.n to 5.m automatically.
> Or do I remember this wrong?
> I googled a bit around, but couldn't really find something similar.
>
> How do I update now? The repo file looks exactly like on machines that are
> up to 5.11. Should I change it manually to 5.11 or just 5 paths?
> Does it still understand that this is then an upgrade to a another major
> version?
>
> Or should I do something different to make it upgrade to 5.11?
>
> Thanks!
>
> Kai
>
>


Re: [CentOS] RPM help

2016-08-08 Thread Eero Volotinen
please check out logs and error messages.

Eero

2016-08-08 14:57 GMT+03:00 TE Dukes :

> Hello,
>
>
>
> My installation of clamav is hosed up. It won't start due to a malformed
> database.
>
>
>
> I ran freshclam and updated the database but still have the problem.
>
>
>
> I was going to uninstall clamav but there are other app dependencies.
> Virtualmin is one.
>
>
>
> How can I do an uninstall/re-install without hosing more stuff up?
>
>
>
> I have found some examples, --nodeps, --replacepkgs and -replacefiles
>
>
>
> Also, what is the rpm command that will tell me all packages named clam*.
> Haven't used it in a while and have forgotten. I tried rpm -q "clam*" but
> that didn't work.
>
>
>
> TIA
>
>
>


Re: [CentOS] TLSv1.2 support for lftp on CentOS 6.x

2016-08-02 Thread Eero Volotinen
At least the latest version supports tlsv1.2 -- maybe packaged version is a
bit old?

Eero

2016-08-02 14:11 GMT+03:00 Olivier BONHOMME :

> Hello everybody,
>
> I am writing on that mailing list because I have an issue using lftp and I
> would love to have more infos about features available on the LFTP version
> provided by CentOS 6.
>
> I try to connect to a ftp server in secured mode using FTPS explicit and I
> would love to use TLSv1.2.
>
> After several tries, I understood that the TLS negotiation was not possible
> using TLSv1.2 (It works only with TLSv1.1) but my issue is I don't
> understand why:
>  - The GNU TLS Library provided by CentOS is TLSv1.2 compliant. I can use
>    gnutls-cli in order to make a TLSv1.2 connection
>  - It also works perfectly with an openssl client, so it's not a server side
>    issue.
>  - I don't see anything in the lftp changelog or features list saying that
>    lftp is not compliant with TLSv1.2.
>
> So my question is: Can lftp provided by CentOS (of course last version in
> the 6.x branch), do TLSv1.2 connection? If it is not possible, I can deal with
> it but I'm curious to know if it is a feature or a bug. Indeed if it's a
> bug it could be interesting to submit an issue for a potential resolution.
>
> Thanks for your answers
>
> Regards,
> Olivier Bonhomme


Re: [CentOS] centos7: ntpd not started on boot

2016-07-29 Thread Eero Volotinen
Is chrony running? It's default ntpd nowadays

Eero

29.7.2016 11.34 AM, "Volker" wrote:

> Hi,
>
> I have got problems with the ntp daemon.
>
> It is enabled in systemd but is not started on boot.
>
> # systemctl status ntpd
> ● ntpd.service - Network Time Service
>Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor
> preset: disabled)
>Active: inactive (dead)
>
> Starting manually works
> # systemctl start ntpd
> # systemctl status ntpd
> ● ntpd.service - Network Time Service
>Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor
> preset: disabled)
>Active: active (running) since Fri 2016-07-29 10:29:45 CEST; 3s ago
>   Process: 2291 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS
> (code=exited, status=0/SUCCESS)
>  Main PID: 2296 (ntpd)
>CGroup: /system.slice/ntpd.service
>└─2296 /usr/sbin/ntpd -u ntp:ntp -g
>
> Jul 29 10:29:45 simpil1 ntpd[2296]: Listen normally on 2 lo 127.0.0.1
> UDP 123
> Jul 29 10:29:45 simpil1 ntpd[2296]: Listen normally on 3 eno1
> 10.17.66.11 UDP 123
> Jul 29 10:29:45 simpil1 ntpd[2296]: Listen normally on 4 lo ::1 UDP 123
> Jul 29 10:29:45 simpil1 ntpd[2296]: Listen normally on 5 eno1
> fe80::223:24ff:fea7:a264 UDP 123
> Jul 29 10:29:45 simpil1 ntpd[2296]: Listening on routing socket on fd
> #22 for interface updates
> Jul 29 10:29:45 simpil1 ntpd[2296]: 0.0.0.0 c016 06 restart
> Jul 29 10:29:45 simpil1 ntpd[2296]: 0.0.0.0 c012 02 freq_set kernel
> 8.993 PPM
> Jul 29 10:29:46 simpil1 ntpd[2296]: 0.0.0.0 c61c 0c clock_step -0.180109 s
> Jul 29 10:29:46 simpil1 ntpd[2296]: 0.0.0.0 c614 04 freq_mode
> Jul 29 10:29:47 simpil1 ntpd[2296]: 0.0.0.0 c618 08 no_sys_peer
>
> I see nothing ntpd related /var/log/messages or journalctl during the
> boot phase. Seems like no attempt is made to start it at all.
>
> Is there something that needs to be done besides enabling it with systemctl?
>
> Regards
> .Volker
>
>


Re: [CentOS] yum install error http 403

2016-07-18 Thread Eero Volotinen
Do you have a direct internet connection without a proxy? If not, you need to
set the proxy= variable in yum.conf. In any other case try running 'yum clean
all' and try again.

Eero

2016-07-19 8:38 GMT+03:00 李明伟 :

> Hi
>
>
> When I install package on CentOS7 with below command :
>
>
> yum install 
>
>
> I will hit errors like:
>
>
> # yum install  httpd
> Loaded plugins: fastestmirror
>
> http://centos-distro.1gservers.com/7.2.1511/os/x86_64/repodata/repomd.xml:
> [Errno 14] HTTP Error 403 - Forbidden
> Trying other mirror.
> To address this issue please refer to the below knowledge base article
>
>
> https://access.redhat.com/solutions/69319
>
>
> If above article doesn't help to resolve this issue please create a
> bug on https://bugs.centos.org/
>
>
> The link need an RedHat Product Series Number to access but I do not have
> one. So not read yet.
>
>
> I did a few search can sure about below information:
>
>
> 1. Do not using http_proxy in my env
> 2. SElinux and firewall is closed
> 3. yum clean all do not help
>
>
> I also try to replace all files in my /etc/yum.repos.d with files from a
> working machine. But still have error.
>
>
> One more thing I did is to add
>
>
> timeout=
> minrate=0
>
>
> in /etc/yum.conf. Because if I do not do this. There will be error like :
>
>
> Loaded plugins: fastestmirror
>
> http://centos-distro.1gservers.com/7.2.1511/os/x86_64/repodata/repomd.xml:
> [Errno 12] Timeout on
> http://centos-distro.1gservers.com/7.2.1511/os/x86_64/repodata/repomd.xml:
> (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30
> seconds')
> Trying other mirror.
>
>
> Please help me to look at this. Thanks very much


Re: [CentOS] Help with C7 start script

2016-07-18 Thread Eero Volotinen
Try this
https://ask.fedoraproject.org/en/question/26898/what-is-the-auto-start-file-like-rclocal/

Eero

On 18.7.2016 at 6.42 PM, "Jerry Geis" wrote:

> Under the old C6 I put an entry in rc.local to run my programs I want. We
> will call it /path/boot.sh
> Worked fine.
>
> Under C7 I have created a new service file for systemd. It looks like:
> ---
> [Unit]
> Description=Company
> After=network.target
>
> [Service]
> Type=forking
> ExecStart=/path/boot.sh
>
> [Install]
> WantedBy=multi-user.target
>
> ---
> For the most part this works every time on boot.
>
> However - when I do a "yum update" and the kernel changes, part of my
> boot.sh is to detect that kernel change and recompile some of my drivers.
> The kernel change is detected and the recompiling starts - but after some
> time the process just stops. If I rerun it manually it will then complete
> as normal.
>
> So my question is - Is my service script above not complete? Is the
> system looking for it to exit in a certain amount of time, and it hasn't
> exited so it KILLs my script? Something like that?
>
> What is missing from my script so it does not kill it after some time?
>
> Thanks
>
> Jerry


Re: [CentOS] CentOS7 firewalld ploblem

2016-07-14 Thread Eero Volotinen
Ok.

try following:

firewall-cmd --add-port=110/tcp --permanent
firewall-cmd --reload

Eero

2016-07-14 12:22 GMT+03:00 望月忠雄 <ta...@creative-japan.org>:

> I cannot add pop3 with following error.
> # firewall-cmd --permanent --zone=external --add-service=pop3
> Error: INVALID_SERVICE: pop3
>
> And cannot access to 143 too.
> telnet 153.153.xxx.xxx 143
> Trying 153.153.xxx.xxx...
> telnet: connect to address 153.153.xxx.xxx: No route to host
>
>
>
> 2016-07-14 17:53 GMT+09:00 Eero Volotinen <eero.voloti...@iki.fi>:
>
> > You need to add pop3. Please note that pop3 is not secure, as the password
> > and username are transferred in plain text.
> >
> > firewall-cmd --add-service=pop3 --permanent
> > firewall-cmd --reload
> >
> > --
> > Eero
> >
> >
> >
> > 2016-07-14 11:43 GMT+03:00 Subscriber <ml-li...@agoris.net.ua>:
> >
> > >
> > > Thursday, July 14, 2016, 11:32:31 AM, you wrote:
> > >
> > > > Dear Members,
> > >
> > > > Please tell me how can I fix this problem.
> > >
> > > > Against allow imap on firewalld, I cannot access to the server.
> > >
> > > imap - port 143
> > > pop3 - port 110
> > >
> > > add to firewalld service pop3 or try telnet 153.153.xxx.xxx 143
> > >
> > > > [root@speedex ~]# telnet 153.153.xxx.xxx 110
> > > > Trying 153.153.xxx.xxx...
> > > > telnet: connect to address 153.153.xxx.xxx: No route to host
> > >
> > > > After stopping firewalld I can access the server.
> > > > [root@speedex ~]# telnet 153.153.xxx.xxx 110
> > > > Trying 153.153.xxx.xxx...
> > > > Connected to 153.153.xxx.xxx.
> > > > Escape character is '^]'.
> > > > +OK Dovecot ready.
> > > > ^]
> > > > telnet> quit
> > >
> > > > I have attached nmcli and firewalld data. Please check it.
> > > > If you need more please tell me.
> > >
> > > > Tadao
> > >
> > >
> > >
> > > --
> > > Best regards,
> > >  Subscriber mailto:ml-li...@agoris.net.ua
> > >


Re: [CentOS] CentOS7 firewalld ploblem

2016-07-14 Thread Eero Volotinen
You need to add pop3. Please note that pop3 is not secure, as the password
and username are transferred in plain text.

firewall-cmd --add-service=pop3 --permanent
firewall-cmd --reload

--
Eero



2016-07-14 11:43 GMT+03:00 Subscriber :

>
> Thursday, July 14, 2016, 11:32:31 AM, you wrote:
>
> > Dear Members,
>
> > Please tell me how can I fix this problem.
>
> > Against allow imap on firewalld, I cannot access to the server.
>
> imap - port 143
> pop3 - port 110
>
> add to firewalld service pop3 or try telnet 153.153.xxx.xxx 143
>
> > [root@speedex ~]# telnet 153.153.xxx.xxx 110
> > Trying 153.153.xxx.xxx...
> > telnet: connect to address 153.153.xxx.xxx: No route to host
>
> > After stopping firewalld I can access the server.
> > [root@speedex ~]# telnet 153.153.xxx.xxx 110
> > Trying 153.153.xxx.xxx...
> > Connected to 153.153.xxx.xxx.
> > Escape character is '^]'.
> > +OK Dovecot ready.
> > ^]
> > telnet> quit
>
> > I have attached nmcli and firewalld data. Please check it.
> > If you need more please tell me.
>
> > Tadao
>
>
>
> --
> Best regards,
>  Subscriber mailto:ml-li...@agoris.net.ua
>


Re: [CentOS] yum returns error 'repolist 0'

2016-07-14 Thread Eero Volotinen
You can also run yum with -v or -vv to debug the issue further.

Eero

2016-07-14 11:36 GMT+03:00 Jose Maria Terry Jimenez :

> On 14/7/16 at 9:01, ge lignored wrote:
>
>> greetings to one and all.
>>
>> a new iso burn w/ centos 6.8 failed to boot on a 686 32 bit mid tower box,
>> but will boot a 32 bit laptop, so i dropped back to 6.7 which did boot.
>>
>> after install with centos 6.7, attempt to upgrade fails with 'repolist 0'.
>>
>> all desire repo files have enable = 1.
>>
>> searched thru past 4 yrs of personal archives, nothing found related to
>> 'repolist 0'.
>>
>> ran web search for 'repolist 0' and 'repolist = 0' with all hits related
>> to repo files having 'enable = 0'.
>>
>> any suggestions/ideas/clues as to solution of problem greatly appreciated.
>>
>>
> Hello
>
> Never seen this but i'd try
>
> yum repolist all
>
> Lists the enabled repos?
>
> Did you try
>
> yum clean all
>
> Before the upgrade?
>
> I think this happens in RHEL if you have no active subscription, but not
> applicable to CentOS.
>
>
>


Re: [CentOS] DHCP max-lease-time maximum

2016-07-07 Thread Eero Volotinen
Static MAC ip mapping on dhcp server?

Eero
On 7.7.2016 at 12.38 PM, "Götz Reinicke - IT Koordinator" <
goetz.reini...@filmakademie.de> wrote:

On 06.07.16 at 18:19, John R Pierce wrote:
> On 7/6/2016 1:27 AM, Götz Reinicke - IT Koordinator wrote:
>> :)  ... the long lease is for some Accesspoints which we don't like to
>> configure static, just plug in and run.
>
> why not configure reservations for those access points?
>
> the downside of a really long lease time is if you have to change
> something like DNS, gateway, whatever, the clients with a really long
> lease will not 'see' the change until 50% of the lease time expires as
> that's the default refresh.
>
>
Hi, what do you mean with "reservations"? the APs in question just need
an IP for connecting to the management server which is in the same subnet.

Thanks for your feedback . Götz





Re: [CentOS] How to have more than on SELinux context on a directory

2016-07-06 Thread Eero Volotinen
2016-07-06 14:30 GMT+03:00 Bernard Fay :

> If I understand well, I could add a type to another type?!?!?!   If that is
> the case, I did not know about it like many things in the SELinux
> world. It is so complex and so badly documented.  :-(
>
>
>
Poorly? Just read the documents:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/

and google "selinux rhel" ..

--
Eero


Re: [CentOS] DHCP max-lease-time maximum

2016-07-06 Thread Eero Volotinen
How about static ip mapping on dhcp?

Eero

2016-07-06 11:27 GMT+03:00 Götz Reinicke - IT Koordinator <
goetz.reini...@filmakademie.de>:

> :) ... the long lease is for some Accesspoints which we don't like to
> configure static, just plug in and run.
>
> /Götz
>
> On 06.07.16 at 10:24, Eero Volotinen wrote:
> > DHCP uses 16 to represent an infinite lease. Try if it's supported.
> > Anyway, it's insane value as year lease time :)
> >
> > Eero
> >
> > 2016-07-06 11:22 GMT+03:00 Götz Reinicke - IT Koordinator <
> > goetz.reini...@filmakademie.de>:
> >
> >> Hi,
> >>
> >> I'm looking for the max value for max-lease-time. would 512640 seconds
> >> (1 year) work?
> >>
> >> Thanks . Götz
> >>
>
>


Re: [CentOS] DHCP max-lease-time maximum

2016-07-06 Thread Eero Volotinen
DHCP uses 16 to represent an infinite lease. Try if it's supported.
Anyway, it's insane value as year lease time :)

Eero

2016-07-06 11:22 GMT+03:00 Götz Reinicke - IT Koordinator <
goetz.reini...@filmakademie.de>:

> Hi,
>
> I'm looking for the max value for max-lease-time. would 512640 seconds
> (1 year) work?
>
> Thanks . Götz
>
>
>
>


Re: [CentOS] Securing RPC

2016-07-01 Thread Eero Volotinen
Are you really exposing portmapper (RPC) and NFS to public network?

Eero

2016-07-01 9:38 GMT+03:00 Leon Vergottini :

> Dear Community
>
> I hope you are all doing well.
>
> Recently I have been receiving several complaints from our service
> provider.  Please see the complaint below:
>
> A public-facing device on your network, running on IP address
> XXX.XXX.XXX.XXX, operates a RPC port mapping service responding on UDP port
> 111 and participated in a large-scale attack against a customer of ours,
> generating responses to spoofed requests that claimed to be from the attack
> target.
>
> Please consider reconfiguring this server in one or more of these ways:
>
> 1. Adding a firewall rule to block all access to this host's UDP port 111
> at your network edge (it would continue to be available on TCP port 111 in
> this case).
> 2. Adding firewall rules to allow connections to this service (on UDP port
> 111) from authorized endpoints but block connections from all other hosts.
> 3. Disabling the port mapping service entirely (if it is not needed).
>
>
>
> Unfortunately, I cannot disable NFS which lies at the root of this
> problem.  In addition, I am struggling to find a proper tutorial of moving
> NFS from udp over to tcp.
>
> May I kindly ask you to point me in a direction or provide me with ideas on
> how to nail this thing in the 
>
> Kind Regards
> Leon
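
Before choosing among the three options in the provider's notice, it helps to confirm which sockets the port mapper actually has open on non-loopback addresses. The function below is an added example, not part of the original thread: it reads `ss -lntu` output and lists listeners on port 111 that are not bound to loopback. The function name and the sample output are constructed; the assumed column layout is Netid, State, Recv-Q, Send-Q, Local Address:Port.

```bash
#!/bin/bash
# Added example: list rpcbind/portmapper listeners that are not loopback-only.
# Usage on a live host:  ss -lntu | exposed_rpc_listeners
# exposed_rpc_listeners is a hypothetical helper name, not a system tool.

exposed_rpc_listeners() {
    awk '
    # Only socket rows; this also skips the header line.
    $1 != "udp" && $1 != "tcp" { next }
    {
        addr = $5                                 # Local Address:Port column
        port = addr; sub(/.*:/, "", port)         # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)     # text before the last colon
        # Port 111 is shown as "sunrpc" when ss runs without -n.
        if (port != "111" && port != "sunrpc") next
        gsub(/\[|\]/, "", host)                   # [::1] becomes ::1
        sub(/%.*/, "", host)                      # drop a scope such as %lo
        # Loopback-only listeners cannot answer spoofed requests from outside.
        if (host ~ /^127\./ || host == "::1") next
        # UDP is the transport named in the abuse report; TCP is listed too.
        print $1, addr
    }'
}

# Constructed sample in the layout printed by `ss -lntu` (old and new
# address notations mixed on purpose).
sample_ss_output() {
    cat <<'EOF'
Netid State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN     0      0      *:111                *:*
udp   UNCONN     0      0      127.0.0.1:323        *:*
udp   UNCONN     0      0      :::111               :::*
tcp   LISTEN     0      128    *:111                *:*
tcp   LISTEN     0      128    *:22                 *:*
tcp   LISTEN     0      64     [::1]:111            [::]:*
EOF
}

sample_ss_output | exposed_rpc_listeners
```

An empty result means nothing is listening on port 111 outside loopback. Any `udp` line is a socket that still needs the firewall rule from option 1 or 2 of the notice.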


Re: [CentOS] KVM HA

2016-06-22 Thread Eero Volotinen
How about trying commercial RHEV?

Eero
On 22.6.2016 at 8.02 AM, "Tom Robinson" wrote:

> Hi,
>
> I have two KVM hosts (CentOS 7) and would like them to operate as High
> Availability servers,
> automatically migrating guests when one of the hosts goes down.
>
> My question is: Is this even possible? All the documentation for HA that
> I've found appears to not
> do this. Am I missing something?
>
> My configuration so far includes:
>
>  * SAN Storage Volumes for raw device mappings for guest vms (single
> volume per guest).
>  * multipathing of iSCSI and Infiniband paths to raw devices
>  * live migration of guests works
>  * a cluster configuration (pcs, corosync, pacemaker)
>
> Currently when I migrate a guest, I can all too easily start it up on both
> hosts! There must be some
> way to fence these off but I'm just not sure how to do this.
>
> Any help is appreciated.
>
> Kind regards,
> Tom
>
>
> --
>
> Tom Robinson
> IT Manager/System Administrator
>
> MoTeC Pty Ltd
>
> 121 Merrindale Drive
> Croydon South
> 3136 Victoria
> Australia
>
> T: +61 3 9761 5050
> F: +61 3 9761 5051
> E: tom.robin...@motec.com.au
>
>


Re: [CentOS] iptables.service listed as: not-found inactive dead

2016-05-31 Thread Eero Volotinen
By default, Centos 7 uses firewalld.

Eero

2016-05-31 15:57 GMT+03:00 Alexander Farber :

> Hello fellow CentOS users,
>
> on a freshly installed 7.2 machine and after reading
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/chap-Managing_Services_with_systemd.html
>
> I try to enable iptables with following commands:
>
> # cat /etc/centos-release
> CentOS Linux release 7.2.1511 (Core)
>
> # rpm -qa | grep iptables
> iptables-1.4.21-16.el7.x86_64
>
> # sudo systemctl list-units --type service --all | grep iptables
> ● iptables.service   not-found inactive dead
>  iptables.service
>
> # sudo systemctl enable iptables.service
> Failed to execute operation: No such file or directory
>
> What missing file is meant here please?
>
> Thank you
> Alex


Re: [CentOS] /etc/sysconfig/iptables syntax

2016-05-23 Thread Eero Volotinen
well, no. it's a bit different animal..

Eero

2016-05-23 22:24 GMT+03:00 Kenneth Porter <sh...@sewingwitch.com>:

> On 5/22/2016 9:45 PM, Eero Volotinen wrote:
>
>> Firewalld is the preferred way. You should learn it.
>>
>
> Are there any good tools for converting an iptables-save file to a
> Firewalld configuration?
>
>


Re: [CentOS] /etc/sysconfig/iptables syntax

2016-05-22 Thread Eero Volotinen
You need to disable firewalld and install iptables, if you really want to use
the old way:

https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/

Firewalld is the preferred way. You should learn it.

--
Eero

2016-05-23 5:55 GMT+03:00 Mike <1100...@gmail.com>:

> The last two router/firewall servers I had used Slackware and Gentoo.
> I'm used to writing complete and explicit iptables rules; however, when I
> set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
>
> For example, I'm used to stating postrouting masquerade as:
>
> /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j
> MASQUERADE
>
> But when I use the rule above, iptables.service fails upon start and exits.
>
> Through a series of trial and error, I found a correct masquerade
> statement:
>
> *nat
> -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
> COMMIT
>
> This looks similar to output from iptables-save.
>
> Another example:
>
> /usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> [DOES NOT WORK]
>
> *filter
> -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> COMMIT
> [DOES WORK]
>
> After using iptables for a long time, I can't figure out where this syntax
> comes from.
> Can anyone point me in the right direction to understand the proper syntax
> necessary in /etc/sysconfig/iptables?
>
> Thanks for your help.
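
/etc/sysconfig/iptables is loaded with iptables-restore, so it takes the iptables-save format seen in the working snippets above rather than shell command lines. The function below is an added example, not part of the original thread: it rewrites command-style rules into that format, grouped by table. The name `cmds_to_restore` and the sample input are constructed for illustration.

```bash
#!/bin/bash
# Added example: convert "iptables [-t table] ..." command lines into the
# iptables-restore format used by /etc/sysconfig/iptables.
# cmds_to_restore is a hypothetical helper name, not a CentOS tool.
# Limitation: runs of spaces inside quoted arguments are collapsed to one.

cmds_to_restore() {
    awk '
    # Ignore blank lines and shell comments.
    /^[ \t]*(#|$)/ { next }
    {
        # The first word must be iptables, with or without a path.
        prog = $1
        sub(/.*\//, "", prog)
        if (prog != "iptables") {
            printf "line %d: not an iptables command: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
            next
        }
        # Pull out "-t table" (default: filter); the rest is the rule text.
        table = "filter"
        rule = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-t" || $i == "--table") { table = $(++i); continue }
            rule = (rule == "" ? $i : rule " " $i)
        }
        # Remember the order in which tables first appear.
        if (!(table in rules)) order[++n] = table
        rules[table] = rules[table] rule "\n"
    }
    END {
        # Refuse to emit a partial ruleset if any line was rejected.
        if (bad) exit 1
        # One "*table ... COMMIT" section per table, as iptables-save prints.
        for (t = 1; t <= n; t++)
            printf "*%s\n%sCOMMIT\n", order[t], rules[order[t]]
    }'
}

# Constructed sample: the two rules from the thread, written as commands.
sample_rules() {
    cat <<'EOF'
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
EOF
}

sample_rules | cmds_to_restore
```

Check a generated file with `iptables-restore --test < file` before installing it as /etc/sysconfig/iptables.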


Re: [CentOS] Verifing: CentOS 5 cannot resize a *live* root filesystem

2016-05-17 Thread Eero Volotinen
Btrfs supports live shrinking of filesystem.

Eero
On 18.5.2016 at 1.00 AM, "Robert Nichols" wrote:

> On 05/17/2016 02:30 PM, Robert Heller wrote:
>
>> Just want to verify: CentOS 5's FS utilities are too old to safely resize
>> a
>> *live* (mounted, etc.) root file system (and the CentOS 5 installer/rescue
>> system does not include either resize2fs or fsadm utilities).
>>
>
> I don't know of _any_ filesystem that supports live shrinking. Live
> expansion, yes. Live shrinking, no. The C5 install/rescue CD and DVD do
> include resize2fs.
>
>> I'm
>> *hoping* Ubuntu's 32-bit installer can deal with a non-PAE 32-bit system).
>>
>
> Ubuntu is _not_ one of the few distributions that still support non-PAE
> 32-bit. From what I can find, Lubuntu and Xubuntu 12.04 were the last
> versions to support non-PAE. Sorry.
>
> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>


[CentOS] Mod_radius_auth for apache?

2016-04-27 Thread Eero Volotinen
Any package with srpm available for radius auth on apache?

Eero


Re: [CentOS] Free Redhat Linux (rhel) version 7.2

2016-04-12 Thread Eero Volotinen
Dell provides linux laptops and lenovo too..

Eero
On 12.4.2016 at 10.39 PM,  wrote:

> Valeri Galtsev wrote:
> >
> > On Tue, April 12, 2016 1:43 pm, Always Learning wrote:
> > 
> > In US you can buy some laptops without MS Windows OS (read: with Linux,
> > most likely Ubuntu) from some small manufacturers... I believe, one
> 
>
> I *think* you can buy Dell laptops with no o/s.
>
>   mark
>


Re: [CentOS] VPN suggestions centos 6, 7

2016-04-05 Thread Eero Volotinen
Yes, openvpn works on any single udp or tcp port.

In many hotels only http, https and dns are allowed. So you just can't use
ipsec, but openvpn works as it's usually configured to listen on the https port.

--
Eero

2016-04-05 19:30 GMT+03:00 Gordon Messmer <gordon.mess...@gmail.com>:

> On 04/05/2016 12:07 AM, Eero Volotinen wrote:
>
>> IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single
>> udp or tcp port, so it usually works in strictly firewalled places like
>> hotels and so on.
>>
>
> IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of
> NAT.  OpenVPN doesn't really have an advantage, there.
>


Re: [CentOS] VPN suggestions centos 6, 7

2016-04-05 Thread Eero Volotinen
Well. IPSec might work with site-to-site connections, but usually
roadwarrior mode users experience (a lot of) problems.

They might be related to hotels that only allow https, http and dns
protocols or broken nat implementations and so on.



--
Eero

2016-04-05 18:52 GMT+03:00 Dennis Jacobfeuerborn <denni...@conversis.de>:

> How is IPSec "not recommended solution nowadays"?
>
> I tend to use IPSec for site-to-site connections i.e. the ones that run
> 24/7 and only require two experienced people to set up (the admins at
> both endpoints).
> For host-to-site setups I prefer OpenVPN since explaining to endusers
> how to set up an ipsec connection is nigh impossible whereas with
> OpenVPN I can simply tell them to install the software and then unzip an
> archive into a directory and they are done.
>
> Regards,
>   Dennis
>
> On 05.04.2016 09:07, Eero Volotinen wrote:
> > IPSec is not a recommended solution nowadays. OpenVPN runs on top of a
> > single udp or tcp port, so it usually works in strictly firewalled places
> > like hotels and so on.
> >
> > --
> > Eero
> >
> > 2016-04-04 23:18 GMT+03:00 Gordon Messmer <gordon.mess...@gmail.com>:
> >
> >> On 04/04/2016 10:57 AM, david wrote:
> >>
> >>> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and
> >>> probably others I haven't noted).  I'd be interested in hearing from
> >>> anyone who wishes to comment about which to use, with the following
> >>> requirements:
> >>>
> >>
> >> I recommend l2tp/ipsec.  It's supported out of the box on a wide variety
> >> of client platforms, which means significantly less work to set up the
> >> clients.
> >>
> >> OpenVPN is a popular choice, and it's fine for most people.  It's more
> >> work to set up than l2tp/ipsec, typically.  We used it for quite a
> >> while at my previous employer, though ultimately dropped it because the
> >> Windows GUI requires admin rights to run, and we didn't want to continue
> >> giving admin rights to the users we supported.
> >>


Re: [CentOS] VPN suggestions centos 6, 7

2016-04-05 Thread Eero Volotinen
IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single
udp or tcp port, so it usually works in strictly firewalled places like
hotels and so on.

--
Eero

2016-04-04 23:18 GMT+03:00 Gordon Messmer :

> On 04/04/2016 10:57 AM, david wrote:
>
>> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and
>> probably others I haven't noted).  I'd be interested in hearing from anyone
>> who wishes to comment about which to use, with the following requirements:
>>
>
> I recommend l2tp/ipsec.  It's supported out of the box on a wide variety
> of client platforms, which means significantly less work to set up the
> clients.
>
> OpenVPN is a popular choice, and it's fine for most people.  It's more
> work to set up than l2tp/ipsec, typically.  We used it for quite a while at
> my previous employer, though ultimately dropped it because the Windows GUI
> requires admin rights to run, and we didn't want to continue giving admin
> rights to the users we supported.
>


Re: [CentOS] VPN suggestions centos 6, 7

2016-04-04 Thread Eero Volotinen
And openvpn. Avoid ipsec as it's too complex and pptp is insecure.

Eero
On 4.4.2016 at 9.55 PM, "Richard Zimmerman" wrote:

> SoftEther VPN
>
> Once setup, it just works
>
> Regards,
>
> Richard
>
>
> ---
> Richard Zimmerman
> Systems / Network Administrator
> River Bend Hose Specialty, Inc.
>  S Main Street
> South Bend, IN   46601-3337
> (574) 233-1133
> (574) 280-7284 Fax
>
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of david
> Sent: Monday, April 04, 2016 1:57 PM
> To: CentOS mailing list
> Subject: [CentOS] VPN suggestions centos 6, 7
>
> Folks
>
> I would like to have my windows 7 laptop communicate with my home server
> via a VPN, in such a way that it appears to be "inside" my home network.
> It should not only let me appear to be at home for any external query, but
> also let me access my computers inside my home.
>
> I already have this working using M$'s PPTP using my home Centos 6
> gateway/router as the PoPToP server.  However, I am concerned about the
> privacy/security of such a connection.
>
> I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan (and
> probably others I haven't noted).  I'd be interested in hearing from anyone
> who wishes to comment about which to use, with the following requirements:
>
> 1)  As noted, it should be secure (anti NSA?)
> 2)  Works on Centos 6 and Centos 7 and Windows 7 (and for the future,
> Windows 10)
> 3)  Can be set up on the server with command line interfaces only (no GUI)
>
> And, should not be a nightmare to set up.
>
> Any thoughts?
>
> David
>


Re: [CentOS] Free Redhat Linux (rhel) version 7.2

2016-04-04 Thread Eero Volotinen
And (big) commercial vendors/users always prefer RHEL as it is a commercially
supported platform.

--
Eero

2016-04-04 17:25 GMT+03:00 Digimer :

> On 04/04/16 10:06 AM, Valeri Galtsev wrote:
> >
> > On Mon, April 4, 2016 8:53 am, Johnny Hughes wrote:
> >> On 04/04/2016 08:39 AM, Timothy Murphy wrote:
> >>> I read that Redhat was offering their Linux free,
> >>> and downloaded the ISO, though I haven't run it.
> >>>
> >>> What do CentOS users think of Redhat's offer?
> >>>
> >>> The registration with Redhat seemed very bureaucratic to me,
> >>> and I'm not sure if I have carried it out properly.
> >>> Also, I didn't see if it was possible to get updates,
> >>> either with dnf or some other way.
> >>>
> >>> I've been (and am) very pleased with CentOS,
> >>> which I've been running for several years,
> >>> and I don't particularly want to change.
> >>>
> >>> Any views on this?
> >>>
> >>
> >> You need to read the usage license.
> >>
> >> That subscription can only be used in development and not in a
> >> production environment.
> >
> > When I think about it I have a strange feeling. To be (become) a developer
> > of something that you yourself will not be able to use in production...
> > it's akin volunteer to become a slave. Is there anybody who _can_ make a
> > sense of such offer?
> >
> > Valeri
>
> Our company has been in Red Hat's ISV program for ages, and it is very
> helpful. There are differences between how CentOS and RHEL works, so
> being able to test against both makes it much easier for our users
> (community users and paid customers) to choose which system they want. It
> also means that we can be sure those who choose RHEL proper will have no
> problems.
>
> We also use the RHEL installs for demos and trade shows, which is
> important. Like it or not, there is a certain "professionalism" to being
> able to demo your product on RHEL instead of CentOS. Most customers
> insist on RHEL so seeing the product running already on RH is a useful
> sales tool.
>
> In short; The ISV program has been very helpful and benefited both RH
> and our company.
>
> --
> Digimer
> Papers and Projects: https://alteeve.ca/w/
> What if the cure for cancer is trapped in the mind of a person without
> access to education?


Re: [CentOS] Free Redhat Linux (rhel) version 7.2

2016-04-04 Thread Eero Volotinen
Yes, this helps at least "single" developers and people that are training
for rhce / rhcsa exam..

br,
--
Eero

2016-04-04 17:16 GMT+03:00 Mohammed Zeeshan :

> On Mon, Apr 4, 2016 at 7:36 PM, Valeri Galtsev 
> wrote:
>
> >
> > On Mon, April 4, 2016 8:53 am, Johnny Hughes wrote:
> > > On 04/04/2016 08:39 AM, Timothy Murphy wrote:
> > >> I read that Redhat was offering their Linux free,
> > >> and downloaded the ISO, though I haven't run it.
> > >>
> > >> What do CentOS users think of Redhat's offer?
> > >>
> > >> The registration with Redhat seemed very bureaucratic to me,
> > >> and I'm not sure if I have carried it out properly.
> > >> Also, I didn't see if it was possible to get updates,
> > >> either with dnf or some other way.
> > >>
> > >> I've been (and am) very pleased with CentOS,
> > >> which I've been running for several years,
> > >> and I don't particularly want to change.
> > >>
> > >> Any views on this?
> > >>
> > >
> > > You need to read the usage license.
> > >
> > > That subscription can only be used in development and not in a
> > > production environment.
> >
> > When I think about it I have a strange feeling. To be (become) a developer
> > of something that you yourself will not be able to use in production...
> > it's akin volunteer to become a slave. Is there anybody who _can_ make a
> > sense of such offer?
> >
> > Valeri
> >
> > >
> > > If that works for what you want to use it for then it is an awesome move
> > > by Red Hat.
> > >
> > >
> > >
> > >
> >
> >
> > 
> > Valeri Galtsev
> > Sr System Administrator
> > Department of Astronomy and Astrophysics
> > Kavli Institute for Cosmological Physics
> > University of Chicago
> > Phone: 773-702-4247
> > 
> >
>
> Hi,
>
>   As things stand, you can signup for a Red Hat Developer Subscription for
> free to get full access
> to all Red Hat products as a developer. Yes, you cannot deploy Red Hat
> products in production
> with this subscription but anything you develop on it can be put into a
> production system which
> has a valid production grade Red Hat Subscription which has been paid for.
>
> --
> *Mohammed Zeeshan Ahmed, *
> B.E Computer Science Engineering
> Certified IT & Cloud Architect & RHCSA
> +919986458839
> Bengaluru, India
>
> https://mohammedzee1000.wordpress.com/
> 


Re: [CentOS] Free Redhat Linux (rhel) version 7.2

2016-04-04 Thread Eero Volotinen
Yes, but this is still not a (very) big change as redhat partner companies
get rhel licenses for developer / internal use for free.

--
Eero

2016-04-04 16:55 GMT+03:00 Johnny Hughes :

> On 04/04/2016 08:53 AM, Johnny Hughes wrote:
> > On 04/04/2016 08:39 AM, Timothy Murphy wrote:
> >> I read that Redhat was offering their Linux free,
> >> and downloaded the ISO, though I haven't run it.
> >>
> >> What do CentOS users think of Redhat's offer?
> >>
> >> The registration with Redhat seemed very bureaucratic to me,
> >> and I'm not sure if I have carried it out properly.
> >> Also, I didn't see if it was possible to get updates,
> >> either with dnf or some other way.
> >>
> >> I've been (and am) very pleased with CentOS,
> >> which I've been running for several years,
> >> and I don't particularly want to change.
> >>
> >> Any views on this?
> >>
> >
> > You need to read the usage license.
> >
> > That subscription can only be used in development and not in a
> > production environment.
> >
> > If that works for what you want to use it for then it is an awesome move
> > by Red Hat.
>
>
> Here is the link for the download:
>
> http://developers.redhat.com/products/rhel/get-started/
>
>
>
>
>


Re: [CentOS] Free Redhat Linux (rhel) version 7.2

2016-04-04 Thread Eero Volotinen
Yes, they are providing free version only for "developer use".
--
Eero

2016-04-04 16:39 GMT+03:00 Timothy Murphy :

> I read that Redhat was offering their Linux free,
> and downloaded the ISO, though I haven't run it.
>
> What do CentOS users think of Redhat's offer?
>
> The registration with Redhat seemed very bureaucratic to me,
> and I'm not sure if I have carried it out properly.
> Also, I didn't see if it was possible to get updates,
> either with dnf or some other way.
>
> I've been (and am) very pleased with CentOS,
> which I've been running for several years,
> and I don't particularly want to change.
>
> Any views on this?
>
> --
> Timothy Murphy
> gayleard /at/ eircom.net
> School of Mathematics, Trinity College, Dublin
>
>


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
IPSec is very complex with certificates. Try first with PSK authentication
and then with certificates.

--
Eero

2016-04-01 20:21 GMT+03:00 Glenn Pierce <glennpie...@gmail.com>:

> I generated according to the docs . Which produced
> my server.secrets as below
>
> used the command
>
>  ipsec newhostkey --configdir /etc/ipsec.d --output
> /etc/ipsec.d/www.example.com.secrets
>
>
> : RSA   {
> # RSA 3328 bits   ***.**.net   Fri Apr  1 15:39:32 2016
> # for signatures only, UNSAFE FOR ENCRYPTION
>
> #pubkey=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
> Modulus:
>
> 0xecde067a1814494a8cbfe91c6b2ff70cbf4267604291fd26265d4095964045362d83ed526c6b5edf7ef9815232cb0fafd3ef6337d49be53e1912ccafd848fa6887c84db52078203943d961a4b3e85896743865239a8f92c71511687215154008925a0c783a7bc8f5c62b8feac364bff4bed19e2c32622de4d28f70cb7d60a2d831bf2f3675ba440c40211331beaf67d61c0b6d624143711072d52654d296d55da725a759f2afa10f4adcd162555b17674fa9b90087589aa9d4e42d7ac6920903737948239a19b95be915cd0d4d91e0b3e8c7b4890108cc7f9bea0749ae3473830854d594577ed84fe1088800d87d0bdb88d951a3d6d334e6a5e6d8fb3d2998a1a25c9048a9a364d5d4d5107341d7364f4f56b064413c5a6b1fc9379cdd8ca569168f54e58dac31eee468096b47d1490e85ed3890fcd9e0ce421e994d10cedf3b4e43ada46dec5f7da0dd9c62e4470b32c3e77430752f29b70dc6d450a248aefebf7925134cde9814e89271404f93b2e5788720b2e435c7235e6275d9ecb0d6a517fe333bafe08e19041f79f61bbfc7e8931272f9d481d8998fa8e4f4e6cb2f33
> PublicExponent: 0x03
> # everything after this point is CKA_ID in hex format - not
> the real values
> PrivateExponent: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Prime1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Prime2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Exponent1: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Exponent2: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> Coefficient: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> CKAIDNSS: 0x3d2c8bd4f34e4a395a5f57dd3d2211c8cbb82514
> }
> # do not change the indenting of that "}"
>
> On 1 April 2016 at 18:04, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> > You must define connection address and key in ipsec.secrets.
> >
> > --
> > Eero
> >
> >
> > 2016-04-01 19:38 GMT+03:00 Glenn Pierce <glennpie...@gmail.com>:
> >
> >> Just trying to follow the instructions here
> >>
> >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
> >>
> >> I don't think I am doing anything special.
> >>
> >> At the point where there is some communication going on
> >>
> >> Getting this error
> >>
> >> packet from *:1024: received Vendor ID payload [Cisco-Unity]
> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
> >> ***:1024: received Vendor ID payload [Dead Peer Detection]
> >> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
> >> :1024: initial Main Mode message received on :500 but no
> >> connection has been authorized with policy RSASIG+IKEV1_ALLOW
> >>
> >> The errors are so vague.
> >> Not sure what the problem is now
> >>
> >>
> >>
> >> My conf
> >>
> >>
> >>
> >> conn tunnel
> >> #phase2alg=aes256-sha1;modp1024
> >> keyexchange=ike
> >> #ike=aes256-sha1;modp1024
> >> left=192.168.1.122
> >> leftnexthop=81.129.247.152   # My ISP assigned external ip address (I am testing at home)
> >>
> >>
> leftrsasigkey=0sAQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5C

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
You must define connection address and key in ipsec.secrets.

--
Eero


2016-04-01 19:38 GMT+03:00 Glenn Pierce <glennpie...@gmail.com>:

> Just trying to follow the instructions here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
>
> I don't think I am doing anything special.
>
> At the point where there is some communication going on
>
> Getting this error
>
> packet from *:1024: received Vendor ID payload [Cisco-Unity]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from
> ***:1024: received Vendor ID payload [Dead Peer Detection]
> Apr 01 17:33:44 carneab4.memset.net pluto[15986]: packet from ***
> :1024: initial Main Mode message received on :500 but no
> connection has been authorized with policy RSASIG+IKEV1_ALLOW
>
> The errors are so vague.
> Not sure what the problem is now
>
>
>
> My conf
>
>
>
> conn tunnel
> #phase2alg=aes256-sha1;modp1024
> keyexchange=ike
> #ike=aes256-sha1;modp1024
> left=192.168.1.122
> leftnexthop=81.129.247.152   # My ISP assigned external ip address (I am testing at home)
>
> leftrsasigkey=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
> right=89.200.134.211
>
> rightrsasigkey=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
> authby=secret|rsasig
> # load and initiate automatically
> auto=start
>
> conn site1
> also=tunnel
> leftsubnet=10.0.128.0/22
> rightsubnet=192.168.1.222/32
>
> conn site2
> also=tunnel
>
>
>
>
>
>
>
>
> On 1 April 2016 at 15:58, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> > So you are using pkcs12 on centos:
> >
> > https://www.sslshopper.com/article-most-common-openssl-commands.html
> > --
> > Eero
> >
> > 2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpie...@gmail.com>:
> >
> >> Sorry but I have looked for over two days. Trying every command I could
> >> find.
> >>
> >> There is obviously a misunderstanding somewhere.
> >>
> >> After generating a key pair with
> >> ipsec newhostkey --configdir /etc/ipsec.d --output
> /etc/ipsec.d/my.secrets
> >>
> >> I exported to a file with
> >> ipsec showhostkey --ipseckey > file
> >>
> >> The man pages says
> >> ipsec showhostkey outputs in ipsec.conf(5) format,
> >>
> >> Ie
> >>
> >>
> >> ***.server.net.    IN    IPSECKEY  10 0 2 .
> >>
> >>
> 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
> >>
> >>
> >> Is this the format openssl is meant to be able to convert? Or is there
> >> an intermediate step I am missing, as like I said no command I found
> >> seems to work.
> >>
> >>
> >> On 1 April 2016 at 14:35, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> >> > It works, try googling for openssl pem conversion
> >> > 1.4.2016 4.32 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >> >
> >> >> I have tried
> >> >> openssl rsa -in bicester_le

Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
So you are using pkcs12 on centos:

https://www.sslshopper.com/article-most-common-openssl-commands.html
--
Eero

2016-04-01 17:44 GMT+03:00 Glenn Pierce <glennpie...@gmail.com>:

> Sorry but I have looked for over two days. Trying every command I could
> find.
>
> There is obviously a misunderstanding somewhere.
>
> After generating a key pair with
> ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/my.secrets
>
> I exported to a file with
> ipsec showhostkey --ipseckey > file
>
> The man pages says
> ipsec showhostkey outputs in ipsec.conf(5) format,
>
> Ie
>
>
> ***.server.net.    IN    IPSECKEY  10 0 2 .
>
> AQPs3gZ6GBRJSoy/6RxrL/cMv0JnYEKR/SYmXUCVlkBFNi2D7VJsa17ffvmBUjLLD6/T72M31JvlPhkSzK/YSPpoh8hNtSB4IDlD2WGks+hYlnQ4ZSOaj5LHFRFochUVQAiSWgx4OnvI9cYrj+rDZL/0vtGeLDJiLeTSj3DLfWCi2DG/LzZ1ukQMQCETMb6vZ9YcC21iQUNxEHLVJlTSltVdpyWnWfKvoQ9K3NFiVVsXZ0+puQCHWJqp1OQtesaSCQNzeUgjmhm5W+kVzQ1NkeCz6Me0iQEIzH+b6gdJrjRzgwhU1ZRXfthP4QiIANh9C9uI2VGj1tM05qXm2Ps9KZiholyQSKmjZNXU1RBzQdc2T09WsGRBPFprH8k3nN2MpWkWj1Tljawx7uRoCWtH0UkOhe04kPzZ4M5CHplNEM7fO05DraRt7F99oN2cYuRHCzLD53QwdS8ptw3G1FCiSK7+v3klE0zemBToknFAT5Oy5XiHILLkNccjXmJ12eyw1qUX/jM7r+COGQQfefYbv8fokxJy+dSB2JmPqOT05ssvMw==
>
>
> Is this the format openssl is meant to be able to convert? Or is there
> an intermediate step I am missing, as like I said no command I found
> seems to work.
>
>
> On 1 April 2016 at 14:35, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> > It works, try googling for openssl pem conversion
> > 1.4.2016 4.32 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >
> >> I have tried
> >> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
> >>
> >> I get
> >> unable to load Private Key
> >> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> >> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
> >>
> >>
> >>
> >> On 1 April 2016 at 13:59, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> >> > You can do any kind of format conversions with openssl commandline
> >> client.
> >> >
> >> > Eero
> >> > 1.4.2016 3.56 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >> >
> >> >> Hi I am trying to setup a libreswan vpn between centos 7 and a
> Mikrotik
> >> >> router.
> >> >>
> >> >> I am trying to get the keys working. My problem is the Mikrotik router
> >> >> wants the key in PEM format
> >> >>
> >> >> How do I export the keys generated with ipsec newhostkey
> >> >> into PEM format ?
> >> >>
> >> >>
> >> >> Thanks
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
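
The blob printed by `ipsec showhostkey` (and used after `0s` in `leftrsasigkey=`) is an RFC 3110 RSA public key: an exponent length, the exponent, then the modulus, base64-encoded. It is not PEM, so openssl finds no PEM start line in it. The following is an added example, not code from the thread or from the Libreswan project, that re-encodes such a blob as a PEM public key with the Python standard library only; the function names and the toy-sized sample key are constructed for illustration.

```python
"""Re-encode an RFC 3110 RSA public key as a PEM "PUBLIC KEY" block."""
import base64

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1), NULL parameters.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# Constructed toy key for illustration only: exponent 3, 64-bit modulus.
SAMPLE_KEY = "0sAQPBAgMEBQYHCA=="


def parse_rfc3110(blob):
    """Return (public_exponent, modulus) from a base64 RFC 3110 key.

    Accepts the value with or without the leading '0s' marker and ignores
    whitespace, so a line-wrapped key pasted from an e-mail still parses.
    """
    text = "".join(blob.split())
    if text.startswith("0s"):            # marker meaning "base64 follows"
        text = text[2:]
    raw = base64.b64decode(text, validate=True)
    if not raw:
        raise ValueError("empty key")
    exp_len, offset = raw[0], 1
    if exp_len == 0:                     # long form: two-byte exponent length
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[offset:offset + exp_len]
    modulus = raw[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def _der(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def _der_int(value):
    """DER INTEGER for a non-negative value (adds a 0x00 pad if the top bit is set)."""
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def spki_der(exponent, modulus):
    """SubjectPublicKeyInfo wrapping RSAPublicKey ::= SEQUENCE { n, e }."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))


def to_pem(blob):
    """Convert an RFC 3110 blob to a PEM public key string."""
    b64 = base64.b64encode(spki_der(*parse_rfc3110(blob))).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")


if __name__ == "__main__":
    print(to_pem(SAMPLE_KEY), end="")
```

Only the public half is converted. As the secrets file quoted in this thread states, the private fields it lists are CKA_ID references rather than real key values.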


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
It works, try googling for openssl pem conversion
1.4.2016 4.32 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:

> I have tried
> openssl rsa -in bicester_left.pub -outform pem > bicester_left.pem
>
> I get
> unable to load Private Key
> 140372295030648:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
>
>
>
> On 1 April 2016 at 13:59, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> > You can do any kind of format conversions with openssl commandline
> client.
> >
> > Eero
> > 1.4.2016 3.56 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >
> >> Hi I am trying to setup a libreswan vpn between centos 7 and a Mikrotik
> >> router.
> >>
> >> I am trying to get the keys working. My problem is the Mikrotik router
> >> wants the key in PEM format
> >>
> >> How do I export the keys generated with ipsec newhostkey
> >> into PEM format ?
> >>
> >>
> >> Thanks


Re: [CentOS] Libreswan PEM format

2016-04-01 Thread Eero Volotinen
You can do any kind of format conversions with openssl commandline client.

Eero
1.4.2016 3.56 PM "Glenn Pierce"  wrote:

> Hi I am trying to setup a libreswan vpn between centos 7 and a Mikrotik
> router.
>
> I am trying to get the keys working. My problem is the Mikrotik router
> wants the key in PEM format
>
> How do I export the keys generated with ipsec newhostkey
> into PEM format ?
>
>
> Thanks


Re: [CentOS] www.centos.org/forums/

2016-03-25 Thread Eero Volotinen
> @Eero: IMHO you are missing some points here. There are more and more
> browsers that are unable to use SSL{2,3} as well as TLS1.0, not just
> disabled via config, but this decision was made at compile time.
> Newer Android and Apple-iOS devices for example.
>
>
This is not true. It works fine with latest android and ios. I just tested
it.


> And the point is not that the site supports TLS1.0, but that it does
> not support TLS1.1 and/or TLS 1.2, and as such is incassessible
> to devices that ask for TLS1.1 as minimum for HTTPS.
>
> But that is for the admins/webmasters of the servers to resolve.


Many sites are still using centos 5 and clones and cannot support tls 1.2
and tls 1.1 without upgrade.

--
Eero


Re: [CentOS] www.centos.org/forums/

2016-03-25 Thread Eero Volotinen
Stop paranoia? Tlsv1.0 is not recommended when storing credit card data.

Eero
Hi List,

Does anyone know why the above URL is still using TLS V1.0.

I can't connect to it unless I enable TLS V1.0 which I was under the
impression that it should not be used
anymore.

Thanks for any enlightenment.

Steve
-- 



Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
Anyway, they both use compatible config files?

Eero
22.3.2016 12.23 AM "Leon Fauster"  wrote:

> On 21.03.2016 at 18:17, Mike - st257 wrote:
> > I second Eero's comment, use a new IPSec daemon.
> >
> > Openswan was forked and became Libreswan. Paul, now a RH employee, was a
> > main developer for the Openswan project before he and others created the
> > Libreswan fork.
> > https://libreswan.org/
> >
> > EL6 has Openswan
> > EL7 has Libreswan
> >
> > Racoon isn't all that fun to work with.
> > If you have the option, ditch it and EL5 and move to a newer platform
> > (preferably EL7 with Libreswan)
>
>
> Libreswan will be in the next EL6 release ...
>
> --
> LF
>
>
>


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
err. upgrades?

You mean reinstall? As upgrading between major releases is not supported
in any way on centos / rhel and clones..

--
Eero

2016-03-21 20:33 GMT+02:00 <m.r...@5-cent.us>:

> Glenn Pierce wrote:
> > I asked about upgrading once and got no reply. Does anyone have
> experience
> > of having a hosted centos upgraded on a virtual server. Would you usually
> > have to pay for a transition instance ?
> >
> I pay for my own hosting (5-cent.us) at hostmonster. They've done
> upgrades, and they announced it to *me*, and no, I didn't pay anything.
> And I'm just a "consumer grade" - something like $6US/month.
>
> I would expect *far* more for commercial hosting.
>
>   mark
>
> > -Original Message-
> > From: "Eero Volotinen" <eero.voloti...@iki.fi>
> > Sent: 21/03/2016 18:11
> > To: "CentOS mailing list" <centos@centos.org>
> > Subject: Re: [CentOS] IPSec multiple VPN setups
> >
> > Memset.com ? In real world, rhel 5/centos 5 gets only critical security
> > patches.
> >
> > Eero
> > 21.3.2016 7.54 PM <m.r...@5-cent.us> wrote:
> >
> >> Glenn Pierce wrote:
> >> > Will ask my boss :) We are hosted on memset so not so easy to update
> >> >
> >> > Thanks
> >>
> >> Um, wait a minute: you're hosted? And they haven't pushed you to 6 years
> >> ago? They haven't sent warnings that 5 was hitting eol?
> >>
> >> Who are they, please? I want to make sure that if someone asks me about
> >> hosting, I can add that to places they should avoid.
> >>
> >> mark
> >>


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
Memset.com ? In real world, rhel 5/centos 5 gets only critical security
patches.

Eero
21.3.2016 7.54 PM  wrote:

> Glenn Pierce wrote:
> > Will ask my boss :) We are hosted on memset so not so easy to update
> >
> > Thanks
>
> Um, wait a minute: you're hosted? And they haven't pushed you to 6 years
> ago? They haven't sent warnings that 5 was hitting eol?
>
> Who are they, please? I want to make sure that if someone asks me about
> hosting, I can add that to places they should avoid.
>
> mark
>


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
Err. Sounds like security nightmare.
21.3.2016 7.47 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:

> Will ask my boss :) We are hosted on memset so not so easy to update
>
> Thanks
>
> On 21 March 2016 at 17:36, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> > Centos 5 is still soon end of life. Using it as ipsec gateway is ..
> >
> > Eero
> > 21.3.2016 7.25 PM "Mike - st257" <silvertip...@gmail.com> wrote:
> >
> >> On Mon, Mar 21, 2016 at 1:17 PM, Mike - st257 <silvertip...@gmail.com>
> >> wrote:
> >>
> >> > I second Eero's comment, use a new IPSec daemon.
> >> >
> >> > Openswan was forked and became Libreswan. Paul, now a RH employee,
> was a
> >> > main developer for the Openswan project before he and others created
> the
> >> > Libreswan fork.
> >> > https://libreswan.org/
> >> >
> >> > EL6 has Openswan
> >> > EL7 has Libreswan
> >> >
> >> > Racoon isn't all that fun to work with.
> >> > If you have the option, ditch it and EL5 and move to a newer platform
> >> > (preferably EL7 with Libreswan).
> >> >
> >>
> >> There's an RPM spec file (though I've not used it) for building Openswan
> >> for EL5.
> >> https://github.com/xelerance/Openswan/tree/master/packaging/centos5
> >>
> >> Additionally, here's some info but I advise against the Racoon IPSec
> >> daemon.
> >>
> >>
> https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-racoon-conf.html
> >> https://wiki.debian.org/IPsec
> >>
> >>
> >> >
> >> >
> >> > On Mon, Mar 21, 2016 at 1:08 PM, Eero Volotinen <
> eero.voloti...@iki.fi>
> >> > wrote:
> >> >
> >> >> Yes you can. Please use newer version of centos and strong/openswan.
> >> >>
> >> >> Eero
> >> >> 21.3.2016 7.05 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >> >>
> >> >> > Hi I hope someone can answer something I'm sure is quite basic.
> >> >> >
> >> >> > I am following the instructions at
> >> >> >
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
> >> >> > On setting up a VPN
> >> >> >
> >> >> > The part I am having trouble with is when it shows the
> >> >> > /etc/racoon/racoon.conf file.
> >> >> > But it doesn't say what you have to do with this file.
> >> >> >
> >> >> > When I bring up my connection
> >> >> >
> >> >> > ifup bicester
> >> >> >
> >> >> > I get
> >> >> > RTNETLINK answers: No such device
> >> >> >
> >> >> > looking at /var/messages I see
> >> >> >
> >> >> > ERROR: failed to bind to address 127.0.0.1[500] (Address already in
> >> >> use).
> >> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address
> *.*.*.*[500]
> >> >> > (Address already in use).
> >> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address
> *.*.*.*[500]
> >> >> > (Address already in use).
> >> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address
> *.*.*.*[500]
> >> >> > (Address already in use).
> >> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address ::1[500]
> >> >> > (Address already in use).
> >> >> > Mar 21 17:01:05  racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500]
> >> >> > used as isakmp port (fd=25)
> >> >> >
> >> >> > There was an existing setup done long ago.
> >> >> >
> >> >> > How can I setup more than one vpn connection (manually as this is a
> >> >> > headless server)
> >> >> > or is that not possible ?
> >> >> >
> >> >> > Thanks for any pointers
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > ---~~.~~---
> >> > Mike
> >> > //  SilverTip257  //
> >> >
> >>
> >>
> >>
> >> --
> >> ---~~.~~---
> >> Mike
> >> //  SilverTip257  //


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
Centos 5 is still soon end of life. Using it as ipsec gateway is ..

Eero
21.3.2016 7.25 PM "Mike - st257" <silvertip...@gmail.com> wrote:

> On Mon, Mar 21, 2016 at 1:17 PM, Mike - st257 <silvertip...@gmail.com>
> wrote:
>
> > I second Eero's comment, use a new IPSec daemon.
> >
> > Openswan was forked and became Libreswan. Paul, now a RH employee, was a
> > main developer for the Openswan project before he and others created the
> > Libreswan fork.
> > https://libreswan.org/
> >
> > EL6 has Openswan
> > EL7 has Libreswan
> >
> > Racoon isn't all that fun to work with.
> > If you have the option, ditch it and EL5 and move to a newer platform
> > (preferably EL7 with Libreswan).
> >
>
> There's an RPM spec file (though I've not used it) for building Openswan
> for EL5.
> https://github.com/xelerance/Openswan/tree/master/packaging/centos5
>
> Additionally, here's some info but I advise against the Racoon IPSec
> daemon.
>
> https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-racoon-conf.html
> https://wiki.debian.org/IPsec
>
>
> >
> >
> > On Mon, Mar 21, 2016 at 1:08 PM, Eero Volotinen <eero.voloti...@iki.fi>
> > wrote:
> >
> >> Yes you can. Please use newer version of centos and strong/openswan.
> >>
> >> Eero
> >> 21.3.2016 7.05 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >>
> >> > Hi I hope someone can answer something I'm sure is quite basic.
> >> >
> >> > I am following the instructions at
> >> > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
> >> > On setting up a VPN
> >> >
> >> > The part I am having trouble with is when it shows the
> >> > /etc/racoon/racoon.conf file.
> >> > But it doesn't say what you have to do with this file.
> >> >
> >> > When I bring up my connection
> >> >
> >> > ifup bicester
> >> >
> >> > I get
> >> > RTNETLINK answers: No such device
> >> >
> >> > looking at /var/messages I see
> >> >
> >> > ERROR: failed to bind to address 127.0.0.1[500] (Address already in
> >> use).
> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> >> > (Address already in use).
> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> >> > (Address already in use).
> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> >> > (Address already in use).
> >> > Mar 21 17:01:05  racoon: ERROR: failed to bind to address ::1[500]
> >> > (Address already in use).
> >> > Mar 21 17:01:05  racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500]
> >> > used as isakmp port (fd=25)
> >> >
> >> > There was an existing setup done long ago.
> >> >
> >> > How can I setup more than one vpn connection (manually as this is a
> >> > headless server)
> >> > or is that not possible ?
> >> >
> >> > Thanks for any pointers
> >>
> >
> >
> >
> > --
> > ---~~.~~---
> > Mike
> > //  SilverTip257  //
> >
>
>
>
> --
> ---~~.~~---
> Mike
> //  SilverTip257  //


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
And centos 5 is really soon end of life.

Eero
21.3.2016 7.18 PM "Mike - st257" <silvertip...@gmail.com> wrote:

> I second Eero's comment, use a new IPSec daemon.
>
> Openswan was forked and became Libreswan. Paul, now a RH employee, was a
> main developer for the Openswan project before he and others created the
> Libreswan fork.
> https://libreswan.org/
>
> EL6 has Openswan
> EL7 has Libreswan
>
> Racoon isn't all that fun to work with.
> If you have the option, ditch it and EL5 and move to a newer platform
> (preferably EL7 with Libreswan).
>
>
> On Mon, Mar 21, 2016 at 1:08 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > Yes you can. Please use newer version of centos and strong/openswan.
> >
> > Eero
> > 21.3.2016 7.05 PM "Glenn Pierce" <glennpie...@gmail.com> wrote:
> >
> > > Hi I hope someone can answer something I'm sure is quite basic.
> > >
> > > I am following the instructions at
> > > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
> > > On setting up a VPN
> > >
> > > The part I am having trouble with is when it shows the
> > > /etc/racoon/racoon.conf file.
> > > But it doesn't say what you have to do with this file.
> > >
> > > When I bring up my connection
> > >
> > > ifup bicester
> > >
> > > I get
> > > RTNETLINK answers: No such device
> > >
> > > looking at /var/messages I see
> > >
> > > ERROR: failed to bind to address 127.0.0.1[500] (Address already in
> use).
> > > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> > > (Address already in use).
> > > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> > > (Address already in use).
> > > Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> > > (Address already in use).
> > > Mar 21 17:01:05  racoon: ERROR: failed to bind to address ::1[500]
> > > (Address already in use).
> > > Mar 21 17:01:05  racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500]
> > > used as isakmp port (fd=25)
> > >
> > > There was an existing setup done long ago.
> > >
> > > How can I setup more than one vpn connection (manually as this is a
> > > headless server)
> > > or is that not possible ?
> > >
> > > Thanks for any pointers
> >
>
>
>
> --
> ---~~.~~---
> Mike
> //  SilverTip257  //


Re: [CentOS] IPSec multiple VPN setups

2016-03-21 Thread Eero Volotinen
Yes you can. Please use newer version of centos and strong/openswan.

Eero
21.3.2016 7.05 PM "Glenn Pierce"  wrote:

> Hi I hope someone can answer something I'm sure is quite basic.
>
> I am following the instructions at
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
> On setting up a VPN
>
> The part I am having trouble with is when it shows the
> /etc/racoon/racoon.conf file.
> But it doesn't say what you have to do with this file.
>
> When I bring up my connection
>
> ifup bicester
>
> I get
> RTNETLINK answers: No such device
>
> looking at /var/messages I see
>
> ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
> Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> (Address already in use).
> Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> (Address already in use).
> Mar 21 17:01:05  racoon: ERROR: failed to bind to address *.*.*.*[500]
> (Address already in use).
> Mar 21 17:01:05  racoon: ERROR: failed to bind to address ::1[500]
> (Address already in use).
> Mar 21 17:01:05  racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500]
> used as isakmp port (fd=25)
>
> There was an existing setup done long ago.
>
> How can I setup more than one vpn connection (manually as this is a
> headless server)
> or is that not possible ?
>
> Thanks for any pointers


Re: [CentOS] NetworkManager default route

2016-03-19 Thread Eero Volotinen
How about disabling network manager and using the static ip addresses?

Eero
17.3.2016 9.05 PM "Sander Kuusemets"  wrote:

> Hello,
>
> Why is it so, that NetworkManager allows, and in several cases I've had,
> defaults to setting default route to several interfaces at the same time?
>
> Had my fair share of problems with how 172.17.62.something interface tries
> to ask for a DHCP lease from 193.something network. I know I could set
> never-default to the interfaces, but I shouldn't have to do it to every
> machine I had.
>
> Especially bad was the situation when I had two VLANs and a normal
> ethernet interface, and dhclient tried to ask a lease for the ethernet over
> the VLAN.
>
> Best regards,
>
> --
> Sander Kuusemets
> University of Tartu, High Performance Computing, IT Specialist
>
>


Re: [CentOS] Openswan <-> VyOS

2016-02-17 Thread Eero Volotinen
Maybe the other end is not supporting needed ciphers? Try other selections?

Eero

2016-02-17 16:38 GMT+02:00 John Cenile :

> Hello,
>
>
> I'm having a bit of trouble connecting our current CentOS Openswan server
> with a Vyos server via IPSec.
>
> I've posted this on the VyOS forums, but haven't had many helpful
> responses, so I thought I would ask here.
>
> http://forum.vyos.net/showthread.php?tid=26504=29703#pid29703
>
> Basically our Openswan configuration is as follows:
>
> conn VYOS
> keyingtries=0
> keylife=20m
> ikelifetime=2h
> left=
> right=
> leftsubnets={10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24}
> rightsubnets={10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24}
> auto=start
> authby=secret
> dpddelay=30
> dpdtimeout=120
> dpdaction=hold
> phase2alg=aes256-sha1;modp1536
> phase2=esp
> ike=aes256-sha1;modp1536
>
> Our VyOS configuration is posted in the above forum post, except now I have
> followed their advice and created 20 tunnels (each subnet to each subnet,
> if that makes sense).
>
> However, when I enabled this, I got the following errors on the Openswan
> server:
>
>
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: next payload type of
> ISAKMP Hash Payload has an unknown value: 243
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: malformed payload in
> packet
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/3x3" #70: sending notification
> PAYLOAD_MALFORMED to :500
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/4x4" #69: next payload type of
> ISAKMP Hash Payload has an unknown value: 170
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/4x4" #69: malformed payload in
> packet
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/5x4" #68: next payload type of
> ISAKMP Hash Payload has an unknown value: 63
> Feb 18 01:24:27 OPENSWAN pluto[8010]: "VYOS/5x4" #68: malformed payload in
> packet
>
>
> And on our VyOS server we got the following errors:
>
> Feb 18 01:17:19 VYOS pluto[20807]: "peer--tunnel-20" #381:
> sending encrypted notification INVALID_ID_INFORMATION to :500
> Feb 18 01:17:19 VYOS pluto[20807]: "peer--tunnel-20" #381:
> cannot respond to IPsec SA request because no connection is known for
> 10.1.1.0/24===[]...[]===
> 10.2.3.0/24
> Feb 18 01:17:19 VYOS pluto[20807]: "peer--tunnel-20" #381:
> sending encrypted notification INVALID_ID_INFORMATION to :500
> Feb 18 01:17:23 VYOS pluto[20807]: "peer--tunnel-11" #422:
> cannot install eroute -- it is in use for "peer--tunnel-3"
> #403
> Feb 18 01:17:23 VYOS pluto[20807]: "peer--tunnel-16" #421:
> cannot install eroute -- it is in use for "peer--tunnel-4"
> #395
> Feb 18 01:17:23 VYOS pluto[20807]: "peer--tunnel-20" #420:
> cannot install eroute -- it is in use for "peer--tunnel-5"
> #417
> Feb 18 01:17:23 VYOS pluto[20807]: "peer--tunnel-20" #381:
> Informational Exchange message must be encrypted
> Feb 18 01:17:24 VYOS pluto[20807]: "peer--tunnel-20" #381:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x14702d90 (perhaps this is a duplicated packet)
> Feb 18 01:17:24 VYOS pluto[20807]: "peer--tunnel-20" #381:
> sending encrypted notification INVALID_MESSAGE_ID to :500
>
> Does anyone have any idea what I might be doing wrong? I've tried doing
> only 5 tunnels, however then some subnets couldn't reach certain subnets
> (as I said in the VyOS forum thread), and now I've tried each subnet to
> each subnet.
>
> I can't find much (any) information on it, but does Openswan support VTI
> interfaces? Would that solve my problem?
>
> Thanks in advance.
>
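
Openswan instantiates one tunnel per leftsubnets/rightsubnets pair and names it conn/LxR, which is where names such as "VYOS/3x3" in the log above come from. The following is an added example (not from the thread or from Openswan): it expands the posted subnet lists, maps a "no connection is known for" rejection back to the instance name, and lists pairs the peer does not define. The peer tunnel list and the unwrapped log lines are constructed for illustration, and all function names are hypothetical.

```python
import ipaddress
import itertools
import re

# Subnet lists as posted in the conn VYOS section above.
LEFTSUBNETS = "{10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24}"
RIGHTSUBNETS = "{10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24}"

# Constructed peer configuration as (local, remote) prefixes: every pair
# except 10.1.1.0/24 <-> 10.2.3.0/24, plus one tunnel Openswan never proposes.
SAMPLE_PEER_TUNNELS = [
    ("10.2.%d.0/24" % r, "10.1.%d.0/24" % l)
    for l in range(1, 6) for r in range(1, 5) if (l, r) != (1, 3)
] + [("10.2.5.0/24", "10.1.1.0/24")]

# Constructed log lines: the wrapped VyOS messages from the post, unwrapped.
SAMPLE_LOG = [
    'Feb 18 01:17:19 VYOS pluto[20807]: "peer--tunnel-20" #381: cannot respond '
    'to IPsec SA request because no connection is known for '
    '10.1.1.0/24===[]...[]===10.2.3.0/24',
    'Feb 18 01:17:19 VYOS pluto[20807]: "peer--tunnel-20" #381: sending '
    'encrypted notification INVALID_ID_INFORMATION to :500',
]

NO_CONN_RE = re.compile(
    r"no connection is known for\s+(\d[\d.]*/\d+)===.*===\s*(\d[\d.]*/\d+)")


def parse_subnets(value):
    """Turn '{10.1.1.0/24,10.1.2.0/24}' into networks, keeping config order."""
    items = re.split(r"[,\s]+", value.strip().strip("{}"))
    return [ipaddress.ip_network(item) for item in items if item]


def expand_conn(name, leftsubnets, rightsubnets):
    """Map each instance name ('VYOS/1x3') to its (left, right) subnet pair.

    Indices are 1-based, matching the instance names in the pluto logs.
    """
    instances = {}
    for (li, left), (ri, right) in itertools.product(
            enumerate(parse_subnets(leftsubnets), 1),
            enumerate(parse_subnets(rightsubnets), 1)):
        instances["%s/%dx%d" % (name, li, ri)] = (left, right)
    return instances


def rejected_pairs(log_lines):
    """Collect subnet pairs named in 'no connection is known for' messages."""
    pairs = set()
    for line in log_lines:
        match = NO_CONN_RE.search(line)
        if match:
            pairs.add(frozenset(ipaddress.ip_network(g) for g in match.groups()))
    return pairs


def audit(instances, peer_tunnels, log_lines):
    """Compare our instances with the peer's tunnels; pairs are unordered
    because each side lists its own subnet first."""
    peer = {frozenset((ipaddress.ip_network(a), ipaddress.ip_network(b)))
            for a, b in peer_tunnels}
    ours = {frozenset(pair) for pair in instances.values()}
    rejected = rejected_pairs(log_lines)
    return {
        "missing_on_peer": [n for n, p in instances.items()
                            if frozenset(p) not in peer],
        "rejected_in_log": [n for n, p in instances.items()
                            if frozenset(p) in rejected],
        "peer_only": sorted(tuple(sorted(str(net) for net in p))
                            for p in peer - ours),
    }


if __name__ == "__main__":
    conns = expand_conn("VYOS", LEFTSUBNETS, RIGHTSUBNETS)
    print(len(conns), "instances")
    for key, value in audit(conns, SAMPLE_PEER_TUNNELS, SAMPLE_LOG).items():
        print(key, value)
```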


Re: [CentOS] OpenSwan Drop Out Issue

2016-02-09 Thread Eero Volotinen
Try setting lower keyexpiry time on other endpoint.

--
Eero

2016-02-09 17:04 GMT+02:00 John Cenile :

> Hello,
>
> I'm cross posting this from the OpenSwan mailing list, in case someone here
> can help.
>
> We have two sites connected via OpenSwan 2.6.32-9 on CentOS 5, sharing 6
> /24 subnets each (so 12 in total).
>
> The problem we're having is completely randomly, be it in the middle of the
> day, or in the middle of the night (so I don't believe it's traffic
> related), certain (and sometimes all) routes will drop. They usually
> recover after a few minutes, but it's still long enough for our monitoring
> to detect downtime.
>
> The configuration we have on each device is:
>
> conn site-a
> keyingtries=0
> keylife=1h
> ikelifetime=8h
> left=1.1.1.1
> right=2.2.2.2
> leftsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24}
> rightsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24}
> pfs=yes
> auto=start
> authby=secret
> dpddelay=30
> dpdtimeout=120
> dpdaction=hold
> phase2alg=aes256-sha1;modp1536
> phase2=esp
> ike=aes256-sha1;modp1536
>
> It's mirrored exactly the same on the other side.
>
> I have tried changing the dead peer detection timeout to something high (5
> minutes), and removing it completely (which I believe defaults it to 30
> seconds), neither of which made any difference.
>
> I can't see any very obvious errors in the logs, however the most recent
> drop out produced the following message around the same time:
>
> Feb 10 00:53:09 site-b-vpn pluto[30584]: "site-a/5x5" #39: max number of
> retransmissions (2) reached STATE_QUICK_I1
> Feb 10 00:53:09 site-b-vpn pluto[30584]: "site-a/5x5" #39: starting keying
> attempt 2 of an unlimited number
> Feb 10 00:53:09 site-b-vpn pluto[30584]: "site-a/5x5" #95: initiating Quick
> Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #39 {using
> isakmp#52 msgid:119495de proposal=AES(12)_256-SHA1(2)_160
> pfsgroup=OAKLEY_GROUP_MODP1536}
>
> and also
>
> Feb 10 00:52:25 site-a-vpn pluto[2414]: "site-b/6x6" #1: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0xde58eea3) not found (maybe expired)
> Feb 10 00:52:25 site-a-vpn pluto[2414]: "site-b/6x6" #1: received and
> ignored informational message
> Feb 10 00:52:25 site-a-vpn pluto[2414]: "site-b/6x6" #1: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0xa5298d7d) not found (maybe expired)
> Feb 10 00:52:25 site-a-vpn pluto[2414]: "site-b/6x6" #1: received and
> ignored informational message
>
> Before we move to another solution, does anyone have any suggestions on
> what the problem might be? Running a constant ping between the two hosts
> doesn't drop *any* packets (even when the IPSec connection itself drops
> out).
>
> Thanks in advance.


Re: [CentOS] OpenSwan Drop Out Issue

2016-02-09 Thread Eero Volotinen
Well. Centos 5 is really near its end of life. There are not many
updates to kernel or openswan. You should at least try the latest openswan
version.

Your issue looks a bit like a network problem.

--
Eero

2016-02-10 8:34 GMT+02:00 John Cenile <jcenile1...@gmail.com>:

> So lowering the keylife / ikelifetime didn't solve the problem. I've
> enabled debugging and I'll see what it says.
>
> Unfortunately we can't (easily) upgrade CentOS, do you believe that would
> make a huge difference though? Are the newer versions of OpenSwan *that*
> much more reliable?
>
> On 10 February 2016 at 04:58, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > Centos 5 is also a bit old os. Is it possible to use newer version? (like
> > centos 7 or centos 6?)
> >
> > Eero
> >
> > 2016-02-09 19:52 GMT+02:00 Gordon Messmer <gordon.mess...@gmail.com>:
> >
> > > On 02/09/2016 07:04 AM, John Cenile wrote:
> > >
> > >> does anyone have any suggestions on what the problem might be?
> > >>
> > >
> > > Not off the top of my head, but if I were you, I'd enable debugging of
> > > "control" and "dpd".  See man ipsec.conf (/plutodebug) and man ipsec_pluto.
> > >


Re: [CentOS] OpenSwan Drop Out Issue

2016-02-09 Thread Eero Volotinen
Centos 5 is also a bit old os. Is it possible to use newer version? (like
centos 7 or centos 6?)

Eero

2016-02-09 19:52 GMT+02:00 Gordon Messmer :

> On 02/09/2016 07:04 AM, John Cenile wrote:
>
>> does anyone have any suggestions on what the problem might be?
>>
>
> Not off the top of my head, but if I were you, I'd enable debugging of
> "control" and "dpd".  See man ipsec.conf (/plutodebug) and man ipsec_pluto.
>


Re: [CentOS] Squid as interception HTTPS proxy under CentOS 7

2016-02-04 Thread Eero Volotinen
check out sslbump documentation:
http://wiki.squid-cache.org/Features/SslBump

--
Eero

2016-02-04 15:24 GMT+02:00 C. L. Martinez :

> Hi all,
>
>  I am trying to configure squid as a interception HTTPS proxy under CentOS
> 7. At every https request, I am receiving a certificate error.
>
>  My current config for squid is:
>
> # My localnet
> acl localnet src 172.22.55.0/28
> acl localnet src 172.22.58.0/29
>
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> #http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
>
> # My custom configuration
> http_port 8079
> http_port 8080 intercept
> https_port 8081 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/custom.private cert=/etc/squid/custom.cert
>
> # Anonymous proxy
> forwarded_for off
> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access WWW-Authenticate allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Cache-Control allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
> request_header_access Date allow all
> request_header_access Expires allow all
> request_header_access Host allow all
> request_header_access If-Modified-Since allow all
> request_header_access Last-Modified allow all
> request_header_access Location allow all
> request_header_access Pragma allow all
> request_header_access Accept allow all
> request_header_access Accept-Charset allow all
> request_header_access Accept-Encoding allow all
> request_header_access Accept-Language allow all
> request_header_access Content-Language allow all
> request_header_access Mime-Version allow all
> request_header_access Retry-After allow all
> request_header_access Title allow all
> request_header_access Connection allow all
> request_header_access Proxy-Connection allow all
> request_header_access User-Agent allow all
> request_header_access Cookie allow all
> request_header_access All deny all
>
> # SSL Bump Config
> always_direct allow all
> ssl_bump server-first all
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
>
>  I have tried disabling "sslproxy_cert_error" and "sslproxy_flags"
> directives, without luck.
>
>  Any ideas about what am I doing wrong?
>
>  Thanks.
> --
> Greetings,
> C. L. Martinez


Re: [CentOS] Python hashlib and ripemd160

2016-02-03 Thread Eero Volotinen
well, how about compiling instance to another directory like
/opt/python-alternative?

usually works like ./configure --prefix=/opt/python-alternative and then
other normal stuff..

--
Eero

2016-02-03 12:52 GMT+02:00 Alice Wonder :

> Hi - I think the patent monster has struck again.
>
> rmd = hashlib.new('ripemd160',binascii.unhexlify(someString)).hexdigest()
>
> That fails - ValueError: unsupported hash type
>
> From some googling, it appears that the supported hash types are from
> OpenSSL and that means the OpenSSL in CentOS doesn't support ripemd160.
>
> I've worked around other stuff missing from CentOS OpenSSL by building
> LibreSSL and linking against that but python is central to the operation of
> CentOS and I do not want to mess with replacing the CentOS packaging of
> python.
>
> Is there an alternate way to get a ripemd160 hash in python on CentOS ?
>


Re: [CentOS] I am not understanding the size of the iso

2016-02-02 Thread Eero Volotinen
redhat (centos) ships lots of stuff. you don't really need to install
*everything* unless you have very specific needs..

2016-02-03 8:15 GMT+02:00 Ramaseshan :

> Yep, This is true,
> If I look at Fedora Gnome for example, which also ships all
> these(browser,libre, gnome etc), the final DVD version is just about 1.2
> GB.
> That is what surprises me.
>
>
> On Wednesday 03 February 2016 08:52 AM, Peter wrote:
> > On 03/02/16 16:15, Ramaseshan S wrote:
> >> While the minimal version is just 700M, what makes the minimal along with a
> >> GUI about 4.3 GB.
> > All the extra packages, libs, etc that are needed to support the GUI,
> > plus the extra apps that are available to run in the GUI (such as
> > LibreOffice, FireFox, etc).
> >
> >> Isn't it too huge for an OS ?
> > u, no?
> >
> >
> > Peter
>
> --
> Cheers
> --
> S.Ramaseshan
> Engineer
> Fractalio Data Pvt Ltd
> email : ramases...@fractalio.com
> Web : www.fractalio.com
>


Re: [CentOS] yum / rpm kernel problems - CentOS 7.2

2016-01-28 Thread Eero Volotinen
let me google that for you:

http://www.digitesters.com/centos-install-virtualbox-on-a-headless-system/

Eero

2016-01-28 20:42 GMT+02:00 Rob Kampen :

> This is the second time I have come across a problem with yum / rpm and
> kernel packages with CentOS 7.
> I install CentOS7 and do a yum update
> I add elrepo epel and virtualbox repos
> I install Virtualbox-5.0
> It fails to install
> it give a message similar to :
> - WARNING: The vboxdrv kernel module is not loaded. Either there is no
> module
>  available for the current kernel (3.10.0-327.el7.x86_64) or it
> failed to
>  load. Please recompile the kernel module and install it by
>
>sudo /sbin/rcvboxdrv setup
>
>  You will not be able to start VMs until this problem is fixed.
> 5.0.14r105127
>
> As I had done a yum update the kernel was actually 3.10.0-327.4.5.el7
>
> The initial install did not include kernel-devel so I yum install
> kernel-devel
> Still have the problem
> So I downgrade the kernel - it goes to 3.10.0-327.4.4.el7
> I downgrade repeatedly until I get 3.10.0-327.el7.x86_64 as that was the
> initial kernel installed.
> The downgrade correctly downgrades the kernel, kernel-headers,
> kernel-tools and kernel-tools-libs BUT NOT the kernel-devel which stays at
> -327.4.5.el7
> Trapped - didn't see that for a while!
> So I finally yum remove kernel-devel
> Then I look in yumex (with show latest - disabled) and only the
> kernel-devel for 3.10.0-327.4.5.el7 is shown. All the other kernel packages
> show the correct versions.
> At this point the only installed kernel rpms are 3.10.0-327.el7.x86_64
> So I explicitly ask yum to install
> sudo yum install kernel-devel-3.10.0-327.el7.x86_64
>
> so now I have
> >rpm -qa |grep kernel
> kernel-tools-libs-3.10.0-327.el7.x86_64
> kernel-3.10.0-327.el7.x86_64
> abrt-addon-kerneloops-2.1.11-36.el7.centos.x86_64
> kernel-headers-3.10.0-327.el7.x86_64
> kernel-tools-3.10.0-327.el7.x86_64
> kernel-devel-3.10.0-327.el7.x86_64
>
> The virtual box command to compile and install the vbox driver is sudo
> /sbin/rcvboxdrv
> which seems to have issues
> sudo /sbin/rcvboxdrv
>
> ** (pkttyagent:3047): WARNING **: Unable to register authentication agent:
> GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name :1.6 was
> not provided by any .service files
> Error registering authentication agent:
> GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name :1.6 was
> not provided by any .service files (g-dbus-error-quark, 2)
>
> zero idea of what that means
>
> a repeat of the command returns nothing
> but when I run
> >sudo VBoxManage -v
> WARNING: The vboxdrv kernel module is not loaded. Either there is no module
>  available for the current kernel (3.10.0-327.el7.x86_64) or it
> failed to
>  load. Please recompile the kernel module and install it by
>
>sudo /sbin/rcvboxdrv setup
>
>  You will not be able to start VMs until this problem is fixed.
> 5.0.14r105127
>
> BTW the setup param returns
> Bad argument setup
>
> At this point I have run out of ideas / patience / time and coffee.
> Any ideas as to how to fix this would be appreciated.
> TIA
> Rob
>


Re: [CentOS] How to get UEFI setting by shell?

2016-01-22 Thread Eero Volotinen
It works on linux, it can't be secure?

:)

Eero
22.1.2016 8.54 PM "John R Pierce" wrote:

> On 1/22/2016 7:04 AM, Gordon Messmer wrote:
>
>> On 01/21/2016 11:33 PM, wk wrote:
>>
>>>   How can I sign my test.ko for CentOS7.1?
>>>
>>
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html
>>
>
>
> what a pile of security theater that MOK thing is.   theater of the
> absurd, anyways.
>
>
>
> --
> john r pierce, recycling bits in santa cruz
>


Re: [CentOS] Reply: How to get UEFI setting by shell?

2016-01-22 Thread Eero Volotinen
Well, you cannot sign it as you don't have access to signing key? It might
be possible to add keys to secure boot, I am not sure.

Looks like only way to get unsigned modules to work is just disable secure
boot..

Eero

Fri 22 January 2016 at 12.40 wk <304702...@qq.com> wrote:

> Hi,volotinen:
>
>   as it mentioned in your web link:
>   "Your on the right track your module need to be signed", my question
> how to sign test_file_system.ko?
>
>  thanks,
>  w.k.
>
>
>
>  -- Original Message --
>   From: "eero.volotinen";;
>  Sent: Friday, January 22, 2016, 3:42 PM
>  To: "CentOS mailing list";
>
>  Subject: Re: [CentOS] How to get UEFI setting by shell?
>
>
>
>
> http://unix.stackexchange.com/questions/157539/cant-load-zfs-kernel-module-on-fedora-with-secure-boot-required-key-not-avai
>
> So, module must be signed with trusted key, or else it just fails.
>
> Eero
> 22.1.2016 9.34 AM "wk" <304702...@qq.com> wrote:
>
> > Hi,
> > another question.With secure boot on,
> > I make a kernel module test.ko
> > Then insmod test.ko:
> > [root@localhost linux]# insmod test.ko
> >insmod: ERROR: could not insert module test.ko: Required key not
> > available
> >
> >  How can I sign my test.ko for CentOS7.1?
> >
> > If I set secure boot off, insmod test.ko will be successful.
> >  w.k.
> >
> >  -- Original --
> >   From:  "我自己的邮箱";<304702...@qq.com>;
> >  Date:  Fri, Jan 22, 2016 03:07 PM
> >  To:  "eero.volotinen"; "gordon.messmer"<
> > gordon.mess...@gmail.com>;
> >  Cc:  "centos";
> >  Subject:  Re: [CentOS] How to get UEFI setting by shell?
> >
> >
> >
> >  volotinen and gordon.messmer:
> >
> > thank you for your answers.
> >
> >  w.k.
> >
> >
> >  -- Original --
> >   From:  "Gordon Messmer";;
> >  Date:  Fri, Jan 22, 2016 02:13 PM
> >  To:  "CentOS mailing list";
> >
> >  Subject:  Re: [CentOS] How to get UEFI setting by shell?
> >
> >
> >
> > On 01/21/2016 09:47 PM, wk wrote:
> > > How to check/get UEFI information by shell/bash terminal ?
> >  example:if UEFI is enabled? if secure boot is enabled?
> >
> > Systems that boot via UEFI will have /sys/firmware/efi.
> >
> > You may have access to your secure boot setting in
> > /sys/firmware/efi/efivars/, or in the output of "bootctl --path
> > /boot/efi status"
> >
> >


Re: [CentOS] How to get UEFI setting by shell?

2016-01-21 Thread Eero Volotinen
http://unix.stackexchange.com/questions/157539/cant-load-zfs-kernel-module-on-fedora-with-secure-boot-required-key-not-avai

So, module must be signed with trusted key, or else it just fails.

Eero
22.1.2016 9.34 AM "wk" <304702...@qq.com> wrote:

> Hi,
> another question.With secure boot on,
> I make a kernel module test.ko
> Then insmod test.ko:
> [root@localhost linux]# insmod test.ko
>insmod: ERROR: could not insert module test.ko: Required key not
> available
>
>  How can I sign my test.ko for CentOS7.1?
>
> If I set secure boot off, insmod test.ko will be successful.
>  w.k.
>
>  -- Original --
>   From:  "我自己的邮箱";<304702...@qq.com>;
>  Date:  Fri, Jan 22, 2016 03:07 PM
>  To:  "eero.volotinen"; "gordon.messmer"<
> gordon.mess...@gmail.com>;
>  Cc:  "centos";
>  Subject:  Re: [CentOS] How to get UEFI setting by shell?
>
>
>
>  volotinen and gordon.messmer:
>
> thank you for your answers.
>
>  w.k.
>
>
>  -- Original --
>   From:  "Gordon Messmer";;
>  Date:  Fri, Jan 22, 2016 02:13 PM
>  To:  "CentOS mailing list";
>
>  Subject:  Re: [CentOS] How to get UEFI setting by shell?
>
>
>
> On 01/21/2016 09:47 PM, wk wrote:
> > How to check/get UEFI information by shell/bash terminal ?
>  example:if UEFI is enabled? if secure boot is enabled?
>
> Systems that boot via UEFI will have /sys/firmware/efi.
>
> You may have access to your secure boot setting in
> /sys/firmware/efi/efivars/, or in the output of "bootctl --path
> /boot/efi status"
>
>


Re: [CentOS] How to get UEFI setting by shell?

2016-01-21 Thread Eero Volotinen
Hi,

Read this page:
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface

2016-01-22 7:47 GMT+02:00 wk <304702...@qq.com>:

> Hi,
>
>CentOS7.1, Dell PowerEdge R730xd.
>
>How to check/get UEFI information by shell/bash terminal ?   example:if
> UEFI is enabled? if secure boot is enabled?
>
> Thanks.
>
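
The two checks named in this thread (the /sys/firmware/efi directory and the SecureBoot variable under efivars), written out as an added example that is not from the thread. It is in Python rather than shell so the 4-byte attribute prefix that efivarfs puts in front of the value can be skipped cleanly; the function names and the sysfs_root parameter are assumptions for illustration.

```python
import os
import struct

# Vendor GUID of the UEFI global variables (SecureBoot, SetupMode, ...).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_global_var(sysfs_root, name):
    """Return (attributes, data) for a global EFI variable, or None.

    efivarfs files start with a 32-bit little-endian attribute word followed
    by the value. The older /sys/firmware/efi/vars/<var>/data file holds the
    value only, so attributes are reported as None for that path.
    """
    var = "%s-%s" % (name, EFI_GLOBAL_GUID)
    efivarfs = os.path.join(sysfs_root, "firmware", "efi", "efivars", var)
    legacy = os.path.join(sysfs_root, "firmware", "efi", "vars", var, "data")
    try:
        with open(efivarfs, "rb") as handle:
            raw = handle.read()
        if len(raw) >= 4:
            return struct.unpack("<I", raw[:4])[0], raw[4:]
    except (IOError, OSError):
        pass  # efivarfs not mounted or variable not readable: try legacy path
    try:
        with open(legacy, "rb") as handle:
            return None, handle.read()
    except (IOError, OSError):
        return None


def _flag(sysfs_root, name):
    """True/False for a one-byte boolean variable, None when it is unknown."""
    var = read_global_var(sysfs_root, name)
    if var is None or not var[1]:
        return None
    return bytearray(var[1])[0] == 1


def firmware_status(sysfs_root="/sys"):
    """Report boot mode plus the SecureBoot and SetupMode flags."""
    if not os.path.isdir(os.path.join(sysfs_root, "firmware", "efi")):
        # No EFI runtime directory: the kernel was booted via legacy BIOS/CSM.
        return {"boot_mode": "bios", "secure_boot": None, "setup_mode": None}
    return {
        "boot_mode": "uefi",
        "secure_boot": _flag(sysfs_root, "SecureBoot"),
        "setup_mode": _flag(sysfs_root, "SetupMode"),
    }


if __name__ == "__main__":
    print(firmware_status())
```

A result of None for secure_boot on a UEFI system means the variable could not be read, not that Secure Boot is off.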


Re: [CentOS] Supervisory

2016-01-19 Thread Eero Volotinen
Telnet? (insane-non-encrypted-security-hole-protocol) please replace it
with openssh.

You can use auditd / user accounting / sudosh /rootsh/ or similar tools ..

--
Eero

2016-01-19 11:45 GMT+02:00 Hadi Motamedi :

> Dear All
> I have a centos server with super user password access. There are a
> number of users on the same net accessing it via telnet with their
> dedicated id/pwd . For the supervision purposes, I need to know which
> user is issuing what command on the server . In other words ,
> monitoring their activities . Can you please let me know how it can be
> done on the centos?
> Thank you in advance


Re: [CentOS] OpenSSH security flaw

2016-01-16 Thread Eero Volotinen
yes, it is already patched: https://lwn.net/Alerts/672044/

affects only c7..

--
Eero



2016-01-16 20:29 GMT+02:00 Boris Epstein :

> Hello all,
>
> Does anybody know if this one has been patched?
>
> http://thehackernews.com/2016/01/openssh-vulnerability-cryptokeys.html
>
> Thanks.
>
> Boris.


Re: [CentOS] when RedHat makes patches for only some versions

2015-12-10 Thread Eero Volotinen
Maybe or maybe not.

Redhat support policy is a bit interesting..

--
Eero

2015-12-10 17:47 GMT+02:00 Noam Bernstein :

> > On Dec 10, 2015, at 10:40 AM, Leon Fauster wrote:
> >
> > On 10.12.2015 at 16:16, Noam Bernstein <noam.bernst...@nrl.navy.mil> wrote:
> >> I guess this is really a RedHat, not CentOS question, but I’m hoping that
> >> someone here will be familiar enough with the upstream policy to have some
> >> useful information.
> >>
> >> How does RedHat decide which versions to release patches for, e.g.
> >> https://access.redhat.com/security/cve/CVE-2015-7613 which has only a RH7
> >> erratum, not 6?  And are they likely to eventually release a fix for this
> >> type of issue for RH6?
> >
> > Generally defined by the production phases:
> > https://access.redhat.com/support/policy/updates/errata/
> >
> > It explains not all but at least the big picture …
>
> That’s useful, thanks.
>
> It does seem to indicate that RH6 is still in production 1, with security
> and bug fix errata being released.  So does that mean that I can expect RH
> to eventually release a fix for this CVE, but they just haven’t gotten
> around to it yet?
>
>
>   Noam
>
> ---
> Noam Bernstein
> Center for Materials Physics and Technology
> Naval Research Laboratory Code 6390
>
> noam.bernst...@nrl.navy.mil
> phone: 202 404 8628
>


Re: [CentOS] Networking Question

2015-11-26 Thread Eero Volotinen
and you should also use bonding to aggregate link bandwidth.

--
Eero

2015-11-26 22:48 GMT+02:00 Steven Tardy :

> > On Nov 26, 2015, at 10:43 AM, Alice Wonder  wrote:
> >
> > Is this sane ?
>
> No. Use VLANs instead of physical cables and physical switches.
> https://en.m.wikipedia.org/wiki/VLAN


Re: [CentOS] IP table Restore

2015-11-25 Thread Eero Volotinen
Well, that sounds like indian offsourcing company selling *high* *quality*
Linux maintenance for very low price :)

That is reason why you should never try to offsource Linux maintenance
work..

--
Eero

2015-11-25 23:46 GMT+02:00 :

> Jim Perrin wrote:
> > Sorry to step in here folks, but I have moderated this user for now for
> > their own good. Posting credentials to a public mailing list is not
> > going to end well for anyone.
>
> Thanks, Jim.
>
> If I knew who to email, I'd email his manager, and have this unqualified
> incompetent fired... *after* they yanked his access and changed the
> password.
>
> Actually, *what* the password is makes me wonder whether he's actually
> legitimately accessing that system as root
>
>mark
> >
> > On 11/25/2015 03:25 PM, Siva Prasad Nath wrote:
> > 
> >>
> >> If you wish then you can access it and able to get required info.
> >>
> >>
> >> Shiva Prasad Nath
> >> 92981134
> >>
> >> On Thu, Nov 26, 2015 at 5:14 AM, Fabian Arrotin 
> >> wrote:
> >>
> >> On 25/11/15 21:58, Siva Prasad Nath wrote:
> > modinfo: ERROR: Module alias ip_tables not found. Linux
> > ns1.currencybooking.com 3.10.0-229.20.1.el7.x86_64 #1 SMP Tue Nov
> > 3 19:10:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> >>
> >> Which should be under
> >>
> >> /lib/modules/3.10.0-229.20.1.el7.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko
> >> ... so something else is broken on that node.
> >> Back to the initial question : which kind of setup is that :
> >> bare-metal, or a VM, VPS ? how was it installed, etc .. (because that
> >> ip_tables kernel module is there *by default*)
> >>
> >> The more details you can give, the better, as at first sight that
> >> doesn't seem to be a normal setup
> >>
> >> Cheers,
> >>
> >
> > --
> > Jim Perrin
> > The CentOS Project | http://www.centos.org
> > twitter: @BitIntegrity | GPG Key: FA09AD77


Re: [CentOS] IP table Restore

2015-11-25 Thread Eero Volotinen
Well, usually pricing is ~about 100-250 dollars/hour, depending on how
complex case and contractor.

--
Eero

2015-11-25 10:35 GMT+02:00 Siva Prasad Nath <shivaprasadnat...@gmail.com>:

> How much I have to pay?
>
>
> Shiva Prasad Nath
> 92981134
>
> On Wed, Nov 25, 2015 at 4:01 PM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > How about learning the basics? Commercial support is also available, if you
> > really need some one to fix your server.
> >
> >
> >
> > --
> > Eero
> >
> > 2015-11-25 9:51 GMT+02:00 Siva Prasad Nath <shivaprasadnat...@gmail.com>:
> >
> > > Sorry for asking stupid question about Super key. I am not able to
> > > understand the key.
> > >
> > > press the Super key to enter the Activities Overview, type firewall and
> > > then press Enter
> > >
> > >
> > > Shiva Prasad Nath
> > > 92981134
> > >
> > > On Wed, Nov 25, 2015 at 3:07 PM, John R Pierce <pie...@hogranch.com>
> > > wrote:
> > >
> > > > On 11/24/2015 10:18 PM, Siva Prasad Nath wrote:
> > > >
> > > >> If possible advice me for below error.
> > > >>
> > > >> [root@ns1 sysconfig]# iptables-restore < /etc/sysconfig/iptables
> > > >> iptables-restore: line 2 failed
> > > >>
> > > >> Thanks in advance.
> > > >>
> > > >
> > > > If I recall correctly, you are using CentOS 7?   With 7, you really should
> > > > be using firewalld rather than manually writing iptables rules. see the
> > > > firewall section of the RHEL 7 networking manual I previously linked, twice.
> > > >
> > > > otherwise, which part of that error is unclear?   check line 2 of
> > > > /etc/sysconfig/iptables, it has a syntax error.   there may be more
> > > > information in the system logs, see chapter 20, 'logging'
> > > >
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Viewing_and_Managing_Log_Files.html
> > > >
> > > >
> > > > --
> > > > john r pierce, recycling bits in santa cruz
> > > >
> > > >


Re: [CentOS] IP table Restore

2015-11-25 Thread Eero Volotinen
How about learning the basics? Commercial support is also available, if you
really need some one to fix your server.



--
Eero

2015-11-25 9:51 GMT+02:00 Siva Prasad Nath :

> Sorry for asking stupid question about Super key. I am not able to
> understand the key.
>
> press the Super key to enter the Activities Overview, type firewall and
> then press Enter
>
>
> Shiva Prasad Nath
> 92981134
>
> On Wed, Nov 25, 2015 at 3:07 PM, John R Pierce 
> wrote:
>
> > On 11/24/2015 10:18 PM, Siva Prasad Nath wrote:
> >
> >> If possible advice me for below error.
> >>
> >> [root@ns1 sysconfig]# iptables-restore < /etc/sysconfig/iptables
> >> iptables-restore: line 2 failed
> >>
> >> Thanks in advance.
> >>
> >
> > If I recall correctly, you are using CentOS 7?   With 7, you really should
> > be using firewalld rather than manually writing iptables rules. see the
> > firewall section of the RHEL 7 networking manual I previously linked, twice.
> >
> > otherwise, which part of that error is unclear?   check line 2 of
> > /etc/sysconfig/iptables, it has a syntax error.   there may be more
> > information in the system logs, see chapter 20, 'logging'
> >
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Viewing_and_Managing_Log_Files.html
> >
> >
> > --
> > john r pierce, recycling bits in santa cruz
> >
> >


Re: [CentOS] Unit network.service has failed

2015-11-24 Thread Eero Volotinen
systemctl restart name-of-service.service
24.11.2015 12.32 PM "Siva Prasad Nath" wrote:

> Sorry for disturbing all of you again and again.
> Network service cannot be started. All the commands are not working.
>
> How to start network service? net-tool already exists.
>
>
> --
>
> Shiva Prasad Nath
> 92981134


Re: [CentOS] OT: Replacing Venerable NAS

2015-11-24 Thread Eero Volotinen
Are you familiar with GlusterFs / Ceph ?

Eero
19.11.2015 8.34 PM "Lamar Owen" wrote:

> On 11/18/2015 04:42 PM, John R Pierce wrote:
>
>> the /really/ hard one when rolling your own highly redundant systems with
>> high data integrity needed for things like transactional database servers,
>> is implementing redundant storage controllers with shared writeback
>> cache...   you pretty much have to get into EMC class hardware for this
>> level of reliability with data integrity and performance.   and thats
>> /really/ expensive stuff.
>>
> Yes it is, because it really is that hard to do shared writeback cache.
> EMC, Nimble, NetApp, and the like cost what they do because of those HA
> features.  EMC storage processors have specialized shared backplanes and
> replicated write caches just in case an SP goes down while the data to be
> written is in cache and has yet to be committed (so that the trespassing SP
> can write the correct data to disk).  They also have dedicated battery
> backup units and the whole concept of the 'vault' drives to specifically
> save the write cache in a powerfail emergency.
>
> But I would love to see something in the free software space that did that
> kind of thing, with appropriate hardware.
>


Re: [CentOS] Urgent Help

2015-11-21 Thread Eero Volotinen
Using rescue mode or some other rescuecd..

Eero
21.11.2015 6.41 PM "Siva Prasad Nath" wrote:

> Hi,
> From yesterday my server was down.
> It was showing only rescue menu. I copy grub.cfg to grub.cfg.old. Replace
> grub.cfg from another server.
> Now I cannot start server. How to revert back grub.cfg and how to put vm in
> the boot folder?
>
> Thanks in advance.
>
> Shiva


Re: [CentOS] Intel SSD

2015-11-18 Thread Eero Volotinen
strace -f -e open software_binary might help, but I have noticed that
Centos is not really 100% binary compatible in some cases.



--
Eero

2015-11-18 17:42 GMT+02:00 Matt Garman :

> I always tell vendors I'm using RHEL, even though we're using CentOS.
> If you say CentOS, some vendors immediately throw up their hands and
> say "unsupported" and then won't even give you the time of day.
>
> A couple tricks for fooling tools into thinking they are on an actual
> RHEL system:
> 1. Modify /etc/redhat-release to say RedHat Enterprise Linux or
> whatever the actual RHEL systems have
> 2. Similarly modify /etc/issue
>
> Another tip that has proven successful: run the vendor tool under
> strace.  Sometimes you can get an idea of what it's trying to do and
> why it's failing.  This is exactly what we did to determine why a
> vendor tool wouldn't work on CentOS.  We had modified
> /etc/redhat-release (as in (1) above), but forgot about /etc/issue.
> Strace showed the program exiting immediately after an open() call to
> /etc/issue.
>
> Good luck!
>
>
>
>
> On Wed, Nov 18, 2015 at 9:24 AM, Michael Hennebry
>  wrote:
> > On Wed, 18 Nov 2015, Birta Levente wrote:
> >
> >> I have a supermicro server, motherboard is with C612 chipset and beside
> >> that with LSI3108 raid controller integrated.
> >> Two Intel SSD DC S3710 200GB.
> >> OS: Centos 7.1 up to date.
> >>
> >> My problem is that the Intel SSD Data Center Tool (ISDCT) does not
> >> recognize the SSD drives when they connected to the standard S-ATA ports on
> >> the motherboard, but through the LSI raid controller is working.
> >>
> >> Does somebody know what could be the problem?
> >>
> >> I talked to the Intel support and they said the problem is that Centos is
> >> not supported OS ... only RHEL 7.
> >> But if not supported should not work on the LSI controlled neither.
> >
> >
> > Perhaps the tool looks for the string RHEL.
> > My recollection is that when IBM PC's were fairly new,
> > IBM used that trick with some of its software.
> > To work around that, some open source developers used the string "not IBM".
> > I think this was pre-internet, so google might not work.
> >
> > If it's worth the effort, you might make another "CentOS" distribution,
> > but call it "not RHEL".
> >
> > --
> > Michael   henne...@web.cs.ndsu.nodak.edu
> > "Sorry but your password must contain an uppercase letter, a number,
> > a haiku, a gang sign, a heiroglyph, and the blood of a virgin."
> >  -- someeecards


Re: [CentOS] Intel SSD

2015-11-18 Thread Eero Volotinen
What is Intel SSD Data Center Tool (ISDCT) ? Does Linux kernel detect disk
on sata ports?

Supported usually means that they have tested it and they can say that it
works.. Many of hardware still works as linux kernel support
lots of drivers -- even they are not officially supported by vendor.

--
Eero

2015-11-18 16:25 GMT+02:00 Birta Levente :

> Hi
>
> I have a supermicro server, motherboard is with C612 chipset and beside
> that with LSI3108 raid controller integrated.
> Two Intel SSD DC S3710 200GB.
> OS: Centos 7.1 up to date.
>
> My problem is that the Intel SSD Data Center Tool (ISDCT) does not
> recognize the SSD drives when they connected to the standard S-ATA ports on
> the motherboard, but through the LSI raid controller is working.
>
> Does somebody know what could be the problem?
>
> I talked to the Intel support and they said the problem is that Centos is
> not supported OS ... only RHEL 7.
> But if not supported should not work on the LSI controlled neither.
>
> Thanks,
>
> --
>Levi


Re: [CentOS] Intel SSD

2015-11-18 Thread Eero Volotinen
2015-11-18 16:48 GMT+02:00 Birta Levente <blevi.li...@gmail.com>:

> On 18/11/2015 16:37, Eero Volotinen wrote:
>
>> What is Intel SSD Data Center Tool (ISDCT) ?
>>
>
> " This tool provides a command line interface for interacting with and
> issuing commands to Intel SSD Data Center devices. It is intended to
> configure and check the state of Intel PCIe SSDs and SATA SSDs for a
> production environment. "
>
>
> Does Linux kernel detect disk on sata ports?
>>
>>
> Of course they detected by kernel. They work very well, just this tool
> does not recognize them.
>
>
Well. You are using it on non supported configuration? You should try it
with official RHEL, it might work or not. If not, then open support ticket.

--
Eero


Re: [CentOS] Fresh installation using usb

2015-11-13 Thread Eero Volotinen
Hi,

Please first boot to lifecycle controller (I think it was f11 or f10 key on
boot). Then update all firmware versions to latest.

Then try installing from DVD. this system is supported by RHEL, so it should
work fine with Centos too.

--
Eero

2015-11-13 9:54 GMT+02:00 Siva Prasad Nath <shivaprasadnat...@gmail.com>:

>  20151113_123827.mp4
> <https://drive.google.com/file/d/0BwbqyaG4rXrCUXNfTWI3ZEk4N1k/view?usp=drive_web>
> We are using R630. Do you think it is better to install from DVD?
> Few times I waited for a long time. Bar was not moving in the screen.
> Please refer to the video.
>
> On Friday, November 13, 2015, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > what is model of your poweredge server? did you wait some minutes after
> > error message?
> >
> > --
> > Eero
> >
> > 2015-11-13 7:35 GMT+02:00 Siva Prasad Nath <shivaprasadnat...@gmail.com>:
> >
> > > Hi,
> > > I am trying to install Centos 7 on Dell poweredge server. It prompts i8042
> > > controller not found. After that screen was not moving.
> > >
> > > With regards,
> > > Shiva
> > >
> > >
> > > --
> > >
> > > Shiva Prasad Nath
> > > 92981134


Re: [CentOS] Fwd: After installation

2015-11-13 Thread Eero Volotinen
How about reading the documentation and learning the basics. You are not
going to get step by step instructions.

Eero
14.11.2015 4.16 AM "Siva Prasad Nath" wrote:

> -- Forwarded message --
> From: *Siva Prasad Nath* 
> Date: Saturday, November 14, 2015
> Subject: After installation
> To: centos-de...@centos.org
>
>
> Hi,
> I installed Centos. After login as root I can see the config file.
> Please advice me about the next step.
>
> With regards,
> Shiva
>
>
> --
>
> Shiva Prasad Nath
> 92981134
>
>
>
>
> --
>
> Shiva Prasad Nath
> 92981134


Re: [CentOS] After installation

2015-11-13 Thread Eero Volotinen
Www.centos.org or use google for 'rhel documentation'

Eero
14.11.2015 5.43 AM "Siva Prasad Nath" <shivaprasadnat...@gmail.com> wrote:

> Agree with you. Can you email me the link?
>
> On Saturday, November 14, 2015, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > How about reading the documentation and learning the basics. You are not
> > going to get step by step instructions.
> >
> > Eero
> > 14.11.2015 4.16 AM "Siva Prasad Nath" <shivaprasadnat...@gmail.com> wrote:
> >
> > > -- Forwarded message --
> > > From: *Siva Prasad Nath* <shivaprasadnat...@gmail.com>
> > > Date: Saturday, November 14, 2015
> > > Subject: After installation
> > > To: centos-de...@centos.org
> > >
> > >
> > > Hi,
> > > I installed Centos. After login as root I can see the config file.
> > > Please advice me about the next step.
> > >
> > > With regards,
> > > Shiva
> > >
> > >
> > > --
> > >
> > > Shiva Prasad Nath
> > > 92981134
> > >
> > >
> > >
> > >
> > > --
> > >
> > > Shiva Prasad Nath
> > > 92981134
>
>
> --
>
> Shiva Prasad Nath
> 92981134


Re: [CentOS] Fresh installation using usb

2015-11-12 Thread Eero Volotinen
what is model of your poweredge server? did you wait some minutes after
error message?

--
Eero

2015-11-13 7:35 GMT+02:00 Siva Prasad Nath :

> Hi,
> I am trying to install Centos 7 on Dell poweredge server. It prompts i8042
> controller not found. After that screen was not moving.
>
> With regards,
> Shiva
>
>
> --
>
> Shiva Prasad Nath
> 92981134


Re: [CentOS] Server used in DOS attack on UDP port 0

2015-11-04 Thread Eero Volotinen
Did you run basic checks like rkhunter and so on?

Is there password login enabled or only public key on ssh service.

Weak passwords on ssh is usually primary reason on system compromise.

Eero
4.11.2015 12.23 PM "Andrew Holway" wrote:

> Hi,
>
> One of our AWS machines was used in an DOS attack last night and I am
> looking for possible attack vectors. AWS tells me it was sending UDP port 0
> traffic to a cloudflare address.
>
> This instance had an incorrectly configured AWS security group exposing all
> ports.
>
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
>
> With a brief inspection before the instance was stopped no evidence of
> intrusion could be detected in the obvious places and the machine is
> protected by standard SELinux policies.
>
> On this machine Firewalld is currently configured with a single zone with
> masquerade enabled
>
> firewalld config.
> public (default, active)
>   interfaces: eth0
>   sources:
>   services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp
> openvpn ssh
>   ports: 81/tcp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Thanks,
>
> Andrew
>
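
The reply above asks whether password logins were in use on the ssh service. One way to answer that from log evidence, as an added example that is not part of the thread: it assumes sshd writes its default "Accepted"/"Failed" lines to /var/log/secure, and the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# sshd authentication results in the default syslog format (assumed to be
# what /var/log/secure holds on the server in question).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
Nov  3 21:40:02 ipa sshd[1801]: Accepted publickey for centos from 198.51.100.7 port 50112 ssh2
Nov  3 22:05:40 ipa sshd[1950]: Failed password for alice from 198.51.100.9 port 51500 ssh2
Nov  3 22:05:49 ipa sshd[1950]: Accepted password for alice from 198.51.100.9 port 51500 ssh2
Nov  3 23:10:11 ipa sshd[2210]: Failed password for invalid user admin from 203.0.113.50 port 40110 ssh2
Nov  3 23:10:13 ipa sshd[2212]: Failed password for invalid user test from 203.0.113.50 port 40122 ssh2
Nov  3 23:10:16 ipa sshd[2214]: Failed password for root from 203.0.113.50 port 40130 ssh2
Nov  3 23:10:18 ipa sshd[2216]: Failed password for root from 203.0.113.50 port 40138 ssh2
Nov  3 23:10:21 ipa sshd[2218]: Failed password for root from 203.0.113.50 port 40144 ssh2
Nov  3 23:10:24 ipa sshd[2220]: Accepted password for root from 203.0.113.50 port 40150 ssh2
"""


def triage_ssh_log(lines, threshold=5):
    """Summarise ssh logins and flag passwords that were probably guessed.

    Returns (methods, findings). methods counts accepted logins per
    authentication method, which shows whether password login is in use at
    all. findings lists (user, ip, failures) for every accepted password
    login whose source address had at least `threshold` failed password
    attempts earlier in the log.
    """
    failures = Counter()   # failed password attempts per source address
    methods = Counter()    # accepted logins per authentication method
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        if m["result"] == "Failed":
            if method == "password":
                failures[ip] += 1
            continue
        methods[method] += 1
        if method == "password" and failures[ip] >= threshold:
            findings.append((m["user"], ip, failures[ip]))
    return methods, findings


if __name__ == "__main__":
    methods, findings = triage_ssh_log(SAMPLE_LOG.splitlines())
    print("accepted logins by method:", dict(methods))
    for user, ip, count in findings:
        print("password login for %s from %s after %d failures" % (user, ip, count))
```

A clean result only covers the log lines that are still on disk; rotated or tampered logs need to be checked separately.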


Re: [CentOS] getting a CentOS6 VM on VMware ESXi platform to recognize a new disk device

2015-11-04 Thread Eero Volotinen
Hi,

I think, this is possible with scsi disks

http://www.cyberciti.biz/tips/vmware-add-a-new-hard-disk-without-rebooting-guest.html

Eero
4.11.2015 4.32 PM "Boris Epstein" wrote:

> Hello all,
>
> Is there a way to recognize a hot-plugged disk (i.e., to get the system to
> recognize it and build the appropriate /dev/sd* device for the new device)
> without a reboot?
>
> Thanks.
>
> Boris.

Re: [CentOS] getting a CentOS6 VM on VMware ESXi platform to recognize a new disk device

2015-11-04 Thread Eero Volotinen
It should work fine. What esxi version you are using?

Eero
4.11.2015 6.27 PM "Boris Epstein" wrote:

> >
> >
> >
> > was the controller you added the virtual disk to an IDE or scsi controller?
> >
> > --
> > public gpg key id: 1362BA1A
> >
>
> It was a SCSI controller.
>
> Boris.


Re: [CentOS] problem with openjdk version

2015-11-02 Thread Eero Volotinen
Corrected link:
http://www.if-not-true-then-false.com/2010/install-sun-oracle-java-jdk-jre-7-on-fedora-centos-red-hat-rhel/

Eero
2.11.2015 12.11 PM "Eero Volotinen" <eero.voloti...@iki.fi> wrote:

> Try with sun java:
>
> http://www.if-not-true-then-false.com
>
> Eero
> 2.11.2015 11.59 AM "Arpita Mallick" <arpita_2...@yahoo.in> wrote:
>
>> I am using cent OS 6.7 and I have installed omnet++ 4.6 on it. When I am
>> trying to create a new omnet++ project then suddenly omnet++ window is
>> terminating and an error message is showing as "A problem in the
>> Java-1.7.0-openjdk-1..7.0.85-2.6.1.3el6_7package has been detected". Then I
>> uninstalled this version of java and tried with version "1.7.0_91" and
>> "1.7.0_79" but can't solve this problem. Please help me in solving this
>> problem.
>>


Re: [CentOS] problem with openjdk version

2015-11-02 Thread Eero Volotinen
Try with sun java:

http://www.if-not-true-then-false.com

Eero
2.11.2015 11.59 AM "Arpita Mallick" wrote:

> I am using cent OS 6.7 and I have installed omnet++ 4.6 on it. When I am
> trying to create a new omnet++ project then suddenly omnet++ window is
> terminating and an error message is showing as "A problem in the
> Java-1.7.0-openjdk-1..7.0.85-2.6.1.3el6_7package has been detected". Then I
> uninstalled this version of java and tried with version "1.7.0_91" and
> "1.7.0_79" but can't solve this problem. Please help me in solving this
> problem.
>


Re: [CentOS] disable ZTS in php

2015-10-30 Thread Eero Volotinen
This is really wrong way to do this. Install yum-utils and use
yumdownloader --source package-name to get rhel version of package. Then
modify spec file and recompile.

Eero
Hey guys,

 I'm trying to disable ZTS in php, because an application we need
(AppDynamics) is not compatible with it.

So I tried compiling php with the following flags:

php -i | grep configure
Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
'--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
'--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
'--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
'--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
'--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
'--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
'--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
'--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
'--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
'--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
'--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
'--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared'
'--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
'--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*


And for some reason the AppD installer is claiming that ZTS is still
enabled. So what I'd like to know is, did I disable ZTS correctly? If I did
that means the problem is on the AppD side so we should take a look there.

Appreciate any help on this!

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] disable ZTS in php

2015-10-30 Thread Eero Volotinen
I think command name is yum-downloader.

Then modify spec and rpmbuild -ba specname.spec

You need also modify version number a bit. Rebuilding is a bit issue as you
need to recompile as security patches come out ..

Eero
30.10.2015 6.04 PM "Tim Dunphy" <bluethu...@gmail.com> wrote:

> Yeah Erro, ok you have a point. I'll do that. Thanks!
>
> On Fri, Oct 30, 2015 at 11:40 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > This is really wrong way to do this. Install yum-utils and use
> > yumdownloader --source package-name to get rhel version of package. Then
> > modify spec file and recompile.
> >
> > Eero
> > Hey guys,
> >
> >  I'm trying to disable ZTS in php, because an application we need
> > (AppDynamics) is not compatible with it.
> >
> > So I tried compiling php with the following flags:
> >
> > php -i | grep configure
> > Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
> > '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
> > '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
> > '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
> > '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
> > '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
> > '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
> > '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
> > '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
> > '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
> > '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
> > '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
> > '--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared'
> > '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
> > '--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*
> >
> >
> > And for some reason the AppD installer is claiming that ZTS is still
> > enabled. So what I'd like to know is, did I disable ZTS correctly? If I did
> > that means the problem is on the AppD side so we should take a look there.
> >
> > Appreciate any help on this!
> >
> > Thanks
> > Tim
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] Detecting empty office doc containing virus macro

2015-10-30 Thread Eero Volotinen
How about scanning files using virustotal?

https://github.com/Gawen/virustotal

--
Eero

2015-10-30 12:58 GMT+02:00 Gary Stainburn :

> On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
> > On 29/10/15 10:51, Gary Stainburn wrote:
> > > On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> > >> On 28/10/15 11:55, Gary Stainburn wrote:
> > >>> We are receiving LOTS of emails that contain empty XLS or DOC documents
> > >>> with embedded virus macros.  These are getting past SPAMASSASSIN,
> > >>> Clamav and Kaspersky.
> > >>>
> > >>> I'm trying to write a filter for EXIM to block these emails but I need
> > >>> to know a good, quick, command-line to detect an empty doc with a
> > >>> macro.
> > >>>
> > >>> Is there anything available that I can use??
> > >>>
> > >>> I have managed to write a PERL script to detect empty xls xlsx, doc and
> > >>> docx files but I cannot detect whether they have any macros embedded
> > >>>
> > >>> Gary
> > >>
> > >> If you've got a script to detect empty docs then it should be relatively
> > >> easy to detect these. I assume empty attachments are not normal in your
> > >> mail flows?
> > >
> > > I have come to the conclusion that I am just going to have to stick with
> > > detecting empty documents and forget the macro checks.
> > >
> > >> I would look to write some custom SpamAssassin rules, maybe
> > >> incorporating your script, to detect these and filter them out.
> > >
> > > I would love to be able to write custom Spamassassin rules but do not
> > > know how to do this. All I have done in the past is add small pattern
> > > matching rules to local.cf
> >
> > That's a great place to start. Combining multiple simple rules in a meta
> > rule is also a great way to detect many spams. If you can find 3 or 4
> > factors specific to these spam (the more unique the better), combining
> > them usually gives excellent results. For example, they all contain a
> > doc,docx,xls,xlsx attachment, they all contain a specific phrase or
> > something unique in the Subject, maybe they all contain a URL or email
> > address in the body etc. Individually the rules might not be
> > particularly good indicators of spam, but when combined together they
> > may become highly effective.
>
> The big problem is that the emails are vastly different in content, and are
> send by distributed computers. That's why I went down the document content
> checking in the first place.  The empty office document is the only obvious
> common factor.
>
> >
> > This might not be the best forum to discuss in detail; the SpamAssassin
> > mailing list is a great place to get help with writing rules.
> >
> As I've had to implement a malware = * to call my new script it has given me
> the chance to implement checks that I have never been able to manage in
> Spamassassin.  No doubt they are possible, but I've not managed them.
>
> I now have access to the whole email in PERL and MIME::Parser so can do lots
> of other checking.
>
> > > Another rule I would like to add to Spamassassin is to catch emails where
> > > the subject starts with the email local part in brackets as we get a LOT
> > > of those too.
>
> This is one of the checks I can now do in my perl script.
>
> > >
> > >> Are you able to post some examples to pastebin?
> > >
> > > http://www.stainburn.com/virus_files/I040777.doc
> > > http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
> >
> > Sorry, I meant examples of the emails (including the full headers,
> > redacted where necessary), not the attachments. We might be able to
> > point you in the right direction or offer a few thoughts on how to
> > detect them in SpamAssassin.
>
> Unfortunately, I've only got this one as an example. I didn't keep any of the
> previous ones, and hopefully any new ones will never get through.
>
> http://www.stainburn.com/virus_files/Purchase.mbox
>
> >
>
>
>
> --
> Gary Stainburn
> Group I.T. Manager
> Ringways Garages
> http://www.ringways.co.uk


Re: [CentOS] Detecting empty office doc containing virus macro

2015-10-28 Thread Eero Volotinen
Hi,

Take look of http://www.cuckoosandbox.org

--
Eero

2015-10-28 13:55 GMT+02:00 Gary Stainburn :

> We are receiving LOTS of emails that contain empty XLS or DOC documents with
> embedded virus macros.  These are getting past SPAMASSASSIN, Clamav and
> Kaspersky.
>
> I'm trying to write a filter for EXIM to block these emails but I need to know
> a good, quick, command-line to detect an empty doc with a macro.
>
> Is there anything available that I can use??
>
> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
> files but I cannot detect whether they have any macros embedded
>
> Gary


Re: [CentOS] Detecting empty office doc containing virus macro

2015-10-28 Thread Eero Volotinen
and https://github.com/xme/cuckoomx

--
Eero

2015-10-28 16:59 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> Hi,
>
> Take look of http://www.cuckoosandbox.org
>
> --
> Eero
>
> 2015-10-28 13:55 GMT+02:00 Gary Stainburn <g...@ringways.co.uk>:
>
>> We are receiving LOTS of emails that contain empty XLS or DOC documents with
>> embedded virus macros.  These are getting past SPAMASSASSIN, Clamav and
>> Kaspersky.
>>
>> I'm trying to write a filter for EXIM to block these emails but I need to know
>> a good, quick, command-line to detect an empty doc with a macro.
>>
>> Is there anything available that I can use??
>>
>> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
>> files but I cannot detect whether they have any macros embedded
>>
>> Gary
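
For the question asked in this thread (a quick command-line check for whether an Office attachment carries a macro), the following is an added example, not code from any poster or from the Cuckoo project. It reads the OLE2 directory for a `_VBA_PROJECT` entry and sniffs OOXML zip parts by magic; the function names, the 10 MiB part cap and the verdict strings are assumptions of this example.

```python
import io
import struct
import sys
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file signature
MAX_PART = 10 * 2**20                           # assumed cap: skip zip parts > 10 MiB

def ole_entry_names(data):
    """Names of all directory entries (storages and streams) in an OLE2 file."""
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]   # header fills slot 0
    # Only the 109 FAT sectors listed in the header are read (no DIFAT chain).
    fat = []
    for n in struct.unpack_from("<109I", data, 76):
        if n <= 0xFFFFFFFA:                                  # skip FREESECT markers
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))
    names, seen = set(), set()
    cur = struct.unpack_from("<I", data, 48)[0]              # first directory sector
    while cur < len(fat) and cur not in seen:                # follow the FAT chain
        seen.add(cur)
        block = sector(cur)
        for off in range(0, len(block) - 127, 128):          # 128-byte entries
            nlen, kind = struct.unpack_from("<HB", block, off + 64)
            if kind and 2 <= nlen <= 64:                     # kind 0 = unused slot
                names.add(block[off:off + nlen - 2].decode("utf-16-le", "replace"))
        cur = fat[cur]
    return names

def is_vba_ole(data):
    """True if data is an OLE2 file whose directory holds a _VBA_PROJECT entry."""
    return data.startswith(OLE_MAGIC) and "_VBA_PROJECT" in ole_entry_names(data)

def scan(data):
    """Return 'vba', 'clean' or 'malformed' for one attachment's bytes."""
    try:
        if data.startswith(b"PK"):                           # OOXML zip container
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():   # sniff every part by magic, not by name
                    if info.file_size <= MAX_PART and is_vba_ole(z.read(info)):
                        return "vba"
            return "clean"
        return "vba" if is_vba_ole(data) else "clean"        # legacy .doc/.xls, other
    except Exception:               # hostile input: a parse failure is a verdict too
        return "malformed"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(scan(fh.read()))
```

It detects VBA projects only; Excel 4.0 macro sheets, and files large enough to need DIFAT sectors, are outside what it checks.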


Re: [CentOS] phpMyAdmin mbstring extension is missing

2015-10-27 Thread Eero Volotinen
You need to install the correct package. The name of the package might be
php-mbstring..

Eero
27.10.2015 11.58 PM, "Frank M. Ramaekers" wrote:

> This is a fairly new install of CentOS7 and I'm trying to install
> phpMyAdmin (http).  When I access http://server/phpMyAdmin it throws:
>
> The mbstring extension is missing. Please check your PHP configuration.
>
> There is a mbstring.ini in /etc/php.d with:
>
> ; Enable mbstring extension module
> Extension=mbstring.so
>
> /etc/php.ini has:
>
>   :
>   extension_dir = "/etc/php.d"
>   :
>
> Not sure where to go now.
>
> Frank M. Ramaekers Jr. | Systems Programmer | Information Technology |
> American Income Life Insurance | 254-761-6649
>


Re: [CentOS] Recommendations for image malware detection?

2015-10-22 Thread Eero Volotinen
Well. (clamd) clamscan should work.

--
Eero

2015-10-22 20:50 GMT+03:00 Kay Schenk :

> Hello all --
>
> This is not a CentOS specific question, but I have a feeling some of you
> are involved in enterprise malware efforts, so here goes.
>
> Does anyone have recommendations for malware detection that includes
> detection in image files? I'm looking for something that could be
> integrated into a batch cron process as opposed to a client end download
> check.
>
> Thanks.
>
> --
> --
> MzK
>
> “The journey of a thousand miles begins with a single step.”
>   --Lao Tzu


Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Eero Volotinen
OK, I just forgot that the latest PCI DSS standard requires TLSv1.2, which is
not supported under CentOS/RHEL 5.

So, you are using https to transfer credit card data?

--
Eero

2015-10-21 22:37 GMT+03:00 Nick Bright <nick.bri...@valnet.net>:

> On 10/21/2015 2:34 PM, Eero Volotinen wrote:
>
>> Remember that RHEL/CentOS backports fixes, so just looking at the version
>> number is not a reliable way to detect security issues.
>>
>> Eero
>>
> Indeed, though I can say on CentOS 5 the required configuration to be PCI
> compliant is not valid in apache, and httpd will not start.
>
>
> --
> ---
> -  Nick Bright-
> -  Vice President of Technology   -
> -  Valnet -=- We Connect You -=-  -
> -  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
> -  Web http://www.valnet.net/ -
> ---
> - Are your files safe?-
> - Valnet Vault - Secure Cloud Backup  -
> - More information & 30 day free trial at -
> - http://www.valnet.net/services/valnet-vault -
> ---
>
> This email message and any attachments are intended solely for the use of
> the addressees hereof. This message and any attachments may contain
> information that is confidential, privileged and exempt from disclosure
> under applicable law. If you are not the intended recipient of this
> message, you are prohibited from reading, disclosing, reproducing,
> distributing, disseminating or otherwise using this transmission. If you
> have received this message in error, please promptly notify the sender by
> reply E-mail and immediately delete this message from your system.
>


Re: [CentOS] Security implications of openssl098e on CentOS 7

2015-10-21 Thread Eero Volotinen
Remember that RHEL/CentOS backports fixes, so just looking at the version
number is not a reliable way to detect security issues.

Eero

2015-10-21 21:18 GMT+03:00 Nick Bright :

> Greetings,
>
> I'm working with a new CentOS 7 installation, moving a system up from
> CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance
> requirements.
>
> However, while setting up the CentOS 7 environment one of the closed
> source applications is requiring 0.9.8. The software vendor has advised
> installing package openssl098e from yum; but I'm hesitant to do so from a
> compliance and security perspective.
>
> What are the implications of this compatibility package? What does it
> provide/do?
>
> Thank you,
>
> --
> ---
> -  Nick Bright-
> -  Vice President of Technology   -
> -  Valnet -=- We Connect You -=-  -
> -  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
> -  Web http://www.valnet.net/ -
> ---