Re: [CentOS] died again

2014-01-24 Thread John Hinton

On 1/23/2014 6:41 PM, Peter wrote:
 On 01/24/2014 03:47 AM, Michael Hennebry wrote:
 On Thu, 23 Jan 2014, Peter wrote:

 it has four molex four pin connectors any one of which should be
 suitable for your CD drive, and one floppy connector which should work
 for your floppy drive just fine.
 I needed the floppy connector for my video card.
 Fair enough, you can get a four pin molex to floppy adapter and use that
 if you really care about that 1980's piece of technology.


 Peter

Some have said it already, but to me it is rude to have a discussion 
about hardware problems on a software mailing list. Everyone who signed 
up for this would have signed up for CentOS OS being 'Operating 
System'. I don't know how many are on this list... thousands I would 
assume. Having a discussion about fixing computers belongs somewhere else.

Further, this list is archived in many locations. Off topic discussions 
degrade the quality of those archives when doing searches.

Best Regards,
John Hinton
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Using CentOS Wordpress rpms

2013-11-12 Thread John Hinton

On 11/12/2013 9:44 AM, Brian Mathis wrote:
 On Mon, Nov 11, 2013 at 10:59 PM, Max Pyziur p...@brama.com wrote:

 On Tue, 12 Nov 2013, Keith wrote:
 [...]
   
 I always install from the latest tarball from the WP site, as it's the
 latest at the time of installation. With regards to WP updates and
 versions, this is generally performed with its own built in
 updating/upgrading mechanism which is the first thing you should check
 or do after install and on an ongoing basis - IMHO anyway.
 Makes sense.

 So what is the point of having RPMs if you can't apply it server-wide
 across multiple sites?

 MP



 Maybe the packages are meant for a different usage pattern than yours?

 Packaging anything, but particularly web apps, involves making tradeoffs.
 For most people, package defaults provide a basic set of functionality
 (which can be adequate for most people), but there are some cases where a
 power user might have need to install them with other settings.

 Your usage pattern as a hosting provider is on the power user end of the
 spectrum, and you should probably be using the tar file or even creating
 your own custom rpms so you can set it up as you need it.


 ❧ Brian Mathis

To my knowledge, there has always been a 'central WordPress install' 
method. I 'assume' that is what this RPM does?

Aside from that... Plugin hell! The automated WP updates is really new 
and I am betting will break sites 'automatically'. We turn this feature 
off for the moment.

The issue is plugins. Most people run some plugins on their WP 
installations and some people run dozens. Each of these can be website 
critical, or IOW, if they don't work the site is totally broken. This 
happens far too often during an update to WordPress.

So, our method has been an extra fee added to hosting WP sites, so that 
we can monitor and do the upgrades, so we know they are done. We work 
with the client if there are conflicts with plugins. We do the update 
and then give the website a once over to try to find any broken 'features'.

It all depends on how kind you wish to be with your customers. (but I do 
hope the automated part can actually work... perhaps in the future at 
least?)

Best,
John Hinton


Re: [CentOS] SpamAssassin under CentOS-6.4

2013-07-12 Thread John Hinton
On 7/12/2013 6:20 PM, Timothy Murphy wrote:
 I wonder if anyone is actually running SpamAssassin
 with Postfix/Amavisd-new under CentOS-6.4 .
 I have followed the instructions in
 http://wiki.centos.org/HowTos/Amavisd
 but as far as I can see SpamAssassin is not working.

 I should say that I do not understand from this document
 what is meant to happen to spam.
 I understand that a Spam header is added,
 but what actually happens to email considered to be spam?

 When I run spamassassin --lint I get the response
 -
 [tim@alfred ~]$ sudo spamassassin --lint
 Jul 12 21:59:15.538 [19228] warn: config: failed to parse, now a plugin,
 skipping, in /etc/mail/spamassassin/local.cf: ok_languages en it fr de ga
 -
 But this is exactly where the ok_languages line is meant to go,
 according to
 http://wiki.apache.org/spamassassin/ImproveAccuracy.

IIRC, SpamAssassin is run from Amavisd-new so the regular SA daemon does 
not run on its own.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] what's wrong with dag.wieers?

2013-07-02 Thread John Hinton
On 7/2/2013 5:18 PM, Pete Geenhuizen wrote:
 On 07/02/2013 04:02 PM, Adrian P. van Bloois wrote:
 Hi,
 What happened to dag.wieers? There is an update for clamav but the rpm is
 still not distributed after 4 weeks or more. :-)
 What's wrong there?

  Adrian


 I asked about clamav on the repoforge list, and apparently there are
 some longstanding on-going issues with rpmforge, not sure exactly what
 and that apparently for quite some time some people have been attempting
 to resolve them.

 Due to the length of time that these problems have existed there's also
 a fair amount of skepticism that the issues will be resolved.

 There are several suggestions on how to resolve the clamav issue, one of
 them was to use the version from epel which is what I opted to do.
 Depending on your point of view I found it to be a relatively easy
 switch, just had to deal with a few ownership issues.

 All in all it's a shame that there are issues as I've used rpmforge for
 years and have been pleased with the repo.

 Pete

I very much liked the rpmforge repo for many years. However, clamav was 
one that I wasn't so happy with from them. It seems the username would 
switch back and forth from clam to clamav to clam to clamav and I would 
have a non-working version which I didn't always know about. (log file 
wrong user permission problems)

I switched the clamav install to epel and have had flawless success with 
their packaging. It's easy to do excludes for various repos so that you 
don't get conflicting installations.

Rpmforge and Dag have done great work and I'm not meaning for this to 
sound negative. It was just this one package. Maybe it was two packagers 
switching the username depending on who did the update? I don't know.

John Hinton



Re: [CentOS] security breach - ftp?

2013-05-19 Thread John Hinton
On 5/19/2013 11:59 AM, Philipp Duffner wrote:
 Hi,

 I'm running Plesk 11.0.9 on a Centos 5.5.
 A website on that box got hacked last week and malicious code got inserted
 into some html/php files. So I went to find out what happened...

 I found no back doors by using rkhunter or manually searching for
 suspicious files in /tmp, etc. No activity at all in the php logs at the
 time of the attack. I also analysed of course the system logs (messages,
 secure, ...) - nothing that I could see either - except for an entry of a
 successful login to that domain via FTP just before the modified dates
 of the infected files.
 I found one of the oldest infected files were in the folder of a hopelessly
 outdated version of a WYSIWYG editor and decided to blame that due to
 probability.

 So in order to recover I did in this order...
 * delete httpdocs from the website
 * change the FTP password
 * upgrade and update Plesk from 10.0.4 to 11.0.9
 * upgrade php to php53 via plesk - this also updates mysql and phpmyadmin
 * yum update everything, also made sure I have the latest version of proftp
 * restore the entire website from a clean backup
 * delete the WYSIWYG folder that I believed had caused the vulnerability

 The next days I slept ok hoping I removed the attacker's entry point(s).

 ...so I thought! Today the website got hacked again - the same exploit on
 the pages, meaning same attacker.
 And again I can see nothing suspicious except for the successful FTP logon
 just before the modification time of the infected html/php:

 2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:01:25.204731-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:01:25.204831-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:01:25.205183-07:00 MyServer proftpd: pam_unix(proftpd:session): session opened for user WEBSITEUSER by (uid=0)
 2013-05-18T15:01:25.205244-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:01:25.231034-07:00 MyServer proftpd[20243]: 127.0.0.1 (188.190.126.105[188.190.126.105]) - USER WEBSITEUSER: Login successful.
 2013-05-18T15:04:08.095351-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:04:08.095379-07:00 MyServer proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
 2013-05-18T15:04:08.095445-07:00 MyServer proftpd: Deprecated pam_stack module called from service proftpd
 2013-05-18T15:04:08.095455-07:00 MyServer proftpd: pam_succeed_if(proftpd:session): error retrieving information about user 0
 2013-05-18T15:04:08.095463-07:00 MyServer proftpd: pam_unix(proftpd:session): session closed for user WEBSITEUSER

 I know for a fact it couldn't have been the website owner because I didn't
 give him the new FTP password yet.

 # yum list | grep proftp
 psa-proftpd.i386         1.3.4a-cos5.build110121114.13  installed
 proftpd.i386             1.3.3g-2.el5                   epel
 proftpd-ldap.i386        1.3.3g-2.el5                   epel
 proftpd-mysql.i386       1.3.3g-2.el5                   epel
 proftpd-postgresql.i386  1.3.3g-2.el5                   epel

 I think I really hit a snag with this one - I have no idea where to go
 forward from here.
 I'd appreciate any ideas.

 Thanks.

 Philipp
1. Did you create a really strong password?
2. Does the new password you created still function or has it been reset 
by the intruder?
3. Are any files/directories/or the root directory on that website set 
world writable? (many of those CMS systems required this)
4. Is it possible that the system you used to change the password has a 
keystroke recorder/virus on it? (How did the intruder get the new password?)
5. Are there any new unexplained users on the system?
6. Is there more than one place where logins via Plesk might use the old 
password which have not been updated?

Otherwise, I think it might be a good idea to hit the Plesk list as that 
overlay does at times have security issues. It also has many other 
functions not CentOS related adding too many other variables for good 
troubleshooting here, unless you get help from another Plesk/CentOS user.

188.190.126.105 is your intruder from the Ukraine... You might want to 
grep for that through most of your system logs. For instance, could they 
be accessing an email account that used that old pass where maybe new 
passwords are automatically sent? You might consider firewalling out 
that Class C 188.190.126.0/24 while you do the repairs again.

What is commonly known as the WordPress attacks are hitting just about 
every possible 
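
The check Philipp describes above (an FTP login just before the modification times of the infected files) and the /24 block suggested in the reply can be scripted. The Python below is an added example, not part of the original thread: the sample log lines, file names and addresses are constructed, and it assumes one log entry per line in the layout of the proftpd excerpt above.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# A successful-login entry, in the layout of the proftpd excerpt above.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ proftpd\[\d+\]: \S+ "
    r"\([^\[]*\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+): Login successful\."
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = [
    "2013-05-18T09:12:02.000000-07:00 MyServer proftpd[19001]: 127.0.0.1 "
    "(198.51.100.20[198.51.100.20]) - USER WEBSITEUSER: Login successful.",
    "2013-05-18T15:01:25.231034-07:00 MyServer proftpd[20243]: 127.0.0.1 "
    "(203.0.113.105[203.0.113.105]) - USER WEBSITEUSER: Login successful.",
    "2013-05-18T15:04:08.095463-07:00 MyServer proftpd: "
    "pam_unix(proftpd:session): session closed for user WEBSITEUSER",
]

# Constructed modification times; on a real system these would come from
# os.stat(path).st_mtime converted to a timezone-aware datetime.
SAMPLE_MTIMES = {
    "httpdocs/index.php": datetime.fromisoformat("2013-05-18T15:02:10-07:00"),
    "httpdocs/contact.html": datetime.fromisoformat("2013-05-18T15:03:40-07:00"),
    "httpdocs/about.html": datetime.fromisoformat("2013-05-10T11:00:00-07:00"),
}


def parse_logins(lines):
    """Return one record per 'Login successful' entry; other lines are skipped."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append({
                "time": datetime.fromisoformat(m["ts"]),
                "ip": m["ip"],
                "user": m["user"],
            })
    return logins


def correlate(logins, mtimes, window_seconds=600):
    """Map each source IP to the files modified within the window after its login."""
    hits = {}
    for login in logins:
        for path, mtime in mtimes.items():
            delta = (mtime - login["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.setdefault(login["ip"], set()).add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


def enclosing_24(ip):
    """Return the /24 network containing ip, for a temporary firewall rule."""
    return str(ip_network(f"{ip}/24", strict=False))


if __name__ == "__main__":
    for ip, paths in correlate(parse_logins(SAMPLE_LOG), SAMPLE_MTIMES).items():
        print(ip, enclosing_24(ip), paths)
```

A login that precedes the file changes by minutes, from an address the site owner never uses, points at stolen or reused credentials rather than a web-application flaw, which matches the questions in the reply above.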

[CentOS] Anybody Else Seeing these internet spikes?

2013-04-24 Thread John Hinton
Is anybody else seeing these internet spikes that seemed to come along 
with the WP bots? And, what are good methods for defense? It looks like 
they are hitting port 80 but not leaving a trace in logs.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] A question

2013-02-12 Thread John Hinton
On 2/12/2013 7:51 PM, Bassem Sossan wrote:
 I'm a beginner with Linux...
 I have found a good resource, it's a book called Beginning Red Hat Linux
 9...
 The CentOS version that I've installed is CentOS 6...
 Is this book compatible with CentOS 6?


Ahhh easy confusion. Red Hat Linux was a bit less Enterprise 
oriented. If I recall, Red Hat 9 was out about the same time the Red Hat 
Enterprise Linux 2.x was out. That became known as RHEL for short. 
CentOS is a clone of RHEL. So, CentOS 6 is the latest from Redhat other 
than the Fedora project.

In summary, most of that book will have good information, in particular 
the basics, but it is very old at this point. I suppose around 10 years 
old now. That book will not cover a number of things that have been 
added into CentOS 6.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] More on amavis/clam permission errors on Centos 6.3

2013-01-30 Thread John Hinton
On 1/30/2013 5:05 PM, Robert Moskowitz wrote:
 On 01/30/2013 04:31 PM, Nicolas Thierry-Mieg wrote:
 Robert Moskowitz wrote:
 I should probably find either the amavis or clam list(s) and take this
 there?

 snip
 Oh, I have not applied the updated policy rpms that Dan Walsh pointed me
 to.  This is all 'out of the box' rpms, following the amavis/clamav
 recommendations from: http://wiki.centos.org/HowTos/Amavisd
 is it? so your rpms come from rpmforge? I thought you mentioned epel at
 some point. Hopefully you're not mixing them?
 Sorry, I followed the HowTo, but got all the rpms from epel.

 If you are, then that might be your problem.
 If you really followed the wiki instructions you must be using RF
 packages, so you could take it to the RF list.
 And if you're using epel, then you didn't follow the wiki instructions
 but nevertheless you should take it to the epel list...
 epel list.  Hmm.  Now to find that.

 Thanks for the direction.

Read near the top of the amavis config file. It will reference the 
directories you are having trouble with. It tells you to create them and 
that they need to be owned by whatever you set the amavis user to be. It 
is all right there in the conf file.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Centos 6.3 - which repos to use?

2013-01-27 Thread John Hinton
On 1/26/2013 4:21 PM, James Freer wrote:
 On Sat, Jan 26, 2013 at 9:12 PM, Reindl Harald h.rei...@thelounge.net wrote:

 Am 26.01.2013 22:07, schrieb James Freer:
  From what i have seen of fedora and centos in the rpm world the repos
 are very much better in the debian world. To me the stability comes
 from the distro and it's repos. Not being able to install Abiword or
 yumex, having to spend time selecting options for repos to me simply
 isn't worth it.

 I've just installed a Slackware distro today and it's the best i've
 ever tried in 6 years of using linux. Its speed, ease of installation
 puts it in a league of its own. Or as their 'chilling warning goes'
 Once you go Slack... you never go back!
 have fun with a package management without dependency tracking
 well, without the problems above are hidden, but not solved

 a funny thing to play with - but laughable for production environments
 which you maintain over many years without reinstall them ever

 Like debian is improved on with derivative distros, when i said slack
 i was referring to a derivative Salix... with package management
 Gslapt which is very similar to synaptic. Hate to say it but imo very
 much better than yum.

 You've been a nice friendly crowd but centos isn't for me.

 james
If I were doing a desktop setup, I would very likely not use CentOS 
EL. Remember E stands for Enterprise. What is an enterprise? What 
expectations does an enterprise have? Our 'enterprise' is web facing 
servers doing hosting and email mostly. In the hosting world, the users 
get to put up their content. Most of the time this 'enterprise' solution 
is great. I don't have to worry about upgrades that break things. I 
would not know for instance if a PHP upgrade broke a website until the 
client let us know. This might be the day it happened or it might be 
months after it occurred. Yes, some folks don't actually look at their 
website or maybe just one portion of their website for months. For 
instance, maybe a photo album script. The enterprise life pretty much 
avoids any of these issues. I can update something like Postfix without 
worrying about it being a new version with a new config file. The 
benefits to the 'enterprise' world are huge. Stuff very rarely breaks. 
If I am developing for CentOS 'EL', I would likely use CentOS as my 
desktop version. If my goal is watching movies, viewing images, doing 
graphics work... I think I would at least look at the other distros for 
something that stays current.

CentOS is not bleeding edge. I rarely ever suffer a cut. Instead, 
stability and reliability. If we do something to break email or web 
services, our phones start ringing within 5 minutes. Those are not happy 
customers.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Centos 6.3 - which repos to use?

2013-01-24 Thread John Hinton
 on the power of yum where you can set priorities, do exclusions 
and such.

Yes, you can get into trouble if you add 2 without any control. For 
instance, something like clamav. One repo might set it up with the 
username of clam while the other might use clamav. As the updates come 
down, suddenly it dies and you have to figure out that the logs are 
owned by the wrong user. This is just one example of many things that 
can go wrong with mixed repos.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] evaluating backup systems: rsync

2013-01-19 Thread John Hinton
On 1/19/2013 1:28 PM, Nicolas Thierry-Mieg wrote:
 Reindl Harald wrote:

 Am 19.01.2013 15:46, schrieb Nicolas Thierry-Mieg:
 M. Fioretti wrote:
 On Fri, Jan 18, 2013 08:07:40 AM -0500, SilverTip257 wrote:
 if you really want to eliminate that data being transferred, I
 suppose you could do the extra work and rename the directory at the
 same time on the source and destination.  Not ideal in the least.
 Not ideal indeed, but I'll probably do it that way next time that some
 renaming like this happens on very large folders. I assume that after
 that, I'd also have to launch rsync with the options that says to not
 consider modification time.
 no I don't think you will, since the file modification times won't have
 changed.
 and even if they did - who cares?

 * rsync does not transfer unchanged data ever
 * rsync will sync the times to them from the sources
 * so have nearly zero network traffic
 Not true: if you change the modification time on a file, by default
 rsync will copy the whole file again.

 See man rsync:
 Rsync  finds  files that need to be transferred using a “quick check”
 algorithm (by default) that looks for files that have changed in size or
 in last-modified time.

 and yes I've tested this before posting  ;-)

 to avoid this you need to use --size-only .

Yet size only is not reliable. If for instance you have a simple text 
file with the word hellO and someone catches the typo and changes it to 
hello, the filesize doesn't change as near as I can see. Both show as 6 
using ls -al. Unless rsync uses a more granular check of filesize that I 
am not aware of? If this is the case, then someone could potentially 
edit a large document fixing numerous simple typos and wind up with the 
same filesize.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] web mail and Squirrelmail

2012-12-19 Thread John Hinton
On 12/19/2012 3:21 AM, Nikolaos Milas wrote:
 We are currently still using SquirrelMail. I hate the GUI 
 (aesthetically), but it works well and there are plugins for about 
 everything one would ask. If only someone could create a nice 
 contemporary GUI (HTML 5) for it! If someone wants Outlook / 
 Thunderbird sync functionality, I would suggest starting from SoGo 
 (even though I have not tested it yet). There are other open-source 
 systems too which are not free: Zarafa, Zimbra, Open-Xchange etc.

 Nick

This is not opensource, but the pricing is not too bad. It answered the 
GUI issue for us.

http://nutsmail.com/

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Oracle tries to capture CentOS users

2012-07-20 Thread John Hinton
On 7/20/2012 11:15 AM, Hakan Koseoglu wrote:
 On 20 July 2012 15:19, Chris xchris...@googlemail.com wrote:
 http://linux.oracle.com/switch/centos/
 I found the update delay graph laughable. They're comparing
 themselves to a bunch of volunteers and then say we beat people work
 for free and for the love of it Right... IMHO, I'd rather go for
 RHEL if I'm paying. (Unfortunately I don't make that decision,
 customers do, disclaimer, $dayjob has OEL customers too).

Yes, pick the one bad time for CentOS and release 6 and show that in a 
graph. I find it interesting that CentOS is showing as faster than Oracle 
now.

Meanwhile, if this is linux.oracle.com, shouldn't Oracle database be 
included in the 'free version'? If you want something laughable. Anyway, 
Oracle came with some old distro or book I picked up. It was free with 
some strings as I remember, but that is likely a decade ago now. Still, 
shouldn't Oracle linux include Oracle? The word Oracle being synonymous 
with one thing. I might have to do an install if it did and if it was 
free for any use. ;)

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] tcptrack

2012-07-09 Thread John Hinton
On 7/9/2012 1:59 PM, John Hinton wrote:
 Does anybody have a working version of tcptrack running on Centos 6 x64?
 The rpmforge rpm installs and runs on the -t eth# command, but if you
 add a port to it, it bombs with a pcap compile error. It runs fine for
 me on Centos 5 x64, but seems to have what looks like an old bug
 reintroduced in 6.

Crap... typo... I meant the -i eth# command. :(

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Failing Network card

2012-06-20 Thread John Hinton
On 6/20/2012 10:27 AM, Gregory P. Ennis wrote:
 Gregory P. Ennis wrote:
 snip
 I have been chasing a problem with a pci-e TrendNet(TEG-ECTX) gigabit
 card.  After adding the card to a machine with a new Centos 6.2 install
 and naming it 'eth4' it works well for 6 to 12 hours and then fails.
 The failure is characterized by dropping its connection speed from 1000
 to 100 while not allowing any data to flow in or out.  When this happens
 a shutdown and reboot does not solve the problem, but shutting down and
 then removing the power does solve the problem.
 snip
 Some additional information that may be useful.  The TrendNet card is
 the second TrendNet card I have used.  The first card had the same
 symptoms, and I deduced the card was bad, and purchased another one. The
 symptoms are the same with the second card.
 snip
 Several questions: do you have another machine on the same network? Does
 *it* show the problem, around the same time?

 And, finally, did you buy both TrendNet cards from the same vendor? Are
 their MACs close? If so, it could be the vendor got a bad batch, either
 OEM's fault, or the gorilla who un/loaded it during shipping.

 mark

 -

 Mark,

 I have several machines on that network, and only one machine is having
 the problem.  The machine is being used as a mail server, web server,
 and gateway for the network.  After this problem surfaced with the
 failure of the eth4 card (internal network), I created a gateway out of
 one of the other machines that is working without incident.

 I did purchase both TrendNet Cards from Fry's.  Fry's was good about
 taking the first one back without question, but now that the second one
 has failed, I thought it best to look deeper.  I don't have the previous
 card's MAC address, but my first thought was that this was a bad card
 too. Both the first and second cards did not appear to have any damage
 on the boxes or the card itself.  Before I tried to get a third card
 from a different manufacturer I wanted to post things here to see if
 there was an obvious problem I am missing.

 Thanks for your help!!!

 Greg

If you are having to fully 'cold boot' the system before it will work 
again I can't help but wonder if it is a conflict between special 
motherboard functions/settings and the card. I've seen this with some 
high end video cards under Winders. I am totally speculating here and 
have nothing to draw from, but wake on lan functions and such just 
leaves me wondering. Do you have a different machine/motherboard around 
where it wouldn't be hard to set up this testing? Maybe Googling a bit 
on motherboard model and eth card model might give a helpful return?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Failing Network card

2012-06-20 Thread John Hinton
 
away. If not, I'd hit the lan manufacture site to find this info as it 
would be specific to each. Or, it might be easier to just try a 
different manufacturer?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] PMA attacks

2012-06-19 Thread John Hinton
On 6/19/2012 2:31 PM, m.r...@5-cent.us wrote:
 It appears to be a low-level attack, not so frequent as to be banned
 permanently, just a number of times a day.

 I did google on this, and I gather it's looking for phpmyadmin. We've been
 getting one from one specific network in Russia for weeks

 Here are more information about 91.201.64.24:

 [Querying whois.ripe.net]
 [whois.ripe.net]
 snip
 % Information related to '91.201.64.0 - 91.201.67.255'

 inetnum: 91.201.64.0 - 91.201.67.255
 netname: Donekoserv
 descr:   DonEkoService Ltd
 country: RU
 snip

 But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
 Two questions: first, are other folks seeing this? and second, I can't
 imagine malware this stupid, to keep hitting the same sites over and over
 when it's not found, rather than bad password or user, so I'm wondering if
 this could be a targeting vector for an upcoming serious attack using
 another vector.

 Opinions?

mark


I also see these frequently. As for dumb script? Well there are plenty 
of those out there. And, if you care to, you can set up rules in 
Fail2Ban to auto block these.

This brings up a question I have. We do virtualhosting and keep separate 
http logs for every website. I have not been running any Fail2Ban rules 
on those logs as many are very active and spread about. I suppose I 
could concentrate only on the error logs which would be much smaller. My 
question... is anybody running something like Fail2Ban under a situation 
like this and does it use much horsepower?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Sendmail SMTP Brute-Force Attack

2012-06-16 Thread John Hinton
On 6/15/2012 9:10 PM, Gustavo Lacoste wrote:
 Thanks guys! John, can you send me a simple filter for fail2ban+SMTP? I
 tried to use the following filters, but this is not sufficient for me yet.


 */etc/fail2ban/filter.d/sendmail.conf*

 [Definition]
 failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
  (User unknown)\n* \[<HOST>\]
  badlogin: .* \[<HOST>\] plaintext .* SASL
  reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi\?ip=<HOST>
 ignoreregex =

 */etc/fail2ban/filter.d/dovecot-pop3imap.conf *
 [Definition]
 failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

First, I switched to Postfix on my last CentOS 5 and all CentOS 6 
installs. These rules are from v5 boxes, but are pretty old now. My 
strongest rules were on CentOS 4 systems, which have been retired, 
trashed or recycled. Make sure they match up to your logging.

Dovecot Auth Failures:

failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

Spamhaus Failures:

failregex = sendmail.*?(?:ruleset=check_relay).*  relay=<HOST> .* ?reject=550 5\.7\.1 Email rejected due to Unsolicited Bulk Email \[xbl\] policies see: http://spamhaus\.org/

Plug in what you want for xbl. This catches almost all of our blocks. I 
cannot use pbl therefore zen due to outbound from pbl listed networks. Or 
at least that is how I understand it. I never tried.

These systems were never what I would call production servers and 
apparently there was never a need to catch the user unknown errors. 
Unfortunately, my rules for that are gone now for Sendmail. Also, I'm 
not good at regexs. Pretty much I started with the exact log containing 
the failure and worked back from there to what I have.

I have noted that Fail2Ban maintainers seem to be supporting Postfix. I 
think I've been grabbing it from epel or maybe dag. Most of the rules 
work out of the box. But I'd never suggest that Postfix is better than 
Sendmail, nor would I suggest you choose one over the other.


-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
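
The advice above to make sure the rules match your logging can be checked offline before a filter goes live. The Python below is an added example, not part of the original message and not fail2ban's own code: it runs the Dovecot failregex from the message over constructed log lines, substitutes a simplified pattern for the `<HOST>` tag, and applies a maxretry/findtime threshold the way a jail would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag
# expands to a more elaborate address/hostname pattern).
HOST_GROUP = r"(?P<host>[0-9A-Za-z:.\-]+)"

# The Dovecot failregex from the message above, wrapped lines joined.
DOVECOT_FAILREGEX = (
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* "
    r"rhost=<HOST>(?:\s+user=.*)?\s*$"
)

_PAM = ("pam_unix(dovecot:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=dovecot ")

# Constructed sample log (documentation address ranges). The last line uses a
# different program tag to show a format the rule silently misses.
SAMPLE_LOG = [
    "Jun 15 21:10:01 mail dovecot-auth: " + _PAM + "ruser=info rhost=203.0.113.7  user=info",
    "Jun 15 21:10:09 mail dovecot-auth: " + _PAM + "ruser=sales rhost=203.0.113.7  user=sales",
    "Jun 15 21:10:15 mail dovecot-auth: " + _PAM + "ruser=admin rhost=203.0.113.7  user=admin",
    "Jun 15 21:12:40 mail dovecot-auth: " + _PAM + "ruser=bob rhost=198.51.100.44  user=bob",
    "Jun 15 23:30:02 mail dovecot-auth: " + _PAM + "ruser=bob rhost=198.51.100.44  user=bob",
    "Jun 15 23:31:00 mail dovecot: auth: " + _PAM + "ruser=info rhost=203.0.113.99  user=info",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the rule as a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures(lines, rx, year=2012):
    """Return (timestamp, host) for every line the rule matches."""
    found = []
    for line in lines:
        m = rx.search(line)
        if m:
            # Classic syslog timestamps carry no year, so one is supplied.
            when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((when, m.group("host")))
    return found


def hosts_to_ban(lines, rx, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)
    banned = set()
    for when, host in sorted(failures(lines, rx)):
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned


def missed_failures(lines, rx):
    """Authentication-failure lines that the rule did not match."""
    return [l for l in lines if "authentication failure" in l and not rx.search(l)]


if __name__ == "__main__":
    rule = compile_failregex(DOVECOT_FAILREGEX)
    print("ban:", sorted(hosts_to_ban(SAMPLE_LOG, rule)))
    print("missed:", missed_failures(SAMPLE_LOG, rule))
```

A non-empty `missed_failures` result is the signal that the log format has drifted from what the rule expects; fail2ban ships the `fail2ban-regex` tool for the same check against a real log file and filter.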



Re: [CentOS] Sendmail SMTP Brute-Force Attack

2012-06-15 Thread John Hinton
On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
 The problem with my server is: I use it to offer webhosting services. Some
 customers using Outlook are blocked because they use black listed ips (ips
 simply are dynamic).


That is the same problem I am dealing with. You have to set up a dual 
mailserver system with outbound set to not use the blacklist used on the 
inbound server or you will block some of your good users who happen to 
land on a dirty IP address from time to time. The situation is the same 
with SpamAssassin or any other anti-spam system in place.

Sendmail and Postfix work the same in this regard. And I'm still not 
certain which one I like the most, after installing Postfix on our last 
4 systems. I think the logging from Sendmail is way more logical (easier 
to comprehend), but maybe that is just because I have been reading those 
logs for many years.

I would still take a look at Fail2Ban. You need to be very careful with 
your rules, but it is extremely flexible. You only provided about 30 
seconds from your mail log. Fail2ban will look over a much greater time 
span and activate whatever blocks you enable or write. I have written 
blocks based on not passing certain spam tests, such as the Spamhaus RBL 
(and yes we pay for that service). But I really didn't care for our 
systems to run the repeated DNS lookups. The rule blocks them at the 
firewall and over time, the number of blocks has decreased as many 
spammers have just quit trying. I have rules to block spammers mining 
for good email addresses (some of our domains were getting 10s of 
thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and 
just about every service login, with adjusted numbers of attempts and 
shorter or longer times based on how the rules might adversely affect 
one of our actual users. Higher security risk services with low volume 
use by users, get blocked after fewer failed attempts and for much 
longer times.

FYI, Spamhaus is blocking around 90% of all our inbound emails as spam. 
That number should actually be higher, but Fail2Ban does not allow a 
number of messages in due to the firewall blocks, so those don't get 
figured in to that total. Spamhaus is perfect in blocking IP addresses 
that positively were used to send spam, but dynamic addresses do get 
caught creating some false positives.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
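
An added illustration (not code from this thread and not Fail2Ban's own) of the per-service thresholds described in the message above: matching reject lines are counted per IP inside a find window, and a ban is issued once the limit is reached. The log lines, regexes, jail names, ignore list and numbers are constructed assumptions to adapt to a real maillog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like sendmail maillog rejects (not real traffic).
SAMPLE_LOG = """\
Jun 15 08:00:01 mx1 sendmail[2101]: ruleset=check_relay, relay=[203.0.113.5], reject=550 5.7.1 listed at RBL
Jun 15 08:00:40 mx1 sendmail[2102]: ruleset=check_relay, relay=[192.0.2.77], reject=550 5.7.1 listed at RBL
Jun 15 08:01:00 mx1 sendmail[2103]: ruleset=check_relay, relay=[192.0.2.10], reject=550 5.7.1 listed at RBL
Jun 15 08:01:05 mx1 sendmail[2104]: ruleset=check_relay, relay=[192.0.2.10], reject=550 5.7.1 listed at RBL
Jun 15 08:01:09 mx1 sendmail[2105]: ruleset=check_relay, relay=[192.0.2.10], reject=550 5.7.1 listed at RBL
Jun 15 08:02:10 mx1 sendmail[2106]: ruleset=check_relay, relay=[203.0.113.5], reject=550 5.7.1 listed at RBL
Jun 15 08:03:00 mx1 sendmail[2107]: ruleset=check_relay, relay=[192.0.2.77], reject=550 5.7.1 listed at RBL
Jun 15 08:04:30 mx1 sendmail[2108]: ruleset=check_relay, relay=[203.0.113.5], reject=550 5.7.1 listed at RBL
Jun 15 08:10:00 mx1 sendmail[2140]: ruleset=check_rcpt, relay=[198.51.100.9], reject=550 5.1.1 User unknown
Jun 15 08:10:05 mx1 sendmail[2141]: ruleset=check_rcpt, relay=[198.51.100.9], reject=550 5.1.1 User unknown
Jun 15 08:10:09 mx1 sendmail[2142]: ruleset=check_rcpt, relay=[198.51.100.9], reject=550 5.1.1 User unknown
Jun 15 08:10:15 mx1 sendmail[2143]: ruleset=check_rcpt, relay=[198.51.100.9], reject=550 5.1.1 User unknown
Jun 15 08:10:21 mx1 sendmail[2144]: ruleset=check_rcpt, relay=[198.51.100.9], reject=550 5.1.1 User unknown
Jun 15 09:30:00 mx1 sendmail[2200]: ruleset=check_relay, relay=[192.0.2.77], reject=550 5.7.1 listed at RBL
"""

# Hypothetical jails: each has its own pattern, attempt limit, window and ban length (seconds).
JAILS = {
    "rbl-reject": {
        "regex": re.compile(r"relay=\[(?P<ip>[0-9.]+)\], reject=550 5\.7\.1 .*RBL"),
        "maxretry": 3, "findtime": 600, "bantime": 86400,
    },
    "user-unknown": {
        "regex": re.compile(r"relay=\[(?P<ip>[0-9.]+)\], reject=550 5\.1\.1 .*User unknown"),
        "maxretry": 5, "findtime": 3600, "bantime": 3600,
    },
}

# Addresses that must never be banned (assumed: your own office or relay hosts).
IGNORE_IPS = frozenset({"192.0.2.10"})


def scan(lines, jails=JAILS, ignore=IGNORE_IPS, year=2012):
    """Return a list of (jail, ip, banned_at, banned_until) in log order."""
    hits = defaultdict(deque)   # (jail, ip) -> timestamps still inside findtime
    banned_until = {}           # (jail, ip) -> end of the current ban
    bans = []
    for line in lines:
        if not line.strip():
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        for name, jail in jails.items():
            match = jail["regex"].search(line)
            if not match:
                continue
            ip = match.group("ip")
            key = (name, ip)
            if ip in ignore or ts < banned_until.get(key, ts):
                continue  # whitelisted, or already under an active ban
            window = hits[key]
            window.append(ts)
            # Drop hits that have aged out of this jail's find window.
            while ts - window[0] > timedelta(seconds=jail["findtime"]):
                window.popleft()
            if len(window) >= jail["maxretry"]:
                until = ts + timedelta(seconds=jail["bantime"])
                banned_until[key] = until
                bans.append((name, ip, ts, until))
                window.clear()
    return bans


if __name__ == "__main__":
    for jail, ip, at, until in scan(SAMPLE_LOG.splitlines()):
        print(f"{at}  ban {ip:<15} jail={jail:<13} until {until}")
```

In the sample, 192.0.2.77 hits the RBL three times but never three times inside ten minutes, so it is not banned; that is the occasional good user on a dirty dynamic address.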



Re: [CentOS] any reliable FTP server with HTTPS/FTPS, commercial or not

2012-06-14 Thread John Hinton
On 6/14/2012 7:23 PM, John R Pierce wrote:
 On 06/14/12 4:08 PM, Gelen James wrote:
 Please check the wiki 
 page http://en.wikipedia.org/wiki/List_of_FTP_server_software. There are so 
 many choices

 psst?  most of those are for MS Windows, which doesn't come with a
 decent FTP server built in.   many of them are commercial. there's
 really only a couple on that list suitable for a linux server, headed up
 with vsftpd, the default ftp server in CentOS.

I do hear good things about ProFTP and actually have it on one of my new 
installs, but haven't yet messed with it. I found it odd that it didn't 
make the wiki list. Maybe some others can give some feedback on it?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Sendmail problem - baffled

2012-05-15 Thread John Hinton
On 5/15/2012 4:57 PM, Bowie Bailey wrote:
 On 5/15/2012 4:48 PM, Jussi Hirvi wrote:
 On 15.5.2012 23.22, Alexander Dalloz wrote:
 It is technically impossible that the telnet to target port 25 succeeds
 from the same system on which the Sendmail gets a connection refused,
 unless Sendmail is configured to use a non-standard target port.
 That is why I am baffled. :-/

 I could use a way to see what port sendmail is actually using to make
 the contact. My assumption is that when the log entry (see my orig post)
 says mailer=esmtp,, it implies port 25 - but then it really does not
 make sense that the connection is refused.

 On the primary mail server (which I try in vain to contact) I see
 *nothing* about the failed connections in the maillog, even though I
 raised log_level to 19.
 You could use wireshark to monitor the network traffic and determine
 exactly what happens when sendmail tries to make the connection.

A couple of things to check. I don't know if these servers are in the 
same location or not but it is possible if not, that your provider 
blocks port 25. Here are two configs to check.

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

If this is not done on the primary, it will not listen to anything but 
itself so the backup wouldn't be able to contact it.

dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

and this if it is possible that port 25 is blocked.

Sorry if this has already been discussed. I stepped in late on the 
conversation.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Reject Action For SPF

2012-05-03 Thread John Hinton
On 5/3/2012 12:40 PM, Prabhpal S. Mavi wrote:
 are you sure you want to do this? It will definitely result in lots of
 legitimate mail being blocked, because SPF is by no means ubiquitous.

 You can set up your mail server to block mail if the SPF record suggests
 it, but I would never filter mail originating from domains having no SPF
 record at all.

 Best regards,

Peter.
 Dear Peter,

 Thanks for your response. it is true what you are saying. but we want to
 set that way.


 Prabh S. Mavi


A couple of notes.

1. SPF was not designed to be used this way. It is doubtful that anyone 
has written anything that even remotely considered this option in use. 
You will likely have to write it yourself.

2. SPF is still in RFC testing, so it is not yet a full internet 
standard. And once it is, the standard still does not condone using it 
the way you intend. IOW, there is nothing in the standard that states 
you must have a SPF record to be a legit email domain. Basically, you'll 
have a broken mailserver. We are actually stuck with having to take ours 
off for the moment as one 'service' we use demands sending email from 
their mailservers using our email address and they still have no SPF record.

If you do this, most likely you will not get around 90% of the good 
email as SPF is not widely used as of yet. But I guess if you are only 
interested in receiving email from a few 'known' domains... it could 
work. Seems it would be easier to just blacklist all and whitelist the 
few? If it is just for internal... perhaps a webmail system with no 
outside email ability would be the way to go?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Reject Action For SPF

2012-05-03 Thread John Hinton
On 5/3/2012 1:16 PM, Prabhpal S. Mavi wrote:
 1. SPF was not designed to be used this way. It is doubtful that anyone
 has written anything that even remotely considered this option in use.
 You will likely have to write it yourself.

 2. SPF is still in RFC testing, so it is not yet a full internet
 standard. And once it is, the standard still does not condone using it
 the way you intend. IOW, there is nothing in the standard that states
 you must have a SPF record to be a legit email domain. Basically, you'll
 have a broken mailserver. We are actually stuck with having to take ours
 off for the moment as one 'service' we use demands sending email from
 their mailservers using our email address and they still have no SPF
 record.

 If you do this, most likely you will not get around 90% of the good
 email as SPF is not widely used as of yet. But I guess if you are only
 interested in receiving email from a few 'known' domains... it could
 work. Seems it would be easier to just blacklist all and whitelist the
 few? If it is just for internal... perhaps a webmail system with no
 outside email ability would be the way to go?
 Dear Hilton. J

 Thanks for your advice, i actually know this. what would you say about
 those who put their efforts to implement SPF. why they do it?
I have been on the SPF list since before Microsoft just about killed it. 
SPF is perhaps the most misunderstood function in the email world. It is 
not a spam filter. The SPF website will tell you that very early on. It 
is quite simply this. It is to battle domain spoofing. Or, to battle the 
use of a legit domain in a from address sent by a spammer who has no 
rights to use that domain name. It is and always will be voluntary, as 
some domains simply cannot implement it. Their systems are too complex 
and the TXT record in bind won't allow enough characters. There are some 
other good reasons to not use it... or good situations where you are 
forced to not use it. Either way, it is simply a statement to the world 
that email from my domain should be coming from these IP addresses and 
that is all it is. The receiving end can choose what to do with that 
information. There is a gray area between it being called a spam filter 
or not... The SPF folks won't let you call it a spam filter.

It can do a really good job of avoiding finding your mailbox full of 
bounce messages, but that will only be reduced by the number of systems 
which did SPF checks. Ultimately, I think it will be a great thing, much 
like RevDNS is now, but we couldn't really get hard core on RevDNS until 
most of the major providers did. If you can't send email to AOL, 
Comcast, Netscape, Gmail and so on, then why should you be able to send 
to me?

If you are planning to run a legit world facing email server, planning 
to use SPF as you are will make it a very broken system and it will not 
be anywhere near RFC compliant.

Best,
John Hinton

 Thanks / Regards
 Prabh S. Mavi





-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
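
An added illustration (not code from this thread or from any SPF library) for the two "Reject Action For SPF" messages above: a minimal evaluator for the ip4, ip6 and all mechanisms, run against two receiver policies, one rejecting only on an explicit fail and one also rejecting domains that publish no record. The zone data, domain names and policy function names are constructed assumptions; mechanisms that need live DNS (a, mx, include and so on) are left out.

```python
import ipaddress

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups (documentation addresses only).
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "soft.example": ["site-verification=constructed", "v=spf1 ip4:198.51.100.25 ~all"],
    "nospf.example": ["some unrelated TXT record"],
}


def check_host(ip, domain, zone=ZONE):
    """Evaluate the sending IP against the domain's SPF record.

    Returns none, pass, fail, softfail, neutral or permerror.
    """
    records = [t for t in zone.get(domain, [])
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # the domain makes no statement at all
    if len(records) > 1:
        return "permerror"     # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"        # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        # Anything else would need DNS or macro handling, which this sketch omits.
        raise ValueError(f"mechanism not handled in this example: {term}")
    return "neutral"           # record present, nothing matched, no 'all'


def reject_on_fail_only(result):
    """Receiver acts only when the domain owner's record says the sender is wrong."""
    return "reject" if result == "fail" else "accept"


def reject_without_spf(result):
    """The setup asked about in the thread: a missing record is also rejected."""
    return "reject" if result in ("fail", "none") else "accept"


def compare(messages, zone=ZONE):
    """For each (ip, domain) return (domain, spf_result, lenient, strict)."""
    rows = []
    for ip, domain in messages:
        result = check_host(ip, domain, zone)
        rows.append((domain, result,
                     reject_on_fail_only(result), reject_without_spf(result)))
    return rows


if __name__ == "__main__":
    constructed_mail = [
        ("192.0.2.10", "example.com"),     # listed sender
        ("203.0.113.9", "example.com"),    # spoofed sender
        ("203.0.113.9", "soft.example"),   # not listed, owner asked for softfail
        ("203.0.113.9", "nospf.example"),  # legitimate domain with no SPF record
    ]
    for row in compare(constructed_mail):
        print("%-14s spf=%-9s fail-only=%-7s require-spf=%s" % row)
```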



Re: [CentOS] Cloud on CentOS Server

2012-03-08 Thread John Hinton
On 3/7/2012 1:20 PM, John R Pierce wrote:
 On 03/07/12 10:06 AM, John Hinton wrote:
 I'm looking into adding a cloud to one of my servers.
 what does a cloud mean in this context ?

 to me, a cloud is a set of homogenous servers running distributed
 applications.   classic cloud is google.  the term has been degraded
 to also refer to a stack of servers running a virtualization platform
 such that the individual VMs don't care what hardware they are assigned
 to, classic example of a VM cloud is Amazon AWS.

 I don't understand how ANYTHING you do on a single server could be
 called 'cloudy'.

Perhaps the definition of cloud has gone lower and should be called 
fog now?

It seems however that the definition is an online infrastructure which may:
provide applications
provide file storage
calendar
contacts
collaboration
communication
among a number of other things

and that these services are all available to 'users' on the cloud via:
servers
desktops
laptops
tablets
phones

As for how many servers? Well that is a matter of how many users you 
have, loads, storage capacity and just about anything else a single or 
bank of servers might do.

At the moment, our business has 4 people in four different locations and 
we want to better share our work. Seems like file shares are one aspect, 
but perhaps some applications, certainly collaboration and I really 
don't like putting stuff on Google. I see at least one of these allows 
you to run OpenOffice through the browser. I haven't really done a lot 
of research into this yet and really all I wanted was some ideas for a 
simple open source cloud software that was preferably friendly to CentOS.

Also, this would be a good exercise in learning a bit more of what is 
out there that our clients might wish to use. No, I'm not building a 
system where anyone in the world can sign up, nor for a fortune 500 
company, nor even one much smaller. Just for us at the moment, and 
perhaps do a bit of sharing to our clients from time to time.

I have so far found eyeOS and am also looking at ownCloud. Thanks Devin 
for that link.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] Cloud on CentOS Server

2012-03-07 Thread John Hinton
I'm looking into adding a cloud to one of my servers.

Criteria:
security
accessible via Windoze, Android Mobile Devices, iPhones, iPads, Macs
Preferably something living under one of the better repos, such as epel
An active project doing updates and adding features.

I don't suppose any of you have ideas for this? ;)

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Random Proliant Crashes CentOS 6.1

2011-12-18 Thread John Hinton
On 12/18/2011 2:22 PM, Richard Karhuse wrote:
 If you follow the cited bugzilla's, you'll see that you *must* upgrade
 your HP firmware too (for everything(!!) -- particularly RAID controllers
 and SAS expander, etc.) --  to the absolute latest release.  [Note: the
 updates on the 9.30 ISO are *not* late enough, btw.]  Then, you need
 the latest version of the kernel that has a work-around in the cciss / hpsa
 driver.

 HTH

 -rak-

Thanks. I have already started down the firmware path. This is 
irritating! 15 years of solid reliability out of Proliant products and 
then suddenly this! :( I'm starting to wonder if the Linux kernel is 
just trying to do too many things... geez... (Isn't that what Windows 
does?) Maybe there is a need for a server kernel which could be a 
simplified version of a desktop or full kernel? Then again, I have no 
insight into what led to this... perhaps it was introduced due to the 
server side features.

So, by latest kernel, I suppose that would not be the latest CentOS 
6.1 kernel? If not, does anyone know if it is in any kernel provided by 
upstream and if it will soon be available under CentOS? For instance 6.2 
that seems to be just around the corner?

Upstream seemed to blame it on their upstream, or the kernel. The cases 
I found were closed in spite of no good resolution. There has to be a 
ton of Proliant stuff out there. Actually, HP seems to have a lot of 
holes in providing for RH6 and has only RH5 for many of these firmware 
updates. I did successfully run HP RH5 firmware updates on a RH6 box, 
but I'm not so happy about taking chances like that.

Or worse perhaps we are starting to see a degradation due to 
ownership by HP vs. the fine products that Compaq created? I certainly 
hope not!

Meanwhile, I guess I'll sit back and wait to see if what I have done is 
enough.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] Random Proliant Crashes CentOS 6.1

2011-12-17 Thread John Hinton
I've been seeing some random Proliant DL380 G4 64bit crashes. Each time, 
on the console are messages relating to jbd2/cciss and something about a 
waitfor 120 seconds. Is anybody else seeing anything like this? Oddly, I 
can't seem to find this in the logs. I guess it can't write when this 
happens.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] duqu

2011-12-06 Thread John Hinton
On 12/6/2011 7:12 PM, Les Mikesell wrote:
 2011/12/6 Fajar Priyanto fajar...@arinet.org:
 I happen to have a copy of an older brute-forcer dictionary here 
 (somewhere) and it's very large and has lots of very secure-seeming 
 passwords in it.
 Why not don't allow root login from ssh? That's basic yet effective.
 This particular brute-forcer didn't require root access to spread.

 It can work under a normal user without root
 You miss my point.
 I'd expect it to be at least typical to firewall direct ssh access
 from the internet.

This thread is mostly speculation. My 'other speculation' is that this 
'could have been' a disgruntled employee. Someone that had root and also 
a user on the system. It 'could have been' that the user was not removed 
and the root pass not changed. Simple as that no break in per se, 
but just bad policies. If they were a couple of versions back on 
updates, there were other bad policies... but I think we 'speculated' on 
that as well?

Further 'speculation' on this is just more CentOS list garbage unless 
someone can provide details on what exactly did happen. More than likely 
some inside CC do have ideas, but are likely too embarrassed to say it.

Humans are lazy if they can be. Over time, complacent. Look at xBox. Now 
this. And even if you do run a perfect system, just like with a new 
virus... somebody has to get it first to turn it in for a signature to 
be written. A certain number of people will get that virus a certain 
number of servers will get exploited before patches are issued and the 
delay of putting them into place. Black hats work just as hard as gray 
hats and white hats and maybe harder.

You will never stop crime... you will never stop terrorism... you can 
only do what you can to limit it without bankrupting yourself (in time 
or money) in the process, and try to be prepared for when it hits.

So, when is CentOS 7.0 going to be ready? ;)

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] duqu

2011-11-30 Thread John Hinton
On 11/30/2011 1:55 PM, Benjamin Donnachie wrote:
 On 30 Nov 2011, at 18:51, Les Mikesell lesmikes...@gmail.com  wrote:

 Ssh is mostly about being able to log in.
 I've always adopted the policy of disabling root logins, making admins
 use a separate account with public/private key authentication and then
 requiring them to use su to elevate privileges.

 Has the advantage that your logs will tell you who logged in and
 performed an action rather than the vague 'root'.

 Ben

How would you automate daily logins from another server to do something 
like rsync the entire /etc directory to a backup system?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Changes at Red Hat confouding CentOS

2011-11-16 Thread John Hinton
On 11/16/2011 6:36 AM, Timothy Murphy wrote:
 Yves Bellefeuille wrote:

 What percentage are using iPhones and Androids to access the
 internet? I'd guess it is already over 50%.
 Not over 50%, but 5,5%, according to this source:
 http://www.netmarketshare.com/

 I may have exaggerated the figure,
 but I don't believe it is as low as that.
 Smart phones have been outselling PCs for some time.

 So even if the figure is less than 50%,
 it will soon be up there.


You are arguing two entirely different points. One 'Access' the other 
'Market Share'. Likely both are very nearly right percentages. You buy a 
phone first to 'have a phone'. The rest are upgrades and useful 
features, but just because you buy a smart phone doesn't mean that is 
now your single method for 'accessing the net'.

John Hinton

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Changes at Red Hat confouding CentOS

2011-11-15 Thread John Hinton
On 11/15/2011 9:35 AM, Reindl Harald wrote:
 On 15.11.2011 14:56, Timothy Murphy wrote:
 But isn't everyone today using laptops for everyday use?
 this is what some braindead developers seems to think
 but it is not true nor will it never get true!

 why in the world should i use a laptop in my office if
 i can have a Core i7 Quad combined with much more and
 better hardware as ever possible in a laptop?

 why in the world should i use a laptop @home where i
 have a dedicated place for a powerful machine with much
 less heat and noise than a crappy laptop?

 i have worked long enough with laptops and they was, they are
 and they will always be useless crap if you need power and
 comfort while you do more as webbrowsing or read a handful
 mails what i can do with my mobile
Agreed! The cramped screen space (I run dual vid cards in sli with 4 
monitors with development apps spread all over them!), sluggish response 
(open what I have running on my work station and any laptop goes into 
crawl mode), heat (if you really run it in your lap as the name infers) 
and that just touches on the very start of my list. Yes, I have few 
laptops and use them when I 'need' to and one often times goes with me 
when I leave my office (but my phone is rapidly replacing that need 
unless I'm going for days)... but why on earth would I consider using 
only a laptop? Well, if I was always mobile, but I'm not. Maybe if I 
didn't need to run any development systems... Eclipse on a laptop 
certainly works, but is sluggish vs. a workstation. Open Dreamweaver, 
Photoshop, Eclipse, three web browsers a secure shell or few, email, IM, 
and then need to open a Word attachment and most laptops chug to worse 
than a crawl.

Yes, laptops are more becoming a tool of the trade, but I don't think 1% 
is anywhere near a real number. It 'might' be as high as 50% 
(totally grabbing at the stars saying that).






-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Can't run fail2ban 0.8.4 [CentOS 6]

2011-11-04 Thread John Hinton
On 11/4/2011 8:24 AM, Kévin GASPARD wrote:
 On 04/11/2011 12:54, Patrick Lists wrote:
 On 11/04/2011 12:48 PM, Kévin GASPARD wrote:
 The output of service fail2ban start in root (that's in french) :

 Démarrage de fail2ban :[ÉCHOUÉ]
 The docs on the fail2ban website also say how you can start fail2ban
 manually (at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Usage):

 $ fail2ban-client start

 Maybe starting it that way gives you more information why it fails.

 Regards,
 Patrick
 Hi,

 [root@turing lighttpd]# fail2ban-client start
 WARNING 'action' not defined in 'php-url-fopen'. Using default value
 WARNING 'action' not defined in 'lighttpd-fastcgi'. Using default value
 ERROR  Error in action definition
 ERROR  Errors in jail 'lighttpd-fastcgi'. Skipping...

 Cordially

Yeah... I was thinking that was the problem. I'm running Fail2Ban and I 
think I got it from EPEL, on CentOS 6 without problems.

Looks like you need to kill off some of your jail confs and then turn 
them on and tune them one by one. Fail2Ban relies on logging and even 
certain log levels being run from the services you are checking. I found 
the default Fail2Ban install worked very well on a default 
webserver/mailserver install. There were a number of things that I 
needed to do to turn on other checks. And I have customized even 
further. For instance, I subscribe to Spamhaus. I use the spamhaus 
maillog entries to look for repeated attempts to one or more domains and 
after so many, block the offender at the firewall. Saves a lot of server 
load and 'seems' to make these folks give up on my systems to some extent.

So, turn off most of the event triggers and then turn them back on one 
at a time. Then edit the rules as needed or set log levels on the 
service being checked to give the output needed to work with the rule.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS 6 updating policy

2011-11-04 Thread John Hinton
On 11/4/2011 9:24 AM, David McGiven wrote:
 I am migrating from debian to RHEL (CentOS) and I am wondering how the
 CentOS 6 updating system works.


 Suppose I install CentOS 6.1 now. Suppose in 8 months CentOS 6.2 is
 released.
yum update will pull in the new version and install it and update your 
release from 6.1 to 6.2. (if there were a 6.1... it might get skipped 
and 6.0 will update to 6.2)


 Now I issue a yum update, so my system will be updated to CentOS 6.2, or I
 will have an updated 6.1 ?
It will be 6.2


 What if I have been issuing yum update every day just to be sure there are
 no packages with urgent security bugs ? I am having a very updated 6.1 or
 an almost 6.2 ? Or are they the same thing ? I think that during this time
 I should be using Continuous Release repository, right ?
Yes, CR is optional but to me important.


 Also, which is the policy regarding new versions of software, kernel and
 libs ? The bugfixes will be backported or there will be major differences
 between, let’s say, 6.1 and 6.4 ?
Security issues are almost always backported. Almost always on a CentOS 
major release, anything installed such as website scripts will work 
throughout the entire 7 year cycle of minor releases. This is the main 
beauty of CentOS, and also the main drawback. Sometimes clients want 
something newer... for instance PHP 5.3. It was not available via 
upstream until the release of 6 and the last minor release of 5 
(although that was to me a sad attempt). So, there will be some gripes 
at times, but since you haven't broken their stuff during the major 
release cycle... what is better? And, you can always customize a system, 
but often times reliability will suffer somewhere along the line.


 I couldn’t find all of these question properly answered in the FAQs
Basically it is just really easy and happens during yum update. Minor 
releases are times when the largest changes are made, but again, rarely 
do they actually break anything. I think I still have enough fingers on 
my hands to count the issues over the last 15 or so years when something 
client side broke in a server environment.

Non-upstream repositories... not so much. But in fairness, some of these 
repositories provide packages that make core changes, like an entirely 
new conf file and one must go fix these. Upstream seems to operate under 
never forcing a replacement conf file... In other words, the service 
will generally continue to operate without admin intervention.

John Hinton


 Thanks in advance.


 Regards,

 David


-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS 4 Dovecot Problem

2011-11-02 Thread John Hinton
On 11/1/2011 3:53 PM, Scott Silva wrote:
 on 11/1/2011 10:30 AM Grant McChesney spake the following:
 On Sun, Oct 23, 2011 at 10:19 AM, John Hinton webmas...@ew3d.com   wrote:

 For those of you that still are running CentOS 4... I have one system
 that is still going... there is a problem with the newest release of
 Dovecot under mbox. Certain spam is causing this error when users try to
 log on.

 file lib.c: line 37 (nearest_power): assertion failed: (num <=
 ((size_t)1 << (BITS_IN_SIZE_T-1)))

 Rolling back to a previous release fixes these issues. I'm not bothering
 to file a bug with Redhat as the EOL is rapidly approaching and I just
 about have my one system's users moved to a new server.

 I have not as of yet seen this problem on CentOS 5 mbox systems, but I
 don't have many users on those systems either as I'm 'slowly' migrating
 all to CentOS 6 Maildir systems.



 I got bit by this bug as well.  I rolled back to dovecot-0.9.11-9 for now
 until I find time to upgrade to CentOS 5 or 6.
 DO yourself a favor and use a dovecot from a third party repo... the 0.9
 series is YEARS old.

We've dealt with it for nearly 7 years now and only have a few months to 
go. The problems have been few. I posted this to help those make it 
through to February. I delayed moving folks from the v4 systems waiting 
for the v6 systems so as to gain a couple or few more years before EoL 
for them and for other reasons that v5 does not properly address. 
Clients don't like to be moved around. In a perfect world, email client 
programs would not have problems with these moves... but we don't live 
in a perfect world. Those problems irritate the clients and increase our 
tech support by multiple times. Heading off into a repo 1.x upgrade at 
this point is rather silly IMO.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] CentOS 4 Dovecot Problem

2011-10-23 Thread John Hinton
For those of you that still are running CentOS 4... I have one system 
that is still going... there is a problem with the newest release of 
Dovecot under mbox. Certain spam is causing this error when users try to 
log on.

file lib.c: line 37 (nearest_power): assertion failed: (num <= 
((size_t)1 << (BITS_IN_SIZE_T-1)))

Rolling back to a previous release fixes these issues. I'm not bothering 
to file a bug with Redhat as the EOL is rapidly approaching and I just 
about have my one system's users moved to a new server.

I have not as of yet seen this problem on CentOS 5 mbox systems, but I 
don't have many users on those systems either as I'm 'slowly' migrating 
all to CentOS 6 Maildir systems.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS-6.0 Continuous Release ( CR ) repository

2011-10-08 Thread John Hinton
On 10/8/2011 10:30 AM, Timothy Murphy wrote:
 n...@li.nux.ro wrote:

 I don't really understand the function of this repository,
 or rather why the RPMs in it are not in the standard repository?
 Because there is no standard repository yet. These RPMs are from the
 next version (6.1 as we write this) which has not been published yet. CR
 is just a way to keep up with updates while they work on publishing Centos
 6.1.
 I've read the various responses, and am not really convinced.
 It seems to me the developers are just making more work for themselves.
 Of course that is their prerogative ...


It is really quite simple. 6.1 is not out. Many of us absolutely must 
have 6.0 serving the public at this point. There are no more security 
updates for 6.0. So, why not provide updated packages as they are 
available, if they don't break other packages? It seems very sound 
reasoning to me. Extra work? Well, it is some, but not really that much.

To me, this is another case of the CentOS team trying hard to provide 
what the community needs as fast as they can. Choose to use the CR or 
not. For me and I'm certain many others, I'm very happy that it is 
there! And this provides an answer for now and perhaps again in the 
future when a minor release occurs just before a major security issue, 
leaving the ability to move forward with the new security packages 
before the minor release is ready.

As for passing security 'testing'. Well, CR might not provide the answer 
the 'testers' want, but do they ultimately want security or do they only 
want you to pass the test? Sometimes I think the latter... a question of 
'perceived' or 'actual'. I'll choose actual... and like it to be pretty 
quick... and CR provides an aid there.

John Hinton



-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] CentOS 6 and Pyzor

2011-10-06 Thread John Hinton
Has anybody been successful in getting Pyzor to run on CentOS 6 64bit? I 
have it running fine on CentOS 6 32 bit, and I 'think' I did identical 
installs. But, from the command line I keep getting

Oct  6 13:36:00.659 [16065] dbg: pyzor: network tests on, attempting Pyzor
Oct  6 13:36:06.205 [16065] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Oct  6 13:36:06.206 [16065] dbg: pyzor: opening pipe: /usr/bin/pyzor check  /tmp/.spamassassin160655GZkVEtmp
Oct  6 13:36:06.281 [16065] dbg: pyzor: [16168] finished: exit 1
Oct  6 13:36:06.282 [16065] dbg: pyzor: check failed: no response

And, yes the firewall port is open and I can ping pyzor.

Been Googling this for hours now lots of returns without any helpful 
info. And 'odd' that it is running fine on 32 bit. And of course, the 32 
bit install is for internal use while the 64 bit system needs to go live 
to the public really fast!

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS 6 and Pyzor

2011-10-06 Thread John Hinton
On 10/6/2011 1:37 PM, John Hinton wrote:
 Has anybody been successful in getting Pyzor to run on CentOS 6 64bit? I
 have it running fine on CentOS 6 32 bit, and I 'think' I did identical
 installs. But, from the command line I keep getting

 Oct  6 13:36:00.659 [16065] dbg: pyzor: network tests on, attempting Pyzor
 Oct  6 13:36:06.205 [16065] dbg: pyzor: pyzor is available: /usr/bin/pyzor
 Oct  6 13:36:06.206 [16065] dbg: pyzor: opening pipe: /usr/bin/pyzor check  /tmp/.spamassassin160655GZkVEtmp
 Oct  6 13:36:06.281 [16065] dbg: pyzor: [16168] finished: exit 1
 Oct  6 13:36:06.282 [16065] dbg: pyzor: check failed: no response

 And, yes the firewall port is open and I can ping pyzor.

 Been Googling this for hours now lots of returns without any helpful
 info. And 'odd' that it is running fine on 32 bit. And of course, the 32
 bit install is for internal use while the 64 bit system needs to go live
 to the public really fast!

OK, so I'm an idiot!!! arrgh! I started comparing every file and every 
directory for all of the anti-spam stuff and guess what I found? On the 
64bit system sample-spam.txt had 0 bytes. Well, I suppose everything was 
working just as it should have been. That file on the 32 bit system has 
a date of March 16 2010, so I didn't put that text in there. Anyway, 
after adding in the spam text on the 64 bit system... it all works.

Why is it so often that the most obvious is the hardest to find? And 
why is this a 0 byte file instead of just not being there at all?

On the 32bit system, spamassassin was installed from base.
On the 64bit system, spamassassin was installed from anaconda during 
full server installation.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Expunge Old Email

2011-09-30 Thread John Hinton
On 9/27/2011 8:31 AM, John Hinton wrote:
 For those of you running mailservers on CentOS 6, what are the
 suggestions for programs to expunge old email? For instance, deleting
 email from a Spam folder that is 2 weeks old or older.

 I see that Dovecot does have a solution, but was wondering about what
 others have landed on.

 My systems are basically Postfix, Dovecot using Maildir.


To answer myself--

At least some of the Dovecot 1.x Expunge Plug-in has made it into the 
2.0 release... so no need to install/activate any plugins for this to work.

I'm running a cron once per day with the following command:

doveadm expunge -A mailbox Spam savedbefore 10d

There are a number of options to this command. The one above looks in 
all (-A) users' Maildirs for a Spam mailbox and deletes any older than 
10 days.

So far so good! It is particular about permissions and you might have a 
few things to clean up to get it working. It looks like if it trips, it 
stops. I'm running this on two new CentOS 6 servers which don't have 
many users yet... so not much spam yet... so not much debugging yet. 
Early testing on personal accounts set at 2d did show successful removal.

As a side note... Since Outlook has chosen to pretty much hide and only 
use the term Expunge to empty trash on IMAP accounts (and average email 
users don't find it and don't know what expunge means), we're seeing 
a lot of trash left behind. A reinforcement of my opinion of M$ 
wisdom... Anyway, so we are now contemplating putting into place 
automated trash email removal as well, as much as I feel this is 
outside of what should be good practices.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] Expunge Old Email

2011-09-27 Thread John Hinton
For those of you running mailservers on CentOS 6, what are the 
suggestions for programs to expunge old email? For instance, deleting 
email from a Spam folder that is 2 weeks old or older.

I see that Dovecot does have a solution, but was wondering about what 
others have landed on.

My systems are basically Postfix, Dovecot using Maildir.

Thanks,
John Hinton


Re: [CentOS] Can't boot Centos6 ext4 partition from GAG bootloader

2011-09-19 Thread John Hinton
On 9/19/2011 2:18 PM, Maurice Batey wrote:
 On Mon, 19 Sep 2011 11:08:20 -0700, Drew wrote:

 Did the installer try to install /boot in the same partition as / ?
That's what it did.

 I still keep /boot as ext3.
 OIC. So it needs an extra (ext3) /boot partition, as well as /.
 Now, if the installer had offered that, things might have been different!

It is there. I don't recall exactly how I got to it... I think I 
selected 'Customize' at the point where you can choose your packages and 
then I selected that I wanted to set the partitions myself. I got the 
same partition interface I've always gotten with CentOS installs... but 
it wasn't as obvious during the install process. It seems like some of 
these buttons might be sort of greyed out, but in fact they are live 
buttons. Sorry I don't remember the exact process. It's been a couple of 
weeks since doing the last install.

John Hinton


Re: [CentOS] Postfix Question - CentOS 6

2011-09-10 Thread John Hinton
On 9/9/2011 3:15 AM, Nicolas Thierry-Mieg wrote:
 John Hinton wrote:
 /var/spool/postfix/private/auth

 It seems this must be owned by postfix but it was owned by root.

 So, can somebody check to see if this is there in a CentOS 6 Postfix
 install where Amavis is not installed? And if so, what are the default
 permissions?
 maybe try
 rpm -qf /var/spool/postfix/private/auth
 to see if it belongs to an rpm.
 You could then rpm -V that package if it exists.

OK... I found it.

In Dovecot master.conf, I enabled smtp-auth. Under that, it seems you 
must set the user to postfix or each time you restart dovecot the auth 
file is recreated and is owned by root... resulting in the failure. I 
looked for the file earlier and it was not there. It seems to have 
appeared due to enabling smtp-auth, but I did make other edits before 
restarting the service.

Inside of service auth I have the following:

   # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
     mode = 0666
     user = postfix
   }

I am considering adding group = postfix as well as the file is now group 
root.

Thanks,
John Hinton
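
The listener settings discussed in this message decide who may connect to the SASL auth socket. The following is an added example, not part of the original message and not Dovecot or Postfix code: it parses unix_listener blocks from configuration text and reports whether the Postfix user can connect and whether every other local account can too. The function names, the finding labels, the sample configurations and the fallback defaults (mode 0600, owner and group root when unset) are assumptions made for the example.

```python
import re

AUTH_SOCKET = "/var/spool/postfix/private/auth"

# Constructed sample configurations (not taken from a real server).
AS_POSTED = """\
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}
"""

OWNER_UNSET = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
  }
}
"""

TIGHTENED = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""

_LISTENER = re.compile(r"unix_listener\s+(\S+)\s*\{([^{}]*)\}")
_SETTING = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$", re.M)


def parse_unix_listeners(conf_text):
    """Return {socket path: {"mode", "user", "group"}} for each unix_listener."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments first
    listeners = {}
    for path, body in _LISTENER.findall(text):
        settings = dict(_SETTING.findall(body))
        listeners[path] = {
            # Assumed defaults when a setting is absent: 0600, root, root.
            "mode": int(settings.get("mode", "0600"), 8),
            "user": settings.get("user", "root"),
            "group": settings.get("group", "root"),
        }
    return listeners


def audit_auth_socket(conf_text, path=AUTH_SOCKET, client="postfix"):
    """List findings for the auth socket; an empty list means no finding."""
    listener = parse_unix_listeners(conf_text).get(path)
    if listener is None:
        return ["not-configured"]
    mode = listener["mode"]
    findings = []
    # Connecting to a UNIX socket needs write permission on the socket file.
    if mode & 0o002:
        findings.append("world-writable")
    reachable = (
        (listener["user"] == client and mode & 0o200)
        or (listener["group"] == client and mode & 0o020)
        or mode & 0o002
    )
    if not reachable:
        findings.append("client-cannot-connect")
    return findings


if __name__ == "__main__":
    for name, conf in [("as posted", AS_POSTED),
                       ("owner unset", OWNER_UNSET),
                       ("tightened", TIGHTENED)]:
        print(name, audit_auth_socket(conf))
```
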


[CentOS] Postfix Question - CentOS 6

2011-09-08 Thread John Hinton
I'm trying to figure out if this is a bug...

I'm running Postfix with Dovecot Authentication and have Amavisd-new as 
the front end. I fought with the install and in particular being able to 
send mail... Auth failed. Hours of looking through all the config files 
yielded nothing... so I started Googling about. I finally found a 
comment at the bottom of a blog to check permissions on:

/var/spool/postfix/private/auth

It seems this must be owned by postfix but it was owned by root.

So, can somebody check to see if this is there in a CentOS 6 Postfix 
install where Amavis is not installed? And if so, what are the default 
permissions?

Thanks,
John Hinton


Re: [CentOS] Postfix Question - CentOS 6

2011-09-08 Thread John Hinton
On 9/9/2011 1:28 AM, Steve Walsh wrote:
On 09/09/2011 03:10 PM, John Hinton wrote:
 So, can somebody check to see if this is there in a CentOS 6 Postfix
 install where Amavis is not installed? And if so, what are the default
 permissions?
 Not present on a clean C6 install.

 Mind you, it's also not present after installing dovecot and amavisd-new
 (from epel), so I'm convinced it's part of a package per-se. According
 to the postfix SASL config (http://www.postfix.org/SASL_README.html),
 it's configured in dovecot.conf.

 Maybe take a look at what
 http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL says about it?

 Steve

Thanks Steve... It was the epel amavis package. Also, I'll be doing 
another server like this in the next week or so and will try to see 
what/when this gets created. It might not get created until some 
particular service is started. I am running SSL connections and I think 
that plays into it. So far, that file has 0 bytes along with a bunch of 
others there.

And, good to know that at least it appears that the CentOS packages are 
all fine. And now to go read the wiki! :)

John Hinton


Re: [CentOS] CentOS 6 Partitioning Help

2011-09-01 Thread John Hinton
On 9/1/2011 1:19 PM, Tom H wrote:
 On Thu, Sep 1, 2011 at 1:20 AM, Simon Mattersimon.mat...@invoca.ch  wrote:
 from 
 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s2-diskpartrecommend-x86.html
  
 Do not place /usr on a separate partition If /usr is on a separate 
 partition from /, the boot process becomes much more complex, and in 
 some situations (like installations on iSCSI drives), might not work 
 at all.

Thanks for this Tom. I was operating in old_schema mode and now I see I 
need to do a couple of re-installs as I did create /usr partitions. I do 
wonder why upstream left /usr as a suggestion in the partitioning 
program used inside of Anaconda?

I do believe that 6.0 has more core changes than any release I remember 
to date.

Good to find this out 'before' I got lots of stuff on that system!! ;) I 
can easily just copy my configs and start over way easier now than 
on an in-service system!

John Hinton



Re: [CentOS] (c 5.6) Running 2 versions of Apache ?

2011-08-29 Thread John Hinton
On 8/29/2011 3:25 PM, Always Learning wrote:
 On Mon, 2011-08-29 at 13:35 -0500, Les Mikesell wrote:

 For light use you could drop in VMware server or player or virtualbox
 without much effect on the current system.  It shouldn't be necessary,
 though, unless you'd like to install otherwise conflicting rpm
 packages or give root access to someone on the virtual server only.
 I've use Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.

 So why can't you do that for your new virtualhost instead of running
 on a different IP?
 A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
 site. It started about 5 August but significantly escalated on 22
 August.

 My Apache routine can add the IPs to iptables and block them. Since 22
 August the lunatic has used over 100 different IPs from around the world
 to send those wrong URLs which always seem to include one of these:-

   forgotten_password.php

   login.php

   contact.php


If you can get a good list of what is requested, such as the one started 
above, and 'if' none of those pages exist, you can use mod_rewrite to 
redirect them to 127.0.0.1. :) Effectively sending the request back to 
themselves. That irritates them. Can be done on a per domain basis or 
serverwide for those regular attempts into what might exist on any 
server. For instance, I regularly see phpmyadmin references. I don't run 
that on any servers, but they come looking.

John Hinton
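
The "good list of what is requested" and the "'if' none of those pages exist" condition from this message can be derived from the access log. The following is an added example, not part of the original message: it keeps only paths that always returned 404 and were requested from several addresses, then prints one mod_rewrite rule for them. The log lines are constructed, the addresses come from documentation ranges, and the function names, the two-address threshold and the 302 status are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Apache "combined" format.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Aug/2011:10:00:01 +0100] "GET /login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [22/Aug/2011:10:00:02 +0100] "GET /login.php?x=1 HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [22/Aug/2011:10:00:03 +0100] "GET /forgotten_password.php HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [22/Aug/2011:10:00:04 +0100] "GET /forgotten_password.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [22/Aug/2011:10:00:05 +0100] "GET /contact.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [22/Aug/2011:10:00:06 +0100] "GET /contact.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [22/Aug/2011:10:00:07 +0100] "GET /favicon.ico HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [22/Aug/2011:10:00:08 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')


def probe_candidates(log_text, min_ips=2):
    """Paths that only ever returned 404 and were hit from >= min_ips addresses."""
    ips = defaultdict(set)
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, target, status = match.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        ips[path].add(ip)
        statuses[path].add(status)
    return sorted(
        path for path in ips
        # A path that ever answered with anything but 404 exists; leave it alone.
        if statuses[path] == {"404"} and len(ips[path]) >= min_ips
    )


def rewrite_rule(paths, target="http://127.0.0.1/"):
    """Build one RewriteRule that redirects the given paths to target."""
    if not paths:
        return ""
    alternation = "|".join(re.escape(p.lstrip("/")) for p in sorted(paths))
    return f"RewriteRule ^/?(?:{alternation})$ {target} [R=302,L]"


if __name__ == "__main__":
    candidates = probe_candidates(SAMPLE_LOG)
    print(candidates)
    print("RewriteEngine On")
    print(rewrite_rule(candidates))
```

In the sample, /contact.php is left out because it answers 200, and /favicon.ico because only one address asked for it.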




Re: [CentOS] Apache warns Web server admins of DoS attack tool

2011-08-26 Thread John Hinton
On 8/26/2011 7:27 AM, Always Learning wrote:
 On Thu, 2011-08-25 at 22:56 -0700, John R Pierce wrote:

 by putting all your site specific configurations in various
 .conf files in the conf.d directory, your stuff is portable, and can
 be rpm deployed on any el system without complications.
 That is exactly the flexibility I have when I put my site specific
 Apache stuff in /data/config/apache


 Paul.
I think the point is making use of what is by default built in to apache 
on our CentOS boxes. And this is and has been for some time making use 
of the include directed to look in /etc/httpd/conf.d directory and read 
in any *.conf files in that directory. So, why try to teach somebody to 
use another structure and customization?

And why is this a good idea? Well, it does add complication in having 
multiple files to deal with. But the upside to that is it does reduce 
the number of edits to the main conf file. What is useful about this? 
Well, I do remember one time editing httpd.conf in Vi and after I 
finished Apache wouldn't restart. Panic of course immediately sets in 
when a webserver is not running and I looked and looked and looked and 
looked and couldn't find any problem with what I had done. Finally, 
after what seemed like an eternity, I found that I must have 
accidentally hit the 'x' key just after opening the file and had deleted 
the first '#' from the first line.

I was working on a new virtual server during that edit and just knew I 
hadn't edited anywhere else... so had been totally concentrating on the 
end of the conf file instead of really looking at the top. If this had 
been in vhost.conf, I could have easily moved vhost.conf to 
vhost.conf.bak and immediately known that it was not the problem... and 
actually, wouldn't have had the main conf open to start with so would 
never have made that mistake.

So, argue all you want, but many programs 'by default' add their apache 
conf files into /etc/httpd/conf.d so why not follow conventions? If you 
die, the next admin should know to look there first. And, removing or 
doing a temp something.conf.bak file quickly takes potential errors out 
of the equation. To me, the use of this includes directory is simply 
good practice for multiple reasons. On this list, teaching best 
'standard' practices is a good idea. Who is going to think to tell 
someone to go look in /data/config/apache for a configuration two years 
from now when something breaks due to following non-standard practices?

John Hinton



Re: [CentOS] Apache warns Web server admins of DoS attack tool

2011-08-26 Thread John Hinton
On 8/26/2011 12:13 PM, Always Learning wrote:
 Les,

 There are no /home directories on our servers.

 Data we create which is NOT essential for the operating system to
 function is usually not in an operating system directory.

 'yum update' still works successfully.

 Paul.


All good that you customize your servers and that shows the beauty of 
our chosen OS. However, posting non-standard configs on this list shows 
up in google searches all over the place and has a good potential to 
confuse those that need some help. That's my point. Obviously your point 
is you can put them anywhere and your company has decided that is a best 
practice. I would never argue against your decision to do that.

Meanwhile, the original 'good suggestion' to use the /etc/httpd/conf.d 
directory for adding the patches has been totally watered down by this 
blathering (me included) which would best be under a totally different 
thread about how you can put stuff any where you want. Or, 'the merits 
of using a data directory'.

You don't teach? If you post, you teach... like it or not.

John Hinton


Re: [CentOS] Apache warns Web server admins of DoS attack tool

2011-08-26 Thread John Hinton
On 8/26/2011 12:30 PM, Always Learning wrote:
 On Fri, 2011-08-26 at 11:22 -0500, Les Mikesell wrote:

 But, can you still 'yum install' any/all of the large number of
 packaged web applications from the base and 3rd party repos  that will
 drop additional files into conf.d and expect a certain base setup?
 Definitely. That is essential. Non-operating system customisations go
 in /data
OK, so if you do an install of squirrelmail from a repo, is that 
operating system or customization? Where does squirrelmail.conf wind up? 
Are you running two include lines in httpd.conf? One for 
/data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln 
from conf.d to custom?

John


Re: [CentOS] Apache warns Web server admins of DoS attack tool

2011-08-26 Thread John Hinton
On 8/26/2011 1:18 PM, Always Learning wrote:
 Are you running two include lines in httpd.conf? One for
 /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln
 from conf.d to custom?
 /etc/httpd/conf/httpd.conf has:-

 112: Include conf.d/*.conf

 126: User apache
 127: Group apache
 128:
 129: #  Section 2: 'Main' server configuration 
 130:
 131: Include /data/config/apache/server.conf
 132:
 133: #- Section 3: Virtual Hosts ---
 134:
 135: include /data/config/apache/domain.*
 136:
 137: #--


OK, so you have just chosen to put your vhost confs in an alternate 
directory. There are sound reasons for doing that, like ease of backups 
and dumb minded restores that any low level tech could do. Me... I just 
do a single vhost.conf file for all virtual servers. Works fine for me 
thus far and there's less trash to look through when trying to find a 
conf file. All good. I backup all of /etc and am not worried as we have 
no dumb minded techs that would ever be doing a restore so don't need an 
easier solution. Doing what you are doing might be a simpler solution or 
a vastly more complex solution... all depending on the services 
running... upgrade frequency and how well everything works during those 
updates. It all depends on what the servers are doing. To suggest others 
follow in your footsteps however is very short sighted. Again, I would 
never tell you that you shouldn't do it your way. That would be very 
short sighted of me.

The two includes in httpd.conf allow both areas to load, but does break 
'alternative' installs, such as squirrelmail as just one of many 
examples (assuming you got rid of the /etc/httpd/conf.d include). So, 
yum install squirrelmail would not work without customization on your 
system, along with a number of other system wide tools one might want to 
run under apache. Python, php, manual, welcome, webalizer, ssl, squid, 
proxy_ajp, perl, cacti are all examples.

Again though, adding in one new conf file for a temporary patch has 
nothing to do with how your servers are set up but how the vast majority 
of CentOS servers 'are' set up and to suggest an alternative area is 
just off the topic and potentially confusing to those that are trying to 
follow a step by step procedure down to the letter.

I'm done with this part of this thread and hope it can get back to 
what it was intended to do and that was simply how to avoid this DoS 
attack... NOT how to relocate where files are stored. I do recognize the 
merits of what you are doing.

John Hinton


Re: [CentOS] Apache warns Web server admins of DoS attack tool

2011-08-26 Thread John Hinton
On 8/26/2011 3:02 PM, Always Learning wrote:
 Oh, and php *certainly* requires configuration.
 Can't remember what I changed in /etc if I changed it.
It should be there in your documentation... ;) LOL!!! Me? My 
documentation is in my head... 'burned' into my brain, from following 
upstream's suggestions for the last 15 or more years. And yes that 
'upstream book' has been revised over those years, but not everything.

John



[CentOS] CentOS 6, Postfix Dovecot

2011-08-03 Thread John Hinton
I only have one Postfix server running at the moment and have some 
questions. On that install, I did Amavisd-new with ClamAV, SpamAssassin, 
Postfix and Dovecot.

I know this is a bit off topic, but I'm really hoping for performance 
guidance.

Is the added layer of complexity running Amavis worth the effort on a 
system with moderate mail flow? Or should I just go down the path of 
getting Clam and SA working with Postfix and be done with it?

Whatever path I decide upon now will hopefully be the future for other 
system builds to come. I have about a dozen Sendmail installs running 
(which will eventually need to be moved over). Some of what I didn't 
like about those is Clam/AV and other checks occurred on both incoming 
and outgoing email. We pretty much don't have an outbound email virus or 
spam problem, so were getting a number of false positives due to DHCP 
and clients being assigned a dirty IP address from time to time.

So yes, what's a good mailserver setup which hopefully stays as close to 
upstream as possible on 6.0?

John Hinton


Re: [CentOS] e-mail serving

2011-08-03 Thread John Hinton
On 8/3/2011 1:59 PM, Always Learning wrote:
 On Wed, 2011-08-03 at 10:53 -0700, Todd wrote:

 I am  going to try an experiment with e-mail aggregation where I
 expect to receive over 1 million e-mails a day from public lists.
 You're surely not going to read all of them ;-)


That might even be more difficult than keeping up with the CentOS 
list (sorry, and here I am adding to the nonsense)

John Hinton


Re: [CentOS] CentOS 6 Webmail

2011-07-28 Thread John Hinton
On this list, we are not supposed to talk about politics, religion, guns 
and helmet laws...

Oops... That's my motorcycling lists! ;) I guess the first three 
pertain to 'all' lists except for those devoted to one or more of those 
three topics. Although, it can be really hard to refrain sometimes.

John Hinton


[CentOS] CentOS 6 Webmail

2011-07-25 Thread John Hinton
I see that SquirrelMail is gone from 6. Is there a package in here 
somewhere that is a webmail system? Otherwise, I suppose it lives in one 
of the repos like sourceforge. I just wanted to check if something new 
existed before doing that.

John


Re: [CentOS] OT: [opensuse-offtopic] Microsoft struggles to get Hyper-V drivers in Linux kernel (fwd)

2011-07-21 Thread John Hinton
On 7/21/2011 8:03 AM, Keith Roberts wrote:
 Not too sure what to think about this, considering M$'s
 track record with OSS and other competitors.

 Kind Regards,

 Keith Roberts


They undoubtedly must be trying to figure out a way to add a MacroShaft 
license to the Linux Kernel. LOL!!!

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] fyi: RHEL 5.7 is out

2011-07-21 Thread John Hinton
On 7/21/2011 8:53 AM, Alain Péan wrote:
 Le 21/07/2011 14:47, Eric Viseur a écrit :
 Granted CentOS 4 continued getting updates while CentOS 5 was out, I
 guess we can hope this will continue with CentOS 5 getting updates
 while CentOS 6 is now out.
 There were two versions of RHEL that were supported, 4.x and 5.x. For a
 short time, there are three (4.x, 5.x and 6.x). But in February 2012,
 4.x support will end, and there will again be only two versions to support.

 I don't know if there will another 4.x (4.10) release after 4.9.

 Alain

If I'm not mistaken, CentOS at one point was providing 3.X, 4.X and 5.X. 
3.X ended at the EOL as set by upstream, just as it should and just as 
CentOS has stated in their policies/commitments. I expect that 4.X will 
follow that same path, with all updates/upgrades done until the 
predefined EOL, again as set by upstream. 5 and 6 should go down that 
same path. So, look to upstream for EOLs on your version of CentOS and 
expect to do a rebuild of your system at that point. This is one of the 
beauties of how upstream operates and what CentOS emulates. Rest at ease.

If upstream holds true to its aimed for goals, I would predict we might 
see 4.11 or even 4.12 before it goes EOL. But that is just a guess based 
on quarterly updates that sometimes aren't exactly out on the third 
month. Gee, I have a bit of work to do. I think I still have like 4 
version 4 systems running. One will be moved to 6 over the next couple 
of weeks... the rest are easy in comparison.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS 6 system-config-bind missing?

2011-07-13 Thread John Hinton
On 7/13/2011 2:36 PM, Les Mikesell wrote:
 On 7/13/2011 1:03 PM, R P Herrold wrote:
 I promised I would not get drawn into this thread, but ...

 This thread and its description of the experience gap is
 telling ... One camp wants a 'black box' tool that does
 _something_, so they can ignore what is happening 'under the
 covers' and move on to more interesting uses of the computer.
 And then there are the professionals.   And this _is_ billed
 as a boring, trailing edge and stable, enterprise operating
 system, after all

 But my use cases are related to a production environment,
 maintaining several hundred zone files, with lots of adds,
 changes, and deletes.  The s-c-bind GUI tool was useless,
 compared to TUI edits (certain legacy systems) and scripts to
 do the backups, accuracy audit, and creation of all files
 including the PTR record files
 So, aren't computer programs supposed to be able to deal with
 complicated cases, or just not free computer programs?  Or is the input
 syntax just too weird?  While s-c-bind may not have been the right
 answer, it just seems odd as a missing piece in the distribution and
 epel-provided packages.  Almost as odd as not having a network-aware
 authentication mechanism working as a server out of the box on your
 initial install - as though it would be unusual to have more than one
 computer and want those initial users to be able to log into the others
 you'd add later.

I would have to guess that UpStream decided it was not to be. They most 
likely had very good reasons for this. I 'barely' looked at it as it 
could not do what I need to do and that was some years back. Is/Was it 
capable of doing IPV6? That would be a good reason to put it to bed... 
given IPV6 will likely become widespread during the lifespan of CentOS 
6. Various SPF/SenderID/DomainKeys things also ride on bind these days. 
It could be that UpStream decided that was a good reason to put it to 
bed? Either way, CentOS is a nearly exact clone of UpStream, so really 
you need to go complain at UpStream, not on this list. CentOS has 
exactly matched their goal of providing the same packages available 
under UpStream. There is no point to complaining here.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Problem with net-install

2011-07-12 Thread John Hinton
On 7/12/2011 9:31 AM, Ljubomir Ljubojevic wrote:
 That being said, I never said it will not run on older hardware, just 
 that they (most developers of most packages) don't care that much 
 about older hardware, and my reply was aimed at gradual disappearance 
 of CD medium from more and more distro's. Reply could be take DVD 
 drive from somewhere and hook it up instead of CD drive, then return 
 it when you finish. Ljubomir 

I suppose the Proliant users could be mad at HP for being old school 
with only CD-Roms in even their G4 servers. (and no, these 2U servers 
can't hold a standard DVD drive as the space is very low profile) But 
I'm rarely mad at the Proliant line of servers. I suppose as these are 
'servers', they don't really need any DVD drive, except to answer to the 
packaging of OS softwares (and they normally go with 'known good 
hardware' over new stuff). I wouldn't consider G4s old and slow... 8 
gigs of ram and dual 3.6g Xeon processors isn't all that slow or 
shabby. For a webserver, it is downright spunky! And, as PHP is so dead 
in 5, we must move on to 6. I will find a way to install this on these 
Proliants, but shame on Redhat for not doing CDs. Kudos to CentOS for 
helping our community with an upcoming CD solution! In the meantime, 
I'll get around to experimenting and report any successes here.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Anyway to ensure SSH availability?

2011-06-30 Thread John Hinton
On 6/30/2011 4:53 PM, Robert Heller wrote:

 Right now it doesn't look like an mail run, more like a httpd run
 because it's starting to look like a large number of httpd threads was
 spawned just before that.
 OK, there are probably settings for Apache to run fewer threads.
 Probably better have a Server too busy type of message than a wedged
 server.  (And most likely the extra httpd threads will just be spambots
 of some sort anyway -- who cares if they get tossed...)

With the launch of Living Social, we have had a few clients use that 
service and you will suddenly have all Apache instances running and the 
server acting very laggy to all but unresponsive. I have cut back on the 
total number of Apache instances due to these 'non-attacks' which are 
much like a DoS attack. It seems the first day is horrid, the second not 
so bad and it wanes down from there.

This really raises a new question of what to do to handle such 
broadcast ads? We run very conservative server loads, but...

I don't recommend running it all the time, only when you need to catch 
something, but server status can be your friend. You can run a refresh 
in your browser... leave it running in a tab set to refresh like once 
every minute or five. It will show the instances of Apache and the files 
being accessed. Much faster than digging through logs in a Virt server 
environment. This feature is built into Apache, but is not on by 
default. Look at your httpd.conf file.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] CentOS 5.6 PHP 5.3 and SquirrelMail

2011-05-25 Thread John Hinton
On 5/24/2011 5:41 PM, John R. Dennison wrote:
 On Tue, May 24, 2011 at 01:00:01PM -0400, John Hinton wrote:
 OK, so I did an upgrade to PHP 5.3 on one of my servers. I noticed the
 uninstall of php also removed SquirrelMail and it won't install under
 PHP 5.3. Has anybody worked this out with a good RPM or repo solution?
 Dump the CentOS php53 package and use the 5.3 provided by the IUS
 repository.  See http://wiki.centos.org/AdditionalResources/Repositories
 for more information and links to IUS.

 CentOS' 5.3 doesn't Provide: php and has some other issues the last time
 I looked.
Thanks John. The IUS repository looks really good (or reliable). It 
seems that they have also used the same type of naming convention used 
by Redhat for php53 with the addition of i or whatever. This is pretty 
nice for adding and removing packages. Unfortunately, I'm thinking that 
this will cause the same dependency problem as things like php-common 
won't be found.

Yes, I know I 'can' just go do an install of something like 
SquirrelMail, something we immediately would need, but that would 
potentially just be the beginning of issues on a shared hosting system. 
It sounds like I should just sit back and wait for 6 if I want to stay 
on upstream (and select repos) for package updates. That has been my 
hard headed decision for many years and in those many years, has proven 
to save a lot of future grief and eliminated in some cases some 
additional downtime during compiles.

Looks like if my need for PHP53 is absolute, I'll just move that client 
to the one 'custom' system and they'll just have to understand that 
there might be a bit more downtime, then move them onto a 6 box once 
deployed.

And yes, PHP has been the one thing that has repeatedly been the dawg 
with using Redhat. 6 was way late out from upstream and then the 
promised option in 5 appears to be at least a bit of a smoking gun.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] CentOS 5.6 PHP 5.3 and SquirrelMail

2011-05-24 Thread John Hinton
OK, so I did an upgrade to PHP 5.3 on one of my servers. I noticed the 
uninstall of php also removed SquirrelMail and it won't install under 
PHP 5.3. Has anybody worked this out with a good RPM or repo solution?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Am I being to paranoid?

2011-05-08 Thread John Hinton
On 5/8/2011 4:53 PM, John R. Dennison wrote:
 On Sun, May 08, 2011 at 08:57:23PM +0300, Eero Volotinen wrote:
 You should take a look at mod_security: http://www.modsecurity.org/ ,
 if provides better ways to block hostile attacks and probes.
 Really?  99 lines of untrimmed material for a 2 line reply?
I don't have personal experience with this, but I have heard that 
modsecurity does not play nice with some websites. If you are in a 
virtual hosting situation, it might be a bit too early to jump on that 
ship? I'll hopefully wait for it to become more of a 'standard'.

I run Ossec on several servers and Fail2Ban on several others. At the 
moment, I prefer Fail2Ban. Configuration is not straightforward on 
either, but personally, I seem to get along better creating/editing 
Fail2Ban rules. It's sort of hard to do comparisons as each server has 
differing accesses, but my gut tells me that Fail2Ban is a little easier 
on server loads. Both do a lot of reads, constantly monitoring for 
intrusion attempts.

I know Fail2Ban is not a CentOS standard package, but it would be nice 
if we could build a place on the CentOS website where rules could be 
shared. Each environment is a bit different and so the rules need to be 
adapted. I have found the need for edits even between CentOS 3, 4 and 5 
boxes.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] I have RHel6. How does that turn into Centos 6?

2011-04-29 Thread John Hinton
On 4/29/2011 1:46 PM, Digimer wrote:
 On 04/29/2011 01:26 PM, Todd Rinaldo wrote:
 I've always been surprised that CentOS ships /etc/redhat-release given
 the above paragraph.
 Probably a programmatic requirement, if I was the betting type.

I could easily be confused as it has been so long now... I think 
Whitebox actually changed that to whitebox-release and maybe CentOS did 
the same very early on. But, many applications look for that file and if 
they see redhat-release, know their stuff can run on your system and you 
are off to the races. I suppose the final answer was it wasn't an 
infringement and solved a lot of other problems. Seems I had to edit 
this file or name to get something to run on a server like 4 or 5 years 
ago?

Am I required to remember everything I did from that long back? LOL 
There might be some stuff in the archives though... back in the early 
ver. 3 days.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Updating hardware clock from cron

2011-03-04 Thread John Hinton
On 3/4/2011 3:59 PM, Lamar Owen wrote:
 On Friday, March 04, 2011 03:54:21 pm John R Pierce wrote:
 just setup NTP and forget about it, and it will always work right,
 unless your system is really badly broken, whereupon, it would be better
 to fix it than to continue to hack around like this.
 For the sake of the archives, VMware guests should be set to sync from the 
 host using the VMware tools functionality, and then the host should run NTP, 
 even and especially on ESX.  VMware timekeeping in the guest can be made 
 worse by running NTP inside the guest.  This is a well-known VMware issue, 
 and is covered in depth on the VMware knowledgebase.
If you happen to have a server that gains time instead of loses it, note 
that a quick set to a time in the past will trigger an automatic 
shutdown of dovecot by dovecot due to fears of logging issues. I have 
two such machines... the rest lose time.

John Hinton


Re: [CentOS] Centos 6

2011-03-01 Thread John Hinton
On 3/1/2011 7:14 PM, Dag Wieers wrote:
 On Sun, 27 Feb 2011, JD wrote:

 OK, as a measuring yardstick: approximately how many
 months after RHEL5's release date was Centos 5 released?
 That might give people an approximate idea.
 Currently, I have no RHEL installed. I just joined this list to
 enquire about RHEL 6.
  From http://en.wikipedia.org/wiki/CentOS

   RHEL4:    2005-02-14
   CentOS-4: 2005-03-09   23 days

   RHEL5:    2007-03-14
   CentOS-5: 2007-04-12   29 days

   RHEL6:    2010-11-10
   CentOS-6: TBD          112+ days

 Priority is CentOS 5.6, which is what people are actually using. It is
 very likely a RHEL 6.1 Beta is out before CentOS-6.0. Early RHEL 6.1 Beta
 access has been offered by Red Hat to RHCE's already.

I find it most interesting that upstream was also 'very' late with these 
last releases. I'm sorry I don't have time to do a history lookup on 
them, but it seems like 6 was a year or more overdue and it seems like 
5.6 was also very late in appearing? That said, from what I think I'm 
hearing, 5.6 will have user selectable versions of some software... PHP 
for one? I've never known of a release with this type of situation. As 
PHP seems to have an effect on a lot of things, it seems that there must 
be some sort of fork in the dependency routine based on this choice.

Anyway, I do wonder if this complexity has made the team's work more 
difficult. In other words, created a few new hurdles, maybe some of the 
reasons for why upstream was so late with their releases as well? But we 
can't say upstream was late, because with upstream, it is ready when 
it's ready.

Dag, I assume you are packaging for both 5.6 and 6. Are you seeing any 
new complexities with your work?

John Hinton


Re: [CentOS] Alternative to cPanel

2011-02-23 Thread John Hinton

On 2/23/2011 9:49 AM, Trutwin, Joshua wrote:


I was leaning towards webmin/virtualmin but thought I'd check with this list
for any suggestions.  Had bad experiences with Plesk from a while
ago so leaving that off the table.  We have experience with cPanel
through another fail host, it's ok but too much stuff and too
expensive.

Josh



Josh,

I have been running webmin/virtualmin/usermin for a number of years. A 
few things factored into my decision. The main one was I didn't want to 
be stuck inside of a 'box'. So far, 'almost anything' you want to do via 
command line has no interference with what is done via the interface. 
Also, within most of the modules, is the ability to simply open the 
config files for the service and do direct edits. The Webmin project is 
very active. If you have a problem or perceived bug, and no one else 
gets around to answering, you will normally hear back from Jamie Cameron, 
the man behind it all, within hours of making a post. That is very rare 
these days. Basically, I find the system very flexible and highly 
configurable. In fact, there are several of my ideas for the system that 
have been put into place. In fact one, years ago, was to get the CentOS 
OS recognized within the system and it was done and of course still does.


The downside is that the interfaces are a bit geeky. One thing I would 
like to see is a total rewrite of all the module interfaces in Usermin 
in an attempt to better define things for the layman. Yes, the end user 
can do things that you allow. No, most end users won't really understand 
what they're trying to do. I think those 'boxes' in Plesk and cPanel 
better address those items due to the nature of 'boxes'. When I say 
'boxes', I'm referring to the Windows world config boxes that pop up 
forcing you down a particular road with no method for customizations.


John Hinton


Re: [CentOS] Alternative to cPanel

2011-02-23 Thread John Hinton
On 2/23/2011 12:18 PM, David Sommerseth wrote:

 That one user with more than 100 installations haven't experienced security
 issues with a product doesn't mean that there is no security issues.

 It can just as much mean nobody tried to hack any of those installations,
 or that they have tried but not succeeded yet, or that there are no
 security issues ... but to distinguish this, then you need to have more
 solid arguments than I haven't experienced it ... because you might not
 have experienced it _yet_.


 kind regards,

 David Sommerseth

You are right David. The more you run on a server, the more you are 
vulnerable. That said, every control panel I have read about also has a 
history of security issues. So does just about every other 'server' 
application at one time or another. Each time this discussion comes up, 
security is mentioned. I don't want to start something here... I run 
some sendmail servers and some postfix servers. I find it odd that folks 
talk about the long history of security issues with sendmail. Well, 
sendmail has a long history. Postfix does not. Both seem to address 
any issues rapidly and that is what matters. Both seem to be very robust.

There is another real world side to this. There is always some 
percentage of a chance that you will be taken down due to a security 
issue. There is always a percentage of a chance that you will be taken 
down by a system admin that lacks experience in some area. I would say 
system admins break things far more often than the outside world. And, 
in the real world of hosting, we are constantly 'pressed' for a 'Control 
Panel'. Clients simply expect it these days. I would dare say that those 
'percentages' of uptime are greater with a control panel and an average 
admin, and any security issues that come with that, vs. no control panel 
and maybe a really dumb thing being done by someone. Heck, I'm generally 
my own worst enemy on my systems. Not that the outside world hasn't done 
some things to me over the years.

Still a good point David. Adding anything like this does provide other 
ways in. I can say that having been on the Webmin list for about 7 or 8 
years, very rarely has there been something critical to address. Most 
have been compatibility issues with various OSs.

John Hinton


Re: [CentOS] Alternative to cPanel

2011-02-23 Thread John Hinton
On 2/23/2011 2:04 PM, Trutwin, Joshua wrote:
 +1 for Virtualmin.
 People will brag that it's insecure etc, but it has always done the job for 
 me
 and I have more than 100 installations of it. I never had security problems
 because of it.
 Thanks for all the posts.

 Curious about the people will brag that it's insecure - is there a poor 
 track record of security problems with webmin?

 I noticed these:

 http://www.webmin.com/security.html
 http://tensixtyone.com/perma/woes-of-webmin
 http://doxfer.webmin.com/Webmin/SecuringWebmin

 I certainly don't plan to allow access to webmin save for a couple selected 
 IP's and I'm not surprised to see any web application have security 
 vulnerabilities.  But if it's on par with something like phpbb as far as 
 security problems go, I'll probably look elsewhere.
Nowhere close! And I know that from a few phpbb installs being hacked 
on some of my webmin servers. LOL!!!

John Hinton
 Josh


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread John Hinton
On 2/23/2011 2:23 PM, Larry Vaden wrote:
 On Wed, Feb 23, 2011 at 1:14 PM, Always Learning cen...@g7.u22.net wrote:
 Many thanks to Markus Falb for publishing his excellent research - the
 same research that Larry could also have done.

 This issue did not affect the versions of bind as shipped with
 Red Hat Enterprise Linux 4, 5, or 6.
 You are overlooking those on the list who are affected.  Enuf said.

Larry,

Did you get your broken nameserver(s) fixed? Or are you maybe just 
complaining here trying to get a new release out which more than likely 
will not fix your issue, but it is easier to blame CentOS than to look 
at your install? If so, you more than likely will be let down when you 
find there is no magic wand in a new update.

That said... I personally believe that upstream provides a rather stock 
install of bind, perhaps meant more for an intranet than the internet? 
Bind just might be the single hardest part of running a webserver. But, 
I spent a number of days reading on hardening bind and then the testing 
and moving into production. Larry, have you done this?

If texoma.net is one of the affected domains, I note that there are some 
problems with DNS for that domain. The 2 level3.net nameservers are not 
providing either full or maybe correct information. If this is the case 
for other domains you manage, this is a serious problem and as DNS can be 
rather finicky, might be the root of your entire perceived problem.

And, if you think you had an injection, please do some googling on 
hardening bind. There is a lot of good information out there. To me, 
this is what is needed today and is well beyond a standard bind 
installation done by CentOS.

If in fact texoma.net is an example of the problem with all of the 
domains under your control, please fix your own house and quit 
complaining here until you have cleaned up things on your end. What I 
see has 0 to do with the bind version on CentOS. In fact, if you don't 
fix this before an upgrade, you may have a larger mess afterwards.

I don't envy the task as I know very well that this is not easy. 
Alternatively, maybe you should consider using a service such as 
dnsmadeeasy... although they recently experienced a significant downtime 
themselves due to a huge DoS attack coming in from all over the world.

Is it possibly a bit hypocritical to complain about other people's 
houses being dirty when you live in a dirty house yourself?

Best,
John Hinton


[CentOS] Air Conditioning - ON!

2011-02-21 Thread John Hinton
All,

(and please do not turn this into the next long thread)

We have a small team which volunteers their time to create the CentOS 
releases. They are pounded right now with getting that done... it is as 
simple as that. Each of us 'chose' to use CentOS and with that choice 
comes nothing more.

Why are we complaining? To me, it is all very self-centered. Basically 
we're all complaining because we 'want' something. And yes, I'm on edge 
wanting something as well... but that is life with RedHat in general.

Some of the suggestions made:

1. Send money. OK, so using a very loose or reapplied definition of a 
word... we want to 'prostitute' the CentOS team. In other words, if we 
send money we have the 'right' to gripe and press for rapid releases? 
Demand services?

2. Add more staff. As a small business owner, the very last thing you 
want to do is add more staff when you are in a slammed state. It takes 
all of the 'productive' workers time to train the new staff and output 
slows to a crawl.

3. Make any other number of 'helpful' suggestions. Well, I think by now 
the CentOS team knows better than us how this needs to be done based on 
infrastructure and team members. And even if they aren't doing it right, 
we don't get to make demands that it be done differently as this is how 
they have decided to do it. Remember, you chose CentOS based on how they 
operate. You can go away if you like.

4. Bringing up other distros that are ahead of CentOS. This is just an 
attempt at indirect pressure on the CentOS team to get a competition 
going. Only the team gets to choose their competition. CentOS 'rates' 
how it rates and that is up to the CentOS team and their decisions. Some 
cheerleading might be welcomed, as long as it doesn't become an I cheer 
for you therefore you owe me.

5. MOST IMPORTANT discussing this right now is the wrong time. The 
CentOS team needs to be focused on the builds. They need to 'feel good'. 
They do not need these distractions, complaints, suggestions, pressures 
and generally negative comments at this moment in time. If it really 
bothers you, save it for later and bring it up when things are back to 
normal loads. Perhaps some good will come out of it, but not now. I know 
that most mean well, but look inside of yourself and the rush is about 
something you want... and YOU chose a FREE distro, which just so happens 
to convert to the paid version very easily.

6,7,8,9 and 10 (fill in your own but keep them to yourself)

If I were a member of the CentOS team right now, I'd likely be looking 
at the door. I positively would be needing to step back and take some 
time to myself to try to cool off and feel positive about what I'm 
doing. To me and from what I have heard from the CentOS team, very 
little of what is being said on the list is helping but instead is 
counterproductive at the moment. Obviously the team is 'reading' the 
list and 'obviously' some of us have pushed them further at a very high 
stress time, than they have ever been pushed before.

You may also note that upstream was also 'very late' with these new 
releases. Could it be we are discovering why? (please don't try to 
answer that)

Please please please... ease up, give them the time they need. Make 
notes for future conversations, but quit distracting them and making 
them feel bad. Or, write your scathing reply to a thread... get really 
down angry and in the dirt... then when you're done, just delete it.

CentOS team,

I do have just one suggestion (and I have no rights to ask this). It 
seems that the list goes quiet and waits for a while and then explodes a 
few days/weeks/months later with this banter. If you would consider a 
public release to this list, perhaps once per week during major releases 
with just some tidbit of how things are going, perhaps these threads 
wouldn't explode. With that would be the need for it to be an 
announcement or something that does not allow it to become a drawn out 
thread with hordes of perceived 'helpful' suggestions. I can't blame you 
for not doing this prior, as I'm sure it will fuel fires such as the one 
raging at the moment. Is there a way this could be done with a 
'no-reply' setting or something?

With Much Appreciation,
John Hinton



Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread John Hinton
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:

 I haven't spoken with the hackerguardian people yet but it would be
 nice if I could just say I'm using CentOS 5.5 and have them factor
 that into their report so that I can focus on any real issues. Are
 there vulnerability scanning services that are more or less
 sophisticated about this?
 I'd suggest you educate yourself on the PCI compliance issue, and query
 your prospective vendor(s) on what specific scans they run and/or how
 these are tuned to specific operating environments.

 I'd tend to suspect that vuln/pen testing is going to be based more on
 known vulnerabilities than your environment.

Very good information, Ed. And yes, you will almost certainly be 
fighting with the compliance company, as I have not yet seen any who 
recognized CentOS. RHEL, yes. CentOS however does not hold the same 
'trusted standard' or clout as the major 'name brand' providers. Yes, 
the trouble is the versioning numbers used by RH. If the system 'is' RH, 
most of the time those 'exceptions' are noted by the scanner but you may 
find yourself trying to 'teach them' a lot. Hopefully they have improved 
on this front.

I really think much of this is no more than smoking mirrors. For 
instance they do not ask about username/password policies and obviously 
do not scan for such. So this scanning leaves a lot to be desired. After 
I met all scan problems, my affected clients discovered they just 
answered a question wrong and found that since CC processing was not 
actually happening on my systems, but instead through other processors, 
this all went away and ended the need to address the same issues 
(backports) for the same applications, sometimes still under the same 
version, just due to a new scan. Basically a huge waste of my time. But 
I must admit, I did learn of just a couple of areas which I did tighten 
up. The rest was just red tape and I started feeling one particular 
compliance company was more into self promotion of their service by 
showing these non-existent flaws. I suppose one could compare it to the 
AV companies that allow broken virus sigs to set off alarms. We just 
saved your computer !--from this item that had no potential of harming 
your computer--.

But, if you must, I did find the Nessus output was fairly close to what 
the compliance companies found and gave me a bit of time to tune systems 
before the real scan. It has been a while, but I think Nessus found some 
things I thought more important, which the commercial scanner did not 
mention.

And hey, if you do breeze through with CentOS being recognized as a RHEL 
clone, I would love to hear about that back to this list.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Any update on 5.6 / 6?

2011-02-17 Thread John Hinton
I was out yesterday and came home to a pile of messages on this thread. 
It seems that we have all at least to some extent raised the 'ire' level 
of at least several of our CentOS Core Team. And, then it took me maybe 
an hour to read most of the thread... and I see several replies back 
from the Core Team members.

What I'm saying is this. This list has taken up the time of the Core 
team, perhaps as much as they would have had available to work on CentOS 
releases, after day jobs for all of yesterday.

So, when will CentOS 5.6/6 be out? I would guess due to this barrage on 
the list, at least one day later than it was 2 days ago?

Can we all please just chill? Or, if you're not happy with the 
performance of the CentOS team, perhaps select some other alternative. I 
for one don't want the Core team to be 'distracted', 'disgusted', 'mad', 
'defensive' or have any other negative feelings about the project as 
they are trying to concentrate on the work at hand. These negatives do 
not provide the best working environment when it comes to anything 
computers.

And from me, a big 'Thank You' again to the maturity level of the Core 
team and for your unwavering devotion to this work. Yes, I am anxious, 
but also yes, I have perfectly good operating systems right now and I'll 
just sit knowing the packages I 'personally want' are coming... or I can 
build them myself. Me? I'll happily wait.

John Hinton


Re: [CentOS] Any update on 5.6 / 6?

2011-02-15 Thread John Hinton
On 2/15/2011 8:59 AM, robert mena wrote:
 That's a lovely story.

 But if that applies to CentOS core team (i.e they do not want to 
 receive money) why don't use the money to hire more staff to do some 
 of their tasks, specially those that they haven't been able to do in 
 the way they would like them to be done.

 But it seems that I am barking at the wrong tree and find a way to pay 
 RedHat for all CentOS machine that I have, since this is a 8 or 80 
 matter for some (i.e shut up and take whatever you get  X pay 
 something that you can't afford).
I believe this was stated some time ago. Money equals 'Accounting' and a 
LOT of added complexities. Hiring staff comes with even more of a time 
sink (withholdings perhaps across multiple nations, insurances, 
unemployment insurance... basically a whole plethora of additional 
accounting... even freelancers require accounting) and suddenly a 
'second job' instead of the situation as it exists now. I do believe they 
are happy to receive nice servers, so if you wanted to start a 
collection to buy them a really nice new server, I doubt that would go 
to waste... or better yet ask what equipment needs exist.

However, if somebody thinks that a project like this should be a paid 
project, the source is available for anyone to introduce a new flavor. 
And, alternatively there are the RH subscriptions to answer immediate 
needs... where you can sit around asking When is RHEL (insert next 
number here) going to be released?

If we can all just chill a bit and not create issues on this list that 
distract the folks putting it all together, then they will in theory get 
it done faster!

John Hinton



Re: [CentOS] server specifications

2011-02-14 Thread John Hinton
On 2/14/2011 10:53 AM, Rob Kampen wrote:
 Nico-Garcia wrote:
 On Mon, Feb 14, 2011 at 12:16 AM, Rob Kampen 
 rkam...@kampensonline.com wrote:
 Nico Kadel-Garcia wrote:

 Please, name a single instance in the last 10 years where ECC
 demonstrably saved you work, especially if you made sure to burn in
 the system components on servers upon their first bootup...
 Twice in the last two years my intel server mb with ECC RAM showed 
 errors
 (after moving system physically) and thus I did a reseat (after 
 cleaning) of
 the modules and all is now well. No data lost, complete confidence -
 definitely gets my vote for servers!!

 Same system? Did you burn it in (running it under serious load with
 memory and CPU testing tools for a day or two after initial
 installation)? And given that you opened it up, I also assume you
 cleaned out accumulated dust and cleaned the filters.
 This system was initially commissioned after burn in, in late 2004 - 
 An Intel mb. It started with RH9, then went FC3, then CentOS5.
 As mentioned the ECC memory has warned me when things are not well and 
 allowed me to take remedial action before anything
 impacted my data. It still does great work six years later. For some 
 reason, each time I have shifted it, we started getting these errors.
 It may be accumulated dust and dirt - so I always clean everything 
 while it is down. Re-seating the RAM after cleaning the contacts and 
 blowing out the dust has always worked. So for me, getting a server 
 grade mb with ECC RAM is a great investment and worth the slight extra 
 cost, not to mention that CentOS seems to have the drivers and modules 
 in place for these mb.
I'm not going to mention that I still have one old Compaq R3000 up and 
running. It is a 1998 model! It was up over 500 days at one point (when 
I finally decided a new kernel really did need to go live). It has run  
24/7/365(6) since 1998. Started its life under RH5. Now is Centos 3. It 
doesn't do anything really critical and is on my list to deactivate 
simply due to the electricity use. Yes, server class is important. I 
have since moved to Compaq/HP DL 380s as the primary systems. Again, 
very much server class and worth every penny.

Also, if you don't need the latest greatest, a lot of these units come 
off of corporate lease after 1 to 3 years and show up on eBay. A great 
way to get one at a fantastic bargain. A unit that started its life as 
a $10K or so machine, may be under $1K in 3 years. I've had fantastic 
service out of the Proliant line with the exception of the 1U units. HP 
makes the Proliant line, but also makes a lot of home use cheap stuff. 
Fortunately, they so far seem to be following the Compaq goals of 
building tanks.

All of the 380s seem to come with RILO, or remote insight lights out... 
which allows you to set up an alternate IP address into this separate 
card. From there, it is just like you are on the local console with even 
just a bit more control. For instance, you can power down the system and 
then power it back up from your remote location. Very nice. Also, 
redundant power supplies, cooling fans and on and on it goes. Yes, the 
setup software is a bit odd. This programs bios and raid systems.

Anyway, it's an alternative method if you don't need hoards of 
horsepower but if reliability is most important. As always, watch the 
rating of any seller. I've had good luck over the years.

John



Re: [CentOS] centos 5.5 check memoray usage too high???

2011-02-03 Thread John Hinton
On 2/3/2011 7:36 AM, Always Learning wrote:
 On Thu, 2011-02-03 at 20:18 +0800, mcclnx mcc wrote:

 kernel is:

 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 
 GNU/Linux
 I'm on Centos 5.5 and the kernel on my desktop machine is

 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64
 x86_64 GNU/Linux

If your swap drive is empty, as yours is, there is no shortage of ram. 
If your ram is full, as yours is, simply think of this as an automatic 
ram drive created and maintained by the system. You should be worried if 
ram is not full, unless your ram is greater than the total of everything 
accessed in the recent past.

Basically, seeing your report is verification of 'perfection' with 
regards to efficiency (although I suppose the algorithm for what is 
stored could be argued until the end of days). Use of ram is fast... 
swap slow. Think windows rolling off to swap for a moment.

John Hinton

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



[CentOS] The Natives are Restless!

2010-12-08 Thread John Hinton
Has anyone noticed over the years, that every time a major new CentOS 
release is just about to happen, suddenly there starts to be a few very 
long and drawn out threads?

Has anyone ever considered that the core team is in fact monitoring this 
thread while trying to devote as much time as possible to actually 
getting the next release out the door? Could it possibly take longer for 
the next release to be launched due to the increase in volume on this list?

So, when is CentOS 7 going to be released? ;)

Sorry to add to the problem with this message, but I do find it really 
odd that this happened just before 4 and then again just before 5 and 
now just before 6.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] simple website hit counter

2010-11-27 Thread John Hinton
On 11/26/2010 11:37 PM, Frank Cox wrote:
 On Fri, 26 Nov 2010 23:32:07 -0500
 John Hinton wrote:

 Webalizer comes with CentOS. I find it easy to enable and provides all
 the basic stats one would need.
 As far as I'm aware, webalizer is a comprehensive reporting tool similar to
 awstats.  Which is a much bigger hammer than what I'm looking for.

You set it to run once per day against the logs for that website... 
normally around midnight. The loads aren't that bad. The reporting I 
think defaults to 12 months of stored data which is stored normally in a 
directory in the web root for that website. That directory of course can 
be protected by something like htaccess.

Most of the old hit counters counted 'hits' instead of pages. So if a 
page had the text document and 9 graphics they counted as 10 'hits', 
not 1 'page view'. It has been maybe 6 or 8 years since I've bothered 
to look at these counters as they are pretty much antiques now.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] simple website hit counter

2010-11-26 Thread John Hinton
On 11/26/2010 11:24 PM, Frank Cox wrote:
 On Sat, 27 Nov 2010 02:20:01 +0100
 Patrick Lists wrote:

 Have you looked at Piwik? See http://piwik.org/
 As with awstats, that looks like it does far more than just count hits on
 index.html.

 I've found a stack of comprehensive reporting tools, and I've also found a ton
 of counters that put the number on the webpage that's being counted.

 Unfortunately, I still haven't found a simple counter that puts the count on a
 different webpage.

Webalizer comes with CentOS. I find it easy to enable and provides all 
the basic stats one would need.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Word Perfect [Was: Novell sale news?]

2010-11-23 Thread John Hinton
On 11/23/2010 12:49 PM, Bill Campbell wrote:
 WP users *LOVED* reveal codes as it allows people to see exactly
 what's going on under the hood, and even fix some things when the
 files get out of whack.  I answered the phone one time, and the
 opening from the caller was ``I want Reveal Codes''.

Well, sorry, but I'm 'lured' into this thread now. I tried to resist.

WordPerfect at one point in time was pretty much the de facto standard 
word processor... at least in the Windows world. This is a prime example 
of Microsoft's not playing fair. They started giving away Microsoft 
Office on just about every new computer with Windows pre-installed. 
Slowly, WordPerfect slipped to second and now almost oblivion. Further, 
if anyone has looked, there is no upgrade path to Office 2010, but 
instead you must buy the full version. So, we have gone from free to 
kill off (almost) all competition to one of the more expensive software 
suites. During this time, it has pretty much become a necessity in the 
business world, as everyone sends around Office filetypes. Crud, even 
certain Cad packages require Word to be installed if you want to use a 
spellchecker in your drawing. At the same time, to me, the Office suite 
has become one of the worst 'bloatwares' on the market. Yes, there are 
legal, medical, bookwriting and all sorts of templates and functions, 
but what most people need is simply a WordProcessor. Yes, I still have 
Perfect Office installed on my Windows system and I very much prefer it 
over Office. Yes, reveal codes is one of the reasons, but I don't feel 
it is bloatware. It has what I need and it is where I can easily find 
it. Also, Quattro runs circles around Excel in data handling and ease of 
use. Just try out the Quattro formula builder and you'll wonder what 
Microsoft was thinking when they built theirs for Excel.

OK, sorry... but this is more of a Microsoft bashing and Perfect Office, 
along with many other innovations have been purchased and buried by M$. 
I hate how they use 'Explorer' for their products. They are 'settlers', 
not 'explorers'.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Centos podcast on FLOSS weekly

2010-11-19 Thread John Hinton
On 11/19/2010 7:45 AM, Karanbir Singh wrote:
 On 11/19/2010 04:26 AM, John Hinton wrote:
 Hey KB... you look and sound just like you type! :)
 Not sure if that's a good thing or a bad thing :)

Well, being a heterosexual male... I don't think I can comment further 
as I'm not 'qualified'. LOL!!!

A bit of my history. I was looking at Debian when RedHat ended my 
subscription method, which was quite reasonable and adopted the much 
higher rate. Then Whitebox came along and I quickly jumped to that. I 
cyber-met Johnny Hughes over there. I found CentOS at about the time it 
was forming and asked Johnny about it and switched to CentOS during that 
time when the downloads got pounded with each new minor version upgrade. 
So, I've been hanging out here for a while. That said, there is one 
thing that I have somehow known, but became crystal clear in that 
interview. The 'mindset' of the core team is phenomenal. The maturity 
level is actually astounding!

I have seen some come into this list and 'go off' on a member of the 
core team, not knowing who they were talking to. It seems that in each 
case, any of you could have responded likewise. But, I have never known 
that to happen (or at least not in a kind or proper manner).

We are 'all' obviously very much indebted to your long hours of hard 
work. And as humans, you must at least have some feeling of being owed 
or whatever you want to call that. But yet, always your tempers are put 
at bay and what comes forth is 'always' only positive for the entire 
project. Now, I don't know how in words to state my respect for that... 
and the fact that it seems to be the whole core team. You must have had 
lengthy discussions to all vow to such an attitude. Perhaps the most 
commendable portion of the entire project.

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] Centos podcast on FLOSS weekly

2010-11-18 Thread John Hinton
On 11/18/2010 9:15 PM, Eduardo Grosclaude wrote:
 2010/11/18 Jorge Fábregas jorge.fabre...@gmail.com:
 On Thursday 18 November 2010 12:18:16 Les Mikesell wrote:
   check out this week's (142) video podcast at http://twit.tv/floss
 Hey thanks for the tip. I just finished watching it (very interesting
 interview).
 Agree, and I feel compelled to thank KB not only for his technical
 work but also for devoting his time and patience (and face!) to
 media-fueling the general attention given to the CentOS project.

Hey KB... you look and sound just like you type! :)

Really, it's a thanks to all the 'core' team in particular and all those 
others helping with the project and we also need to mention all those 
acting as mirrors and ... gee... suddenly I feel like someone trying 
to not forget somebody while accepting an Oscar or something. I'd like 
to thank my parents for raising a smart kid who knew to use only the 
best OS... I'd like to thank LOL

Now if I can just figure out if it is pronounced sen-tose, sen-tas or 
what. Sounded more like sen-tos from KB and sen-tas from both 
interviewers. Either way, the interview was actually rather 
invigorating. Now if you guys would just quit hacking my websites. ;)

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] httpd RPM newer than 2.0.63 avail for CentOS 4.x?

2010-11-12 Thread John Hinton
On 11/12/2010 3:44 PM, Philip Amadeo Saeli wrote:
 * Robert Heller hel...@deepsoft.com [2010-11-07 07:13:27 -0500]:
 At Sun, 7 Nov 2010 00:17:31 -0500 CentOS mailing list centos@centos.org wrote:

 I'm maintaining an internet-facing web server which is now running httpd
 2.0.63 (httpd-2.0.63-2.el4s1.centos.2) which is now nearly 2.5 years
 old(!?!).  I need to move to either 2.0.64 or 2.2.12 or later.  However,
 I've been unable to find available RPMs for such releases for CentOS
 4.x.

 I have to believe that others have these needs also.  In light of this,
 how do others keep up with security upgrades for the httpd?  I'm rather
 new to this aspect of things, so am still in the process of sorting
 things out in this regard.
 Red Hat backports security updates (from newer versions).  So long as
 you have been applying the standard O/S updates (eg 'yum update')
 regularly, your http is up-to-date WRT security updates.
 This is true for vendor-supported version.  However, for technical
 reasons (i.e., need for additional features or capabilities), we are
 running versions more recent than the vendor-supported ones.  Up until
 recently, I have been able to obtain the needed versions (of, e.g.,
 httpd, mysql, and php) from available third-party CentOS repos.
 However, this is no longer the case.

 My question in this regard is to find out how this problem is generally
 handled by others.  I know anyone who has internet-facing, secure
 servers has to deal with these same issues.  Up until now, I've been
 able to trust that the community response would result in the needed
 RPMs showing up in public repos.  That model seems to now be broken (if
 indeed it was ever truly viable).

 In particular, I need the following package versions (for CentOS 4.x),
 none of which I've been able to locate in any publicly available repo:

   1. httpd-2.0.64  # released: 2010-10-19
   2. php-5.2.14    # released: 2010-07-22

 I have been able to locate packages for php-5.3.3 and am in the process
 of testing them.  However, things would be *much* simpler in the short
 term if we could move first to php-5.2.14.

 Our longer-range plan is to upgrade the server to CentOS 5, which will
 help quite a bit in this regard.  However, in the mean time I'm stuck
 with CentOS 4 on this server due to severe time, resource, and budget
 constraints.

Of note, RHEL 6 was released this week, so CentOS 6 will likely be out 
maybe around the end of the year. Also, the next version release for 
RHEL 5 has an option to move to PHP 5.3. It's coming soon. Your time 
restraints might allow you to jump two major releases! ;)

As for the PHP upgrades. I don't know if you use SquirrelMail or not, 
but on a v5.x test machine, my upgrade to PHP 5.2 broke SquirrelMail. I 
didn't bother fixing it. I have recently upgraded that system to PHP 5.3 
from EPEL repository and SquirrelMail works again. That's the only thing 
I found that was broken... Just beware as it was a surprise to me.

John Hinton


Re: [CentOS] RHEL 6 Officially Released

2010-11-10 Thread John Hinton
 hi Guys,

 On 11/10/2010 07:52 PM, Scott Silva wrote:
 Last time there was only one build queue, so if 5.6 and 6 come out at the same
 time, they will have to choose which one gets attention first. CentOS doesn't
 have the multi-million dollar infrastructure to support multiple simultaneous
 releases.
 Just a quick note here - the centos buildsystem, as used for centos4 and
 5 has 8 builder 'threads'. So there is a fairly good potential for rapid
 builds.

 Having said that, we're not going to use those for centos6, we have a 6
 node dedicated builder service that will get used for this.

 Over the next few days I'll post details on how you guys can keep track
 of what's going on. I'll also post some details on how everyone can get
 involved and help.

 Exciting times for sure :)

 - KB

Now, if all of us 'leeches' can stop posting about this, the actual 
'ants' will be able to do actual work beyond hitting the delete key when 
viewing this list. ;)

Why does it seem that the immediacy for the next version increases at a 
greater rate than the versioning numbers? Yes, it has been painful 
waiting this time. My main issue has been trying to stay on upstream 
with PHP. And now it sounds like a double solution is on the way, 5 or 
6. Sweet!

Thanks CentOS team!

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions



Re: [CentOS] dictionary attacks

2010-11-10 Thread John Hinton
.


--
John Hinton




Re: [CentOS] black display during installation of CentOS5.5

2010-10-22 Thread John Hinton

On 10/22/2010 1:31 AM, Ritika Garg wrote:
I haven't tried nofb. If I write linux nofb at boot:, then will the 
installation take place in text mode or graphical mode?




It will still run in graphical mode.

John Hinton


Re: [CentOS] black display during installation of CentOS5.5

2010-10-21 Thread John Hinton

On 10/21/2010 1:38 AM, Ritika Garg wrote:
I had posted the following question 4-5 days ago. I want to add 
something to the question which is important. The question was:
During installation of CentOS5.3 from DVD, the installation was 
interrupted due to an error in a rpm package as the DVD had lot of 
scratches. So I burned image of CentOS5.5 on DVD. I selected 
installation in graphical mode. The first graphical interface screen 
comes from where we proceed further by clicking next. This screen is 
almost black and it's impossible to carry out further installation as 
visibility is very poor.
I was trying above for Dell Inspiron laptop which has Windows7 
installed on it. I checked the CentOS5.5 DVD on another system which 
is desktop and found that the graphical interface is perfectly alright 
there. So is there any setting that has to be done in the laptop?



Have you tried nofb during the install process? I have had to use this 
on certain flat screens.


John Hinton



Re: [CentOS] FYI: Red Hat Enterprise Linux 6 Release Candidate Available to Partners

2010-10-19 Thread John Hinton
  On 10/19/2010 11:24 AM, JohnS wrote:
 On Tue, 2010-10-19 at 14:21 +0100, Karanbir Singh wrote:
 Hi,

 On 10/19/2010 02:09 PM, Jerry Franz wrote:
 That is what it does. It *licenses* distribution between people. You
 can't say it's under GPL - but you can't redistribute it because I've
 Ok, so that is the point I am trying to make here.  RHEL6 isn't released
 as a product. They have an in-development code snapshot that they are
 offering to a bunch of people to come look at with them for comments,
 feedback, prep whatever.

 Also worth keeping in mind is that the RC to partners does not prevent
 one of those partners from publishing the sources if they want for code
 where licensing and their agreement with Red Hat permits them to. I am
 not in a position to comment on that since I have neither seen the
 agreement that Red Hat have in place for these said partners, nor am I
 one of them.
 http://www.redhat.com/partners/

This is an interesting list. And to me, sending out a RC to a small 
selection of the partners is a grand idea. Looks like this partner list 
includes just about any aspect of real world computing. For instance, I 
would want my RC to be installed on as many new and varied computer 
systems as possible to check for compatibility issues. Each of these 
partner groups has a specialty. Seems extremely logical to send a RC out 
to them. Also, as they are 'partners' and not the world, would this be 
any different from sharing the RC around within the RedHat offices?

Either way, this thread is really sounding a lot like we are just 
getting antsy for CentOS 6! ;) I'm chomping at the bit for like 2 years 
now. Fortunately I selected a titanium bit because if I ever manage to 
chew through it, I must migrate to Fedora. :)  Patience grasshopper.

Can we start asking when CentOS 7 is going to be released now? HAH!!!

Thanks CentOS team!

John Hinton


Re: [CentOS] sendmail substitute?

2010-10-14 Thread John Hinton
  On 10/14/2010 5:19 PM, Gary Greene wrote:
 On 14/10/10 10:58 AM, Baird, Josh jba...@follett.com wrote:
 Actually, as of RHEL6, the default MTA is now Postfix.

 Sendmail does indeed have a rather lengthy history of vulnerabilities.
 With that being said, in my opinion, Postfix is also a much more
 flexible MTA.

 Josh
 Well, I'd call that a red herring as Sendmail is just as flexible. The main
 issues that people have with Sendmail regarding security or flexibility come
 from the fact that you need to understand the configuration language that
 Sendmail's configuration files use. If you don't, yes, you can easily eff up
 the security of your mail infrastructure and can get lost quickly if
 you're trying to configure it for more functionality/mail routing/etc.

 Sure there have been vulnerabilities in the past, but so has
 postfix/exim/dbmail/etc I think the main reason upstream changed to
 Postfix is mostly a) most Linux distributions are using it as the default
 MTA now, and b) it is easier to configure and nothing more.

I think the key phrase above is 'lengthy history'. With that comes years 
of hack testing and some holes found. One could even argue that Sendmail 
has been more thoroughly 'tested', therefore more robust. I'm running 
both Sendmail servers and Postfix servers. I'm in the process of 
switching over to Postfix for other reasons, but I've gotten so good 
with Sendmail that I really hate making this change and find the Postfix 
configs foreign. Easier? Well, it's what you're used to. Most of this 
post is really about 'what I use so it is best'. That's not a bad thing, 
it just is. Any MTA will at some point in the future have security 
issues. The beauty of CentOS is they are dealt with in a timely manner 
and provided almost always, as a patch which breaks nothing else. So, 
it's really just easy. Choose the one you want and update your system. 
Sleep well. :)

John Hinton


Re: [CentOS] security updates

2010-10-12 Thread John Hinton
  On 10/11/2010 9:17 AM, John Doe wrote:
 From: Giles Coochey gi...@coochey.net

 On Mon, October 11, 2010 13:36, Ritika Garg wrote:
 I can't understand  exactly what these security updates do? Why is there a
 need to have a  security update?
 What is your IP?  :-D
 Keep this information secret, but I think his IP is 127.0.0.1 ...
 And there's no firewall!!!  ;P

 JD

Too funny JD!

But, not to mention that for most Linux distros, source is available, so 
finding bugs in theory is easier. This leads to the theory that the code 
has been more deeply tested (snooped) and repaired leading to a most 
robust end product.

Secure? Yes, as long as you apply the updates as needed. You can always 
read about why there is a patch and decide if it is applicable to your 
situation.

John Hinton


Re: [CentOS] OT: linux desktop market share more than 1%

2010-10-09 Thread John Hinton
 good when I buy any of their 
products as I feel I am just supporting the immoral. But yes, I am stuck 
using Winders, as much of the software I must run is only written for 
Windows. All I can say is GO Google and Android! We might yet again have 
an alternative? Cloud computing is going to have serious impacts on 
bloatware. We may have a new corner to round in the next decade.

Did I ever mention I'm not really happy with Micro$oft?

John Hinton


Re: [CentOS] best ways to do mysql backup

2010-08-14 Thread John Hinton
Keith Roberts wrote:
 On Sun, 15 Aug 2010, Agnello George wrote:

   
 To: CentOS mailing list centos@centos.org, li...@yahoogroups.com
 From: Agnello George agnello.dso...@gmail.com
 Subject: [CentOS] best ways to do mysql backup

 we have multiple servers approx 10   and each has about 100 GB of data in
 the /var/lib/mysql dir , excluding tar , mysqldump and replication how do we
 take backup for these databases on to a remote machine and store them
 datewise , ( the remote machine is a 2TB  HDD )

 currently tar  is not feasible as the data is too huge  and  the same goes
 with mysqldump

 suggestion will be of great help
 

 Would there be some way of tee-ing off the SQL statements to 
 a remote file in real-time? So in effect you are creating a 
 text file dump of the databases in real-time?

 Kind Regards,

 Keith Roberts
   
For uninterrupted delivery of dynamic content from the database... or no 
downtime, replication to a slave is the way to go. This is 'sort of' a 
T-ing effect, except it is to another database. That slave database 
however can be stopped, a mysqldump done to a backup and then restarted, 
at which point the replication restarts and the slave database is 
updated to match the master database. It works really well without huge 
overhead increases.

Google MySQL replication for lots of info about setting it up.

John Hinton
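
The sequence described in the reply above, as an added example that is not part of the original post. It reads "stopped" as pausing replication on the slave (mysqldump needs a running server), and assumes credentials in `~/.my.cnf` and the MySQL 5.x `STOP SLAVE` / `START SLAVE` syntax; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: run on the slave host,
# credentials come from ~/.my.cnf, MySQL 5.x replication statements.

# replica_sql_running: succeeds if the slave's SQL thread is applying events.
replica_sql_running() {
    mysql -e 'SHOW SLAVE STATUS\G' | grep -q 'Slave_SQL_Running: Yes'
}

# backup_replica DEST_DIR
# Writes DEST_DIR/mysql-YYYY-MM-DD.sql.gz from a paused slave and prints the
# file name. Replication is restarted whether or not the dump succeeded.
# Returns 0 on success, 1 if the dump failed, 2 if replication did not resume.
backup_replica() {
    br_dest=${1%/}
    br_file="$br_dest/mysql-$(date +%Y-%m-%d).sql"
    br_rc=0

    # Pause only the SQL thread: the slave keeps receiving the master's
    # events into its relay log and catches up once restarted.
    mysql -e 'STOP SLAVE SQL_THREAD' || return 1

    # Subshell: the dump holds every table's data, so keep it owner-only
    # without changing the caller's umask. Dump to a .part file first so a
    # failed mysqldump is not hidden behind gzip's exit status.
    (
        umask 077
        mysqldump --all-databases --routines > "$br_file.part" &&
            gzip -c "$br_file.part" > "$br_file.gz"
    ) || br_rc=1
    rm -f "$br_file.part"
    [ "$br_rc" -eq 0 ] || rm -f "$br_file.gz"

    # Always resume, then confirm: a slave left paused drifts silently.
    mysql -e 'START SLAVE SQL_THREAD' || br_rc=2
    replica_sql_running || br_rc=2

    [ "$br_rc" -eq 0 ] && printf '%s\n' "$br_file.gz"
    return "$br_rc"
}
```

Run from cron on the slave, for example `backup_replica /backup/mysql`, and alert on a non-zero exit status; the dated file can then be copied to the remote backup host.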


Re: [CentOS] Php 5.2.x support ends

2010-07-26 Thread John Hinton
On 7/26/2010 9:38 AM, John R Pierce wrote:
On 07/26/10 12:04 AM, Bob Hoffman wrote:

 Thinking of just sitting on this for awhile? Thoughts?



Last release for PHP 5.2   updates for 5.3

 The users of PHP 5.2 should upgrade to 5.3 at their earliest
 convenience, as the active support of the 5.2 series came to an end with the
 release of version 5.2.14 earlier today. PHP 5.2.0 was released almost four
 years ago and according to the release announcement,
 http://www.php.net/archive/2010.php#id2010-07-22-1
  
 ...


 sounds like a great reason to get away from using PHP entirely, since
 they seem to be incapable of releasing upgrades that don't massively
 break applications.   4 years is just too short of a life cycle for a
 major release used in a production system.


Always a dilemma. The very beauty of upstream therefore CentOS is that 
security issues will be backported to our current installations. In a 
hosting environment, you don't have to worry about breaking people's php 
websites/apps. The downside is the long lived old php versions do not 
run many of the new apps those same hosted clients wish to run. But in 
most cases, it's those same clients that build something and expect it 
to run forever and get very upset when they are told they must 
upgrade/rewrite their scripts.

Of note. I did a 5.2 upgrade on one of our local use systems. I don't 
know how much more is broken, but for certain the standard CentOS 
install of SquirrelMail is borked. We don't use it on that system, so no 
big deal. I thought I'd post this just so those with mission critical 
machines would know that upgrading PHP does have an effect on at least 
this one upstream package. I can only assume if one looked deep enough, 
some other things may be broken as well. It really is hard to test 
'everything' that a client may be using.

To me, the fact that PHP seems to have a 4 year life cycle, further 
strengthens the use of CentOS with its 7 year life cycle. Yes, it is an 
inconvenience from time to time. We don't get to count how many times it 
is a convenience however. You only hear when it doesn't or can't work, 
not how many times something continues to work due to this mindset.

John Hinton


Re: [CentOS] Problem installing WordPress on CentOS

2010-07-23 Thread John Hinton
On 7/23/2010 12:40 PM, John R Pierce wrote:
On 07/23/10 5:47 AM, Niki Kovacs wrote:

 3) # chown -R apache:apache /var/www/html/wordpress
  
 I have always been told that apache shouldn't own or have write access
 to files or directories unless it absolutely has to, as this is a
 unnecessary security exposure


Correct. However if you wish to implement the client upload feature, 
there is an uploads directory under wp-content which will need write 
ability. The WordPress created subdirectories within this directory will 
also be set to these permissions. But that is the only place where write 
should be considered. This is where items like uploaded photos exist.

John Hinton
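
A check for the rule discussed in this exchange (the web server account should be able to write only under wp-content/uploads), as an added example that is not part of the original posts. It assumes the standard WordPress layout and a root path without glob characters; the function names and the 775/664 modes for the uploads tree are this example's choices.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes uploads live under
# ROOT/wp-content/uploads and that ROOT contains no glob characters
# (find -path treats its argument as a pattern).

# audit_wp_writable ROOT WEB_USER [WEB_GROUP]
# Prints every path outside wp-content/uploads that the web server account
# could write to: as owner, through its group, or because the path is
# world-writable. Returns 0 when nothing is found, 1 otherwise.
audit_wp_writable() {
    wp_root=${1%/}
    wp_user=$2
    wp_group=${3:-$2}
    # Symlinks are skipped: their mode bits are always rwxrwxrwx.
    wp_hits=$(find "$wp_root" -path "$wp_root/wp-content/uploads" -prune -o \
        ! -type l \( \
            -user "$wp_user" -perm -u=w -o \
            -group "$wp_group" -perm -g=w -o \
            -perm -o=w \
        \) -print)
    [ -z "$wp_hits" ] && return 0
    printf '%s\n' "$wp_hits"
    return 1
}

# lock_wp_tree ROOT OWNER WEB_GROUP
# Gives the tree to OWNER (an account the web server does not run as),
# removes group/other write everywhere, then lets WEB_GROUP write to
# wp-content/uploads only. Needs root unless OWNER is the caller.
lock_wp_tree() {
    wp_root=${1%/}
    wp_uploads="$wp_root/wp-content/uploads"
    chown -R "$2:$3" "$wp_root" || return 1
    chmod -R go-w "$wp_root" || return 1
    [ -d "$wp_uploads" ] || return 0
    find "$wp_uploads" -type d -exec chmod 775 {} + &&
        find "$wp_uploads" -type f -exec chmod 664 {} +
}
```

On the system from the thread the audit would be `audit_wp_writable /var/www/html/wordpress apache`; after the quoted `chown -R apache:apache` it lists the whole tree.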


Re: [CentOS] security compliance vs. old software versions

2010-07-06 Thread John Hinton
On 6/30/2010 8:54 PM, John Jasen wrote:
 m.r...@5-cent.us wrote:

 John Jasen wrote:
  
 m.r...@5-cent.us wrote:

 Frank Cox wrote:
  
 On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:

 Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
 the printers, and left it off. This, of course, slows things down a lot,
 but it's Secure.
  
 snip
  
 Forgive the minor nit, and hopefully not continuing the talking past
 each other, but modern printers have more computer resources than a
 smart phone, and the embedded OS is either equally as complex or an
 embedded braindead version of Windows.

 In other words, they are assets worth protecting.

 So, you're saying protection is more important than having them usable for
 the folks whose use they were bought for? You're saying that we should
 just get rid of them, and buy less capable printers that can't do as much?
 Even when the only way to get to the existing printers is from a system
 that's *inside* the firewall, and on our network? Hey, how 'bout I just
 unplug them from the network altogether? They'll be doorstops, but they'll
 be secure.
  
 Well, I'm a security admin, so of course protection is more important
 than utility! :)

 But seriously, the assessment tools provide information on your
 environment, based on certain standard metrics. It's (HOPEFULLY! PCI
 compliance notwithstanding) up to the people who end up reading
 them to fix the environment, determine that it's not a problem, or accept
 the risk that was discovered.


Sorry to drag this back out to the front... I've been beyond busy and 
just now catching up.

One of the things that is blaring to me in these 'security' scans is 
that there is no check of passwords. We can jump through every hoop in 
the world to provide a 'secure' environment, yet without 'verifying' 
with the client a quality password and password policy, this is simply a 
moot point. Yes, one would hope... but if they don't check this how do 
they know? I have had requests for password changes to the most ignorant 
and guessable things. We don't allow any of our users to set their 
passwords, but I do wonder about these supposedly 'secure' sites.

There are also no checks on the security of the server location. Who has 
access to the console?

I think this whole business is simply another ploy to cost everyone a 
lot of money... but the 'form' gets filled out. It is absurdity at its 
finest! On the most secure systems, they couldn't even run their 
reports. The companies doing these checks are simply lining their 
pockets with green.

John Hinton


[CentOS] Logwatch with Postfix and Amavisd-new

2010-07-06 Thread John Hinton
I'm trying to get usable reports out of logwatch on this new system. 
Looks like the reports are running in an 'unformatted' mode under 
Postfix/Amavisd.

I found a couple of programs, postfix-logwatch and amavisd-logwatch. 
These sound promising. I am running Amavisd as the frontend to Postfix.

Is anybody running either of these as a logwatch filter?

If so, is it repetitive to run both, or should I consider only one of 
above and which would provide the best results?

And, are these in any of the CentOS repositories?  Couldn't find them in 
Dag's.

Thanks!

John Hinton


Re: [CentOS] security compliance vs. old software versions

2010-07-06 Thread John Hinton
On 7/6/2010 4:49 PM, John Jasen wrote:
 John Hinton wrote:

 On 6/30/2010 8:54 PM, John Jasen wrote:
  
 Well, I'm a security admin, so of course protection is more important
 than utility! :)

 But seriously, the assessment tools provide information on your
 environment, based on certain standard metrics. It's (HOPEFULLY! PCI
 compliance notwithstanding) up to the people who end up reading
 them to fix the environment, determine that it's not a problem, or accept
 the risk that was discovered.



 Sorry to drag this back out to the front... I've been beyond busy and
 just now catching up.

 One of the things that is blaring to me in these 'security' scans is
 that there is no check of passwords. We can jump through every hoop in
 the world to provide a 'secure' environment, yet without 'verifying'
 with the client a quality password and password policy, this is simply a
 moot point. Yes, one would hope... but if they don't check this how do
 they know? I have had requests for password changes to the most ignorant
 and guessable things. We don't allow any of our users to set their
 passwords, but I do wonder about these supposedly 'secure' sites.
  
 Well, security assessment tools should just be a part of your holistic
 security posture. Hopefully, if passwords are a concern, you've set
 requirements for complex password in your authentication system, and are
 routinely running password scans against them.

 FWIW, nessus does have a check for stupid default passwords for default
 accounts.



My point is these 'security metrics' businesses that are paid, generally 
by credit card companies, to do these software scans and don't ever do 
these most basic checks. Not that my quoted text is the name of one of 
these companies or anything. ;) I really feel the scans are just scams. 
Pun intended.

John Hinton


Re: [CentOS] security compliance vs. old software versions

2010-07-06 Thread John Hinton
On 7/6/2010 5:34 PM, Whit Blauvelt wrote:
 On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:


 My point is these 'security metrics' businesses that are paid, generally
 by credit card companies, to do these software scans and don't ever do
 these most basic checks. Not that my quoted text is the name of one of
 these companies or anything. ;) I really feel the scans are just scams.
 Pun intended.
  
 As devils' advocate here, yes the scans are far from thorough or complete.
 But there is a significant number of really insecure sites where they do
 flag some of that. The credit card companies aren't going for 100%
 perfection, any more than merchants go for 100% safety from shrinkage. They
 aren't trying to eliminate sites where credit card data is insecure (or
 stores that can be shoplifted from), just keep the incidence down to levels
 where they can afford to write off the losses.

 Between finding real security problems sometimes, and scaring sysadmins into
 at least thinking about it other times, they accomplish that. Meanwhile it's
 a PITA for competent sysadmins, for all the reasons discussed here, because
 the scans are worthless against a system with a good security design, giving
 false positives and not probing deeply enough to improve our occasionally
 half-assed practices. But we're just collateral damage to them. The main aim
 is to knock down some portion of the really bad apples, and keep their
 insurers and the government happy.

 Whit

You are right Whit. It makes us think and that is positive.

The only other good thing I can think of in all of this, is apparently 
someone has figured out a way to get money out of a credit card company 
and that is a huge feat in itself! :) Unfortunately, we the consumers 
pay for that, too. :(

OK... I guess my old frustration with this is now vented.

John


[CentOS] Amavisd-new UBE problem on Postfix server

2010-06-29 Thread John Hinton
This is a web hosting mailserver, so there are multiple domains being 
passed through this email system.

I decided this new system would be Postfix and followed the CentOS Wiki 
to aid in the installation and setup.

It seems that Amavisd is throwing this error from time to time.

-
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
From: Content-filter at mailserverdomainname.com
-

and now I'll skip to the bottom of the error message

--
First upstream SMTP client IP address: [97.13.153.201]
According to a 'Received:' trace, the message apparently originated at:
   [97.13.153.201], localhost 201.sub-97-13-153.myvzw.com [97.13.153.201]
---

which shows this email was sent through a smart phone on the Verizon 
network.

The email settings on the phone are correct. The domain name of the 
sender is properly configured and email is working on their computer.

I have searched for this and found many questions about why and only one 
ugly solution. It seems that if you add the domain name to 
@local_domains_maps = in amavis conf, the problem goes away, at least in 
some situations. Obviously not something one wants to have to do with 
each additional domain added to a server.

Amavis is set to the default
@local_domains_maps = ( [.$mydomain] );  # list of all local domains
on my system.
$mydomain is set to the mailservername.

Does anyone have a good solution to this problem?

Thanks,
John Hinton


Re: [CentOS] security compliance vs. old software versions

2010-06-29 Thread John Hinton
On 6/29/2010 5:11 PM, Les Mikesell wrote:
 What's the correct response to a security scan that points out that
 apache versions below 2.2.14 have multiple known vulnerabilities?  Is
 there an official document about what known vulnerabilities have been
 fixed in the RHEL/CentOS updates or do you have to wade through the
 changelog to try to find each thing?


One of the things to do first is to find out if the client who needs the 
scan actually does any e-commerce on your server. Otherwise, I have 
found that the scans can be stopped by having your client contact their 
CC processing company.

It seems that RHEL is in most of these scanners' systems, however CentOS 
is not, so they balk at the old versions. It's really all just a big pain.

John Hinton
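
The changelog search raised in the question above can be scripted. The following is an added example, not part of the original thread: it parses text in the format printed by `rpm -q --changelog httpd` and sorts the CVE ids a scanner flagged into those the package changelog documents and those it does not. The sample changelog, its releases and its CVE ids are constructed placeholders, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed sample in the format printed by `rpm -q --changelog httpd`.
# Releases and CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Fri Jan 01 2010 Packager Name <packager@example.com> - 2.2.3-43
- add security fix for CVE-0000-0001 (#000001)
- mod_proxy: fixes for CVE-0000-0002, CVE-0000-0003

* Tue Dec 01 2009 Packager Name <packager@example.com> - 2.2.3-31
- rebuild
- backport fix for CVE-0000-0004 (#000002)
"""

HEADER = re.compile(r"^\* \w{3} \w{3} +\d{1,2} \d{4} (.+)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def installed_changelog(package):
    """Return the changelog of the installed package (needs rpm)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout

def parse_changelog(text):
    """Map each CVE id to the oldest release whose entry mentions it."""
    fixed, release = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            release = header.group(1).split()[-1]  # trailing version-release
            continue
        for cve in CVE.findall(line):
            # Entries run newest first, so later matches are older releases.
            fixed[cve.upper()] = release
    return fixed

def triage(flagged, fixed):
    """Split scanner-flagged CVE ids into changelog-documented and open."""
    wanted = [cve.upper() for cve in flagged]
    addressed = {cve: fixed[cve] for cve in wanted if cve in fixed}
    unresolved = [cve for cve in wanted if cve not in fixed]
    return addressed, unresolved

if __name__ == "__main__":
    done, todo = triage(["CVE-0000-0002", "CVE-0000-0009"],
                        parse_changelog(SAMPLE_CHANGELOG))
    print("documented in changelog:", done)
    print("not mentioned, check by hand:", todo)
```

A CVE id missing from the changelog only means the package does not document a fix for it; it may not apply to the packaged version at all, so those ids still need a manual look.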