Re: [CentOS-docs] Wiki Edits: HowTos/OS_Protection
On 08/21/2009 11:50 PM, Voyek, William wrote: whats your username ? wvoyek Would you be able to make it FirstnameLastname ? That way things stay uniform for everyone -- Karanbir Singh : http://www.karan.org/ : 2522...@icq ___ CentOS-docs mailing list CentOS-docs@centos.org http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] document proposal: TipsAndTricks/ApacheVHostDir
On Fri, Aug 21, 2009 at 3:41 PM, Ed Heron e...@heron-ent.com wrote:

... I've written a quick little article detailing how to create a vhost directory under CentOS. ...

From: Brian Mathis, Friday, August 21, 2009 1:52 PM

I always figured that the CentOS way to handle that was to put them into the conf.d folder. Is there an advantage to using this method? One thing I can think of is that the conf.d is included in the middle of the httpd.conf file, while this would be at the bottom.

On 08/22/2009 12:12 AM, Ed Heron wrote:

That is exactly my reasoning. The config file, as distributed, has the virtual host containers at the end of the file.

From: Manuel Wolfshant, Friday, August 21, 2009 3:31 PM

No, the config file as distributed has - just like the original apache config - an example at the end of it.

I do understand that there is already a config file directory. However, the example virtual host is at the end of the distributed Apache config file. From that positioning, I conclude that it is recommended to have the virtual host stuff at the end, rather than the middle. The existing include is in the middle, therefore, (I'm concluding that) it is not recommended. conf.d appears to be for module config files.

I don't know if the virtual host only inherits configuration directives that are defined before it is. If that is the case, any configuration items after the conf.d include would not apply to the virtual hosts (though this is easy to test). Even if that is not the case, it still seems that putting virtual host files in conf.d is improper.

Putting virtual host files in conf.d may work but appears to be a shortcut. While nobody would suggest you can't take a shortcut, if it works for you, there should be an official method. To me, moving virtual hosts out of the main config file requires a separate directory. It may be my 'heritage' but separate directories is how it is done in Gentoo.
Re: [CentOS-docs] document proposal: TipsAndTricks/ApacheVHostDir
On 08/22/2009 10:29 PM, Ed Heron wrote: It may be my 'heritage' but separate directories is how it is done in Gentoo. While we are at it, let's also add a folder for all existing modules and another one for symlinks of active modules, pointing back to the first folder. And also, let's have all vhosts in a folder, but all active vhosts should be symlinks to them, from another folder. And why not compile the binary from source, that's how gentoo does it ! ___ CentOS-docs mailing list CentOS-docs@centos.org http://lists.centos.org/mailman/listinfo/centos-docs
[CentOS-docs] document proposal: TipsAndTricks/ApacheVhostDefault
Draft at http://wiki.centos.org/EdHeron/ApacheVhostDefault Obviously, if ApacheVhostDir is not accepted, I'd remove the parts that refer to my vhost.d... ___ CentOS-docs mailing list CentOS-docs@centos.org http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] document proposal: TipsAndTricks/ApacheVHostDir
From: Manuel Wolfshant, Saturday, August 22, 2009 2:00 PM

While we are at it, let's also add a folder for all existing modules and another one for symlinks of active modules, pointing back to the first folder. And also, let's have all vhosts in a folder, but all active vhosts should be symlinks to them, from another folder. And why not compile the binary from source, that's how gentoo does it !

I didn't realize I was inviting sarcasm. I don't think it is appropriate in this forum. I was, apparently unreasonably, expecting calm, thought out discussion followed by a consensus.

I was merely suggesting I am not alone in my opinion. As were you when you made reference to Fedora method. Both Fedora and Gentoo are merely alternate examples of GNU/Linux distributions. Just because an idea is used in another distribution, whose basic tenets you don't agree with, doesn't make the idea useless or valueless or, worse, worthy of scorn.

CentOS has a philosophy of method. Apache has a philosophy of method. I am making a suggestion that I believe fits with both that would make a more proper solution than putting the virtual host files in conf.d.
Re: [CentOS-docs] document proposal: TipsAndTricks/ApacheVHostDir
On Sat, Aug 22, 2009 at 4:00 PM, Manuel Wolfshantwo...@nobugconsulting.ro wrote: On 08/22/2009 10:29 PM, Ed Heron wrote: It may be my 'heritage' but separate directories is how it is done in Gentoo. While we are at it, let's also add a folder for all existing modules and another one for symlinks of active modules, pointing back to the first folder. And also, let's have all vhosts in a folder, but all active vhosts should be symlinks to them, from another folder. And why not compile the binary from source, that's how gentoo does it ! There's a saying in the US: If you have nothing nice to say, say nothing at all. I think that could be modified a bit to something like If you have nothing constructive to add, and prefer to make passive-aggressive pot-shots from the sidelines, say nothing at all. As for the topic at hand... I am not what one might call an advanced user of apache -- I usually host one or two sites, and even with that minimal config I find it difficult to configure apache by only creating files in the conf.d directory. I've not done a complete analysis, but often it seems like settings in the main httpd.conf file do not get overridden completely for every case. I always end up editing the httpd.conf file when the main purpose for a server is to act as a web server. I'd really like to know how to handle this as close to the CentOS Way as possible. ___ CentOS-docs mailing list CentOS-docs@centos.org http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] Wiki Edits: HowTos/OS_Protection
On Fri, Aug 21, 2009 at 6:50 PM, Voyek, Williamwvo...@edmc.edu wrote: wvoyek Once you have your username in the format Karanbir describes, we can give you the appropriate permissions. -- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell ___ CentOS-docs mailing list CentOS-docs@centos.org http://lists.centos.org/mailman/listinfo/centos-docs
[CentOS-docs] document proposal: TipsAndTricks/ApacheVHostDir
On Sat, 22 Aug 2009, Ed Heron wrote:

From: Manuel Wolfshant, Saturday, August 22, 2009 2:00 PM

While we are at it, let's also add a folder for all existing modules and another one for symlinks of active modules, pointing back to the first folder. And also, let's have all vhosts in a folder, but all active vhosts should be symlinks to them, from another folder. And why not compile the binary from source, that's how gentoo does it !

I didn't realize I was inviting sarcasm. I don't think it is appropriate in this forum. I was, apparently unreasonably, expecting calm, thought out discussion followed by a consensus.

The problem is this -- a vhost.d and linkfarm constellation works (for some meanings of 'works'), and is not unheard of -- but it also contemplates adding directories not identifiable by:

rpm -qf /path/to/vhost.d/templates

is not integrated with SELinux, and is not accompanied by a documented or LSB or FHS model management tool (see, eg, alternatives, or chkconfig)

Local extensions are all well and good; but the CentOS approach is conservative, and not developmental; it is about management within the model of the upstream, of a form that will not get 'tromped on' by an async upstream security upgrade, and automatable sysadmin provisioning and management tools.

We have the memory of the 'caching nameserver' and 'bind' named.conf changes mid release causing outages upon the unwary. Those using non-upstream docoed's approaches were caught when a local extension was stepped on by upstream.

That means we at CentOS, when we extend, package sources into RPMs, with directories that SELinux is comfortable with, and use versioned tools so delivered. I strongly suspect that the draft model of links needs a raft of SELinux modifications as well. Haven't tried yet, as frankly, it strikes me that this type of work needs to be thrashed out in the Fedora context and rough and tumble of development. It is just not where the CentOS wiki needs to be, in my opinion.

'wolfy' used the executive summary and telegraphic model to communicate this which we use in IRC when proposals like this arise; I hope this longer form is not considered 'sarcastic'

-- Russ herrold
[CentOS-virt] virtio
Hello Everyone,

Can I use virtio modules for network and block devices in CentOS 5.3 VMs when using the KVM packages from the lfarkas repo? I've tried changing an existing VM to virtio for disk and network, but each time I start it, I get this error:

error: Failed to start domain popdns02
error: internal error unsupported disk type 'vda'

I don't know why this is happening. From what I've read, virtio should be available. Can someone please tell me what I'm doing wrong?

Regards, Ranbir

-- Kanwar Ranbir Sandhu Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 11:32:58 up 6 days, 12:29, 4 users, load average: 0.26, 0.21, 0.33
___ CentOS-virt mailing list CentOS-virt@centos.org http://lists.centos.org/mailman/listinfo/centos-virt
[CentOS-virt] Performance tunning CentOS / Xen
Hello, I have followed standard documents to install CentOS 5.3 Xen. After playing around, stuffs are OK. So I move forward to tune the performance, are there any recommended documents/tutorial that specialized on performance tuning VM host/guest, on CentOS / Xen architecture? Thanks ___ CentOS-virt mailing list CentOS-virt@centos.org http://lists.centos.org/mailman/listinfo/centos-virt
Re: [CentOS] httpd - mysql - paypal.com.tar - hacker
On Friday, 21.08.2009 at 23:29 +0200, Rainer Duffner wrote:

On 21.08.2009 at 23:24, R P Herrold wrote:

On Fri, 21 Aug 2009, Gregory P. Ennis wrote:

place. It looked like the hacker downloaded his paypal spoof files into a subdirectory of /var/www/phpmyadmin I am running 5.3 with all current updates.

and third party software as well. We do not ship phpmyadmin, and clearly and repeatedly caution against it in the IRC channel -- its CVE history is appalling, and people are just not willing to remove it, or limit it to just a specific IP (not that I expect its ACL model to work either)

Is there an alternative? I do think that it's the Internet Explorer of OSS. The General Public loves it, the admins hate it - but use it nevertheless Because there's no alternative.

mysql gui-tools (http://dev.mysql.com/downloads/gui-tools/5.0.html)
openoffice base

financial.com AG Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] How to tell if I've been hacked?
On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrl...@gmail.com wrote:

There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for?

This is an interesting and frustrating question. Perfect security is impossible, but maybe we can achieve 'good enough'.

On Tue, Aug 18, 2009 at 5:14 PM, Christopher Chan christopher.c...@bradbury.edu.hk wrote:

rpm -Va is a good start for modified binaries/libraries.

Problems with rpm:
1) Many files on a system did not come from an rpm or had good reasons to change, so dealing with false positives is a problem
2) Some packages are sloppy and no longer verify immediately after installation
3) rpm cannot address memory-only attacks or bios attacks.

Still, if rpm tells you some binary has changed since installation, you know you're in trouble. Or you're using prelink.

Rootkit detectors are another thing you can try.

Problem with rootkit detectors I have used: many false positives. At least, I hope they were false! Googling around, I found that once you had a positive result, it was sort of complicated process to figure out whether you'd really been hacked or were just having timing problems or had an unusual configuration.

Other than that, it is checking your logs and looking for odd files lying around...

And prayer.

On Tue, Aug 18, 2009 at 5:22 PM, Ryan Pugatch r...@tripadvisor.com wrote:

Also, processes running that you don't recognize.

Unfortunately, if you're like me there are really a lot of processes running on a virgin linux box (never touched the internet) that I don't recognize. I once tried just making a big file of them and having a cron job send me email when the list changed significantly. This could have caught an unlucky or inept cracker who launched some process named meEvilCrackhead, but wouldn't have done much to catch someone using an innocuous name, like say 'grep'.

Users you don't recognize.

Again, it is possible to catch someone who doesn't bother to get rid of the smoking gun. Someone who has root on your system can create a new user, or they could use a pre-existing user. You can keep an eye out for strange users, but the real problem is spotting familiar users doing stuff they ought not. Even that can be covered if the cracker replaces your tools or hacks the kernel.

Logged in sessions that you don't recognize.

I'm not sure what Ryan means here, unless he is assuming only one person (you) has authorized access to your machine, and you see sessions logged in as you that you know nothing about. Yeah, that would tip you off. If lots of users can log in, there's not much point.

Free space shrinking abnormally.

Again not really sure what this would mean. Too high a load, too many programs running? Again, someone with root access could hack the tools you use to monitor this, or even the kernel, and make it really hard to see. Assuming you really know how much free space you ought to have at a given moment, which, for me, I am ashamed to admit, would be quite rare.

An increase in bandwidth usage that is unexpected.

Now we're talking! Well, I am still pretty damn ignorant of what a system's bandwidth demand ought to be, but at least you could see the stuff actually happening and make a sort of reasonable investigation of 'what do I have running that would possibly want to talk to IP xxx.yyy.zzz.aaa?' And for once, no matter how good the intruder is, they won't be able to get your own system to lie to you for them (assuming you're using a different system to do the network analysis). But while you analyze the traffic, the bad guys have more time to damage your data.

On Tue, Aug 18, 2009 at 5:58 PM, Christopher Chan christopher.c...@bradbury.edu.hk wrote:

Yeah...one should not assume that those will be hidden by rogue libraries/binaries. Not every case will be taken that far or unspotted before it gets that far.

Every intrusion is vulnerable for a while at least, while the intruder is trying to get in and get root. After that they will probably try to cover their tracks.

On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell cen...@celestial.com wrote:

To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide,

And very carefully. Only that won't help you with memory-only attacks, or bios stuff, etc. These tools concentrate on verifying that your disk files have not been altered. I don't think they would help with an attack that uses free space (guessing here). Also, they are a pain, unless your system stays absolutely static, which in effect means, if you never use it. Have them ignore your data space, and the hacker can exploit that. And even then, linux is constantly updating various files in the background, and of course you need to update software to keep up with the security patches. You need to track every change of every file. I doubt many people have the patience.
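
An added example, not part of the thread: one way to cut down the `rpm -Va` false positives discussed above is to triage the output so that changed config files and prelink messages are separated from changed binaries. The sample output is constructed, and the category names and the `EXEC_DIRS` list are assumptions made for this illustration.

```python
import re

# Flags column of `rpm -V`: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime ("." = test passed, "?" = test not performed).
# It is 8 characters wide on rpm 4.4 (CentOS 5) and 9 on later releases;
# a file that is gone is reported with the word "missing" instead.
LINE_RE = re.compile(
    r"^(?P<flags>missing|[A-Za-z0-9.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Assumed list of directories where a changed file deserves a close look.
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/",
             "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Flags that mean content, size, permissions or ownership differ.
CONTENT_OR_PERM = set("S5MUG")


def classify(line):
    """Return (category, item) for one line of `rpm -Va` output."""
    if line.startswith("prelink:"):
        return "prelink", line            # verify again after re-prelinking
    m = LINE_RE.match(line)
    if not m:
        return "unparsed", line
    flags, attr, path = m.group("flags", "attr", "path")
    if attr == "c":                       # packaged config file, edits are normal
        return "config", path
    changed = flags == "missing" or bool(set(flags) & CONTENT_OR_PERM)
    if changed and path.startswith(EXEC_DIRS):
        return "investigate", path
    return "review", path


def triage(output):
    """Group the lines of `rpm -Va` output by category."""
    buckets = {"investigate": [], "review": [], "config": [],
               "prelink": [], "unparsed": []}
    for line in output.splitlines():
        line = line.rstrip()
        if line:
            category, item = classify(line)
            buckets[category].append(item)
    return buckets


# Constructed sample output, not taken from a real system.
SAMPLE = """\
S.5....T  c /etc/ssh/sshd_config
..5....T    /usr/bin/passwd
.......T    /usr/lib/python2.4/site-packages/foo.pyc
missing     /sbin/ifconfig
.M......    /var/log/httpd
prelink: /usr/bin/ssh: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/bin/ssh
....L....  c /etc/pam.d/system-auth
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category)
        for item in items:
            print("   ", item)
```

The result is only as trustworthy as the rpm binary and database it came from, which is why the thread goes on to discuss running tools from read-only media.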
Re: [CentOS] how to check the MD5 sums ISO directory
Michael Wright wrote: Ok guys How do i check MD5 SUM in the ISO Directory Mike Hi Michael, Try this site: http://linuxwave.blogspot.com/2009/06/validate-your-downloaded-files-using.html It will explain a little bit about using md5sum. HTH. Lee Perez ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Centos kernel problem
My system is Centos 5.3. and I want to study the kernel, for example, write myself kernel module. So I download the kernel source *.2.6.18.tar.bz2 and compile it in my system. make bzImage make make modules make modules_install make install. When reboot, I find I can not mount the ntfs disk to the system and some other software have the problems. Before compile the kernel source, I have installed the kernel-module-ntfs-* , and when compile the *.tar.bz2 kernel source, I added sata support with module style. I want to know if anything I do not do ? when modify the kernel, how to update all the software? If I install the *.src.rpm kernel, is it difficult to start kernel with it? For example, if write myself module, it needs to make rpm then can debug it?
Re: [CentOS] p800 and HP
On Fri, Aug 21, 2009 at 07:40:24PM +0200, Rainer Duffner wrote:

On 21.08.2009 at 19:08, Peter Kjellstrom wrote:

On Friday 21 August 2009, Joseph L. Casale wrote:

We have a few (p800). My opinion is that they're acceptable but not fast.

Heard this a few times now, in the interest of getting something better next time, what have you found equally reliable but faster?

Nothing as cheap as a full dl185 that's for sure unless you count SUNs thor (thumper ng) machines but then you'll have to do the raid part in software somehow.

Yeah, but that is as easy as

zpool create tank raidz2 dev1 dev2 dev3 dev4 dev5 dev6 etc.
zfs create tank/bigdisk

But I'd go one step further and use one of SUNs OpenStorage devices. Once you have a lot of no-name JBOD SATA-drives, the inability of Solaris to light-up the yellow light of the broken one will make it painfully obvious that while one can spend too much on storage, one can as easily spend too little... ;-)

Uhm.. Solaris/zfs can't really light-up the failure lights on Sun's own hardware?

-- Pasi
Re: [CentOS] Centos kernel problem
Hanmo wrote:

My system is Centos 5.3. and I want to study the kernel, for example, write myself kernel module. So I download the kernel source *.2.6.18.tar.bz2 and compile it in my system. make bzImage make make modules make modules_install make install. When reboot, I find I can not mount the ntfs disk to the system and some other software have the problems. Before compile the kernel source, I have installed the kernel-module-ntfs-* , and when compile the *.tar.bz2 kernel source, I added sata support with module style. I want to know if anything I do not do ? when modify the kernel, how to update all the software? If I install the *.src.rpm kernel, is it difficult to start kernel with it? For example, if write myself module, it needs to make rpm then can debug it?

Take a look at this wiki article: http://wiki.centos.org/HowTos/BuildingKernelModules
Re: [CentOS] Centos kernel problem
Hanmo wrote:

My system is Centos 5.3. and I want to study the kernel, for example, write myself kernel module. So I download the kernel source *.2.6.18.tar.bz2 and compile it in my system. make bzImage make make modules make modules_install make install. When reboot, I find I can not mount the ntfs disk to the system and some other software have the problems. Before compile the kernel source, I have installed the kernel-module-ntfs-* , and when compile the *.tar.bz2 kernel source, I added sata support with module style. I want to know if anything I do not do ? when modify the kernel, how to update all the software? If I install the *.src.rpm kernel, is it difficult to start kernel with it? For example, if write myself module, it needs to make rpm then can debug it?

Also this article: http://wiki.centos.org/HowTos/Custom_Kernel
Re: [CentOS] p800 and HP
On 22.08.2009 at 12:37, Pasi Kärkkäinen wrote:

Uhm.. Solaris/zfs can't really light-up the failure lights on Sun's own hardware?

Of course it can - on SUN's own hardware. But you can run Solaris on almost any hardware - and that turns into a problem sometimes. Like in this case... ZFS has nothing to do with lighting up lights on disks. The OS must know which SCSI-commands to send to do that. With our Promise JBOD, that's a lost case ;-)

Rainer
Re: [CentOS] httpd - mysql - paypal.com.tar - hacker
On 22.08.2009 at 10:26, Christoph Maser wrote:

On Friday, 21.08.2009 at 23:29 +0200, Rainer Duffner wrote:

Because there's no alternative.

mysql gui-tools (http://dev.mysql.com/downloads/gui-tools/5.0.html)
openoffice base

Fat client - FAIL ;-)

*Some* of our customers do use fat-clients for access to mysql. But there's no way we can force all of them to use some fat-client. Some probably don't have the right to install stuff on the computer they use to access phpmyadmin now, you know. We *have* to provide a web-client.

Rainer
[CentOS] fasttest mirror -doesnt seem to pick sites near my region
guys, i have the yum plugin - fastest mirror . But not even once i have seen it selecting repos which are near my region such as japan or australia ( where i get the best speeds). Something is wrong. It seems stuck with these 3 sites ; Determining fastest mirrors * ftp-stud.fht-esslingen.de : 0.309373 secs * apt.sw.be : 0.483867 secs * fr2.rpmfind.net : 0.503842 secs ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
i have tried yum clean all , yum clean metadata - Original Message From: Linux Advocate linuxhous...@yahoo.com To: CentOS mailing list centos@centos.org Sent: Saturday, August 22, 2009 8:56:37 PM Subject: [CentOS] fasttest mirror -doesnt seem to pick sites near my region guys, i have the yum plugin - fastest mirror . But not even once i have seen it selecting repos which are near my region such as japan or australia ( where i get the best speeds). Something is wrong. It seems stuck with these 3 sites ; Determining fastest mirrors * ftp-stud.fht-esslingen.de : 0.309373 secs * apt.sw.be : 0.483867 secs * fr2.rpmfind.net : 0.503842 secs ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
On 22/08/2009, at 10:37 PM, Linux Advocate wrote:

I have tried yum clean all , yum clean metadata

- Original Message From: Linux Advocate linuxhous...@yahoo.com To: CentOS mailing list centos@centos.org Sent: Saturday, August 22, 2009 8:56:37 PM Subject: [CentOS] fasttest mirror -doesnt seem to pick sites near my region

guys, I have the yum plugin - fastest mirror . But not even once have I seen it selecting repos which are near my region such as japan or australia ( where I get the best speeds). Something is wrong. It seems stuck with these 3 sites ;

Determining fastest mirrors
* ftp-stud.fht-esslingen.de : 0.309373 secs
* apt.sw.be : 0.483867 secs
* fr2.rpmfind.net : 0.503842 secs

Hi Linux Advocate,

I have found this a problem for the Australian servers I manage as well. I suggest you manually test the speed of some local mirrors then manually specify a mirror rather than relying on the fastest mirror plugin. If your ISP mirrors content locally then that'd be the logical mirror to use.

Good luck, Oliver
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
Hi Linux Advocate, I have found this a problem for the Australian servers I manage as well. I suggest you manually test the speed of some local mirrors then manually specify a mirror rather than relying on the fastest mirror plugin. If your ISP mirrors content locally then that'd be the logical mirror to use. my repos are configured to use mirrorlist. how do i add mirrors manually? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CENTOS 4.8 available time????
Thanks a lot. Which site have DVD version?

--- On Fri, 09/8/21, Johnny Hughes joh...@centos.org wrote:

From: Johnny Hughes joh...@centos.org
Subject: Re: [CentOS] CENTOS 4.8 available time
To: CentOS mailing list centos@centos.org
Date: Friday, August 21, 2009, 6:59 PM

James Pearson wrote:

Karanbir Singh wrote:

On 08/20/2009 01:22 PM, James Pearson wrote:

Is it possible to get an update on the status of 4.8?

its going out to the mirrors right now, Depending on how long they take to stabilise, we should see release in the next 24 - 48 hrs.

Thanks James Pearson

CentOS-4.8 is now released: http://lists.centos.org/pipermail/centos-announce/2009-August/016106.html
Re: [CentOS] CENTOS 4.8 available time????
This website, http://ftp.tcc.edu.tw/Linux/CentOS/4.8/isos/i386/ has the dvd version.

On Sat, 2009-08-22 at 21:48 +0800, mcclnx mcc wrote:

Thanks a lot. Which site have DVD version?

--- On Fri, 09/8/21, Johnny Hughes joh...@centos.org wrote:

From: Johnny Hughes joh...@centos.org
Subject: Re: [CentOS] CENTOS 4.8 available time
To: CentOS mailing list centos@centos.org
Date: Friday, August 21, 2009, 6:59 PM

James Pearson wrote:

Karanbir Singh wrote:

On 08/20/2009 01:22 PM, James Pearson wrote:

Is it possible to get an update on the status of 4.8?

its going out to the mirrors right now, Depending on how long they take to stabilise, we should see release in the next 24 - 48 hrs.

Thanks James Pearson

CentOS-4.8 is now released: http://lists.centos.org/pipermail/centos-announce/2009-August/016106.html
Re: [CentOS] How to tell if I've been hacked?
On Fri, Aug 21, 2009, Dave wrote:

On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrl...@gmail.com wrote:

... stuff deleted

On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell cen...@celestial.com wrote:

To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide,

And very carefully. Only that won't help you with memory-only attacks, or bios stuff, etc. These tools concentrate on verifying that your disk files have not been altered. I don't think they would help with an attack that uses free space (guessing here). Also, they are a pain, unless your system stays absolutely static, which in effect means, if you never use it. Have them ignore your data space, and the hacker can exploit that. And even then, linux is constantly updating various files in the background, and of course you need to update software to keep up with the security patches. You need to track every change of every file. I doubt many people have the patience.

One of the problems I've found with tripwire in particular and aide to a lesser extent is that they (a) tend to be very verbose even when nothing has changed, and (b) updating their database is fairly complex.

I have developed a system that we use here and at our client sites that uses the tripwire formatted configuration files, but maintains its own database, and produces minimal reports of changes (none if nothing has changed). Updating its database after changes have been checked and verified is a simple file ``mv'' command.

I review daily reports from over 50 systems every morning, checking changes found, usually taking no more than 10 minutes a day. The key is to keep the reports simple, and to make updating easy (and to have procedures that monitor systems to be sure they're still alive and reporting in).

We also remove prelink from our kickstart installs on CentOS systems because I think that the benefits of prelinking are marginal compared with the problems it creates tracking system changes. The changes prelink makes on a system can be removed by turning it off in the appropriate /etc/sysconfig file and waiting a day for the daily maintenance to restore things to their original condition.

[snip]

It's also a good idea to check for executables in places they normally shouldn't be, /tmp, /dev/shm on SuSE systems, /var/tmp, and similar directories where crackers like to hide their work. Often these executables will be in directories with names like ``.. '' (note the trailing space) that look legitimate.

I like this, because it might actually be automated. Of course, you're trusting stat or whatever.

Actually I'm trusting the python os.path.walk and ``file'' command to check for executables.

[snip]

You cannot trust tools like ``ps'', ``find'', ``netstat'', and ``lsof'' as these are frequently replaced by ones that are modified to hide the cracker's work.

Naturally we are running aide and tripwire from a CD or other read-only medium, why not toss in a copy of these tools as well? Of course, if the kernel has been hacked, even that won't save us, but we have to take what we can get.

We create a file system initially, the same size as ``/'', and make a copy of ``/'' in it identical except for the /etc/fstab entry. This is not mounted in normal operations, but the system can be booted from it to get to a clean system. Of course this must be updated using rsync after significant changes in the root file system.

The key to all of this is to plan for security and intrusion detection at the outset.

...

Bill
--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forego their use. -- Galileo Galilei
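
An added example, not code from the thread or from Bill's system: a sketch of the check described above, walking the temporary directories for executables and for directory names such as ``.. ''. It uses `os.walk` (`os.path.walk` was removed in Python 3) and reads the first bytes of each file instead of calling the ``file'' command; the function names and the report format are assumptions.

```python
import os
import stat

# Directories named in the post as places executables should not normally be.
TEMP_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")


def suspicious_name(name):
    """True for names such as '.. ' or '...' that pass for '.'/'..' in a listing."""
    return name != name.strip() or name.strip(". \t") == ""


def executable_reason(path):
    """Return why a regular file counts as executable, or None if it does not."""
    try:
        st = os.lstat(path)               # lstat: never follow a planted symlink
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):      # skip sockets, FIFOs, devices, links
        return None
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        head = b""                        # unreadable: fall back to mode bits
    if head == b"\x7fELF":
        return "ELF binary"
    if head[:2] == b"#!":
        return "script"
    if st.st_mode & 0o111:
        return "exec bit set"
    return None


def scan(roots=TEMP_ROOTS):
    """Return sorted (reason, path) findings under the given directories."""
    findings = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames:
                if suspicious_name(name):
                    findings.append(("odd-directory-name",
                                     os.path.join(dirpath, name)))
            for name in filenames:
                full = os.path.join(dirpath, name)
                reason = executable_reason(full)
                if reason:
                    findings.append((reason, full))
    return sorted(findings)


if __name__ == "__main__":
    for reason, path in scan():
        # repr() makes a trailing space in a name visible in the report
        print("%-20s %r" % (reason, path))
```

As the post says of the system tools, the output can only be trusted when the interpreter and the kernel underneath it are clean, so a scan like this belongs on the read-only medium alongside the integrity checker.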
[CentOS] how to get mail stats for a single email address, on an Exim mail server?
Hi, Can someone please tell me how to get the stats for a single email address, and all the addresses on a certain domain? -- Kind Regards Rudi Ahlers CEO, SoftDux Hosting Web: http://www.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] domainkeys, dkim, bind
Hello, I'm trying to implement domainkeys and dkim on my domain and then to get it set up with postfix. Currently I'm having difficulty with the first stage, adding the domainkey txt record to bind, is a special version of bind required to do this? The machine that handles dns is using bind 9.5.1-p3. Thanks. Dave.
[CentOS] Schnitzer, Ted is out of the office.
I will be out of the office starting 08/21/2009 and will not return until 09/02/2009. In my absence please contact Dave Lowenstein for UNIX/Linux technical issues. Please contact Kim Richardson for management issues. Thanks, Ted
Re: [CentOS] how to get mail stats for a single email address, on an Exim mail server?
Rudi Ahlers wrote: Hi, Can someone please tell me how to get the stats for a single email address, and all the addresses on a certain domain? grep . /var/log/maillog | wc -l .. etc etc.
Re: [CentOS] domainkeys, dkim, bind
On Sat, 2009-08-22 at 15:58 -0400, Dave wrote: Hello, I'm trying to implement domainkeys and dkim on my domain and then to get it set up with postfix. Currently I'm having difficulty with the first stage, adding the domainkey txt record to bind, is a special version of bind required to do this? The machine that handles dns is using bind 9.5.1-p3. Thanks. Dave. Dave, You need to make an entry in the appropriate zone file of your domain. Unless you have modified the standard setup your zone file should be here: /var/named/chroot/var/named/domain.zone Your zone file has to be referenced in: /var/named/chroot/etc/named.conf Put a line like this one at the bottom of your zone file: domain.com. IN TXT v=spf1 ip4:###.###.###.### a mx include:alternatedomane.net ~all Greg
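For the DomainKeys/DKIM record the question asks about, an added example (not from the thread) that builds the zone-file entry: it is an ordinary TXT record at selector._domainkey.domain, and because one TXT string holds at most 255 bytes, a longer key has to be written as several quoted strings. The selector "mail", the domain "example.com", the TTL and the key material are constructed placeholders.

```python
import base64

def txt_chunks(value, limit=255):
    """Split a TXT value into character-strings of at most `limit` bytes each."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def dkim_record(selector, domain, public_key_b64, ttl=3600):
    """Zone-file text for <selector>._domainkey.<domain> as a multi-string TXT record."""
    # Remove line breaks that key-generation tools put into the base64 text.
    value = "v=DKIM1; k=rsa; p=" + "".join(public_key_b64.split())
    strings = "\n".join(f'        "{c}"' for c in txt_chunks(value))
    owner = f"{selector}._domainkey.{domain.rstrip('.')}."
    return f"{owner} {ttl} IN TXT (\n{strings} )\n"

def txt_value(record_text):
    """What a verifier sees: the quoted strings joined with nothing in between."""
    return "".join(record_text.split('"')[1::2])

# Constructed stand-in with the length of a 2048-bit RSA public key; not a usable key.
SAMPLE_P = base64.b64encode(bytes(range(256)) + bytes(38)).decode()

if __name__ == "__main__":
    print(dkim_record("mail", "example.com", SAMPLE_P))
```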
[CentOS] transfer file for window
Hi What is the best way to transfer file for window via internet Is samba doing it? thank you
Re: [CentOS] transfer file for window
ann kok wrote: Hi What is the best way to transfer file for window via internet Is samba doing it? samba/smb/cifs performs very poorly over WAN links like the internet, further, it's not considered very secure. I use SCP for all my windows - unix file transfers. WinSCP makes a nice client for Windows, and the SCP server is built into any Unix/Linux system that you can ssh to.
Re: [CentOS] anaconda and x86_64
On 08/21/2009 05:57 PM, lheck...@users.sourceforge.net wrote: I'm trying to build a bugfixed anaconda package for 5.3 x84_64, What bugs are you trying to fix here ? -- Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] How to tell if I've been hacked?
On 08/19/2009 02:53 AM, Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? there have been some really good ideas that came through this conversation, would someone like to take ownership of a wiki page that puts all this together, into the Security section perhaps ? -- Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
John R Pierce wrote: fwiw, it appears linux advocate is sending his email from a Malaysia IP per the email headers... $ whois 60.50.xxx.yyy [Querying whois.apnic.net] [whois.apnic.net] % [whois.apnic.net node-2] % Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html inetnum: 60.48.0.0 - 60.54.255.255 netname: XDSLSTREAMYX descr:Telekom Malaysia Berhad descr:Network Strategy descr:Wisma Telekom descr:Jalan Pantai Baru descr:50672 Kuala Lumpur country: MY For the record on this one, it seems that our version of the geoip database does not do a proper lookup for IP addresses in the 60.50.50.50 (as an example IP of that range). What I get is unknown (with our current version). When unknown, it passes a list of high bandwidth machines. I will get and build a newer version of the GeoIP database and see if I can get a better result. Thanks, Johnny Hughes
Re: [CentOS] How to tell if I've been hacked?
On Sat, Aug 22, 2009, Dave wrote: On Sat, Aug 22, 2009 at 6:49 AM, Bill Campbellcen...@celestial.com wrote: I review daily reports from over 50 systems every morning, checking changes found, usually taking no more than 10 minutes a day. The key is to keep the reports simple, and to make updating easy (and to have procedures that monitor systems to be sure they're still alive and reporting in).
So how do you track the inevitable changes? Not saying you can't, just curious. For me, when I look at a batch of changes, some of them are obviously stuff I've done, other stuff not so obvious. I also filter reports through a script that sort of does a diff and makes an attempt to limit the boilerplate. Sometimes it is a bit too terse.
First off, we don't allow automatic updates on most systems, much preferring to do them manually making it pretty easy to refresh the comparison database immediately after the update is complete. The odds that a cracker will get in and do their dirty deeds while this is going on are pretty low, and can probably be ignored. We handle pretty much all server stuff under the OpenPKG portable package management system so things like spamassassin, amavisd, clamav, and postfix are not the distribution versions, but those from OpenPKG (which are generally updated more quickly than the distribution's). A typical occurrence will be that we get an e-mail saying that clamav is out of date from the nightly freshclam update, I will pick up the new sources, update the OpenPKG SRPM for it, and deploy it to 40 or so systems running it, and expect to see a corresponding set of notices the next morning that files under clamav have changed. The clusterssh program makes this sort of thing much more efficient as one can execute shell commands on multiple systems simultaneously.
We create a file system initially, the same size as ``/'', and make a copy of ``/'' in it identical except for the /etc/fstab entry. This is not mounted in normal operations, but the system can be booted from it to get to a clean system.
Wow, elaborate. How do you protect this file system from intruders? External and powered off?
That's one way to do it. We also run a fair number of Linux servers under VMware so periodic snapshots and backups simplify the task. I have not seen many successful cracks of Linux boxes that we have configured from scratch. Some basic things can be done to minimize the chances of cracks.
+ Create the baseline for intrusion detection tools before putting the system on line, and monitor it daily.
+ Configure openssh to refuse password authentication requiring authorized_keys access.
+ Configure openssh with tcp_wrappers support, restricting access by IP address and/or domain names. I consider this absolutely mandatory if one needs to allow username and password authentication.
+ Use fail2ban or similar techniques to quickly block IP addresses that are found probing the system (don't forget to look at POP and IMAP logs for failed login attempts).
+ Use /bin/false as the standard shell for accounts that don't have good reason for shell access. This does not affect e-mail or most services that a typical ISP customer needs.
+ Use OpenVPN for access. This works well even when in hotels with NAT firewalls, and is not easily hacked anonymously.
+ Restrict access of webmin and usermin to local networks so they are not vulnerable to outside attack. These services are available to people outside connecting with OpenVPN.
+ Restrict webmail, pop, and imap access to secure connections using https, tls, ssl.
We have never been able to get the average ISP customer to use good passwords, but every little bit helps.
Bill -- INTERNET: b...@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax:(206) 232-9186 Skype: jwccsllc (206) 855-5792 bad economics will sink any economy no matter how much they believe this time things are different. They aren't. -- Arthur Laffer
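Two items from the list above, password authentication refused in openssh and /bin/false for accounts that need no shell, checked against copies of sshd_config and /etc/passwd. This is an added example, not code from the thread; treating /sbin/nologin like /bin/false and allowing only root a shell are assumptions, and both sample files are constructed.

```python
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def sshd_effective(config_text):
    """Global sshd_config settings; the first value given for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break                      # settings below a Match line are conditional
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().strip('"').lower())
    return seen

def password_auth_disabled(config_text):
    """True only for an explicit 'PasswordAuthentication no'; the default is yes."""
    return sshd_effective(config_text).get("passwordauthentication", "yes") == "no"

def shell_accounts(passwd_text, allowed=("root",)):
    """(name, shell) for accounts outside `allowed` that can still get a login shell."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, shell = fields[0], fields[6] or "/bin/sh"   # empty field means /bin/sh
        if name not in allowed and shell not in NOLOGIN_SHELLS:
            found.append((name, shell))
    return found

# Constructed sample files (not taken from any real system).
SAMPLE_SSHD = """# sshd_config
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mailonly:x:501:501:POP user:/home/mailonly:/bin/false
webdev:x:502:502:Web developer:/home/webdev:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

if __name__ == "__main__":
    print("password auth disabled:", password_auth_disabled(SAMPLE_SSHD))
    for name, shell in shell_accounts(SAMPLE_PASSWD):
        print("login shell:", name, shell)
```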
Re: [CentOS] How to tell if I've been hacked?
On Sat, Aug 22, 2009 at 10:49 AM, Bill Campbell cen...@celestial.com wrote: On Fri, Aug 21, 2009, Dave wrote: On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlichsrehrl...@gmail.com wrote: ... stuff deleted On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbellcen...@celestial.com wrote: To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide, One of the problems I've found with tripwire in particular and aide to a lesser extent is that they (a) tend to be very verbose even when nothing has changed, and (b) updating their database is fairly complex. I have developed a system that we use here and at our client sites that uses the tripwire formatted configuration files, but maintains its own database, and produces minimal reports of changes (none if nothing has changed). Updating its database after changes have been checked and verified is a simple file ``mv'' command. Another open source tool you might want to consider. http://ftimes.sourceforge.net/FTimes/index.shtml -- Drew Einhorn
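A small checker with the workflow the quoted message describes: its own database, a report that is empty when nothing changed, and acceptance of reviewed changes by a single rename. This is an added example and not the system mentioned in the thread; the JSON database format, the ".new" suffix and the function names are assumptions, and the database should live outside the tree being checked, ideally on read-only media.

```python
import hashlib
import json
import os
import stat

def file_record(path, st):
    """Mode, owner, group, size and SHA-256 of one regular file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return [oct(st.st_mode & 0o7777), st.st_uid, st.st_gid, st.st_size, digest.hexdigest()]

def snapshot(root):
    """Map every regular file under root to its record (symlinks are skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                snap[path] = file_record(path, st)
    return snap

def report(old, new):
    """One line per difference; an empty list when nothing has changed."""
    lines = [f"REMOVED {p}" for p in sorted(old.keys() - new.keys())]
    lines += [f"ADDED   {p}" for p in sorted(new.keys() - old.keys())]
    lines += [f"CHANGED {p}" for p in sorted(old.keys() & new.keys()) if old[p] != new[p]]
    return lines

def check(root, db_path):
    """Scan root, save the result as db_path + '.new', report against db_path."""
    new = snapshot(root)
    with open(db_path + ".new", "w") as fh:
        json.dump(new, fh, sort_keys=True)
    try:
        with open(db_path) as fh:
            old = json.load(fh)
    except FileNotFoundError:
        old = {}                      # first run: everything is reported as ADDED
    return report(old, new)

def accept(db_path):
    """After the report has been reviewed: the equivalent of `mv db.new db`."""
    os.replace(db_path + ".new", db_path)
```

A change keeps appearing in every report until accept() is called, so an unreviewed modification cannot silently become part of the baseline.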
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
Johnny Hughes wrote: What I get is unknown (with our current version). When unknown, it passes a list of high bandwidth machines. I will get and build a newer version of the GeoIP database and see if I can get a better result. I reported a problem like this much earlier. I am in Hong Kong. Mirror selects .TW sites for me. BUT, although .TW is close the actual data transfer between there and here is very slow. I learned almost 20 years ago not to do transfers from there. I excluded all .TW sites in the .CONF file. This wasn't working so good. I noticed that almost all of the sites listed were .EDU.TW so I changed my exclusion to just the .EDU.TW sites. I now live with this exclusion. Mel
Re: [CentOS] fasttest mirror -doesnt seem to pick sites near my region
tech wrote: Johnny Hughes wrote: What I get is unknown (with our current version). When unknown, it passes a list of high bandwidth machines. I will get and build a newer version of the GeoIP database and see if I can get a better result. I reported a problem like this much earlier. I am in Hong Kong. Mirror selects .TW sites for me. BUT, although .TW is close the actual data transfer between there and here is very slow. I learned almost 20 years ago not to do transfers from there. I excluded all .TW sites in the .CONF file. This wasn't working so good. I noticed that almost all of the sites listed were .EDU.TW so I changed my exclusion to just the .EDU.TW sites. I now live with this exclusion. OK, the original problem is fixed in that we now have a better database. WRT what is considered fast for a given country, I will publish what we currently use, and have the community tell us if it is working or not. I will do this on another thread. One thing to consider is countries where we actually have mirrors as well. It will all be in the new thread. Thanks, Johnny Hughes