Re: [CentOS-es] [Off-Topic] Realtek WiFi driver hangs my laptop!

2014-03-21 Thread angel jauregui
@Luis, that's not possible, because the module version on the Realtek site
is not for the most recent kernel version in Ubuntu. I even tried it, and
the errors it throws are simply about the recent kernel version... I would
have to wait for them to release a newer version :(

@Francés José, because the kernel update did not keep the GRUB entry for
booting the previous kernel, and checking my system, it also deleted the
old kernel :(

I think I will have to install the kernel previous to the current one from
the repo...

Regards

On Monday, 17 March 2014, Luis Muñoz Urrutia luis_2...@hotmail.com
wrote:

 (sorry for top-posting, but I have to leave, so I'm giving a quick reply)

 I think that in this case the option would be to reinstall the rtl module,
 using the Linux driver for your Realtek card; for this you can search for
 something like:

 Realtek 8188ce wireless card driver Linux.

 Regards

 Sent from Windows Mail

 From: Francesc Guitart
 Sent: Monday, 17 March 2014 12:20
 To: centos-es@centos.org

 On 17/03/2014 16:11, angel jauregui wrote:
  Good day.

  I have marked this as *Off-Topic* because it is not about CentOS, so I
  greatly appreciate anyone who offers their support :D.

  I have Ubuntu on my laptop, and about a week ago the kernel update came
  out in the repos. I applied it at the time and was surprised to find that
  apparently the *driver* for my Realtek 8188CE WiFi comes damaged in the
  modules, or I don't know whether some other module is the damaged one;
  the point is that simply when the *rtl8192ce* module loads, and it in
  turn loads several more modules, my machine hangs.

  The hang is not just the screen freezing; it kicks me out of X (the
  windowing environment) and shows me the errors (Kernel Panic! type) on
  screen. And I can no longer scroll or do anything; all that is left is to
  power off the machine by holding down the Power button!

  Checking the syslog log, I leave you the error buffer:
  http://pastebin.com/WziFpidD

  *For now* I had to enter Ubuntu with a jail (chroot from a bootable
  GNU/Linux), edit *modules.d/blacklist.conf* and add all the rtl* modules,
  so that I could boot my machine and work on it, because otherwise, while
  it was booting and trying to load the WiFi module, it hung immediately!

  Right now I have the rtl* modules in the blacklist so that I can boot,
  and I am working over the LAN :'(

  *Any recommendation, opinion, or which forum should I post this
  message/bug in?*

 To report bugs in Ubuntu:

 https://help.ubuntu.com/community/ReportingBugs

 I have no idea how to solve your problem, but instead of
 blacklisting all the rtl modules, have you tried booting with the
 old kernel? If it worked, you would have the computer operational with WiFi
 again.

  Regards!

 --
 Francesc Guitart
 ___
 CentOS-es mailing list
 CentOS-es@centos.org
 http://lists.centos.org/mailman/listinfo/centos-es



-- 
M.S.I. Angel Haniel Cantu Jauregui.

Mobile: (011-52-1)-899-871-17-22
E-Mail: angel.ca...@sie-group.net
Web: http://www.sie-group.net/
Cd. Reynosa Tamaulipas.


Re: [CentOS-es] [Off-Topic] Realtek WiFi driver hangs my laptop!

2014-03-21 Thread Francesc Guitart
On 21/03/2014 17:28, angel jauregui wrote:
 @Luis, that's not possible, because the module version on the Realtek site
 is not for the most recent kernel version in Ubuntu. I even tried it, and
 the errors it throws are simply about the recent kernel version... I would
 have to wait for them to release a newer version :(

 @Francés José, because the kernel update did not keep the GRUB entry for
 booting the previous kernel, and checking my system, it also deleted the
 old kernel :(

How strange, I always have to uninstall the old kernels by hand.

 I think I will have to install the kernel previous to the current one from
 the repo...

 Regards

 On Monday, 17 March 2014, Luis Muñoz Urrutia luis_2...@hotmail.com
 wrote:

 (sorry for top-posting, but I have to leave, so I'm giving a quick reply)

 I think that in this case the option would be to reinstall the rtl module,
 using the Linux driver for your Realtek card; for this you can search for
 something like:

 Realtek 8188ce wireless card driver Linux.

 Regards

 Sent from Windows Mail

 From: Francesc Guitart
 Sent: Monday, 17 March 2014 12:20
 To: centos-es@centos.org

 On 17/03/2014 16:11, angel jauregui wrote:
 Good day.

 I have marked this as *Off-Topic* because it is not about CentOS, so I
 greatly appreciate anyone who offers their support :D.

 I have Ubuntu on my laptop, and about a week ago the kernel update came
 out in the repos. I applied it at the time and was surprised to find that
 apparently the *driver* for my Realtek 8188CE WiFi comes damaged in the
 modules, or I don't know whether some other module is the damaged one;
 the point is that simply when the *rtl8192ce* module loads, and it in
 turn loads several more modules, my machine hangs.

 The hang is not just the screen freezing; it kicks me out of X (the
 windowing environment) and shows me the errors (Kernel Panic! type) on
 screen. And I can no longer scroll or do anything; all that is left is to
 power off the machine by holding down the Power button!

 Checking the syslog log, I leave you the error buffer:
 http://pastebin.com/WziFpidD

 *For now* I had to enter Ubuntu with a jail (chroot from a bootable
 GNU/Linux), edit *modules.d/blacklist.conf* and add all the rtl* modules,
 so that I could boot my machine and work on it, because otherwise, while
 it was booting and trying to load the WiFi module, it hung immediately!

 Right now I have the rtl* modules in the blacklist so that I can boot,
 and I am working over the LAN :'(

 *Any recommendation, opinion, or which forum should I post this
 message/bug in?*

 To report bugs in Ubuntu:

 https://help.ubuntu.com/community/ReportingBugs

 I have no idea how to solve your problem, but instead of
 blacklisting all the rtl modules, have you tried booting with the
 old kernel? If it worked, you would have the computer operational with WiFi
 again.

 Regards!

 --
 Francesc Guitart

-- 
Francesc Guitart


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Sorin Srbu
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Matthew Miller
 Sent: 20 March 2014 20:49
 To: centos@centos.org
 Subject: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny)
 anymore?

 Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
 would you care strongly if it went away (or would you just migrate to 
 something
 else)?

I do use them both, together with some iptables-rules.

As for caring if they disappear, well, maybe not too much, as most everything 
can be set in iptables as well.
It will take an effort to redo our standard iptables rule list though, in 
order to cover up for the missing hosts.deny and hosts.allow files.
--
//Sorin
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Tar Compression issue

2014-03-21 Thread Andrew Holway
Dear Bonnie,

You're not getting an answer because the emails you are sending look
like spam to most email filters.

Thanks,

Andrew





On 18 March 2014 09:22, Bonnie B Mtengwa bmten...@potraz.gov.zw wrote:
 I have a file Server CentOS 5.10, it's on the internet, so I compress all csv
 into one file using (tar -czvf compressed_files.tar.gz  *.csv)  on this
 server so that I can download them as one compressed file to save bandwidth,
 Disk space on this server available is 50Gig, so when I copy the files onto
 Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) It decompresses
 maybe 80% then get error:



 gzip: stdin: unexpected end of file

 tar: Unexpected EOF in archive

 tar: Unexpected EOF in archive

 tar: Error is not recoverable: exiting now



 what might be the issue here?



 Bonnie B Mtengwa

 Email: bonnie.mten...@potraz.gov.zw | bonni...@gmail.com
 Web: http://www.potraz.gov.zw/





Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Phelps, Matt
On Thu, Mar 20, 2014 at 3:48 PM, Matthew Miller mat...@mattdm.org wrote:

 Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
 you care strongly if it went away (or would you just migrate to something
 else)?

 I bring this up because we are discussing dropping it from Fedora. This
 would be far enough in the future that it wouldn't impact RHEL 7, and
 therefore won't affect anyone here for Quite Some Time*, but here in the
 new
 world order of CentOS, I thought it might be useful to check with some
 actual downstream users.

 What do you think? Do you rely on hosts.allow/hosts.deny a primary security
 mechanism? As defense-in-depth? Do you have policies which mandate it?

 Your feedback appreciated. Thanks!


 * and the standard caveats that Fedora doesn't necessarily determine the
 path for RHEL apply, of course.


 --
 Matthew Miller   mat...@mattdm.org  http://mattdm.org/



We still use tcpwrappers extensively behind our firewalls to control many
things. We still have a mixed CentOS 5/6 and older Solaris environment, so
it would be big hassle to switch to something else.

Of course, if it left Fedora today, it would still be in CentOS for years
to come, and even then we could probably build our own pretty easily, but
we'd rather not have to!


-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James B. Byrne

On Thu, March 20, 2014 17:34, Always Learning wrote:


 Nothing remains static. Software evolves into usually superior products.
 Sentimentally longing for the past hampers the introduction of new and
 better replacements.

Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte  Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James B. Byrne

On Thu, March 20, 2014 18:52, Les Mikesell wrote:

 xml isn't intended for humans - it is supposed to be parsed and
 verified by machines.  The bigger question is why the machines aren't
 managing the config files themselves yet?

Possibly because the machines are running programs written by humans that need
to understand what they think they have told the machine to do in order to
determine why it is not doing what they want it to?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte  Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John R. Dennison
On Fri, Mar 21, 2014 at 08:33:19AM -0400, James B. Byrne wrote:
 
 On Thu, March 20, 2014 17:34, Always Learning wrote:
 
 
  Nothing remains static. Software evolves into usually superior products.
  Sentimentally longing for the past hampers the introduction of new and
  better replacements.
 
 Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

This whole conversation is meaningless.  Our opinions on what Fedora
does or doesn't do or what Puttering does or doesn't wreck next are
irrelevant.






John
-- 
Most people hate the idea of evolution because they realize that if it were
working properly, they'd be dead.

-- Anonymous




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Larry Martell
On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote:

 On Thu, March 20, 2014 17:34, Always Learning wrote:


 Nothing remains static. Software evolves into usually superior products.
 Sentimentally longing for the past hampers the introduction of new and
 better replacements.

 Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

I wouldn't know. I don't use it. I've been programming professionally
since 1975 and I've managed to never use Windows.


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 7:37 AM, James B. Byrne byrn...@harte-lyne.ca wrote:

 On Thu, March 20, 2014 18:52, Les Mikesell wrote:

 xml isn't intended for humans - it is supposed to be parsed and
 verified by machines.  The bigger question is why the machines aren't
 managing the config files themselves yet?

 Possibly because the machines are running programs written by humans that need
 to understand what they think they have told the machine to do in order to
 determine why it is not doing what they want it to?

Yes, but that reason is generally that someone changed the language
syntax underneath it instead of settling on simple working APIs.
What has actually stayed stable and backwards compatible over the
years other than bourne shell syntax and perl (almost)?   Everything
else has made you repeat your work every few years instead of letting
you build on it and advance.

-- 
  Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Tar Compression issue

2014-03-21 Thread Fred Smith
On Fri, Mar 21, 2014 at 10:55:33AM +, Andrew Holway wrote:
 Dear Bonnie,
 
 Your not getting an answer because the emails you are sending look
 like spam to most email filters.
 
 Thanks,
 
 Andrew
 
 
 
 
 
 On 18 March 2014 09:22, Bonnie B Mtengwa bmten...@potraz.gov.zw wrote:
  I have a file Server CentOS 5.10, its on the internet, so I compress all csv
  into one file using (tar -czvf compressed_files.tar.gz  *.csv)  on this
  server so that I can download them as one compressed file to save bandwidth,
  Disk space on this server available is 50Gig, so when I copy the files onto
  Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) It decompresses
  maybe 80% then get error:
 
 
 
  gzip: stdin: unexpected end of file
 
  tar: Unexpected EOF in archive
 
  tar: Unexpected EOF in archive
 
  tar: Error is not recoverable: exiting now
 
 
 
  what might be the issue here?

Wild guess:
Is the file, by any chance, somewhat over 4 gigs? 
I've had a problem, years past, when a particular compression tool
blew up on files over 4 gigs, because it requires an integer
larger than a 32-bit int to hold the file offsets. I wouldn't
really expect that to be a problem on Centos 5.x, even on a
32-bit system, but one does wonder

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
  For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
 all ages, now and forevermore! Amen.
- Jude 1:24,25 (niv) -


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread m . roth
Larry Martell wrote:
 On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca
 wrote:

 On Thu, March 20, 2014 17:34, Always Learning wrote:

 Nothing remains static. Software evolves into usually superior
 products. Sentimentally longing for the past hampers the introduction
of new and
 better replacements.

 Yes. For example look how MicroSoft has improved Windows since
 XPsp3.;-^)

 I wouldn't know. I don't use it. I've been programming professionally
 since 1975 and I've managed to never use Windows.

1980. and I've had to. But I worked long and hard to get into *Nix, and
with one 1.25 year excursion otherwise, have managed to stay here.

So I *do* object to my toolset being cut down or mangled when it's
unnecessary. tcp.wrappers, no big deal. Non-plain  text configuration
files, or crap that invokes crap that invokes crap to do what was formerly
done by one program that read one simple configuration file, not so
much

  mark




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 04:13 PM, Matthew Miller wrote:
 On Thu, Mar 20, 2014 at 04:00:49PM -0400, John Jasen wrote:
 Various government entities may use it extensively. I don't recall if
 tcp_wrappers is in the USGCB baselines for RHEL, but I do believe its in
 several CIS benchmarks.
 
 Good question. I checked with both that and the DoD National Checklist
 Program, and neither mention it. Also, unless I missed something else, the
 USGCB covers RHEL 5, so there won't be any impact there.
 
 Are the CIS benchmarks something you could point me to?
 

https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf

Also note, agencies or groups required to implement CIS or better who
maintain a mixed environment may also use tcp_wrappers on all their
platforms, as from a cursory glance, every UNIX benchmark lists it.

I would recommend against dropping tcp wrappers.


-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 06:23 PM, Les Mikesell wrote:

 Not sure there's a one-to-one mapping or even a conceptual overlap in
 what tcpwrappers and iptables do.   Applications can be configured to
 use different ports than someone setting up iptables might expect -
 and how would you handle portmapper?
 

As another case, read some of the extended use cases for vsftpd. They
require tcpd to pass an environmental variable telling vsftpd which
configuration file to use.


-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Matthew Miller
On Fri, Mar 21, 2014 at 09:29:01AM -0400, John Jasen wrote:
 https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf
 Also note, agencies or groups required to implement CIS or better who
 maintain a mixed environment may also use tcp_wrappers on all their
 platforms, as from a cursory glance, ever UNIX benchmark lists it.
 I would recommend against dropping tcp wrappers.

Thanks, that is helpful. Cross-platform compatibility is a strong argument.
I think this points towards the updated libwrap2 idea, although that
does require someone who actually wants to do it.


-- 
Matthew Miller   mat...@mattdm.org  http://mattdm.org/


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Thu, Mar 20, 2014 at 11:13 PM, Keith Keller 
kkel...@wombat.san-francisco.ca.us wrote:

 The technical problem is that there's no maintainer.  Are you
 volunteering (and capable)?


Then, for crying out loud... :) this discussion should have been started
with a different subject line:
Looking for a new tcp wrappers maintainer.

That is much more constructive than calling the bulldozer early.

FC

-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Leon Fauster
Am 20.03.2014 um 22:22 schrieb Matthew Miller mat...@mattdm.org:
 On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote:
 Please don't remove it. Why  this sudden idea in software circles that
 stuff that works properly needs to be removed for no reason whatsoever
 other than it's old and we think nobody uses it. How do you know?.
 
 Well, that's why I'm asking.
 
 IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.
 
 Yes, I have heard of that.
 
 But, are you actually using it? Do you need to?


we do and we also compile tcp wrappers support 
into service if the distro hasn't done it (e.g. mysql).
it's just used in a multiple layer protection / security model.


 There are real downsides to carrying unmaintained code forward.
 
 Someone put forth the possibility of developing and maintaining a
 maintaining a modern library implementing the same config files but with a
 an updated codebase and better API, but no one has actually volunteered to
 do that work. If you'd like to be that person, awesome.
 
 Fail2ban is one piece of software which interfaces with tcp wrappers.
 v0.9.0 just out
 http://www.fail2ban.org/wiki/index.php/Main_Page
 
 Yes, and know for sure people use that -- I do, for example. But I use it to
 manipulate IP tables, which is more secure and less fragile than the


why is iptables more secure? it's just on another level and the attack vector 
persists.
and by the way; you do not really want to run a firewall on the _same_ 
system, think about that. 


 hosts.deny action (it's always a bit scary when configuration files are
 edited by a program!). Because it is actively maintained upstream, there's
 even support for new things like firewalld.



well i would say it's more scary when humans are editing configuration files :-)


one thing that i like on tcp_wrappers is the use of domain names. 
Even possible with iptables but not a good idea as with tcp_wrappers.



--
LF


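The points raised in this thread about moving hosts.allow rules to iptables (daemon names versus ports, domain-name patterns) can be checked with a small translator that emits the rules it can map and lists the ones it cannot. This is an added example, not code from any poster or from tcp_wrappers; `ASSUMED_PORTS`, the function names and the sample rules are assumptions, and only IPv4 patterns are handled.

```python
import ipaddress
import re

# ASSUMPTION: default TCP ports. tcp_wrappers matches on the daemon name, so this
# table is only right while every service still listens on its default port.
ASSUMED_PORTS = {"sshd": 22, "vsftpd": 21}

# Wildcards that depend on name lookups and so have no packet-filter form.
NAME_WILDCARDS = {"LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}

# Constructed sample rules (not taken from the thread).
SAMPLE_HOSTS_ALLOW = """\
# daemon_list : client_list
sshd : 192.168.10. 10.1.2.0/255.255.255.0
vsftpd : .example.org gw.example.org
mountd : 192.168.10.
sshd : ALL EXCEPT 203.0.113.7
"""


def client_to_source(pattern):
    """Map one IPv4 client pattern to (iptables -s value or None, caveat or None)."""
    if pattern == "ALL":
        return "0.0.0.0/0", None
    if pattern in NAME_WILDCARDS:
        return None, f"{pattern} depends on name lookups; no iptables form"
    if re.fullmatch(r"(\d{1,3}\.){1,3}", pattern):      # "192.168." prefix form
        octets = pattern.rstrip(".").split(".")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return f"{base}/{8 * len(octets)}", None
    if pattern.startswith("."):                          # ".example.org" suffix form
        return None, "domain suffix is checked per connection; no iptables form"
    try:
        # Accepts a.b.c.d and the a.b.c.d/m.m.m.m net/mask form of hosts_access.
        return str(ipaddress.ip_network(pattern, strict=False)), None
    except ValueError:
        # Anything else is treated as a host name.
        return pattern, "host name is resolved once, when the rule is loaded"


def translate(text):
    """Return (rules, manual): iptables ACCEPT rules and items needing a human."""
    rules, manual = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Fields after the client list (shell commands, options) are ignored here.
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            manual.append((lineno, line, "not a 'daemon : client' rule"))
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if "EXCEPT" in daemons + clients:
            manual.append((lineno, line, "EXCEPT needs an ordered rule pair"))
            continue
        for daemon in daemons:
            port = ASSUMED_PORTS.get(daemon)
            if port is None:
                manual.append((lineno, daemon, "no fixed port known for this daemon"))
                continue
            for client in clients:
                source, caveat = client_to_source(client)
                if source is None:
                    manual.append((lineno, f"{daemon} : {client}", caveat))
                    continue
                rule = f"iptables -A INPUT -p tcp --dport {port} -s {source} -j ACCEPT"
                rules.append((rule, caveat))
    return rules, manual


if __name__ == "__main__":
    found, review = translate(SAMPLE_HOSTS_ALLOW)
    for rule, caveat in found:
        print(rule + (f"   # {caveat}" if caveat else ""))
    for lineno, item, reason in review:
        print(f"# line {lineno}: {item!r} left for review: {reason}")
```

The ACCEPT rules only restrict access when the chain policy or a later rule drops everything else, which is the role hosts.deny plays for tcp_wrappers.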


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 8:58 AM, Fernando Cassia fcas...@gmail.com wrote:

 The technical problem is that there's no maintainer.  Are you
 volunteering (and capable)?


 Then, for crying out loud... :) this discussion should have been started
 with a different subject line:
 Looking for a new tcp wrappers maintainer.

 That is much more constructive than calling the bulldozer early.

Even more to the point, why is this a fedora/RHEL or even linux
specific issue?   I'd expect it to matter to OpenBSD.  Do they maintain
their copy?

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Gilbert Sebenste
On Fri, 21 Mar 2014, Leon Fauster wrote:

 its just used in a multiple layer protection / security model.

Bingo! Same here. And it works well!

 well i would say its more scary when humans are editing configuration files 
 :-)

I can speak for nearly 20 years of experience on this, including
blowing it myself and locking myself remotely out of my own system
once. For what it is supposed to do...it does extremely well.

Gilbert

***
Gilbert Sebenste
(My opinions only!)  **
***


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bruce Ferrell
On 03/20/2014 12:48 PM, Matthew Miller wrote:
 Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
 you care strongly if it went away (or would you just migrate to something
 else)?

 I bring this up because we are discussing dropping it from Fedora. This
 would be far enough in the future that it wouldn't impact RHEL 7, and
 therefore won't affect anyone here for Quite Some Time*, but here in the new
 world order of CentOS, I thought it might be useful to check with some
 actual downstream users.

 What do you think? Do you rely on hosts.allow/hosts.deny a primary security
 mechanism? As defense-in-depth? Do you have policies which mandate it?

 Your feedback appreciated. Thanks!


 * and the standard caveats that Fedora doesn't necessarily determine the
 path for RHEL apply, of course.


I use it in conjunction with other utilities... They modify the hosts.deny in 
response to log parsing.

Please keep in mind, security in layers.
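How a log-driven hosts.deny updater of the kind mentioned above can work, as an added example (not fail2ban's code or any poster's): it counts failed sshd logins per source in constructed sample log lines, skips an assumed never-block network and addresses already denied, and appends the rest with an atomic rename. The log layout, the threshold and all function names are assumptions, and only IPv4 sources are handled.

```python
import ipaddress
import os
import re
import tempfile
from collections import Counter

# Constructed sshd log lines in the usual syslog layout (not from the thread).
SAMPLE_LOG = """\
Mar 21 09:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 21 09:14:03 web1 sshd[2103]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 21 09:14:05 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 21 09:15:10 web1 sshd[2110]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Mar 21 09:15:30 web1 sshd[2112]: Accepted password for alice from 192.0.2.10 port 40030 ssh2
Mar 21 09:16:00 web1 sshd[2120]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar 21 09:16:01 web1 sshd[2121]: Failed password for root from 198.51.100.9 port 33002 ssh2
Mar 21 09:16:02 web1 sshd[2122]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""

# The user name field is supplied by the remote side, so the pattern anchors on
# the end of the line, where sshd itself writes the source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")


def failures_by_source(log_text):
    """Count failed sshd logins per source, keeping only valid IPv4 addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            counts[ipaddress.IPv4Address(match.group(1))] += 1
        except ValueError:
            continue  # text that is not an address never reaches hosts.deny
    return counts


def already_denied(deny_text):
    """Collect addresses already listed in an 'sshd :' or 'ALL :' deny rule."""
    seen = set()
    for raw in deny_text.splitlines():
        daemons, sep, clients = raw.split("#", 1)[0].partition(":")
        if not sep or not {"sshd", "ALL"} & set(daemons.replace(",", " ").split()):
            continue
        for token in clients.replace(",", " ").split():
            try:
                seen.add(ipaddress.IPv4Address(token))
            except ValueError:
                pass  # patterns, host names and options are not single addresses
    return seen


def new_deny_lines(log_text, deny_text, never_block, threshold=3):
    """Return hosts.deny lines to add for sources at or above the threshold."""
    safe = [ipaddress.ip_network(net) for net in never_block]
    known = already_denied(deny_text)
    lines = []
    for addr, hits in sorted(failures_by_source(log_text).items()):
        if hits < threshold or addr in known:
            continue
        if any(addr in net for net in safe):
            continue  # guard against locking out the administrators' own network
        lines.append(f"sshd : {addr}")
    return lines


def append_atomically(path, lines):
    """Write old content plus new lines to a temp file, then rename it over path."""
    old = ""
    if os.path.exists(path):
        with open(path) as fh:
            old = fh.read()
    if old and not old.endswith("\n"):
        old += "\n"
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(old + "".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o644)   # mkstemp creates the file 0600
    os.replace(tmp, path)  # readers see either the old file or the new one


if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the admin network in this constructed run.
    print(new_deny_lines(SAMPLE_LOG, "", never_block=["198.51.100.0/24"]))
```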


[CentOS] (no subject)

2014-03-21 Thread John Doe
Hey,

  kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0, oom_score_adj=0
  ...
  kernel: Out of memory: Kill process 27974 (mysqld) score 361 or sacrifice child
  kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB, anon-rss:2890828kB, file-rss:3324kB

rsync whines he wants more RAM and... mysql gets killed...
That makes me a bit sad!
And from my nagios graphs, at that time, ram usage was only 75% (4.5GB/6GB) and 
swap usage 0.3% (/2GB)!
I cannot believe an rsync suddenly needed 1.5GB+2GB and was not satisfied...
And even after the out of memory, the graphs show no swap usage change at all.
Anybody would have an idea about this fake out of memory?

Thx,
JD


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread SilverTip257
I added a subject so we can track this message on the list easier. ;)

On Fri, Mar 21, 2014 at 12:19 PM, John Doe jd...@yahoo.com wrote:

 Hey,

   kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0,
 oom_score_adj=0
   ...
   kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
 sacrifice child
   kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
 anon-rss:2890828kB, file-rss:3324kB

 rsync whines he wants more RAM and... mysql gets killed...
 That makes me a bit sad!
 And from my nagios graphs, at that time, ram usage was only 75%
 (4.5GB/6GB) and swap usage 0.3% (/2GB)!
 I cannot believe an rsync suddenly needed 1.5GB+2GB and was not
 satisfied...
 And even after the out of memory, the graphs show no swap usage change at
 all.
 Anybody would have an idea about this fake out of memory?


Wild.
I've not encountered oomkiller being triggered when the server has free
memory and hasn't swapped to disk yet.

After the fact, it will probably be almost impossible to figure out the
list of files that rsync was storing in memory.

This makes me wonder if there's an option to have rsync log the list of
files (to be synced) to a log file of some sort.  I'll have to look into it
later today when I have a moment.



 Thx,
 JD




-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Tar Compression issue

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 8:57 AM, Fred Smith
fre...@fcshome.stoneham.ma.us wrote:

 On Fri, Mar 21, 2014 at 10:55:33AM +, Andrew Holway wrote:
  Dear Bonnie,
 
  Your not getting an answer because the emails you are sending look
  like spam to most email filters.
 
  Thanks,
 
  Andrew
 
 
 
 
 
  On 18 March 2014 09:22, Bonnie B Mtengwa bmten...@potraz.gov.zw wrote:
   I have a file Server CentOS 5.10, its on the internet, so I compress
 all csv
   into one file using (tar -czvf compressed_files.tar.gz  *.csv)  on this
   server so that I can download them as one compressed file to save
 bandwidth,
   Disk space on this server available is 50Gig, so when I copy the files
 onto
   Redhat EL 5.9 and decompress them using (tar -zxvf *.gz) It
 decompresses
   maybe 80% then get error:
  
  
  
   gzip: stdin: unexpected end of file
  
   tar: Unexpected EOF in archive
  
   tar: Unexpected EOF in archive
  
   tar: Error is not recoverable: exiting now
  
  
  
   what might be the issue here?

 Wild guess:
 Is the file, by anychance, somewhat over 4 gigs?


Our grandfathered homegrown backup solution that is in place for web
hosting at work tars up customer web content, which ends up being 15GB in
some cases.  And it's web content, so there's lots of files!

I'm sure if I took the time, I might find an even larger tarball -- but
10-15GB is pretty hefty.

 I've had a problem, years past, when a particular compression tool


Would you kindly share the name of the compression tool?


 blew up on files over 4 gigs, because it requires an integer
 larger than a 32-bit int to hold the file offsets. I wouldn't
 really expect that to be a problem on Centos 5.x, even on a
 32-bit system, but one does wonder


However ... we have a mix of 32-bit and 64-bit CentOS 5.10 systems that
create the backups (I speak of above) without a problem.  So 32 vs 64-bit
may not be the cause.


-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bill Campbell
On Fri, Mar 21, 2014, m.r...@5-cent.us wrote:
Larry Martell wrote:
 On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca
 wrote:
...
 Yes. For example look how MicroSoft has improved Windows since
 XPsp3.;-^)

 I wouldn't know. I don't use it. I've been programming professionally
 since 1975 and I've managed to never use Windows.

1980. and I've had to. But I worked long and hard to get into *Nix, and
with one 1.25 year excursion otherwise, have managed to stay here.

1966, and I have never used anything Microsoft willingly other than their
Natural keyboard and wireless mice :-).

So I *do* object to my toolset being cut down or mangled when it's
unnecessary. tcp.wrappers, no big deal. Non-plain  text configuration
files, or crap that invokes crap that invokes crap to do what was formerly
done by one program that read one simple configuration file, not so
much

Remember when SuSE's yast maintained a central configuration file, and
would overwrite manually changed Linux configuration files if one changed
something in the GUI?  So many experienced admins complained that they
finally went back to honoring the manual changes.

Then there's the infamous Windows Registry

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

I consider trial by jury as the only anchor ever yet imagined by
man, by which a government can be held to the principles of its
constitution. -- Thomas Jefferson in a letter to Thomas Paine, 1789.


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Bill Campbell
On Thu, Mar 20, 2014, Keith Keller wrote:
On 2014-03-21, Fernando Cassia fcas...@gmail.com wrote:

 Interesting double negative. Implies that once the technical barriers are
 removed, then it's OK to remove old features for change's sake. ;)

If, as Matthew says, the codebase hasn't been maintained since 2001,
then we should have concerns about unfound security issues, as well as
concerns that, if others find security problems, nobody is responsible
for fixing them.  If tcpwrappers had a current maintainer this wouldn't
be an issue.

There's certainly at least one technical reason to prefer other options
like iptables over tcpwrappers.  I've had instances where an attacker
made dozens of ssh probes per second; tcpwrappers was able to reject
these, but sshd was so overwhelmed that it was unable to exchange host
keys with legitimate clients.  iptables would have blocked these attacks
more effectively, letting sshd handle the legitimate client sessions
properly.

My solution to this is to have swatch watching the tcp_wrappers ssh, imap,
and pop3 logs and blocking with iptables any IP address that has more than
N (5 by default) failed connection attempts in a minute or that is listed
in our blacklist DNSRBL.  A postgresql database is used on each machine
with a history of IPs blocked which is used to automatically expire blocks
and to add them if a system is rebooted.

We maintain a couple of DNSRBLs for whitelisting and blacklisting IP
addresses and net blocks that are largely fed by the reports generated.
The /etc/hosts.allow files on all the systems we monitor use these DNSRBLs
on critical services (e.g. sshd) to ALLOW/DENY access.

The net result of this has been that it's rare when a particular IP gets
more than a few failed attempts before being blocked the first time, and
one or two if it's in our blacklist DNSRBL whether it's on the first
machine attacked or any of the other machines we monitor.

FWIW, the majority of the attacks seem to be password guessing attempts
using IMAP, not ssh.  The successful cracks on Linux machines I've seen
were done via weak user accounts on ISPs that were then accessed via php to
the user's writeable public html directory.

As somebody already pointed out, no one tool is sufficient to limit access.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

It takes no great insight or intelligence to see that the health
of a centralized economy built around dense concentrations of
economic power and a close business alliance with government can't
tolerate any considerable degree of intellectual schooling. 
John Taylor Gatto http://www.lewrockwell.com/gatto/gatto-uhae-8.html
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
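
The rate-based blocking Bill Campbell describes above, as an added example (not his swatch configuration or any code from the thread): it counts tcp_wrappers refusals per source address over a one-minute window and returns the iptables command to run once an address exceeds N. The log lines are constructed, an in-memory dict stands in for the PostgreSQL history, the 24-hour block lifetime is an assumption, and the DNSRBL lookup is left out.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog lines in the style libwrap writes on a refusal.
SAMPLE_LOG = """\
Mar 21 10:00:01 host sshd[2101]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:00:09 host sshd[2102]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:00:15 host imapd[2103]: refused connect from 198.51.100.9 (198.51.100.9)
Mar 21 10:00:20 host sshd[2104]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:00:31 host imapd[2105]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:00:40 host sshd[2106]: refused connect from ::ffff:203.0.113.7 (::ffff:203.0.113.7)
Mar 21 10:00:48 host sshd[2107]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:00:55 host sshd[2108]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 21 10:02:15 host imapd[2109]: refused connect from 198.51.100.9 (198.51.100.9)
Mar 21 10:03:00 host ipop3d[2110]: refused connect from unknown (unknown)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\[\d+\]:\s+"
    r"refused connect from \S+ \((?P<addr>[^)]+)\)"
)


def parse_line(line, year=2014):
    """Return (timestamp, IPv4 string) for a refusal line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None            # never pass unvalidated log text to iptables
    if ip.version == 6:
        ip = ip.ipv4_mapped    # ::ffff:a.b.c.d is the same client as a.b.c.d
        if ip is None:
            return None        # native IPv6 would need ip6tables; out of scope
    # Classic syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, str(ip)


class Blocker:
    """Sliding-window counter that decides when an address gets blocked."""

    def __init__(self, threshold=5, window=timedelta(minutes=1),
                 block_for=timedelta(hours=24)):
        self.threshold = threshold          # N: block on more than N failures
        self.window = window
        self.block_for = block_for          # assumed lifetime of a block
        self.recent = defaultdict(deque)    # ip -> recent failure timestamps
        self.blocked = {}                   # ip -> expiry; stands in for the DB

    @staticmethod
    def _rule(action, ip):
        # Returned as an argv list so no shell ever parses the address.
        return ["iptables", action, "INPUT", "-s", ip, "-j", "DROP"]

    def observe(self, ts, ip):
        """Record one failure; return the rule to insert if ip must be blocked."""
        if ip in self.blocked:
            return None
        seen = self.recent[ip]
        seen.append(ts)
        while ts - seen[0] > self.window:   # drop failures older than the window
            seen.popleft()
        if len(seen) > self.threshold:
            self.blocked[ip] = ts + self.block_for
            del self.recent[ip]
            return self._rule("-I", ip)
        return None

    def expire(self, now):
        """Forget blocks whose lifetime has passed; return the rules to delete."""
        done = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in done:
            del self.blocked[ip]
        return [self._rule("-D", ip) for ip in done]

    def restore(self, now):
        """Rules to re-add after a reboot, when the kernel's rule set is empty."""
        return [self._rule("-I", ip)
                for ip, until in self.blocked.items() if until > now]


def process(log_text, blocker, year=2014):
    """Feed log lines through the blocker; return the iptables commands to run."""
    commands = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        rule = blocker.observe(*parsed)
        if rule:
            commands.append(rule)
    return commands
```

The sixth refusal inside the minute triggers the block, and the IPv4-mapped form of the address counts toward the same total as the plain one.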


Re: [CentOS] Want to create custom iso

2014-03-21 Thread Anant
Hi Guys,

I have made a custom CentOS DVD. I have copied ks.cfg to the top directory of 
my DVD, and it is working fine.
My ks.cfg looks like:


%post --log=/root/my-post-log

yum remove libreoffice* -y ;
/usr/bin/wget http://210.X.X.52/LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz ;
tar -xvzf LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz ;
cd LibreOffice_4.1.5.3_Linux_x86-64_rpm/RPMS/ ;
yum install *.rpm -y ;

%end


I am downloading LibreOffice_4.1.5_Linux_x86-64_rpm.tar.gz from 
210.X.X.52, which consumes bandwidth each time, so I want to keep this 
package inside my DVD.
So I need a suggestion on how I can do that, and access it at POST script 
run time.

Like, can I mount my DVD in any /tmp folder, or any suggestion?

Thanks in Advance :)





On Monday 17 March 2014 11:34 PM, Earl A Ramirez wrote:
 On 17 March 2014 12:51, EljiUdia eljiu...@yahoo.com wrote:



 On Monday, March 17, 2014 6:41 PM, Anant anant.saras...@techblue.co.uk
 wrote:

 Hello All,

 I want to make custom iso of Centos 6.4 and want some feature in it by
 default



 Take a look here
 http://smorgasbork.com/component/content/article/35-linux/128-building-a-custom-centos-6-kickstart-disc-part-1
 or odesk.com

 The following link [0] may help you with what you are trying to achieve.

 [0] http://centos.org/variants/





-- 
Anant Saraswat
System Admin (RHCVA,RHCE,RHCSA)

FOR AND ON BEHALF OF:
Techblue Software Pvt. Ltd.
73, Sector-5
IMT Manesar
Haryana

E: anant.saras...@techblue.co.uk
W: www.techblue.co.uk




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 7:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote:


 Nothing remains static. Software evolves into usually superior products.
 Sentimentally longing for the past hampers the introduction of new and
 better replacements.

 Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Not sure when the capability was added, but the Windows Server
versions' ability to convert a standard single NTFS volume to dynamic
and then add a RAID mirror is really quite nice.  And unlike the linux
counterparts it works on the fly with full backwards compatibility.
You don't have to load some fuse module to hook up some experimental
filesystem with some new bizarre configuration syntax and figure out a
different way to boot it.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 11:49 AM, John Doe jd...@yahoo.com wrote:

kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0, oom_adj=0,
  oom_score_adj=0
...
kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
  sacrifice child
kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
  anon-rss:2890828kB, file-rss:3324kB

  rsync whines he wants more RAM and... mysql gets killed...
  That makes me a bit sad!

 After more investigation, I found:
 - a vm.swappiness=0 in sysctl.conf, which should not prevent the kernel to 
 swap to prevent an oom.
 - the rsync was part of 8 *sequential* rsyncs on 8 servers, rsyncing between 
 500 and 1000 files at most...


Before very recent versions of rsync  (not sure exactly when it
changed), it would load the entire tree listing from both sides into
memory before walking them for the comparison.  What's the destination
side look like?  Maybe you aren't doing a --delete and a lot of cruft
has accumulated.

-- 
  Les Mikesell
  lesmikes...@gmail.com


[CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
Hi all,

Has anyone installed mellanox ofed on linux kernel 3.x?


Regards


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 18:08, Robert Clove cloverob...@gmail.com wrote:
 Hi all,

 Has anyone installed mellanox ofed on linux kernel 3.x?

I hear those guys over in Ubuntu land do that kind of thing a lot. Why
Mellanox OFED and non OFED OFED?

Ta

Andrew



 Regards


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
Will non ofed also work as mellanox ofed or any other difference will I
face ?
Where to get other ofed ?

On Friday, March 21, 2014, Andrew Holway andrew.hol...@gmail.com wrote:

 On 21 March 2014 18:08, Robert Clove cloverob...@gmail.com wrote:
  Hi all,
 
  Has anyone installed mellanox ofed on linux kernel 3.x?

 I hear those guys over in Ubuntu land do that kind of thing a lot. Why
 Mellanox OFED and non OFED OFED?

 Ta

 Andrew

 
 
  Regards


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 18:24, Robert Clove cloverob...@gmail.com wrote:
 Will non ofed also work as mellanox ofed or any other difference will I
 face ?

The Mellanox OFED stack is a development version maintained by
Mellanox whereas the OFED OFED is maintained by the OpenFabrics
Enterprise Distribution which is a consortium of all the IB vendors.

 Where to get other ofed ?

yum groupinstall "Infiniband Support" usually does it, although if you're
using kernel-ml this might be broken.

Read these for more info:
https://www.openfabrics.org/resources/ofed-for-linux-ofed-for-windows/ofed-overview.html
http://www.mellanox.com/page/products_dyn?product_family=26

Thanks,

Andrew





 On Friday, March 21, 2014, Andrew Holway andrew.hol...@gmail.com wrote:

 On 21 March 2014 18:08, Robert Clove cloverob...@gmail.com wrote:
  Hi all,
 
  Has anyone installed mellanox ofed on linux kernel 3.x?

 I hear those guys over in Ubuntu land do that kind of thing a lot. Why
 Mellanox OFED and non OFED OFED?

 Ta

 Andrew

 
 
  Regards


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread James A. Peltier
- Original Message -
| Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
| would
| you care strongly if it went away (or would you just migrate to
| something
| else)?
| 

Yes, we do use TCP Wrappers.  We also use IPTables, edge gateway firewalls, 
VPNs and other tools.  The reason that we use them is to support additional 
security.

The case is being made to remove a tool that is considered to be legacy.  While 
it is understood that legacy = old/unmaintained/crap, it does remove an 
additional layer of security that can be applied for a base system.  So the 
question then is, what can be used as a suitable replacement?  If so what is 
that suitable replacement?  If one doesn't exist, how long until we can get one?

Security is about layering technology.  IPTables doesn't solve all of the 
problems out there.  People mentioned NFSv3 and moving to NFSv4 and while this 
may be suitable for some people it doesn't apply to others.  To simply remove a 
tool because its code hasn't been modified in X number of 
days,months,years,decades is really in many cases what I like to call version 
envy.

I'd love to hear about the old and unmaintainable code.  It's open source 
code.  If something's broken you can fix it right!?! That's the open source 
mantra!  Either provide a set of reasons why it should be removed and the 
alternatives that cover all the use cases of TCP Wrappers or let the code, that 
obviously works remain there undisturbed.  It's an extra layer of security that 
administrators can use to secure their systems and it's dead simple to 
understand!



-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices

Around here, however, we don’t look backwards for very long.  We KEEP MOVING 
FORWARD, opening up new doors and doing things because we’re curious and 
curiosity keeps leading us down new paths. - Walt Disney


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Robert Clove
I have a VPI card and will ofed ofed convert the infiniband ports to
Ethernet ports?

On Saturday, March 22, 2014, Andrew Holway andrew.hol...@gmail.com wrote:

 On 21 March 2014 18:24, Robert Clove cloverob...@gmail.com wrote:
  Will non ofed also work as mellanox ofed or any other difference will I
  face ?

 The Mellanox OFED stack is a development version maintained by
 Mellanox whereas the OFED OFED is maintained by the OpenFabrics
 Enterprise Distribution which is a consortium of all the IB vendors.

  Where to get other ofed ?

 yum groupinstall "Infiniband Support" usually does it, although if you're
 using kernel-ml this might be broken.

 Read these for more info:

 https://www.openfabrics.org/resources/ofed-for-linux-ofed-for-windows/ofed-overview.html
 http://www.mellanox.com/page/products_dyn?product_family=26

 Thanks,

 Andrew




 
  On Friday, March 21, 2014, Andrew Holway andrew.hol...@gmail.com wrote:
 
  On 21 March 2014 18:08, Robert Clove cloverob...@gmail.com wrote:
   Hi all,
  
   Has anyone installed mellanox ofed on linux kernel 3.x?
 
  I hear those guys over in Ubuntu land do that kind of thing a lot. Why
  Mellanox OFED and non OFED OFED?
 
  Ta
 
  Andrew
 
  
  
   Regards


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier jpelt...@sfu.ca wrote:


 I'd love to hear about the old and unmaintainable code.  It's open
 source code.  If something's broken you can fix it right!?! That's the open
 source mantra!  Either provide a set of reasons why it should be removed
 and the alternatives that cover all the use cases of TCP Wrappers or let
 the code, that obviously works remain there undisturbed.  It's an extra
 layer of security that administrators can use to secure their systems and
 it's dead simple to understand!


+1
If it works, it works. Period. It doesn't matter if it was coded by an
ancient civilization carved in stone, or that it hasn't been updated in
centuries.

Perhaps it hasn't been updated in centuries precisely because it works, so
there's no need to update it!

FC


-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Max Pyziur
On Fri, 21 Mar 2014, Fernando Cassia wrote:

 On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier jpelt...@sfu.ca wrote:


 I'd love to hear about the old and unmaintainable code.  It's open
 source code.  If something's broken you can fix it right!?! That's the open
 source mantra!  Either provide a set of reasons why it should be removed
 and the alternatives that cover all the use cases of TCP Wrappers or let
 the code, that obviously works remain there undisturbed.  It's an extra
 layer of security that administrators can use to secure their systems and
 it's dead simple to understand!


 +1

+1

 If it works, it works. Period. It doesn't matter if it was coded by an
 ancient civilization carved in stone, or that it hasn't been updated in
 centuries.

 Perhaps it hasn't been updated in centuries precisely because it works, so
 there's no need to update it!

 FC

MP


Re: [CentOS] mellanox ofed on centos kernel 3.x

2014-03-21 Thread Andrew Holway
On 21 March 2014 19:03, Robert Clove cloverob...@gmail.com wrote:
 I have an VPI card and will ofed ofed convert the infiniband ports to
 Ethernet ports.

I'm pretty sure it will. Check the docs!


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 1:54 PM, James A. Peltier jpelt...@sfu.ca wrote:

 The case is being made to remove a tool that is considered to be legacy.  
 While it is understood that legacy = old/unmaintained/crap,

No, legacy = the foundation everything else builds on.  Change it at
the risk of forcing everyone who uses your product to rebuild
everything from scratch.  In my opinion, a new version of something
isn't better unless it is also completely backwards compatible.  It's
not a fashion show - things aren't better just because they are
different.

-- 
  Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Fernando Cassia
On Fri, Mar 21, 2014 at 9:44 AM, Les Mikesell lesmikes...@gmail.com wrote:

 Yes, but that reason is generally that someone changed the language
 syntax underneath it instead of settling on simple working APIs.
 What has actually stayed stable and backwards compatible over the
 years other than bourne shell syntax and perl (almost)?   Everything
 else has made you repeat your work every few years instead of letting
 you build on it and advance.


+1

FC


-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


Re: [CentOS] Linux malware attack

2014-03-21 Thread Thomas Harold
On 3/19/2014 2:50 PM, Ned Slider wrote:
 
 Just to add, I'm sure everyone has already read and implemented many of 
 the suggestions here:
 
 http://wiki.centos.org/HowTos/Network/SecuringSSH
 
 Numbers 2 and 7 have already been highlighted in this thread.
 

#1 These days I would say that 8 chars minimum length is too few, even
if they are completely random (and most won't be).  If you're not
willing to type gibberish, then a more reasonable minimum length is
12-14.  Especially for your root password (or other administration
accounts).

If you have your users creating 15+ character passwords, don't make them
change it every 30/60/90 days.  Password aging hurts more than it helps
as passwords grow longer.  Users are more likely to adopt poor behavior
like simply adding or incrementing numbers from month to month.  Longer
durations, like 3-5 years, give the users time to memorize the password
rather than just keeping it on a sticky on the desk.

#2 (disable root login) is a must for any public facing box, and a
strong recommendation for all other boxes.  It's the top target of
attack, so why allow it to be attacked at all?

#5 (non-standard port) is very useful.  Not for protecting yourself
against attack, but from not having your log files fill up with all of
the automated attack scripts.  Which makes it easier to spot the more
serious attackers who have taken the time and effort to find your SSH port.

#7 (public-key pairs) is also a must for any public-facing box.  It
defeats all attempts to brute-force account passwords remotely.

Now you just have to worry that someone will steal your private key
files.  But if someone has gotten far enough inside to steal your
private key file then you have bigger security problems to worry about.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
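
A check for items #2, #5 and #7 as discussed above, as an added example (not from the thread or the CentOS wiki): it resolves the global section of an sshd_config the way sshd does (the first value for a keyword wins, Port may repeat, Match blocks are conditional) and reports which of the three items are not met. The sample configurations are constructed, the defaults for absent keywords are an assumption, and #7 is read here as requiring PasswordAuthentication no.

```python
import re

# Assumed defaults when a keyword is absent: those of the OpenSSH releases
# current when this thread was written (PermitRootLogin yes).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample configurations.
WEAK = """\
# sshd_config (constructed)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""


def effective_settings(text):
    """Global settings as sshd resolves them: first value wins, Port accumulates."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or by a single '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        # Values are lowercased because only yes/no style keywords are read here.
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # what follows applies only to matching users or hosts
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)  # later duplicates are ignored
    merged = dict(DEFAULTS, **settings)
    merged["port"] = ports or ["22"]
    return merged


def audit(text):
    """Return (item, message) pairs for the list items that are not met."""
    s = effective_settings(text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append(
            ("#2", "root can log in over SSH (PermitRootLogin %s)" % s["permitrootlogin"]))
    if s["passwordauthentication"] != "no" or s["pubkeyauthentication"] != "yes":
        findings.append(
            ("#7", "passwords are still accepted, so remote guessing remains possible"))
    if "22" in s["port"]:
        findings.append(
            ("#5", "listening on port 22; expect automated scanner noise in the logs"))
    return findings
```

In the WEAK sample the later `PermitRootLogin no` has no effect because the earlier `yes` is the value sshd uses, and the `PasswordAuthentication no` inside the Match block protects only that one user.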


Re: [CentOS] Linux malware attack

2014-03-21 Thread m . roth
Thomas Harold wrote:
 On 3/19/2014 2:50 PM, Ned Slider wrote:

 Just to add, I'm sure everyone has already read and implemented many of
 the suggestions here:

 http://wiki.centos.org/HowTos/Network/SecuringSSH

 Numbers 2 and 7 have already been highlighted in this thread.

 #1 These days I would say that 8 chars minimum length is too few, even
 if they are completely random (and most won't be).  If you're not
 willing to type gibberish, then a more reasonable minimum length is
 12-14.  Especially for your root password (or other administration
 accounts).

And most people can remember that? And then there's the annoyance factor.

 If you have your users creating 15+ character passwords, don't make them
 change it every 30/60/90 days.  Password aging hurts more than it helps
 as passwords grow longer.  Users are more likely to adopt poor behavior
 like simply adding or incrementing numbers from month to month.  Longer
 durations, like 3-5 years, give the users time to memorize the password
 rather than just keeping it on a sticky on the desk.

Unfortunately, the real issue on this is that I think most of us here do
*not* have control of that, that's upper management. And even though NIST
says, I think, 2 years, I'm at a US gov't agency and it's the inane 2
months. Though I will say the *really* bad places are the folks who
compare it to previous passwords, and do their best to keep you from
having any pattern at all, and so making it a *lot* harder to remember
your current one. When I worked at ATT, a few years back, for the very
first time, I had a *list* of passwords for different systems (not the
ones that we controlled)

As Bruce Schneier says, security theater.

 #2 (disable root login) is a must for any public facing box, and a
 strong recommendation for all other boxes.  It's the top target of
 attack, so why allow it to be attacked at all?

Other than at the console, yep. And as you note later, if someone can log
in as root to the console who shouldn't, you've got much larger security
issues.

 #5 (non-standard port) is very useful.  Not for protecting yourself
 against attack, but from not having your log files fill up with all of
 the automated attack scripts.  Which makes it easier to spot the more
 serious attackers who have taken the time and effort to find your SSH
 port.

Huh! That's the *only* rationale I've ever heard for security through
obscurity that actually makes sense. (One of my ongoing goals for the
annual review is cutting down the noise in our logs.)
snip
mark



[CentOS] OT: DELL PERC H200

2014-03-21 Thread m . roth
Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
this PE R610 has this I'm familiar with PERC 6 and 7s, but just dunno
'bout this one.

 mark



Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread Digimer
On 21/03/14 05:52 PM, m.r...@5-cent.us wrote:
 Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
 build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
 this PE R610 has this I'm familiar with PERC 6 and 7s, but just dunno
 'bout this one.

   mark

It says it's a hardware RAID controller, but it only supports RAID 
levels 0, 1 and 10. That tells me it has no real ASIC and so far as I 
can see with google, it doesn't support caching or a BBU. So while it 
might be hardware, I doubt it's real in the sense that it can do 
parity calcs, read/write reordering and write-back caching.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without 
access to education?


Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread m . roth
Digimer wrote:
 On 21/03/14 05:52 PM, m.r...@5-cent.us wrote:
 Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
 build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
 this PE R610 has this I'm familiar with PERC 6 and 7s, but just
 dunno 'bout this one.

 It says it's a hardware RAID controller, but it only supports RAID
 levels 0, 1 and 10. That tells me it has no real ASIC and so far as I
 can see with google, it doesn't support caching or a BBU. So while it
 might be hardware, I doubt it's real in the sense that it can do
 parity calcs, read/write reordering and write-back caching.

Thanks! That's what I needed to know, esp. since they want RAID 6. Sounds
like software RAID to me, he said, cheerfully.

  mark



Re: [CentOS] OT: DELL PERC H200

2014-03-21 Thread John R Pierce
On 3/21/2014 2:52 PM, m.r...@5-cent.us wrote:
 Does anyone know if a PERC H200 is a real RAID controller?  I'm about to
 build a box to CentOS 6.5 (it was Windows...) with RAID 6 on Monday, and
 this PE R610 has this I'm familiar with PERC 6 and 7s, but just dunno
 'bout this one.

if it doesn't have a flash-backed or battery-backed write-back cache, 
then it hardly matters what it is.

the specs on that H200 sound like an LSI 2008 SAS2 HBA chip that has 
hardware mirroring, but without writeback cache.

I'd configure it for JBOD and do my raid in the OS.

-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] biosdevname

2014-03-21 Thread Warren Young
On 3/20/2014 10:33, SilverTip257 wrote:

 And an interface should only be detected as pXpY if it's a PCI NIC.
 THOUGH I've seen it already where an onboard NIC in a Lenovo desktop was
 detected as p5p1.

Just because the MAC chip is soldered to the motherboard doesn't mean it 
can't be on the PCI[e] bus.

As far as I know, this new NIC naming scheme doesn't actually make 
distinctions based on whether a card-edge connector is involved.


Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 1:16 PM, Les Mikesell lesmikes...@gmail.com wrote:

 On Fri, Mar 21, 2014 at 11:49 AM, John Doe jd...@yahoo.com wrote:
 
 kernel: rsync invoked oom-killer: gfp_mask=0x200da, order=0,
 oom_adj=0,
   oom_score_adj=0
 ...
 kernel: Out of memory: Kill process 27974 (mysqld) score 361 or
   sacrifice child
 kernel: Killed process 27974, UID 27, (mysqld) total-vm:3804672kB,
   anon-rss:2890828kB, file-rss:3324kB
 
   rsync whines he wants more RAM and... mysql gets killed...
   That makes me a bit sad!

  After more investigation, I found:
  - a vm.swappiness=0 in sysctl.conf, which should not prevent the kernel
 to swap to prevent an oom.
  - the rsync was part of 8 *sequential* rsyncs on 8 servers, rsyncing
 between 500 and 1000 files at most...
 


In one of the rsync backup cronjobs I wrote for work, I added logic to
check for running rsync processes so they don't run on top of each other
(that's to prevent simultaneous syncs and not sequential as you noted in
your scenario).



 Before very recent versions of rsync  (not sure exactly when it
 changed), it would load the entire tree listing from both sides into
 memory before walking them for the comparison.  What's the destination
 side look like?  Maybe you aren't doing a --delete and a lot of cruft
 has accumulated.


I avoid this problem by having the cronjob run more often and the script
checks that syncs are running (which means on average it should sync less
files and re-sync as soon as the previous sync is finished).



 --
   Les Mikesell
   lesmikes...@gmail.com




-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] biosdevname

2014-03-21 Thread SilverTip257
On Fri, Mar 21, 2014 at 6:28 PM, Warren Young war...@etr-usa.com wrote:

 On 3/20/2014 10:33, SilverTip257 wrote:
 
  And an interface should only be detected as pXpY if it's a PCI NIC.
  THOUGH I've seen it already where an onboard NIC in a Lenovo desktop was
  detected as p5p1.

 Just because the MAC chip is soldered to the motherboard doesn't mean it
 can't be on the PCI[e] bus.


I'm in agreement on that.
( I just wanted to point out that there are some differences and quirks
[that may not be a bug]. )

I believe biosdevname applies only to Dell hardware, but maybe more
hardware support has been added for other manufacturers.  That particular
Lenovo hardware had an install of the latest Fedora release at the time...



 As far as I know, this new NIC naming scheme doesn't actually make
 distinctions based on whether a card-edge connector is involved.




-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Always Learning

On Fri, 2014-03-21 at 08:33 -0400, James B. Byrne wrote:

 On Thu, March 20, 2014 17:34, Always Learning wrote:
 
  Nothing remains static. Software evolves into usually superior products.
  Sentimentally longing for the past hampers the introduction of new and
  better replacements.
 
 Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Thankfully and gratefully: Linux  Microsoft. 

:-)

-- 
Paul.
England,
EU.

   Our systems are exclusively Centos. No Micro$oft Windoze here.



Re: [CentOS] rsync triggers oomkiller

2014-03-21 Thread Les Mikesell
On Fri, Mar 21, 2014 at 5:31 PM, SilverTip257 silvertip...@gmail.com wrote:

 Before very recent versions of rsync  (not sure exactly when it
 changed), it would load the entire tree listing from both sides into
 memory before walking them for the comparison.  What's the destination
 side look like?  Maybe you aren't doing a --delete and a lot of cruft
 has accumulated.


 I avoid this problem by having the cronjob run more often and the script
 checks that syncs are running (which means on average it should sync less
 files and re-sync as soon as the previous sync is finished).

The number of files being sync'd isn't the big memory consumer - it is
the whole directory trees being traversed that are loaded into memory
for the comparison.  There is additional overhead if you use -H to
propagate hardlinks.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Cliff Pratt
On Fri, Mar 21, 2014 at 10:36 AM, Always Learning cen...@u62.u22.net wrote:


 On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:

  On the other hand, what justifiable reason was there for the massively
  increased complexity of grub2? And why do all configuration files
  suddenly *desperately* need to be xml?

 Because misguided fools believe XML is wundervol and they don't want
 simplicity of use.

The advantages of XML are that it is a common, mature standard, it is
easily parseable by humans and computers.

Cheers,

Cliff


Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Always Learning

On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:

   On the other hand, what justifiable reason was there for the massively
   increased complexity of grub2? And why do all configuration files
   suddenly *desperately* need to be xml?

On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote:

  Because misguided fools believe XML is wundervol and they don't want
  simplicity of use.

On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote:

 The advantages of XML are that it is a common, mature standard, it is
 easily parseable by humans and computers.

Nothing is easier and simpler than

[any-section]
parameter1=value1
parameter2=value2

Compared to XML (= the WEB PAGE 'new idea'), plain text is common, well
established and a significantly more mature standard. Plain text is
easier to read with vastly improved clarity, compared to XML, and no line
indentations or angular brackets required.

I note your reference to XML being a common, mature standard omits any
praise for XML and also omits calling it good :-)


-- 
Paul.
England,
EU.

   Our systems are exclusively Centos. No Micro$oft Windoze here.



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Gregory P. Ennis
Date: Thu, 20 Mar 2014 18:14:56 -0300

On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote:

 Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
 you care strongly if it went away (or would you just migrate to something
 else)?


Please don't remove it. Why this sudden idea in software circles that
stuff that works properly needs to be removed for no reason whatsoever
other than it's old and we think nobody uses it. How do you know? IF IT
AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

Fail2ban is one piece of software which interfaces with tcp wrappers.
v0.9.0 just out
http://www.fail2ban.org/wiki/index.php/Main_Page

FC
---

I will have to add my 2 cent request with FC.  Please do not remove it

Greg Ennis



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread Cliff Pratt
On Sat, Mar 22, 2014 at 2:05 PM, Always Learning cen...@u62.u22.net wrote:


 On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote:

   On the other hand, what justifiable reason was there for the massively
   increased complexity of grub2? And why do all configuration files
   suddenly *desperately* need to be xml?

 On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote:

   Because misguided fools believe XML is wundervol and they don't want
   simplicity of use.

 On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote:

  The advantages of XML are that it is a common, mature standard, it is
  easily parseable by humans and computers.

 Nothing is easier and simpler than

 [any-section]
 parameter1=value1
 parameter2=value2

 Compared to XML (= the WEB PAGE 'new idea'), plain text is common, well
 established and a significantly more mature standard. Plain text is
 easier to read with vastly improved clarity, compared to XML, and no line
 indentations or angular brackets required.

 I note your reference to XML being a common, mature standard omits any
 praise for XML and also omits calling it good :-)


That text format is simple. Too simple. If you have multiple similar
sub-sections you have to use some ad-hoc construction. For example if you
require sub entries with eg a default sub-section and a per-user
sub-section then the simple example doesn't work, or at least it is
rendered a lot less readable. It doesn't nest.

YAML is quite good if you insist on a text type format, without the
complexity of JSON.

But back to XML. It is parseable using all sorts of libraries and on lots
of platforms. We have a number of apps that use XML for configuration data.
It is easy for the programmers to knock up a page to edit this and the app
itself can easily parse the results.

But I'm sorry, I must admit that there was an element of tongue in cheek in
my reference to XML's advantages. I've been reading and writing it for
years, so I speak it fluently, at least in the possibly limited set of
usages that we have.

Cheers,

Cliff
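The nesting point in the message above, as an added example that is not part of the original post: a default sub-section plus per-user sub-sections, once in the flat `[section]` format with an ad-hoc `user:<name>` naming convention and once in nested XML. The section names, keys and values are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample: the flat format has no nesting, so per-user
# sub-sections are faked with a "user:<name>" section-name convention.
INI_TEXT = """
[defaults]
shell = /bin/bash
quota_mb = 500

[user:alice]
quota_mb = 2000

[user:bob]
shell = /bin/zsh
"""

# Constructed sample: the same data, with nesting carrying the structure.
XML_TEXT = """
<config>
  <defaults shell="/bin/bash" quota_mb="500"/>
  <users>
    <user name="alice" quota_mb="2000"/>
    <user name="bob" shell="/bin/zsh"/>
  </users>
</config>
"""

def ini_setting(user, key):
    """Per-user value, falling back to [defaults]."""
    cp = configparser.ConfigParser()
    cp.read_string(INI_TEXT)
    # The parser knows nothing about this convention; the application
    # has to build and interpret the section name itself.
    section = "user:" + user
    if cp.has_section(section) and cp.has_option(section, key):
        return cp.get(section, key)
    return cp.get("defaults", key)

def xml_setting(user, key):
    """Per-user value, falling back to <defaults>."""
    root = ET.fromstring(XML_TEXT)
    for node in root.find("users"):
        if node.get("name") == user and node.get(key) is not None:
            return node.get(key)
    return root.find("defaults").get(key)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, ini_setting(who, "quota_mb"), xml_setting(who, "shell"))
```

Both lookups return the same values; the difference is that in the flat file the relationship between a user and the defaults lives only in the application's naming convention.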