On 2015-02-04, James B. Byrne byrn...@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known
point of attack to begin with. Why does user 0 have to be called
root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0
On Wed, February 4, 2015 9:17 am, James B. Byrne wrote:
On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev
galt...@kicp.uchicago.edu wrote:
Sounds so I almost have to feel shame for
On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrn...@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known
point of attack to begin with. Why does user 0 have to be called
root? Why not beatlebailey,
On 02/04/2015 08:05 AM, Chris Adams wrote:
This is probably covered in many places, but my Google-fu is failing.
Samba's documentation/howto is here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
As others have mentioned, authconfig will take care of some of those
steps for
On Wed, February 4, 2015 10:35 am, Scott Robbins wrote:
On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrn...@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known
point of attack to begin with. Why does
On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams li...@cmadams.net wrote:
This is probably covered in many places, but my Google-fu is failing.
I have an existing office of Windows computers, in a domain, with a
couple of Windows Server 2012 AD servers. I need to add a file server,
so I'd prefer
On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrn...@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known
point of attack to begin with. Why does user 0 have to be called root?
Why not beatlebailey, cinnamon or
Hi,
I'm currently experimenting with CentOS 7 in order to get a grasp of
everything that's new.
After having read the FAQ entry on network interface names, I decided to
revert to the tradictional interface naming scheme by adding the
relevant kernel options to the bootloader. This went
On 02/04/15 22:53, Niki Kovacs wrote:
Hi,
I'm currently experimenting with CentOS 7 in order to get a grasp of
everything that's new.
After having read the FAQ entry on network interface names, I decided
to revert to the tradictional interface naming scheme by adding the
relevant kernel
On Wed, Feb 4, 2015 at 11:20 AM, Gordon Messmer
gordon.mess...@gmail.com wrote:
This is probably covered in many places, but my Google-fu is failing.
Samba's documentation/howto is here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
As others have mentioned, authconfig
On 02/04/2015 10:17 AM, James B. Byrne wrote:
I had a friend, now deceased, who worked as an RCA colour TV
technician when he was very young. In the 1950s he would be sent to
the homes of people having trouble adjusting the colour settings on
their new RCA's. That was system administration
Once upon a time, Les Mikesell lesmikes...@gmail.com said:
On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams li...@cmadams.net wrote:
I have an existing office of Windows computers, in a domain, with a
couple of Windows Server 2012 AD servers. I need to add a file server,
so I'd prefer to use
On Wed, Feb 4, 2015 at 10:24 AM, Chris Adams li...@cmadams.net wrote:
Once upon a time, Les Mikesell lesmikes...@gmail.com said:
On Wed, Feb 4, 2015 at 10:05 AM, Chris Adams li...@cmadams.net wrote:
I have an existing office of Windows computers, in a domain, with a
couple of Windows Server
On Wed, Feb 4, 2015 at 11:23 AM, Niki Kovacs i...@microlinux.fr wrote:
Hi,
I'm currently experimenting with CentOS 7 in order to get a grasp of
everything that's new.
After having read the FAQ entry on network interface names, I decided to
revert to the tradictional interface naming scheme
Tim Dunphy writes:
Hey guys,
I need to give the 'nobody' user (which is what our apache runs as) no
password access to a file, via sudo. This is what I've tried:
In addition to all other comments so far, 'nobody' is a bad choice for
httpd. If this is your distro's default, it's a bad
On 2/4/2015 6:02 AM, Rushton Martin wrote:
OS is CentOS 5.3 (yes, I know - upgrade)
at least patch CentOS 5. 5.3 is a snapshot from 6 years ago (2009),
there've been 6 years of updates to CentOS 5 since that point, both
security and bug fixes. `yum update` would bring you up to CentOS
Le 04/02/2015 18:48, m.r...@5-cent.us a écrit :
That directory, and that file, exist in CentOS, also, since 6. And the new
naming... it's*so* much easier to deal with... yeah, right, I'll run the
install, and wait till it hangs, so I can see that the NIC is named, what
was it, on that HP last
On 02/03/2015 03:44 PM, Always Learning wrote:
There should be a basic defence that when the password is wrong 'n'
occasions the IP address is blocked automatically and permanently
unless it is specifically allowed in IP Tables.
As has been mentioned, fail2ban does this.
However, the reason
On 02/04/2015 02:08 PM, Lamar Owen wrote:
3.) Attacker uses a large graphics card's GPU power, harnessed with
CUDA or similar, to run millions of bruteforce attempts per second on
the exfiltrated /etc/shadow, on their computer (not yours).
4.) After a few hours, attacker has your password (or
On Wed, February 4, 2015 3:55 pm, Warren Young wrote:
On Feb 4, 2015, at 12:16 PM, Lamar Owen lo...@pari.edu wrote:
Again, the real bruteforce danger is when your /etc/shadow is
exfiltrated by a security vulnerability
Unless you have misconfigured your system, anyone who can copy
On Feb 4, 2015, at 12:16 PM, Lamar Owen lo...@pari.edu wrote:
Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by
a security vulnerability
Unless you have misconfigured your system, anyone who can copy /etc/shadow
already has root privileges. They don’t need to
On 02/04/2015 04:55 PM, Warren Young wrote:
Unless you have misconfigured your system, anyone who can copy
/etc/shadow already has root privileges. They don’t need to crack your
passwords now. You’re already boned.
Not exactly.
There have been remotely exploitable vulnerabilities where an
On Feb 4, 2015, at 10:04 AM, Valeri Galtsev galt...@kicp.uchicago.edu wrote:
wikiedia is really vague on the date MacOS 10 was first shipped
It depends on what you mean by “shipped.”
The first OS X product released into the market was OS X Server 1.0, in March
1999:
On Wed, 2015-02-04 at 14:16 -0500, Lamar Owen wrote:
Oh, and the program to do this can be found very easily. It's called
'John the Ripper' and has GPU support available:
http://openwall.info/wiki/john/GPU
https://en.wikipedia.org/wiki/John_the_ripper
Again, the real bruteforce danger
On Feb 4, 2015, at 8:17 AM, James B. Byrne byrn...@harte-lyne.ca wrote:
I had a friend, now deceased, who worked as an RCA colour TV
technician when he was very young. In the 1950s he would be sent to
the homes of people having trouble adjusting the colour settings on
their new RCA's.
On 2015-02-04, Valeri Galtsev
galt...@kicp.uchicago.edu wrote:
On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
On 2015-02-04, James B. Byrne
byrn...@harte-lyne.ca wrote:
[SNIP]
(Users with sudo can still get a root shell, but that's
not the same as logging in as root.)
I thought
On Wed, 2015-02-04 at 14:08 -0500, Lamar Owen wrote:
However, the reason you want a password that is not easily bruteforced
has nothing to do with this, and all bruteforce attempts cannot be
blocked by this method.
Thanks for your well-explained concerns. You make good sense.
Just counted
Although you can choose this in the installer, isnt the provided values
supposed to be the default?
I tired the following
inst.repo=hd:/dev/sdb1:/repo
Result: /dev/sdb1 is not mounted.
inst.repo=nfs:[fc00::6009]:/home/auser/repo
Result: NFS is not mounted even the correct ip is set by
On 02/02/2015 03:15 PM, Tim wrote:
What are you exactly searching for?
Sounds like he is doing a network install, and is looking for the network
path that must be supplied in order to do the install. If he doesn't have
a local repository, then he has to supply the first part of the path
Am 04.02.2015 um 15:02 schrieb Rushton Martin:
Our cluster was supplied with two IBM DS3400 RAID arrays connected with
fibre channel. Both are old and one is failing so we bought an IBM
V3700 to replace it. The V3700 complained that we were using the IBM's
RDAC driver (true) and we were
On Feb 4, 2015, at 3:56 PM, Kahlil Hodgson kahlil.hodg...@dealmax.com.au
wrote:
I just had a peek at the anaconda source for Fedora 21.
This change isn’t in a released version of Fedora yet:
https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
The change will probably
On Feb 4, 2015, at 4:14 PM, Les Mikesell lesmikes...@gmail.com wrote:
Not exactly - it just becomes a question of whether the complexity
requirements imposed by the installer are really worth much against
the pre-hashed lists that would be used to match up the shadow
contents.
Rainbow
On 5 February 2015 at 10:53, Always Learning cen...@u64.u22.net wrote:
On C6, the default is:-
-- 1 root root 854 Mar 13 2014 shadow
Even better if you have SElinux enabled
--. root root system_u:object_r:shadow_t:s0/etc/shadow
On Feb 4, 2015, at 5:20 PM, Kahlil Hodgson kahlil.hodg...@dealmax.com.au
wrote:
On 5 February 2015 at 10:36, Warren Young w...@etr-usa.com wrote:
When the hashes are properly salted, the only option is brute force. All
having /etc/shadow does for you is let you make billions of guesses
On Wed, 2015-02-04 at 14:55 -0700, Warren Young wrote:
On Feb 4, 2015, at 12:16 PM, Lamar Owen lo...@pari.edu wrote:
Again, the real bruteforce danger is when your /etc/shadow is exfiltrated
by a security vulnerability
Unless you have misconfigured your system, anyone who can copy
On 2/4/2015 4:04 PM, Warren Young wrote:
# rpm -q --dump setup|grep shadow
/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1
0 0 X
/etc/shadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0
0 X
This says it should be mode 400, as it is here on
On Feb 4, 2015, at 5:43 PM, Warren Young w...@etr-usa.com wrote:
SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this
calculator assumes
Hmm, just thought of a counterattack:
If CentOS’s SSH currently allows 10 guesses per minute *per IP*, all you need
to do to get
I just had a peek at the anaconda source for Fedora 21. Apparently
you can waive the password strength tests (and the non-ASCII tests) by
simply clicking Done twice.
def _checkPasswordASCII(self, inputcheck):
Set an error message if the password contains non-ASCII characters.
On Wed, Feb 4, 2015 at 4:55 PM, Warren Young w...@etr-usa.com wrote:
There have been remotely exploitable vulnerabilities where an arbitrary file
could be read
CVEs, please?
I’m aware of vulnerabilities that allow a remote read of arbitrary files that
are readable by the exploited
On Feb 4, 2015, at 4:53 PM, Always Learning cen...@u64.u22.net wrote:
On C5 the default appears to be:-
-rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
Nope:
# rpm -q --dump setup|grep shadow
/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1
0 0 X
On 5 February 2015 at 10:36, Warren Young w...@etr-usa.com wrote:
When the hashes are properly salted, the only option is brute force. All
having /etc/shadow does for you is let you make billions of guesses per
second instead of 5 guesses per minute, as you get with proper throttling on
On Feb 4, 2015, at 4:14 PM, Les Mikesell lesmikes...@gmail.com wrote:
On Wed, Feb 4, 2015 at 4:55 PM, Warren Young w...@etr-usa.com wrote:
Most such vulns are against Apache, PHP, etc, which do not run as root.
Those are common. Combine them with anything called a 'local
privilege
On Wed, 2015-02-04 at 17:50 -0700, Warren Young wrote:
On Feb 4, 2015, at 5:43 PM, Warren Young w...@etr-usa.com wrote:
SSH as shipped on CentOS doesn’t allow 1,000 guesses per second, as this
calculator assumes
Hmm, just thought of a counterattack:
If CentOS’s SSH currently
On 5 February 2015 at 12:09, Scott Robbins scot...@nyc.rr.com wrote:
On Thu, Feb 05, 2015 at 09:56:30AM +1100, Kahlil Hodgson wrote:
I just had a peek at the anaconda source for Fedora 21. Apparently
you can waive the password strength tests (and the non-ASCII tests) by
simply clicking Done
On Feb 4, 2015, at 7:23 PM, Les Mikesell lesmikes...@gmail.com wrote:
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young w...@etr-usa.com wrote:
An LPE can only be used against your system by logged-in users.
Or any running program - like a web server.
That’s not what LPE means. “L” =
While this discussion has been very interesting, I would like to
encourage participants to be very careful about disclosing the
specifics their own security efforts. While is good to discuss the
pros and cons of strategies, disclosing the details of the exact
strategies that you use, no matter
On Wed, 2015-02-04 at 18:14 -0700, Warren Young wrote:
Nothing is free. Just as with my analogy with safes, we’re not
talking about absolute security. We just need to make an attack
*costly enough* that it will never succeed, if we do our part. (Like
not saying chmod 644 /etc/shadow !!)
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young w...@etr-usa.com wrote:
Most such vulns are against Apache, PHP, etc, which do not run as root.
Those are common. Combine them with anything called a 'local
privilege escalation' vulnerability and you've got a remote root
exploit.
Not quite.
On Thu, Feb 05, 2015 at 09:56:30AM +1100, Kahlil Hodgson wrote:
I just had a peek at the anaconda source for Fedora 21. Apparently
you can waive the password strength tests (and the non-ASCII tests) by
simply clicking Done twice.
That's correct for Fedora 21. The inability to waive the
On Feb 4, 2015, at 5:55 PM, Always Learning cen...@u64.u22.net wrote:
On Wed, 2015-02-04 at 17:50 -0700, Warren Young wrote:
rent time on a 6,000 machine botnet.
Rent ? That costs money. Just crack open some Windoze machines and do
it for free. That is what many hackers do.
Acquiring
On Wed, Feb 4, 2015 at 8:43 PM, Warren Young w...@etr-usa.com wrote:
On Feb 4, 2015, at 7:23 PM, Les Mikesell lesmikes...@gmail.com wrote:
On Wed, Feb 4, 2015 at 6:32 PM, Warren Young w...@etr-usa.com wrote:
An LPE can only be used against your system by logged-in users.
Or any running
On 2015-02-04, Valeri Galtsev galt...@kicp.uchicago.edu wrote:
I'm neutral to sudo (even though I was taught the smaller number of
SUID/SGID files you have, the better). Yet, I'm considering it less safe
to have regular user who can log in with GUI interface, and likely to be
doing regular
Esta documentación realmente es para linux, pero puede que te sirva para el
problema que tienes.
hola , tengo un problema con unas carpetas que se ha compartido en mi
servidor centos, les muestro el escenario
mi servidor es un centos 5.9 con carpetas compartidas y tengo 2 tipos de
clientes
hola , tengo un problema con unas carpetas que se ha compartido en mi servidor
centos, les muestro el escenario
mi servidor es un centos 5.9 con carpetas compartidas y tengo 2 tipos de
clientes :cliente Windows xp en dominio y cliente Windows 7 en dominio, y el
servidor de dominio es un
On Feb 4, 2015, at 3:16 PM, Lamar Owen lo...@pari.edu wrote:
On 02/04/2015 04:55 PM, Warren Young wrote:
Unless you have misconfigured your system, anyone who can copy /etc/shadow
already has root privileges. They don’t need to crack your passwords now.
You’re already boned.
Not
55 matches
Mail list logo