[CentOS] leap second

2012-07-01 Thread Bob Hoffman
  - Kernel Begin 

  
  1 Time(s): Clock: inserting leap second 23:59:60 UTC
  
  -- Kernel End -

hee hee.

gotta love it

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] reinventing the wheel? page checker

2012-06-22 Thread Bob Hoffman
On 6/22/2012 9:50 AM, m.r...@5-cent.us wrote:
 Bob Hoffman wrote:
 On 6/21/2012 12:44 PM, Keith Roberts wrote:
 On Thu, 21 Jun 2012, Bob Hoffman wrote:
 From: Bob Hoffmanb...@bobhoffman.com

 Not sure if there is an app like this yet.
 I want to keep tabs on my web applications and thought of using a 'page
 checker'/
 *snip*

 Anything out there like that?
 http://www.changedetection.com/
 snip
 As I said originally, you might want to check out rkhunter. It'll check
 your system for rootkits, and once configured - which isn't a big deal,
 just a configuration file - will complain when run if something's changed.
 You can tell it to look at your web pages.

 Another thing to consider (and I really, really don't enjoy suggesting
 it), is selinux. Turn it on to at least permissive, and it'll bitch and
 moan if something's changed. Turn it to enforcing, and *nothing* will be
 allowed to be changed. It is, however, a royal pain to configure, esp.
 when you want to be able to allow a directory for users to put pics.

 mark

Would love to use SElinux. I searched high and low for any kind of 
manual and there was none.
Most of the information online was for versions that were not on centos 
6, and little info on centos 6.
I am considering going back to it for the virtual hosts, dns servers, 
but for production web servers
I think it will take a long time.
I know that fail2ban will not work properly with it in any case, as per 
their own website.

It seems that to run the webservers selinux wants me to allow a ton of 
privileges to apache, the ftp user, and a bunch of
other things...seems like that defeats the purpose. And a script 
injection will have all those privileges.

I wish I had the time and knowledge to implement it...and add it to my 
handbook, but on a webserver that
is doing mail ins, mail outs, httpd, mysql, php, self made scripts, 
fail2ban, and a host of other programs
it seems like it requires an experienced hand at it. Or a book.
Neither of which are available to me.

Who knows, once I figure out the mutli_mysql back up, amanda, then I may 
go for it.

One thing I learned...SElinux in permissive mode only gives a warning 
once for an issue...and never again. Makes it hard
to play with it that way, would prefer a constant error variable to keep 
them coming.

well. We derailed.


[CentOS] reinventing the wheel? page checker

2012-06-21 Thread Bob Hoffman
Not sure if there is an app like this yet.
I want to keep tabs on my web applications and thought of using a 'page 
checker'/

I was thinking either running a sum on the directory or each file...but 
thinking a simple date check would
be fine.

The idea is web application, except the uploads area for photos, never 
has changes to its files except when I change it.

However, if it gets injected or hacked, I would want to know right away.

So thinking of running a script every minute looking for files where the 
date changed since 'x' date or something like that.

Anything out there like that?

thanks
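The checker described in this post, written out as an added example (not the poster's script): it hashes every file under the web root with SHA-256, prunes the photo uploads directory that is expected to change, and reports what was added, modified or removed since the saved baseline. Hashes rather than file dates are the authority, since a modification time is trivially reset; the baseline path and the directory names are assumptions for the demo.

```python
"""File-integrity check for a web root.

Added example, not code from the original post.  Hash every file under the
document root, skip the 'uploads' directory that is expected to change, and
report files added, modified or removed since the saved baseline.  Store the
baseline outside the web root (read-only, or on another host) so an intruder
who can write to the web root cannot also rewrite the baseline."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("uploads",)):
    """Map relative path -> [sha256, size, mtime] for every regular file under
    root, pruning any directory whose name is in skip_dirs."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):        # skip sockets, broken symlinks
                continue
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            baseline[rel] = [hash_file(full), st.st_size, int(st.st_mtime)]
    return baseline


def compare(baseline, current):
    """Diff two baselines on content hash; returns sorted path lists."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "modified": sorted(p for p in old & new if baseline[p][0] != current[p][0]),
        "removed": sorted(old - new),
    }


def check_tree(root, baseline_path, skip_dirs=("uploads",)):
    """One cron run: the first call stores the baseline and returns None;
    later calls return the change report (empty lists when nothing changed)."""
    current = build_baseline(root, skip_dirs)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh)
        return None
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    return compare(baseline, current)


def demo():
    """Constructed sample: a tiny web root, a baseline, then a few changes.
    The report lists the altered index.php, the dropped new.php and the
    deleted include/db.php, while a new photo under uploads/ is ignored."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {"index.php": b"<?php echo 'hello'; ?>\n",
             os.path.join("include", "db.php"): b"<?php // settings\n",
             os.path.join("uploads", "photo.jpg"): b"\xff\xd8 constructed bytes"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "webroot.json")
    first = check_tree(root, baseline_path)          # stores the baseline
    # simulate what the next cron run would see a minute later
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"// unexpected edit\n")
    with open(os.path.join(root, "new.php"), "wb") as fh:
        fh.write(b"<?php\n")
    with open(os.path.join(root, "uploads", "photo2.jpg"), "wb") as fh:
        fh.write(b"x")
    os.remove(os.path.join(root, "include", "db.php"))
    return first, check_tree(root, baseline_path)


if __name__ == "__main__":
    print(demo())
```

A non-empty report is what the cron job would hand to the mail or SMS step; after an intentional deploy, delete the baseline file so the next run records the new state.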


Re: [CentOS] basic auth fails

2012-06-21 Thread Bob Hoffman
On 6/21/2012 10:03 AM, Tim Dunphy wrote:
 Hello,

   I've setup apache basic auth on by web server to protect my nagios
 site. It's been working just fine, but suddenly it stopped accepting
 passwords even tho they are being typed in correctly. I was wondering
 if I could get some advice on how to troubleshoot this?

   I'm on a centos 5.4 machine



 Linux  2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64
 x86_64 x86_64 GNU/Linux

 Server version: Apache/2.2.21 (Unix)
 Server built:   Nov 14 2011 18:03:07

 I don't see any indication in the logs as to why this may be
 happening, but it's possible I might not be looking for the right
 things.

 Thanks
 Tim



 gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


perhaps wrong password?
password might be set to expire?
did you check your htaccess files...?
do you have any kind of security that blocks anyone after failing a few 
logins? (denyhost?)


Re: [CentOS] reinventing the wheel? page checker

2012-06-21 Thread Bob Hoffman
On 6/21/2012 12:44 PM, Keith Roberts wrote:
 On Thu, 21 Jun 2012, Bob Hoffman wrote:

 To: CentOS@centos.org
 From: Bob Hoffmanb...@bobhoffman.com
 Subject: [CentOS] reinventing the wheel? page checker

 Not sure if there is an app like this yet.
 I want to keep tabs on my web applications and thought of using a 'page
 checker'/
 *snip*

 Anything out there like that?
 http://www.changedetection.com/

 HTH,

 Keith


thanks Keith, I see where you are going with that.
However I am going to be keeping an eye on all my files in the html 
folder, along with those outside of it (ones you keep outside of html
for security), and my htaccessed admin areas and such...

Just gonna build a little script to sms and email me if anything 
changes. When I finally get around to doing it in the project I will 
post what I did and how it worked.



Re: [CentOS] PMA attacks

2012-06-20 Thread Bob Hoffman
On 6/19/2012 2:31 PM, m.r...@5-cent.us wrote:
 But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
 Two questions: first, are other folks seeing this? and second, I can't
 imagine malware this stupid, to keep hitting the same sites over and over
 when it's not found, rather than bad password or user, so I'm wondering if
 this could be a targetting vector for an upcoming serious attack using
 another vector.
Automated scripts will attack just about every port or program on your 
server, even if you do not use it.
They know sometime in the future you may turn that service, port, or 
program on and might not have it set up correctly.
Then bam..they are in.

When I put in a new server with a new IP address I have never used before 
there is a massive amount of attacks that first week or two.
Attacks on everything you could think of. It is like they know a server 
is suddenly open at that ip and go nuts trying to get in.

Here is my logwatch on just one server, just one day, a server that is 
not being used and has a blank html page with no other services on. Stay 
vigilant.


Re: [CentOS] Failing Network card

2012-06-20 Thread Bob Hoffman
On 6/20/2012 11:09 AM, Gregory P. Ennis wrote:
 That's interesting.  Here are the log entries for the previous card as
 well as the eth4 that is currently installed.

 # PCI device 0x10ec:0x8168 (r8169)
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", 
 ATTR{address}=="00:e0:b3:10:f6:81", ATTR{type}=="1", KERNEL=="eth*", 
 NAME="eth3"

 # PCI device 0x10ec:0x8168 (r8169)
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", 
 ATTR{address}=="00:e0:b3:10:fc:6e", ATTR{type}=="1", KERNEL=="eth*", 
 NAME="eth4"
have you deleted all the information from udev of the old card you 
pulled out?
Could be an issue, not sure, if you are using the same slot?
Sometimes you get bad batches though and one failure can mean many more too.

if both cards had the same issue, then I doubt udev or any of that is at 
fault.
Having to unplug power to the machine is odd, but would support a bad 
card idea.

Try instead of pulling plug, rebooting but unplugging network cable 
first, see if that has an effect.

I would just return it and get a different type of card...or try an 
extra one you have lying around.

All I know is with computers it comes down to two things
1) it's broke, return it
2) it's something really silly, usually one misconfiguration or error, 
something simple but overlooked.




[CentOS] how is this possible?

2012-06-20 Thread Bob Hoffman
I got a spam today (from a yahoo server, surprise!) with nothing but a 
single link.

http:// 2927755261/
I separated the http so it would not be a link in your email... suggest 
not going to it without proper measures.
it takes you to a record search site.

When I look up this number block here,
http://www.ip-adress.com/ip_tracer/2927755261
it comes up with a different ip address...
The ip address has no correlation to the numbers I searched for though.


How is it possible to have a url that does not conform to the internet 
standards?
Even ip addresses need 'periods' between each group of numbers
and everything seems to require a period somewhere or the browser will 
get angry.

At first I thought it was some kind of browser hack, but then the 
iptrace pulls up an ip.

so how is this possible?


Re: [CentOS] how is this possible?

2012-06-20 Thread Bob Hoffman
On 6/20/2012 11:21 PM, Bob Hoffman wrote:
 I got a spam today (from a yahoo server, surprise!) with nothing but a
 single link.

 http:// 2927755261/
 I separated the http so it would not be a link in your email... suggest
 not going to it without proper measures.
 it takes you to a record search site.

 When I look up this number block here,
 http://www.ip-adress.com/ip_tracer/2927755261
 it comes up with a different ip address...
 The ip address has no correlation to the numbers I searched for though.


 How is it possible to have a url that does not conform to the internet
 standards?
 Even ip addresses need 'periods' between each group of numbers
 and everything seems to require a period somewhere or the browser will
 get angry.

 At first I thought it was some kind of browser hack, but then the
 iptrace pulls up an ip.

 so how is this possible?


okay, I got it...the browsers all allow the use of IP decimals..
Not sure why they would do that, but I guess it is needed..
Great, another way to hide spammers..
http://www.allredroster.com/iptodec.htm

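The decimal-host trick from this thread, as an added example (not from the original posts): browsers treat a bare integer as an IPv4 address, and the same URL parsing rules also accept hexadecimal and octal components and fewer than four parts, so the example goes a little beyond the decimal case. A mail filter that normalises link hosts this way can apply its IP-based rules to such links instead of missing them. The sample message body is constructed.

```python
"""Recognising integer-form IPv4 hosts in links.

Added example, not code from the original posts.  A browser accepts
http://2927755261/ because its URL parser treats a bare integer as an IPv4
address; that parser also takes hexadecimal (0x...) and octal (leading 0)
components and fewer than four dot-separated parts.  host_to_ipv4() turns any
of those spellings into the canonical dotted quad."""
import ipaddress
import re
from urllib.parse import urlsplit


def parse_part(part):
    """Integer value of one host component: 0x.. hex, leading-0 octal, else
    decimal.  None when the component is not a number at all."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    return None


def host_to_ipv4(host):
    """Canonical dotted-quad string for any numeric IPv4 spelling, or None if
    the host is a real name.  Browser rules: at most four parts, all but the
    last below 256, the last filling the remaining bytes (so 127.1 is
    127.0.0.1 and a single integer is the whole 32-bit value)."""
    parts = host.strip().rstrip(".").split(".")
    if len(parts) > 4:
        return None
    nums = [parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def numeric_hosts_in(text):
    """All http(s) links in a message body whose host is a numeric IPv4
    spelling, as (link, dotted_quad) pairs; name-based links are skipped."""
    found = []
    for link in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlsplit(link).hostname or ""
        ip = host_to_ipv4(host)
        if ip is not None:
            found.append((link, ip))
    return found


# Constructed sample body in the shape of the spam described in the thread
SAMPLE_BODY = """Hi,

http://2927755261/

http://www.example.com/page
"""

if __name__ == "__main__":
    for link, ip in numeric_hosts_in(SAMPLE_BODY):
        print(link, "->", ip)
```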


Re: [CentOS] Fail2ban logrotate [was: Update on spam, postfix, fail2ban, centos 6]

2012-06-18 Thread Bob Hoffman
On 6/18/2012 9:53 AM, Leonard den Ottolander wrote:
 Hello Bob,

 On Sun, 2012-06-17 at 23:41 -0400, Bob Hoffman wrote:
 /etc/fail2ban/jail.conf
 change line 39 to
 backend = gamin

 Without this fail2ban will ignore log rotations by logrotate and stay on
 the old file in your jails.
 Polling doesn't work with python= 2.6. I haven't tested if you will
 actually get a warning when using backend = polling, but there's some
 code in asyncserver.py that disables polling. Using backend = auto will fall
 back to using pyInotify. This backend causes the issue with fail2ban not
 noticing the log files having been rotated. Might be an issue with too
 few events being passed to fail2ban. Couldn't quite work it out yet.

 I have reported the issue:
 https://bugzilla.redhat.com/show_bug.cgi?id=833056

 with more than one jail you can (and will) get chances of errors when
 starting fail2ban. Some people seem to attribute it to centos 6
 having an older version of netfilter. The program goes too fast for
 iptables and chokes setting up the chains.
 This issue is known in Debian's bug tracker which also provides a
 reference to a patch that you might want to check out.

 I have reported the issue:
 https://bugzilla.redhat.com/show_bug.cgi?id=833046

 You have to have debug with at least 'info' to see these errors.
 They are reported as errors, so I think you might be mistaken here. If
 not then there's a bug with the error reporting :p .

 When
 stopping you will get a ton of these errors too, but they seem
 to have no effect on anything.
 Those errors are caused by the chains to be removed not actually being
 there.

 add sleep command into the following
 That won't work with the current version. The code has changed
 significantly. See the patch mentioned in the bugzilla entry above.

 The whole log thing is borked.
 if you try to use fail2ban.log, fail2ban itself will choke on it.
 Haven't run into this one yet. Perhaps you can report that via
 https://bugzilla.redhat.com/ (you can find EPEL under Fedora).

 Regards,
 Leonard.

Leonard,
The debian and redhat issues seem to be worlds apart. I know as I tried 
all the fixes and found debian fixes a dead end.
Gamin is the only polling that allowed fail2ban to work. No other 
polling worked after rotate.
The errors on shutdown are the same as the errors for startup, when not 
using sleep. I get one for each jail it kills in iptables.

the sleep command that I presented does prevent the issue on startup. I 
tried about 10 different ones until that one hit.
It does work with centos 6, so far mine is running well.
However, since the last updates a few weeks ago I have not restarted 
it, so will check on it.

The log file issue is due to all three programs wanting to look in a 
different place for the logfile.
You have to pick one and change all other references.
Why fail2ban dies looking for fail2ban.log, but works fine looking for a 
log file named 'fail2ban' has to be something in their code somewhere.

I don't know if this is any bug I would submit to redhat, it seemed to 
be fail2ban's issue...and each issue I had has been going on for years
according to the huge number of pages I went to...including fail2ban's 
own documents of these various issues.

Now I am afraid to restart it...lol


Re: [CentOS] Fail2ban logrotate [was: Update on spam, postfix, fail2ban, centos 6]

2012-06-17 Thread Bob Hoffman
Here is what I had to do to make fail2ban work with centos 6, fail2ban 
from epel
This is a long letter and no html to make it read better.
It deals with failed jails during start, loss of ban/unban after systems 
logrotates files, errors in jails,
sasl errors, logging file correctly to work with fail2ban and logwatch, 
fail2ban logrotate.


I hope this helps others, it was a real bear and the first program/rpm I 
used that really does not work very well as set up.
(an update was pushed a few weeks back, not sure how this affects 
anything below...mine still works as is.)
Forgive me if I left something out.


first I added these programs to the EPEL repo ( I do not allow any 
except those I use, so I use the following to limit the repo.)

includepkgs= fail2ban shorewall shorewall-core python-inotify gamin-python

Fail2ban has recently been updated on the epel repo and shorewall-core 
is now needed too, this is new.
How the new updates affect any of the below is beyond me, but I doubt 
it changed anything.

1st issue
--
/etc/fail2ban/jail.conf
change line 39 to
backend = gamin

Without this fail2ban will ignore log rotations by logrotate and stay on 
the old file in your jails.
This was needed or it failed. No errors, nothing.
Force log rotate did not make this happen, only the program running each 
morning did it.
I changed mine to a daily rotate of /var/log/secure,vsftpd.log, etc... 
to test this.
Without gamin it failed every time.

(also you need to add this)
line 16 (add your ip (or ip block?) after the 127 ip) Use a space 
between them all.
ignoreip = 127.0.0.1 yourip


2nd issue
---
with more than one jail you can (and will) get chances of errors when 
starting fail2ban. Some people seem to attribute it to centos 6
having an older version of netfilter. The program goes too fast for 
iptables and chokes setting up the chains.
Sometimes they all go on, most times I would lose one to two chains 
during each restart of fail2ban.

You have to have debug with at least 'info' to see these errors. When 
stopping you will get a ton of these errors too, but they seem
to have no effect on anything.

To stop these errors and allow all jails to start properly you have to 
add a sleep line deep in the code.
I have not tested since the update to see if this was overwritten but 
will do that this week.

/usr/bin/fail2ban-client

Find the following code and add the time.sleep(0.1) in there as I have.
You need to press the tab 3 times to indent it, python pays attention to 
white space, it will choke if you do not do this.

add sleep command into the following, (tab three times)
starts at line 142
    def __processCmd(self, cmd, showRet = True):
        beautifier = Beautifier()
        for c in cmd:
            time.sleep(0.1)    # the added line; the file needs "import time" at the top
            beautifier.setInputCmd(c)
            try:

This lets netfilter catch up with the fail2ban client and allows all 
jails to get started properly.
If you only use one jail this would not be needed, but each one after 
that offers a chance of not being turned on.


3rd issue
---
The whole log thing is borked.
if you try to use fail2ban.log, fail2ban itself will choke on it.
If you try to use the repo's set up of using /var/log/messages then 
logwatch will get borked on it.
However, if you set it all to /var/log/fail2ban as the log file, it will 
work.

No matter which way you want it, logwatch, fail2ban, and logrotate all 
point to different files for logging and it is a real mess.

Here is what I did to make it log and allow logrotate to work with it.

/etc/fail2ban/fail2ban.conf
line 25
logtarget = /var/log/fail2ban


/etc/logrotate.d/fail2ban
Below I changed the logtarget and stopped the 'restart' the repo wanted. 
Thus it will keep running day after day.

/var/log/fail2ban {
    missingok
    notifempty
    rotate 7
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client set logtarget /var/log/fail2ban 2>/dev/null || true
    endscript
}

finally for logwatch
/usr/share/logwatch/default.conf/logfiles/fail2ban.conf
LogFile = fail2ban
Archive = fail2ban-*

--
jails I set up...this is gonna be quick with little info, still writing 
notes for the book on this one
I lowered the times in them for this letter, but mine are much higher.
I separated the ports for each for testing and safety. You could make 
all the ports blocked if you wanted to.

The first ssh in the repo is enabled by default I think. Make sure if 
you use these you check all others to make sure they
are not enabled.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22444, protocol=tcp]
logpath  = /var/log/secure
maxretry =  2
bantime  = 3600


[apache-tcp]
enabled  = true
filter = apache-auth
bantime  = 1
action   = iptables[name=ApacheAuth, port=80, protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3
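A check for the start-up problem described under the 2nd issue, written as an added example (not fail2ban's own code): a jail that lost its chain is still listed as running, so the check derives the expected chain name for every enabled jail from its action and compares it with `iptables -S` output. It assumes the naming fail2ban's iptables action uses (iptables[name=X] creates chain fail2ban-X, and the stock action_ default names the chain after the jail); the jail.conf text and iptables output below are constructed samples built from the jails in this post.

```python
"""Verifying that every enabled fail2ban jail got its iptables chain.

Added example, not fail2ban's own code.  When fail2ban-client outruns
netfilter at start-up a jail can end up without its chain while still being
reported as running.  This check derives the expected chain for each enabled
jail (iptables[name=X] -> fail2ban-X; no explicit name -> fail2ban-<jail>,
which is what the stock action_ default yields) and compares it with
`iptables -S` output.  Sample inputs below are constructed."""
import configparser
import re
import subprocess


def jail_chains(jail_conf_text):
    """{jail: expected chain} for every enabled jail in a jail.conf text."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(jail_conf_text)
    chains = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        action = cp.get(jail, "action", fallback="")
        m = re.search(r"name=([^,\]\s]+)", action)
        chains[jail] = "fail2ban-" + (m.group(1) if m else jail)
    return chains


def chain_state(iptables_s_output):
    """(created chains, chains that INPUT jumps to) from `iptables -S` lines."""
    created = set(re.findall(r"^-N (\S+)", iptables_s_output, re.M))
    hooked = set(re.findall(r"^-A INPUT .*-j (\S+)", iptables_s_output, re.M))
    return created, hooked


def broken_jails(jail_conf_text, iptables_s_output):
    """Jails whose chain is missing or not reachable from INPUT -> reason."""
    created, hooked = chain_state(iptables_s_output)
    problems = {}
    for jail, chain in jail_chains(jail_conf_text).items():
        if chain not in created:
            problems[jail] = "chain %s was never created" % chain
        elif chain not in hooked:
            problems[jail] = "chain %s is not jumped to from INPUT" % chain
    return problems


def live_check(jail_conf="/etc/fail2ban/jail.conf"):
    """Run the check on the local host (needs root for iptables -S).
    A jail.local override file is not merged here; read it too if you use one."""
    with open(jail_conf) as fh:
        conf = fh.read()
    rules = subprocess.check_output(["iptables", "-S"], universal_newlines=True)
    return broken_jails(conf, rules)


# Constructed sample: the two jails from the post plus a disabled one;
# the apache jail has lost its chain.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
backend = gamin

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22444, protocol=tcp]
logpath  = /var/log/secure
maxretry = 2
bantime  = 3600

[apache-tcp]
enabled  = true
filter   = apache-auth
action   = iptables[name=ApacheAuth, port=80, protocol=tcp]
logpath  = /var/log/httpd/error_log
maxretry = 3

[vsftpd-iptables]
enabled  = false
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
"""

SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22444 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
"""

if __name__ == "__main__":
    print(broken_jails(SAMPLE_JAIL_CONF, SAMPLE_IPTABLES_S))
```

Running live_check() from cron right after a fail2ban restart turns a silent missing chain into a visible report.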


Re: [CentOS] Update on spam, postfix, fail2ban, centos 6

2012-06-16 Thread Bob Hoffman
On 6/15/2012 8:44 PM, Dave Stevens wrote:
 Quoting Bob Hoffmanb...@bobhoffman.com:

 I have been using centos 6 in a virtualized system for a few months now.
 Took a while to batten down the hatches with postfix, rbls, and to use
 fail2ban correctly.
 Thanks for this,Bob. I'm having trouble making fail2ban work in my
 Centos 5.8 box. Would you be willing to share your fail2ban setup?
 Jails.conf would be most welcome.

 Dave




I will try to post some notes tomorrow, but I think I posted a how to 
last month or so on this list.

1- you must use gamin as the setting or the log rotations will make 
fail2ban fail
2- you must add a sleep command in the config files in 
usr/share/fail2ban or using more than one jail can cause a failure of
1 or more jails when starting up..(too fast for netfilter version that 
comes with centos 6)

I do not have my notes with me now, but without those two things it will 
not work...period...at least not correctly.
If you search google you can find the sleep command...but there are like 
7 different ways people did it for different
linux distros and versions of fail2ban.

the jails are not so bad...

I will post what I figured out tomorrow after work..

It is a very trying program. It is a neat idea though.


[CentOS] Update on spam, postfix, fail2ban, centos 6

2012-06-15 Thread Bob Hoffman
I have been using centos 6 in a virtualized system for a few months now.
Took a while to batten down the hatches with postfix, rbls, and to use 
fail2ban correctly.
The mailserver for my website(s) is located on the http server as 
well..an 'all in one' server.
DNS servers are separated.

My two sites, and their emails addresses (1 for each) have been around 
for 10 and 15 years respectively.
One site was a business site, one was news and politics...both were very 
busy at one point, thus 'on the radar'
of hackers and spammers.

I decided to see what I could do with my system to prevent hacks and 
spams in regards to email and brute force attacks
on all systems except for my web apps (which are down right now and in 
development).

Fail2ban is really good at the brute force, assuming it is just one ip 
and not all attempts are at once. Thus it works on script kiddies
but I do not think it would work well on a dedicated hack attempt by a 
serious individual or group.

But I am using fail2ban to auto ban ips regarding spam.

As far as spam, very little gets through now. A few a day. Between 
blacklists, my own blacklist of commercial spammers, stringent
settings of postfix the actual spam that gets through is small. But it 
still gets through.

I was using fail2ban on attempts that numbered 3 or more that ended in 
5xx replies from my server. I would block for 10 minutes.
I found I was blocking about 800 ips a day on one server, half that on 
the other.
I did notice that there were a ton of attempts that were under 3. Lots 
of 2's and a ton of 1's.

So a couple weeks ago (not sure when I started) I decided to try 
blocking any 5xx reply by IP.
This is a private server and just my own mail comes to it, so I am not 
worried too much about false positives or other effects.


So what happened?

The ips jumped up considerably, to 1,500 to 1,700 a day banned on one 
server, about 1000 on the other.
What is interesting in those numbers is they are constant. Every week 
day I can count on about 1500 banned ips on one, 1000 on
the other, give or take.

What really changed was the mail servers sending mail that got through 
the restrictions, but were sending to non existent addresses.
A majority (like 80%) were from yahoo. This was a sudden change. It was 
not like this before.
Yahoo spammed like crazy. And they got the mailserver ip banned.

10 to 20 emails a day from yahoo mail servers, going to non existent 
emails. Where before it would be one or two.
The yahoo mails got bigger every day until they started waning (probably 
due to ip banning).

The mail that actually got through all of this was 50% free mail (yahoo, 
msn/live, some aol, etc) Yahoo being the biggest.

Another thing I noticed. When I started adding domains to my 'blacklist 
of commercial senders', legitimate or not, I started to get yahoo
mails with references inside the mails to many of the illegitimate sites 
that were coming from the UCE's I had blocked.

It is quite interesting to watch this process. More interesting that no 
matter how strict or lax I make the system there will be the same
number of attempted mails sent to my server. (give or take a few hundred).

If I unban all the ips, which I did once, there was a one day bump up, 
then it leveled off to the same amount of individual attempts
(not counting the same attempt being tried again).

I have 35,000 ips blocked right now and nothing changed...except yahoo spam.

Spamassassin I use, but only for level 10 or more spam...it is deleted. 
I found all of these over the last few months to be the kind
with attachments, probably viruses.

-
What Have I learned?

I have learned a large number of attempts are from ISPs and not websites.

I have learned that ISPs will not do anything at all, ever, about this. 
(someone trying to send 1 million mails a day might be suspicious,
but they ignore it)

I have learned a large majority of 'hosts' are technically challenged 
small business owners who have no sys admin knowledge.
Those hosts spew spam bots

I have learned the Chinese have really taken a liking to play with my 
server, possibly for training purposes. My server is a hit in Beijing
and some other province I cannot spell.

--
What can be done?

Not much. If the ISPs do nothing, and the technology is not available 
to datacenters and hosts, there is not much I can do at all.
Complaining to an ISP or host would take 24 hours a day of messages, 99% 
of which would be ignored.

There is a consideration for the scumbags that call themselves 
legitimate mailers, like vocus.com. They are in the US, as I am.
I am considering going to small claims for some of these spam attempts. 
I cannot use the can-spam act, since they are technically
not in violation.

However, I could use the logs and attempts, copies of emails and phone 

Re: [CentOS] 75% - 80% Rebuild Complete

2012-06-08 Thread Bob Hoffman
On 6/8/2012 1:13 AM, Nataraj wrote:
 On 06/07/2012 03:48 PM, Les Mikesell wrote:

 And if the server is colocated, but you have remote console access, you
 can leave a recovery CD in the drive, but set the boot order to boot the
 hard drive and then remotely change the boot order if you have problems.

 Nataraj


out of curiosity, how do you prevent centos from ejecting the dvd when 
it is done installing?


[CentOS] some security measures I would like to share

2012-06-07 Thread Bob Hoffman
I apologize for the html, but it is a copy from a web post I did.
I wanted to share this with list members and hope it helps others.
I tried not to be redundant and add things I have not seen posted before.
Always interested in constructive thoughts, better ideas, etc.
**


  *Security thoughts for server admins/webmasters*


I would like to add some security measures I like to use. These are not 
listed on security sites and I feel it is time someone posted this stuff.

This concerns programs/items used by webmasters/server admins on a very 
irregular basis. (not very often).

This list assumes you have an IPMI card with its own eth port or an 
onboard IPMI interface, both having video access.
Or accessing the shell of a virtual host to access virtual servers 
located on it. (if no IPMI)

Quote:
*PHPMYADMIN* - This is a wonderful tool for use by web programmers. Most 
security with this program lists just two protections.
a)Use htaccess to password protect, force SSL
b)Alias the folder from /phpmyadmin to something like /examp

This is where security measures, aside from keeping updated, seem to 
end. This is bad. There is more you can do to protect that access to 
your database.

PhpMyAdmin is a program you will use at times, but 99% of the time you 
will never touch it at all. So why would you leave it open to hackers 
all the time?
Simply disable the 'alias' in httpd to prevent it from being accessed.
For example in CentOS 6 the file /etc/httpd/conf.d/phpmyadmin.conf 
contains this directory information. (or something like it.)

I have added 'Deny from All' and commented out 'Allow from All' and 
restarted httpd. (the allowoverride is allowing htaccess protection for 
the folder). You could comment out everything except the allowoverride 
and deny from all...

Quote:
<Directory /usr/share/phpMyAdmin/>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
    #Allow from All
    AllowOverride All
</Directory>

Once httpd is restarted no one can access the phpmyadmin folder if it is 
not in the html folder. (in centos 6 the program is usually located in 
/usr/share/phpmyadmin).

This prevents the hacking of your phpmyadmin program.
If you think about it, outside of a small fix or initial programming you 
will almost never use the program.

So why do you leave it open to everyone 24 hours a day?


Quote:
*IPMI*
IPMI is great but if you are a webmaster you are probably leaving this 
open to the internet.

If you are local to the datacenter, or the datacenter is really cool, 
you can remove the eth cable from the ipmi port. And ask them to plug it 
in when there is an issue.

This only works if you have a separate ipmi card with its own eth port. 
(and helps if you tag the cable and port for the center)

I think most of us seldom, if ever, use our IPMI during the course of a 
year once the system is set up.

This prevents root access, IPMI card getting hacked, and still allows 
emergency access with a quick visit or a phone call


*IPMI, Virtual Host, Virtual Machines*

Quote:
*Your Virtual Host server*
I seldom ever need to go into my virtual host. It is set up correctly 
and I get my logwatches every day. I have no ports open up on it.

If I never use it, why would I leave a shell port open 24 hours a day? 
If I have an IPMI card I can log in and open that port. Then I can do 
what I need to do.

Safest, if IPMI is available (with video) is to comment out/disable the 
ssh port. On a virtual host you most likely use a physical bridge. This 
means nothing is touching the host. Great Security tip.


Quote:
*Virtual Machines- DNS*
Are your DNS servers virtual machines on a server (or on a dedicated 
with an IPMI card in it)? I bet you never access shell except to make 
that very rare dns change. And if you use rndc you never use shell.
If you have IPMI with video disable ssh port. Enable it via IPMI on 
those very rare instances you need to access it.
Logwatch can still send out.
Only port 53 should be open 24 hours a day (and if rndc that port 
too...and 5353 if you are doing that.)

There is no reason to leave this system open to the net at all. Enable 
shell when you need it and then disable when done.
You do not need to open port 25 (or any port) to send emails out of the 
system.

So why do you leave port 22 (or other shell port) on 24 hours a day if 
you never ever use it?

Quote:
*MYSQL servers*
Again, if on a virtual host or even its own dedicated disable port 22 
(ssh port) and only enable via IPMI on those rare times you need to use it.

Quote:
*Your website/webserver*
The same issue remains. Outside of the times you are using shell OR 
FTP...these ports should be disabled. Enable using IPMI.

This simple act prevents a lot of hack attempts, log filling, and gives 
massive peace of mind.

Yes, you use shell and ftp... but not that much. Think about it.
You might use ftp and shell a lot, but you are leaving those ports open 

Re: [CentOS] some security measures I would like to share

2012-06-07 Thread Bob Hoffman
On 6/7/2012 7:42 PM, Bob Hoffman wrote:
 *On a final note*

 If you are building a web application you should use a mysql user that
 is only allowed to update and select...
 With proper programming you can set up items to be deleted via a cron
 job using a mysql user that has a bit more access.

 This prevents a hacker from actually deleting or altering any
 data... and easily rolled back.

 This is how I program and I think it should be standard. As far as I
 know not one single program does this...and that is a shame.
Sorry, I meant select and insert only.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] noexec tmp directory

2012-06-06 Thread Bob Hoffman
Hello,

I am fixing up  a system for someone and they did not make a separate 
partition for /tmp...but I want to make it noexec, nosuid.

I came across a site that said I could skip all the mount/unmount and 
new partition stuff (which would probably include downsizing a lvm to 
make room for it)... by adding this in fstab

/tmp  /tmp  bind  nosuid,noexec,bind  0  0

and then reboot...
There is no /tmp in their fstab at the moment and I am afraid to test 
this
Is this a correct workaround to mount that folder as noexec?
OR was this site wrong?




Re: [CentOS] problems installing parted tool

2012-06-01 Thread Bob Hoffman
On 6/1/2012 4:34 AM, Jane Wayne wrote:
 i have downloaded the CentOS distribution that comes with Xen Cloud
 Platform (XCP) at http://www.xen.org/download/xcp/index.html. i am
 trying to install the parted utility.

 yum install parted

 however, i get the following message.

 Loaded plugins: fastestmirror
 Loading mirror speeds from cached hostfile
 Setting up Install Process
 No package parted available.
 Nothing to do

 any ideas on what's going on?

 i have the following files:

 /etc/yum.repos.d/CentOS-Base.repo
 /etc/yum.repos.d/CentOS-Media.repo
 /etc/yum.repos.d/Citrix.repo

 the CentOS-Base.repo has the following.

 [base]
 name=CentOS-$releasever - Base
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=os
 #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 exclude=kernel-xen*, *xen*
 enabled=0

 #released updates
 [updates]
 name=CentOS-$releasever - Updates
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=updates
 #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 exclude=kernel-xen*, *xen*
 enabled=0

 #packages used/produced in the build but not released
 [addons]
 name=CentOS-$releasever - Addons
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=addons
 #baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 enabled=0

 #additional packages that may be useful
 [extras]
 name=CentOS-$releasever - Extras
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=extras
 #baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 enabled=0

 #additional packages that extend functionality of existing packages
 [centosplus]
 name=CentOS-$releasever - Plus
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=centosplus
 #baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
 gpgcheck=1
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

 #contrib - packages by Centos Users
 [contrib]
 name=CentOS-$releasever - Contrib
 mirrorlist=http://mirrorlist.centos.org/?release=$releaseverarch=$basearchrepo=contrib
 #baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
 gpgcheck=1
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

 the CentOS-Media.repo has the following.

 [c5-media]
 name=CentOS-$releasever - Media
 baseurl=file:///media/CentOS/
  file:///media/cdrom/
  file:///media/cdrecorder/
 gpgcheck=1
 enabled=0
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

 the Citrix.repo has the following.

 [citrix]
 name=XCP 1.4.90 updates
 mirrorlist=http://updates.vmd.citrix.com/XCP/1.4.90/domain0/mirrorlist
 #baseurl=http://updates.vmd.citrix.com/XCP/1.4.90/domain0/
 gpgcheck=1
 gpgkey=http://updates.vmd.citrix.com/XCP/RPM-GPG-KEY-1.4.90
 enabled=0


When I do a search on the centos base repos this is what I get.

[root@main ~]# yum search parted
Loaded plugins: downloadonly, fastestmirror, security
Loading mirror speeds from cached hostfile
epel/metalink|  12 kB 00:00
  * base: ftp.linux.ncsu.edu
  * epel: mirror.hiwaay.net
  * extras: mirror.cs.vt.edu
  * rpmforge: mirror.us.leaseweb.net
  * updates: centos.digitalcompass.net
base | 3.7 kB 00:00
extras   | 3.5 kB 00:00
rpmforge | 1.9 kB 00:00
updates  | 3.5 kB 00:00

========================= N/S Matched: parted =========================
pyparted.x86_64 : Python module for GNU parted
parted.i686 : The GNU disk partition manipulation program
parted.x86_64 : The GNU disk partition manipulation program
parted-devel.i686 : Files for developing apps which will manipulate disk
   : partitions
parted-devel.x86_64 : Files for developing apps which will manipulate disk
 : partitions

   Name and summary matches only, use search all for everything.
[root@main ~]#





[CentOS] question for those who run mail servers

2012-05-31 Thread Bob Hoffman
Not technically a centos question, but a lot of you guys seem to manage 
some large systems
and I could use some clarification on a postfix setting.

reject_unknown_client_hostname
(in postfix < 2.3 reject_unknown_client)

When I first used this there were issues with users trying to send mail 
through the server
from hotels, wireless spots, etc. This was solved by pushing up permit 
sasl_authenticated.

I took it out after those issues. I read many online posts from 2008 
saying too many
false positives. (though none were clear if those were incoming mail or 
from mail users)

Do you use reject_unknown_client_hostname?

Other than someone trying to access the server to send mail through it 
as a user I do
not see how this could be a bad setting and am thinking of using it.
A person sending out a mail to the server, even if in that badly set up 
hotel wireless
should be using their gmail, yahoo, own server, isp mail servers and 
should not
be directly sending from their iPhone... is that correct?

or do you ignore the use of this setting still?

-thanks for any updates on the use of this setting.


Re: [CentOS] question for those who run mail servers

2012-05-31 Thread Bob Hoffman
On 5/31/2012 9:59 AM, Ned Slider wrote:
 On 31/05/12 14:09, Bob Hoffman wrote:
 Not technically a centos question, but a lot of you guys seem to manage
 some large systems
 and I could use some clarification on a postfix setting.

 reject_unknown_client_hostname
 (in postfix < 2.3 reject_unknown_client)

 When I first used this there were issues with users trying to send mail
 through the server
 from hotels, wireless spots, etc. This was solved by pushing up permit
 sasl_authenticated.

 I took it out after those issues. I read many online posts from 2008
 saying too many
 false positives. (though none were clear if those were incoming mail or
 from mail users)

 Do you use reject_unknown_client_hostname?

 I don't use it because as you already say the false positive rate is too
 high. This is caused largely by incorrectly configured entries in dns.

 For example, suppose a client connects from a given IP address.

 Postfix will do a rDNS lookup on that IP address to get the client
 hostname. If that lookup fails then the mail will get temp rejected.

 Then Postfix will do a DNS lookup on the client hostname it just
 retrieved. If that lookup fails then the mail will get temp rejected.

 The above two conditions result in temp rejections in case of temporary
 dns lookup failures which provides a bit of a safety net allowing 5 days
 (by default) for folks to notice (and fix) issues in their logs. From my
 experience I'd say most people do not bother reading their logs on a
 daily basis, at best only when they are made aware of a problem.

 Finally, Postfix will check that the DNS lookup on the client hostname
 matches the client IP that is connecting to the server. If it doesn't
 match then the message will be permanently rejected. This is where FPs
 will result as far too many people do not understand how to correctly
 configure their server in DNS.

 To summarise, you are looking for IP -> hostname -> IP to match.


 Mail admins typically take two lines of approach on this:

 1. I can't afford the potential FPs from idiots who don't know how to
 configure their mail servers.

 2. I have no sympathy for idiots who don't know how to configure their
 mail servers and to hell with the FPs, - I'm going to teach them a
 lesson and reject their mail.

 It's your mail server and you are free to configure it as you see fit.
 Decide which of the two camps above best describes your view and act
 accordingly.

I am not too concerned about a mail server on some website not being set 
up right,
the notice they get would be fine with me.
I am just concerned someone sending from an iphone using someone's 
poorly setup
wireless would be affected

I am gonna test it out and see what happens. Should be thrilling experience.
And man, once you figure out how to use DNS correctly, it seems so simple
to make it work right.

on a side note, I tested apews.org as a rbl and rhsbl and it worked fine...
until.
it blocked amazon.com receipts, dominos online orders, and my sisters 
mail from earthlink..
lol


Re: [CentOS] question for those who run mail servers

2012-05-31 Thread Bob Hoffman
On 5/31/2012 10:20 AM, m.r...@5-cent.us wrote:
 I guarantee that those folks with too-smart-for-their-own-good phones
 will send directly from them. Having never looked at a header from an
 email sent via iPhone, I don't know - don't they have a legit mailserver
 as their gateway?
yea, that is what I think.
I feel this setting, once you permit authenticated users, should only be 
dealing with badly
setup dns for an internet based mail server and not someone's home 
computer or iphone.
at least, I think so.
Most of the issues I find on the net appear from pre-2009 era.
Gonna add it to end of smtpd restrictions and see if anything comes of it.
crossing fingers.


Re: [CentOS] Request for CentOS stats

2012-05-30 Thread Bob Hoffman
On 5/30/2012 3:35 PM, Karanbir Singh wrote:
 Hi,

 On 05/30/2012 08:26 PM, Max Pyziur wrote:
 Greetings,

 Are there any summary CentOS numbers available?
 yes

 The number of subscribers to this email list, and the number of server
 installs?
 There are at least 8 subscribers to this list, and I know of at least 4
 servers that run CentOS.

 beyond that - feel free to pull a number out of thin air - its just
 about as likely to be accurate as the numbers above.

 - KB

lol


Re: [CentOS] Request for CentOS stats

2012-05-30 Thread Bob Hoffman
On 5/30/2012 5:50 PM, Hakan Koseoglu wrote:
 I trust the administrators of the centos.org mailing lists not to give
 out any information on my subscription(s) to anyone, even including a
 count of it.
Actually, I would really like them to clean up our email addresses from 
the archives.
Those pages are copied throughout the net and a lot of sites change the 
'me at mysite' to m...@mysite.com
and it does add to issues and such.
Never liked the mailman, majordomo, etc cause they all seem to love to 
do that...post emails on the web.


Re: [CentOS] Request for CentOS stats

2012-05-30 Thread Bob Hoffman
On 5/30/2012 6:49 PM, Nataraj wrote:
 On 05/30/2012 03:36 PM, Bob Hoffman wrote:
 On 5/30/2012 5:50 PM, Hakan Koseoglu wrote:
 I trust the administrators of the centos.org mailing lists not to give
 out any information on my subscription(s) to anyone, even including a
 count of it.
 Actually, I would really like them to clean up our email addresses from
 the archives.
 Those pages are copied throughout the net and a lot of sites change the
 'me at mysite' to m...@mysite.com
 and it does add to issues and such.
 Never liked the mailman, majordomo, etc cause they all seem to love to
 do that...post emails on the web.
 Very easy solution, create a unique email address to subscribe to the
 list, then add:

 whitelist  envelope-to = unique-email-address
 client-hostname='regex:.*\.centos\.org'
 blacklist envelope-to = unique-email-address

 Of course you need to be running something on your mailserver to let you
 whitelist/blacklist on these different fields and then process whitelist
 and blacklist requests in the order specified.

 Using this method you get 0. spam messages from being subscribed to
 the list.  As you've pointed out though,  other list members can't
 easily send you private email.

 Nataraj



lol..true, except I have a few years of the old address up there..
too late. :)


Re: [CentOS] NTP and virtual guests

2012-05-28 Thread Bob Hoffman
On 5/28/2012 9:59 AM, James B. Byrne wrote:
 On Mon, May 28, 2012 08:50, Reindl Harald wrote:

 Am 28.05.2012 14:41, schrieb James B. Byrne:
 when power returned all of the restored guests were immediately
 shutdown by ntp because the time differential between the
 restored systems and that of the ntpd sync servers exceeded
 the panic threshold.
 how can ntpd shutdown a guest?
 I have no idea.  Perhaps I misunderstood what the ntpd man page
 referred to as a panic.

 If it is not ntpd then I still need to discover some way of ensuring
 that all the KVM guests that were active at the time of a power
 failure automatically come back on line when the KVM host system
 starts up.  I cannot find any reference to how this is done.

 Are there any recommended solutions?  These systems are on UPS already
 but the power failure duration exceeded the endurance of the UPS.

I know when ntp changes the time drastically (like ntpdate) my vsftpd 
just commits suicide and dies..
I imagine something like that is going on with the lvm software either 
on the host or the kvm?

I would suggest turning off ntp before long time shut downs...and (ugh) 
manually going through the host and all vms upon turn on and ntpdate 
them, then turn ntp on, then
reboot to make it all come back on?

perhaps a script that turns off ntp, runs ntpdate on host, then on each 
kvm upon reboot?
this sounds rather scary.


Re: [CentOS] Apache error

2012-05-22 Thread Bob Hoffman
On 5/22/2012 3:49 AM, Luigi Rosa wrote:
   (38)Function not implemented
https://www.google.com/search?q=+%2838%29Function+not+implemented+apache


Re: [CentOS] Apache error

2012-05-22 Thread Bob Hoffman
On 5/22/2012 3:49 AM, Luigi Rosa wrote:
 I have a VMware virtual machine with CentOS 6 32bit updated to the latest 
 patches

 Yesterday Apache started to give this error:


 [Tue May 22 09:46:07 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:08 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)
 [Tue May 22 09:46:09 2012] [error] (38)Function not implemented:
 apr_socket_accept: (client socket)


 Any suggestion about this?



 Ciao,
 luigi

my guess is this is a non base package apache install or you changed 
something in the settings.
you updated the kernel a few days ago and now an issue with file locking.
that is what I got from the threads I read...
I don't know about your set up though.

keep plugging away, whatever it is should be simple to fix once you find it.


Re: [CentOS] mysql secure installation and multi mysqld

2012-05-17 Thread Bob Hoffman
On 5/17/2012 5:30 AM, Leon Jacobs wrote:
 On Thu, May 17, 2012 at 5:44 AM, Bob Hoffman <b...@bobhoffman.com>  wrote:
 is it possible to make each one of those instances a replicate/slave of
 a different master
 (thus a backup mysql server in a way?)
 I just recently finished playing with this. I ended up bringing up a
 dedicated VM for this backup mysql server. I then created 2 new init
 scripts (based off the mysqld one) and modified both to point to their
 respective my.cnf's (with auto startup via chkconfig etc etc). Both
 have separate data directories, run off 2 separate ports (and socket
 files) - which are fire walled anyways as I have no requirement for
 this to be open on the slaves and replicate 2 separate masters :)

 L.

Okay, so it looks doable.
My plan is to add the instances inside of the my.cnf and then use 
mysqld_multi to run them as slaves
to separate website masters...



[CentOS] mysql secure installation and multi mysqld

2012-05-16 Thread Bob Hoffman
If you adjust the my.cnf file to make separate instances of mysql.

How would you go through the mysql secure installation? Is is possible 
or must it all be done manually
for each one?

is it possible to make each one of those instances a replicate/slave of 
a different master
(thus a backup mysql server in a way?)

working on this now, but having issues getting it to work.
(centos 6)


Re: [CentOS] webmin and DNS configuration on CentOS 6.2

2012-05-10 Thread Bob Hoffman
On 5/10/2012 4:57 AM, John Doe wrote:
 From: Boris Epstein <borepst...@gmail.com>

 I have two seemingly identical (in this regard, at least) machines - both
 of them are running CentOS 6.2 with bind (bind-chroot) installed. I used
 webmin to edit the DNS configuration. On one of them it seems to work
 fine, on the other I get messages akin to the following:
 Failed to create master zone : Failed to replace
 /var/named/chroot/etc/named.conf with
 /var/named/chroot/etc/named.conf.webmintmp.13214 : Device or resource busy
 http://www.virtualmin.com/node/19608
  From that page: The best fix for now would be to
 stop using the chroot completely, as it has few real security benefits
 in my opinion.

 JD



What I got out of it is virtualmin is trying to play with chrooted files 
in the chrooted location instead of understanding
that bind-chroot kinda dynamically or symbolically puts them there (or 
whatever it does).
It should be changing them in /var/named and then restarting...
Sounds like that is all you can do if you want to use virtualmin

not an expert, so take all this with salt...
All my files are chrooted when it is running, but no files actually 
reside in the chroot folder.


[CentOS] Spam, fail2ban and centos

2012-05-09 Thread Bob Hoffman
Been working on my anti-spam centos mailserver for a while now and 
thought I would share fail2ban's help.

I installed fail2ban a few weeks back. It was tough to get it working 
properly but pretty much working now.
Although it works fine for brute force, I thought I would run it pretty 
tough against spammers.

I started with a regular mail server, my old one, that is horrendously 
pounded daily by spammers and has been for years.
I installed centos 6 and used postfix to replace my 5.x and sendmail system.

As I added some smtpd restrictions I noticed an immediate drop in spam 
getting through...til the next day when spam
from new sources arrived.
Then I would add more smtpd restrictions and the same thing happened.

I get the feeling that they go for low hanging fruit and when they see 
that stop, they go a step higher.
Eventually ran out of smtpd restrictions and still a lot getting through.
I used spamassassin to tag mails, but not delete..I wanted to find out 
who it was and stop them, not delete them.

Then I started adding rbl rejects.
That too had the same effect..a day with little spam, then next day a 
whole new set would hit me.
Then I added a ton of rbls like spamhaus, etc... Even apews.

That really stopped what was getting through and my mail logs went from 
30 MB a day to 5MB
(this was for a one email address server, one that is seldom used at all).
5MB of rejects, rarely would one ever get through.

I wanted to limit those log sizes, so with fail2ban I decided to start 
banning any ip that made more than 2 attempts
to send mail of they were rejected by a rbl, bad helo, or non existent 
recipient. Bascially all the rejects that my
smtpd restrictions were using.

First day, much less attacks, went to less than 1MB log files.
Then starting the second day and every day there after the attacks started..

Each day 1 or two IPs now send a concurrent blast to the site, just a 
connect but not trying to send anything..then that IP
goes for sasl auth, but never sends a user/pass... then it sends an 
encrypted pass...then it is finally taken out by fail2ban.

Also, the attacks of bad addresses have now greatly increased. I am now 
banning 1,000 IPs a day with fail2ban (I have it set for a 5 day ban to 
test it)but each day 1,000 new ones go after it.

I have logs going back 4 years (logwatch) and can definitely see that 
these newer ips were not used before.

I think I made them mad... lol

Working on adding some kind of regex to fail2ban to look for concurrent 
attacks.

I find it rather interesting, after analyzing my spam, how it seems to 
fall into about 10 or 12 different formats and that is about it...

I found it very interesting that as I really started rejecting that 
places like ovh.net suddenly cropped up pounding me.
Vocus, constant contact, etc...really started going in overdrive once I 
had it set up.

I am starting to see a real pattern to all this.

I would love to see someone do a case study on spam attacks. Their 
system seems well honed to scale up with your defenses until they 
finally have to 'appear' on their real computers like the ovh.net 
servers, and many more hosts,
and through legitimate (ha ha) spammers like vocus, constant contact, etc.

Here is the logwatch from today for fail2ban and postfix if you want to 
see how much I get each day
http://www.politicalgateway.com/postfix.txt
http://www.politicalgateway.com/fail2ban.txt

this is for a one email address mailserver, that never had other 
addresses used. It was a somewhat popular site
for candidates for a few years, but has been closed down for about 3 years.

Usually not one email gets through for days, spam that is.
And those reports are after about 4 days of long term ip bans.

My log file size is now about 1MB, down from 5MB thanks to fail2ban.

Quite an experience.
Going to work on consolidating all those banned ips and see if I can 
find a 'iptables drop' solution for most of them.


Fail2ban really helps out in the number of times these bozos try to send 
a mail. Instead of 100 times, they get 2 off then banned.
That has really helped the server out.

Can't sue anyone for the can-spam act, but places like vocus.com and the 
like... thinking of suing them
for harassment and DDoS attacks...maybe then they will stop sending me 
their legitimate spam.






Re: [CentOS] webmin and DNS configuration on CentOS 6.2

2012-05-09 Thread Bob Hoffman
On 5/9/2012 4:38 PM, Boris Epstein wrote:
 Hello listmates,

 I have two seemingly identical (in this regard, at least) machines - both
 of them are running CentOS 6.2 with bind (bind-chroot) installed. I used
 webmin to edit the DNS configuration. On one of them it seems to work
 fine, on the other I get messages akin to the following:

 Failed to create master zone : Failed to replace
 /var/named/chroot/etc/named.conf with
 /var/named/chroot/etc/named.conf.webmintmp.13214 : Device or resource busy

  From what I can tell, the file
 /var/named/chroot/etc/named.conf.webmintmp.13214 never even gets created to
 begin with.

 Has anyone experienced that? Does anyone know what the issue is?

 Thanks.

 Boris.


I don't know anything about webmin, but I know in 6.x the zone files go 
in /var/named...
and then when you reload named, they are chrooted...but you should let 
named do that.
I might hazard to guess webmin is trying to put it where it should not go?


Re: [CentOS] hack / spam/ probe /attack

2012-05-04 Thread Bob Hoffman
On 5/4/2012 12:27 PM, Asymmetrics Webmaster wrote:
 You were lucky you got a response. I didn't and I was getting persistent
 spam for years. Till I started looking deeper. The company behind was
 internap. I think still it is. I went around and published the information I
 had including the MTAs. It then stopped.
 http://www.spamhaus.org/sbl/listings/internap.com



well, the mail to abuse was just a 'don't call us, we'll probably not 
call you, thanks for the info'
Guess it is not worth wasting the time if the isps won't furnish info 
without a court order..bs. but understandable.

On a lighter note, my spam set up is getting better and it is 
interesting to see how they move it around and upgrade
their attacks as you upgrade your spam system.


Re: [CentOS] hack / spam/ probe /attack

2012-05-03 Thread Bob Hoffman
On 5/3/2012 4:05 PM, m.r...@5-cent.us wrote:
 whois only lists a technical contact ofhostmas...@telepacific.com.
 However, from their website, I went to contact
 http://www.telepacific.com/support/corporate-contacts.asp, and see
 snip
 877-487-8349  Emergency Law Enforcement
 Option 2. Fraud and subpoena compliance
 866-839-8545  Non-Emergency Toll Fraud, Call Annoyance, Subpoena
 Compliance and non-emergency law enforcement
 877-702-2873  Internet Abuse Complaints
 snip
Thanks for the ideas guys.
I got home late and could only send a mail to abuse. Gonna try the calls 
tomorrow.
It would be nice to know the way all these isps would like this stuff 
presented...
And if I can get this yahoos name and address.

bob


Re: [CentOS] DKIM Pass - Fail

2012-05-02 Thread Bob Hoffman
On 5/2/2012 7:51 AM, Prabhpal S. Mavi wrote:
 Hello Mike,

 that actually worked!! i configured ntpd & ntpdate & restarted the server.
 But when i restarted the server, dovecot failed to start on boot (it is
 virtual machine). with this error.

 dovecot: dovecot: Fatal: Time just moved backwards by 537 seconds. This
 might cause a lot of problems, so I'll just kill myself now.

 immediately then, i tried to send one email from command line, here are
 the results. WORKED !!

 mta1001.mail.gq1.yahoo.com from=example.net; domainkeys=neutral (no sig);
 from=digital-infotech.net; dkim=pass (ok)

 i am sure i can deal with dovecot problem.


When you use ntpdate and move the time by a large amount I found some 
programs did not like that, dovecot being one of them. All you have to 
do is start/restart it and it will be fine. Best make sure nothing else 
failed in your logs or just reboot after such a large time fix.


Re: [CentOS] editing bind (DNS) configuration under CentOS 6

2012-05-02 Thread Bob Hoffman
On 5/2/2012 4:17 PM, Karanbir Singh wrote:
 Hi,

 On 05/02/2012 05:58 PM, James B. Byrne wrote:
 and then you have 2 problems, one of which is a security hole.
 I've mostly just gone to using nsupdate  from the cli for all zone
 For those of us not blessed with either the depth of experience or the
 sure, if you are new to Linux on the whole and need a point and click
 basics interface to a bunch of things webmin might be a suiteable option
 - but no matter how you swing it, Linux admin done right, is going to
 need you to graduate from that point-click-livewiththelimitations
 mentality and make an effort to learn a few things. The earlier one gets
 into that, the better overall experience you are likely to have.

 security issue respecting access to Webmin is handled simply and
 efficiently in three steps:
 ( you then listed 3 ways to limit access, and you are wrong by a wide
 margin )

 the most important vuln in webmin is how it's designed, perl interfaces
 running as root with exclusive rights to anything on the machine, easily
 fiddled with on the machine itself. Perhaps 90% of all hacked centos
 machines running webmin, that I've looked at, were exploited locally.

 Also, your email client looks to be broken, it's not setting headers
 needed for mailing lists threading

 - KB

Oh snap


[CentOS] down to the nitty gritty, mysql replication

2012-05-02 Thread Bob Hoffman
Almost done with my centos handbook project on my server.
Last two things are related, backups.
Looking for anyone who feels like chiming in on mysql backups...this is 
what I am thinking at this point.


Mysql backup system for all websites

Each website is on a separate server, each running mysql, no site is 
related to the others.
A server will be built (VM) that will host mysql.

I believe the way to do this is as follows...

1- make a separate instance of mysql on the backup server equal to the 
number of websites I am going to backup
2- set up each website's mysql to be a Master
3- set up each instance of mysql on the backup to be a slave to its 
website Master
4- run them all at the same time, replication from master to slave
5- on the backup / slave mysql instances run logs, back up by day, dump 
daily

I believe, not sure, this will work. Not sure if a better way.
The replication allows for a full and almost up to the second copy 
should a corruption happen on the Master.
The daily log files and dumps on the backup server allow for rebuild due 
to hacker attack.
The backup server handling the dumps prevents any issue with the website 
mysql and the web application.

From there, amanda will grab those backup logs and dumps to add to each 
site's file backups.


And that is the logic of what I think I can do with this. Trying to back 
up multiple websites files, logs, and mysql.
Amanda will do all but the mysql.

sound right?

This is the last big step before I start writing the chapters out for 
the book. Hope to get it done within a month or two after the backup 
system is done.

any thoughts appreciated.


[CentOS] fail2ban logrotate failure

2012-04-27 Thread Bob Hoffman
I got the fail2ban from epel.
There were a number of issues relating to using a log file...
logwatch was looking for both fail2ban and fail2ban.log
logrotate file fail2ban added looked for fail2ban.log and then reset 
itself to syslog
fail2ban itself went to syslog, overriding its fail2ban.log.

took a while, but I use /var/log/fail2ban now, that finally worked 
through logrotates and logwatch.

Problem with centos variant of fail2ban:

logrotate causes all 'ban' actions to stop happening. I am pretty sure 
it stops reading the logs but still functions.
Unban actions still keep showing up in the log, but the 'ban' actions 
just stop. Program is running, but no longer working.

Long searches online show a million others with the same issue. Only way 
to prevent it seems to be to add a reload or restart in the syslog file. 
This is undesired due to losing all banned ips listed.

It happens as part of the logrotate. The logrotate file I have changed a 
few times and recently tried this
 postrotate
   /usr/bin/fail2ban-client set logtarget /var/log/fail2ban 1>/dev/null || true
 endscript

setting the logtarget, which the original called for changing it to 
syslog, and 2>/dev/null || true


so what would you do? I imagine when logrotate happens and syslog 
restarts something is causing fail2ban to stop working properly, but 
still timing 'unbans'.

This is apparently a bug/problem for almost everyone on all distros. 
Other than just uninstalling, the only way to make it work would be a 
restart around 4 every morning, making any long term bans useless.

My last thought is to just throw the /var/log/fail2ban to be rotated by 
syslog like maillog and the others..and not doing anything special. 
Maybe it would just work.

I write here because I know there are hundreds of you and someone must 
have figured out how to make fail2ban work for more than 24 hours 
without a restart.


Re: [CentOS] fail2ban logrotate failure

2012-04-27 Thread Bob Hoffman
On 4/27/2012 8:41 AM, Maxim Shpakov wrote:
 https://github.com/fail2ban/fail2ban/issues/44


I played with the gamin, but will give it one more try with just adding 
the log file to the logrotate.d/syslog file instead of its own...and 
then wait til tomorrow for the full logrotate (since I cannot force a 
real logrotate even with 'force'..lol)

the other issue was the failures at restart..got the restart 
failures to stop in the code, but the stop ones still pop up, but seem 
to not be an issue.

thanks for pointing at this, will try it and see.


[CentOS] iptables drop on virtual host

2012-04-27 Thread Bob Hoffman
Does this work?

adding DROP to iptables on the virtual host's iptables, before the phys 
bridge... will it prevent those ips from getting to the bridged part of 
iptables? Or would a different syntax be used?


-A INPUT -s 66.77.65.128/26 -j DROP
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



Re: [CentOS] Centos 6 - Create raid 1 + LVM during gui install

2012-04-27 Thread Bob Hoffman
On 4/27/2012 10:35 AM, aurfalien wrote:
 Hi all,

 Does any one know of a how to for creating raid 1 + LVMs during install for 
 Centos 6?

 Do I create the physical LVM first and then raid or vise versa?

 Its seems diff then doing it for Centos 5.

 - aurf


The way I did it was one drive at a time.


I did two, one for boot, the second was the OS

boot-
add a raid partition, did it for each drive, then make a raid device and 
select both drives, /boot for mount point

OS-
added a raid partition for each drive, then when you make the raid 
device select physical volume as the file system type and both raid 
partitions you made for the OS.

then you hit create again and select volume group, select the raid 
device you want to play with.
you add mount points, these are your logical volumes...
/swap
/
/var
etc etc etc

you cannot clone like you did in centos 5, so you must make the raid 
devices on each drive... a lot of deselecting and repetition

to add a slave, you need to go through the motions, then edit your 
physical volume raid device... it will then allow you to make one a 
spare... until then the spare selection is greyed out...

hope this helps.


Re: [CentOS] Help with software raid + LVM on Centos 6

2012-04-27 Thread Bob Hoffman
On 4/27/2012 10:52 AM, aurfalien wrote:
 Hi all,

 Please excuse the many posts.

 Wondering if any one can help me with the the setup.

 I have 2x2TBdisks.
 I would like to mirror them.
 I would like to create two LVMs so that I can snap shot from one to the other.

 During Centos 6 install, how would I go about this as its confusing?

 So far I am here;

 1) Created the following raid devices;
 md0 500MB (use it for /boot)
 md1 4000MB (use it for swap)
 md2 All remaining space (use it for /)

 2) Created two physical LVMs, one on md0, the other on md1.

 3) ?
 This is were I am confused, do I create two LVM volume groups?

 I was thinking that my primary LVM can be ~1TB and that my other LVM which I 
 snapshot to can also be ~1TB.

 Anyways, I am very green on this topic as I usually do hardware raids but I 
 don't have that option.

 Thanks in advance,
 - aurf

md0, your boot, cannot be a physical volume... so don't add things to it...
md1 and md2 can be merged, make instead md1 with all remaining space.
create a raid partition on each drive with 'remaining space' (making 
sure both are the same size)
then create a physical volume raid device and select each drive that has 
the big raid partition

then select create volume group...
add /swap and '/' as mount points; these will be volume groups. 
there is a drop down when adding a mount point that determines file 
type, one is 'swap'

you only need one group..

the physical volume holds the logical group, which holds the logical 
volumes.


Re: [CentOS] iptables drop on virtual host

2012-04-27 Thread Bob Hoffman
On 4/27/2012 9:36 AM, Bob Hoffman wrote:
 Does this work?

 adding DROP to iptables on the virtual host's iptables, before the phys
 bridge... will it prevent those ips from getting to the bridged part of
 iptables? Or would a different syntax be used?


 -A INPUT -s 66.77.65.128/26 -j DROP
 -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT



would something like this work

-A PREROUTING -s 66.77.65.128/26 -j DROP


or would my server die upon testing it...lol


Re: [CentOS] iptables drop on virtual host

2012-04-27 Thread Bob Hoffman
On 4/27/2012 5:05 PM, Bob Hoffman wrote:
 dropping IPs by host machine, protecting the vms.
 would something like this work

 -A PREROUTING -s 66.77.65.128/26 -j DROP


 or would my server die upon testing it...lol

okay, after about 400 attempts and some hour or so of reading, I find 
that red hat auto disables the ability to use the host iptables rules to 
protect the virtual machines.

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

not sure which would be turned on, bottom two or just the middle

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

There is a lot of talk about making this change but no real talk of any 
security or performance issue.
I imagine with multiple bridges this could be an issue, but my machine is just 
a host with one bridge going to
all the VMs...

but is it safe to change this? It seems like until rhel 6 it was set on by 
default.

anyone got a clue on dangers or issues of this?




Re: [CentOS] Does SMTP Connection Drop When Posfix Reload is Issued ?

2012-04-25 Thread Bob Hoffman
On 4/25/2012 7:42 AM, Prabhpal S. Mavi wrote:
 i work with ISP, we host email service for almost 500+ companies and 200+
 mail servers relay through my smart host.

 i implemented something that when our smart host would become blacklisted.
 It will automatic switch to next available smart host (which is ready
 sitting). that mean it will start relaying message through another smart
 host automatically.
Well, as someone who has been really fighting spam lately I can say that 
that system will definitely work out quite well and most bulk spammers 
use something like that.

with that many companies and mail servers, I have no idea how you can 
police them...wow


Re: [CentOS] Does SMTP Connection Drop When Posfix Reload is Issued ?

2012-04-25 Thread Bob Hoffman

On 4/25/2012 12:00 PM, m.r...@5-cent.us wrote:
 John Doe wrote:

   automatically.
 Why not find out why you get blacklisted instead of trying to bypass it?
 You seem to imply that it is something that will happen and often...
 It happens. It's certainly happened to me. When you're a hosting co (like
 the host I use), and have tens or hundreds of thousands of clients with
 many domains, and some are businesses or organizations that legitimately
 send out mass emailings, you're trying to catch the idiot whose machine
 got infected, it was uploaded to their hosted site, and voila, spam going
 out of your domain. *AND* the blacklisters *insist* on blocking the
 *entire* address range assigned to the hosting co, rather than the source
 IP.


I am just now getting into blacklisting by ips, but I would never do it 
that way.
The only time I have added a host to the blacklist is when it is the 
host's actual mail servers spamming me.
I had to do that with only a few so far (like ovh).

For individuals like you speak of, I would only add their domain, not an 
ip range.

the only ones I have added ipranges for are bulk list spammers like 
constant contact and vocus and the like.

blacklisting ip blocks is fraught with danger, but in the case of an 
individual mail server for a individual person, not so bad.

I think it would be impossible to police clients as a host...I cannot 
see how you could do it. My main reason for never entertaining the idea 
of running a host company.. Give you credit for trying though.


Re: [CentOS] Not Quite Minimal CentOS 6.2

2012-04-24 Thread Bob Hoffman
On 4/24/2012 7:22 PM, listmail wrote:
 I am working on configuring a not-quite minimal installation of CentOS 6.2. I
 tried doing the minimal installation available with the installer, but it's
 a bit too minimal to be useful. So I'm cutting down from a less minimal
 starting place. I'm pretty familiar with 5.x, but what I'm finding in 6.2 is a
 lot of new stuff, and a lot of odd behavior. For example, cups is starting at
 boot time, despite being disabled by chkconfig. And I'm finding things like
 qpidd, matahari, messagebus, and portreserve that really don't belong in a
 minimal setup.

 To clarify, I'm shooting for a simple config, like one would use for a
 dedicated DNS server.

 Can anyone point me to an up-to-date list of daemon processes that indicates
 what they do and whether they can be safely disabled? Also, any ideas as to
 what would be launching cups would be appreciated.
I did a 'basic server' for my dns and then did this for cleaning up...

yum install yum-cron logwatch bind bind-chroot

remove packages

yum remove samba-winbind-clients qpid-cpp-client matahari* cups

the two clients will get rid of a lot.

chkconfig atd off
chkconfig autofs off
chkconfig kdump off
chkconfig netfs off
chkconfig nfslock off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig rpcbind off

I left the rest on but that pretty much did it for me.. here is my 
chkconfig list, off and on



/root$ chkconfig --list |grep 3:on
abrt-ccpp       0:off  1:off  2:off  3:on   4:off  5:on   6:off
abrt-oops       0:off  1:off  2:off  3:on   4:off  5:on   6:off
abrtd           0:off  1:off  2:off  3:on   4:off  5:on   6:off
acpid           0:off  1:off  2:on   3:on   4:on   5:on   6:off
auditd          0:off  1:off  2:on   3:on   4:on   5:on   6:off
cpuspeed        0:off  1:on   2:on   3:on   4:on   5:on   6:off
crond           0:off  1:off  2:on   3:on   4:on   5:on   6:off
haldaemon       0:off  1:off  2:off  3:on   4:on   5:on   6:off
ip6tables       0:off  1:off  2:on   3:on   4:on   5:on   6:off
iptables        0:off  1:off  2:on   3:on   4:on   5:on   6:off
irqbalance      0:off  1:off  2:off  3:on   4:on   5:on   6:off
lvm2-monitor    0:off  1:on   2:on   3:on   4:on   5:on   6:off
mcelogd         0:off  1:off  2:off  3:on   4:off  5:on   6:off
mdmonitor       0:off  1:off  2:on   3:on   4:on   5:on   6:off
messagebus      0:off  1:off  2:on   3:on   4:on   5:on   6:off
named           0:off  1:off  2:on   3:on   4:on   5:on   6:off
network         0:off  1:off  2:on   3:on   4:on   5:on   6:off
ntpd            0:off  1:off  2:on   3:on   4:on   5:on   6:off
portreserve     0:off  1:off  2:on   3:on   4:on   5:on   6:off
postfix         0:off  1:off  2:on   3:on   4:on   5:on   6:off
rsyslog         0:off  1:off  2:on   3:on   4:on   5:on   6:off
sshd            0:off  1:off  2:on   3:on   4:on   5:on   6:off
sysstat         0:off  1:on   2:on   3:on   4:on   5:on   6:off
udev-post       0:off  1:on   2:on   3:on   4:on   5:on   6:off
yum-cron        0:off  1:off  2:on   3:on   4:on   5:on   6:off


/root$ chkconfig --list |grep 3:off
atd             0:off  1:off  2:off  3:off  4:off  5:off  6:off
autofs          0:off  1:off  2:off  3:off  4:off  5:off  6:off
certmonger      0:off  1:off  2:off  3:off  4:off  5:off  6:off
cgconfig        0:off  1:off  2:off  3:off  4:off  5:off  6:off
cgred           0:off  1:off  2:off  3:off  4:off  5:off  6:off
kdump           0:off  1:off  2:off  3:off  4:off  5:off  6:off
netconsole      0:off  1:off  2:off  3:off  4:off  5:off  6:off
netfs           0:off  1:off  2:off  3:off  4:off  5:off  6:off
nfs             0:off  1:off  2:off  3:off  4:off  5:off  6:off
nfslock         0:off  1:off  2:off  3:off  4:off  5:off  6:off
ntpdate         0:off  1:off  2:off  3:off  4:off  5:off  6:off
oddjobd         0:off  1:off  2:off  3:off  4:off  5:off  6:off
psacct          0:off  1:off  2:off  3:off  4:off  5:off  6:off
quota_nld       0:off  1:off  2:off  3:off  4:off  5:off  6:off
rdisc           0:off  1:off  2:off  3:off  4:off  5:off  6:off
restorecond     0:off  1:off  2:off  3:off  4:off  5:off  6:off
rngd            0:off  1:off  2:off  3:off  4:off  5:off  6:off
rpcbind         0:off  1:off  2:off  3:off  4:off  5:off  6:off
rpcgssd         0:off  1:off  2:off  3:off  4:off  5:off  6:off
rpcidmapd       0:off  1:off  2:off  3:off  4:off  5:off  6:off
rpcsvcgssd      0:off

[CentOS] fail2ban attempt, anyone want to add anything?

2012-04-20 Thread Bob Hoffman
Tonight I added fail2ban to one of my webservers to test it out.
Here is my step by step, as best as I could figure it 
out...documentation a bit sketchy.

feel free to add anything to it or suggest changes.

I tried to set it up to deal with ssh, http authentication, dovecot, 
ftp, and postfix


I could find no working example for centos 6 and there is no fail2ban 
book available to peruse.
So, just winging it



I used the EPEL repo and it needed the following packages to work correctly
I do not use priorities, but I add things by using includepkgs= in the 
repo file.
fail2ban shorewall python-inotify gamin-python

(logging)
although fail2ban adds a logrotate file for fail2ban.log, it logs 
everything to the /var/log/messages file
so I changed
/etc/fail2ban/fail2ban.conf
line 25 logtarget = /var/log/fail2ban.log
Perhaps overlooked by the rpm developer?


/etc/fail2ban/jail.conf

In all sections I commented out the mailto section since it just sends a 
ton of mails when start/stopped...yikes.
Not sure if there is a setting only for errors or actions...but the 
start/stop mails are too annoying. Will use logwatch
daily to check on it.

line 16, added a space then my server ip address 123.123.123.123 
(example ip address, not real)
ignoreip = 127.0.0.1 123.456.789.123


SSH section
line 48 enabled=true
line 50, changed to my port number
commented out the mailto section


sasl section
(for postfix)
line 68 enabled=true
backend = polling (I left this but have no idea if I should or not)
line 71, rewrote it to:
action   = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
this blocks all mail ports when someone tries and fails
at least I think it does?  :)

Apache
(this was tough since many online sources say it will not work, but 
will test and see)
[apache-tcpwrapper]
enabled  = true
filter = apache-auth
action   = iptables-multiport[name=ApacheAuth, port="80,443", protocol=tcp]
logpath  = /var/log/httpd/*error_log
maxretry = 4
Several docs suggest tcpwrapper and centos are a no go, and that this 
will not work...trying it anyway
All the http stuff is not set up for centos, its default is to look for 
/var/log/apache so this was not set
up at all by the rpm dev...at least not the working examples in the 
jail.conf file.


added this to the bottom (and a new file must be created to work with it)
[Dovecot]
enabled  = true
filter   = dovecot
maxretry = 5
action   = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
logpath  = /var/log/maillog
(again, I added all mail ports in case of a hacker)


New file added
/etc/fail2ban/filter.d/
  new file dovecot.conf

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


service fail2ban start
chkconfig fail2ban on
service iptables restart (not sure if you have to or not with each 
fail2ban restart)


Re: [CentOS] fail2ban attempt, anyone want to add anything?

2012-04-20 Thread Bob Hoffman
On 4/20/2012 2:02 AM, Bob Hoffman wrote:

 /etc.fail2ban/jail.conf

 commented out the mailto section



 port=25,465,993,995, protocol=tcp]

 action   = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]


 service fail2ban start
 chkconfig fail2ban on
 service iptables restart (not sure if you have to or not with each
 fail2ban restart)

if I could add something, definitely put ports, if numbers, in 
quotes...without quotes I got some errors in the logs
port=ftp, no quotes.port= quotes

and I added one for vsftp, I use port 5000

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=5000, protocol=tcp]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800


Re: [CentOS] fail2ban attempt, anyone want to add anything?

2012-04-20 Thread Bob Hoffman
On 4/20/2012 2:24 AM, Bob Hoffman wrote:
 if I could add something, definitely put ports, if numbers, in
 quotes...without quotes I got some errors in the logs
 port=ftp, no quotes.port= quotes

 and I added one for vsftp, I use port 5000

 [vsftpd-iptables]
 enabled  = true
 filter   = vsftpd
 action   = iptables[name=VSFTPD, port=5000, protocol=tcp]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800


my final add on this tonight..

due to the older versions of 'whatever' centos uses, there will be 
errors on startup of fail2ban regarding multiport
jails.
To avoid these errors it was suggested to add a sleep mechanism to the 
start up commands in the proper file.

/etc/fail2ban/action.d/iptables-multiport.conf

added a sleep line sleep `perl -e 'print rand(3);'` to line 14 and 
dropped everything down one line to make room for it

actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>




Re: [CentOS] fail2ban attempt, anyone want to add anything?

2012-04-20 Thread Bob Hoffman
On 4/20/2012 9:25 AM, Tilman Schmidt wrote:
 Am 20.04.2012 08:02, schrieb Bob Hoffman:
 action   = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]
 I prefer action = iptables-allports on all of these, so that a
 source address attempting a bruteforce attack on one service is
 immediately banned from all services. I can't imagine a scenario
 where a machine that got blocked, for example, for attempting to
 bruteforce passwords via SMTP AUTH, should be allowed to try via
 FTP next. Even password attempts against ssh, which accepts only
 public key authentication on all my machines, trigger a block on
 all ports. So far I haven't had a single complaint about that.
 service fail2ban start
 chkconfig fail2ban on
 service iptables restart (not sure if you have to or not with each
 fail2ban restart)

 I don't think you have to. I never do, and it works fine anyway.
Will try the 'all ports' for sure, that was what I wanted.
Logwatch, as it comes with centos, does not have any scripts at all for 
fail2ban, mine were pretty devoid of anything
I added the 7.4 stuff and am playing with it now.
I have seen no logging yet of any attempts nor do I know any way of 
seeing if it works.
will post final solution if I ever see it working.




Re: [CentOS] fail2ban attempt, anyone want to add anything?

2012-04-20 Thread Bob Hoffman
On 4/20/2012 9:25 AM, Tilman Schmidt wrote:
 I prefer action = iptables-allports on all of these, so that a source 
 address attempting a bruteforce attack on one service is immediately 
 banned from all services. I can't imagine a scenario where a machine 
 that got blocked, for example, for attempting to bruteforce passwords 
 via SMTP AUTH, should be allowed to try via FTP next. Even password 
 attempts against ssh, which accepts only public key authentication on 
 all my machines, trigger a block on all ports. So far I haven't had a 
 single complaint about that 
there was no information about 'allports' on any official fail2ban docs...
as to the one time it would be an issue is when you try to test it out 
from your home IP and ban yourself from your entire server
:)

oops, well, at least it is working for ssh...
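The dovecot jail from the setup post earlier in this thread and the self-ban point in this reply, run through as an added example (my code, not fail2ban's and not from the original posts). It expands fail2ban's <HOST> tag to the named group fail2ban substitutes for it, runs the thread's failregex over constructed maillog lines, and applies maxretry, findtime, bantime and ignoreip the way the jail would. Assumptions: findtime 600 s is fail2ban's default and is not stated in the thread; 192.0.2.10 stands in for the admin's home IP; every log line is invented.

```python
r"""Added example: simulate the dovecot jail from the fail2ban setup post.

Not fail2ban's code. The failregex is the one posted in the thread, with the
<HOST> tag expanded to (?P<host>\S*) as fail2ban does at load time. The log
lines are constructed samples; findtime=600 is fail2ban's default (assumed,
not stated in the thread); 192.0.2.10 stands in for the admin's home IP.
"""
import ipaddress
import re
from collections import defaultdict

FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Jail settings from the thread; findtime is fail2ban's default (assumption).
JAIL = {"maxretry": 5, "findtime": 600, "bantime": 1800,
        "ignoreip": ["127.0.0.1", "192.0.2.10"]}


def _line(service, message, host):
    """Build one constructed dovecot syslog line (not real traffic)."""
    return (f"Apr 20 01:00:00 web1 dovecot: {service}: {message}: "
            f"user=<bob>, method=PLAIN, rip={host}, lip=198.51.100.2")


# (seconds offset, log line). All constructed.
SAMPLE_LOG = (
    # six failures in 50 s from one host: banned on the fifth
    [(t, _line("imap-login", "Disconnected (auth failed, 1 attempts)",
               "203.0.113.5")) for t in range(0, 60, 10)]
    # five failures from the admin's home IP: matched, but never banned
    + [(t, _line("pop3-login", "Authentication failure", "192.0.2.10"))
       for t in range(0, 50, 10)]
    # five failures spread over 1000 s: never five inside one findtime
    + [(t, _line("imap-login", "Aborted login (auth failed, 3 attempts)",
                 "198.51.100.7")) for t in (0, 100, 200, 900, 1000)]
    # a successful login and a disconnect without an auth attempt: no match
    + [(5, _line("imap-login", "Login", "198.51.100.9")),
       (6, "Apr 20 01:00:06 web1 dovecot: imap-login: Disconnected "
           "(no auth attempts): rip=198.51.100.11, lip=198.51.100.2")]
)


def parse_failures(log):
    """Return [(ts, host)] for every line the failregex matches."""
    hits = []
    for ts, text in log:
        m = FAILREGEX.search(text)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def is_ignored(host, ignoreip):
    """ignoreip entries may be single addresses or CIDR blocks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip)


def ban_decisions(failures, jail):
    """Sliding window: maxretry hits within findtime bans the host for
    bantime; hits during an active ban are skipped, as fail2ban does."""
    window = defaultdict(list)
    banned_until = {}
    bans = []
    for ts, host in sorted(failures):
        if is_ignored(host, jail["ignoreip"]):
            continue                      # checked before counting: no self-ban
        if ts < banned_until.get(host, -1):
            continue
        recent = [t for t in window[host] if ts - t <= jail["findtime"]]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= jail["maxretry"]:
            bans.append((ts, host))
            banned_until[host] = ts + jail["bantime"]
            window[host] = []
    return bans


def run_jail(log=SAMPLE_LOG, jail=JAIL):
    return ban_decisions(parse_failures(log), jail)


if __name__ == "__main__":
    for ts, host in run_jail():
        print(f"t={ts}s ban {host} for {JAIL['bantime']}s")
```

Run it and the only ban is 203.0.113.5 at t=40 s: the home IP produces five matches but never a ban, because ignoreip is tested before the counter, which is why testing an allports jail from home is safe once your own address is in ignoreip and not otherwise. Against a real log, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf` does the same regex check and reports how many lines matched.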


Re: [CentOS] A request from the CentOS Project

2012-04-20 Thread Bob Hoffman
On 4/20/2012 11:12 AM, Tilman Schmidt wrote:
 Am 20.04.2012 16:02, schrieb m.r...@5-cent.us:

  mark why, yes, I *do* remember Kantor  Siegal, and the aftermath 
 to them
 Don't get me started. Ah, the good old pre-spam days!
I was not working for a computer company, but I finally got online in 93 
through various things like prodigy, aol, compuserv, etc.
I do remember a fateful day when I was in aol, back when it was $4 an 
hour and there was a chat room called 'spam'
I thought it was rather odd that a group of people would be discussing 
an old monty python skit and jumped in.
After a few minutes it was obvious they were not talking about monty python.

even then, they were there figuring out how to spam spam spam.

not all of us were lucky enough to be working mainframes in the 80s for 
the usenet dang it.


Re: [CentOS] A request from the CentOS Project

2012-04-19 Thread Bob Hoffman
On 4/19/2012 5:40 AM, Karanbir Singh wrote:
 Hi Larry,

 On 04/19/2012 01:28 AM, Larry Martell wrote:
 The CentOS Project seems to be having a problem within some of our
 community interactive areas that we need to address.
 ...
 I think this classic from 1996 (author unknown) needs to be resurrected.
 I dont quite get the point of that post, or maybe I do and prefer not
 to. So to be clear, is that rant your way of justifying offensive and
 elitist behaviour on the various communication avenues in the project ?



 - KB
well,
I for one never thought this thread would be full of drama.
I think we all should thank you for your work KB.
Without it I would have to use ubuntu (ugh) and hate life.

I think his post about the internet was a tongue in cheek quote about 
how rough
and realistic responses can be on the net.

We should all find ways to be tolerant.
We should all realize that others have bad days and just say things, due 
to this being a mailing list, that
cannot be taken back.
We should all realize the way we wrote something can come across with a 
different feeling
or meaning that can be misconstrued as anger, resentment or abuse... but 
not intended to be.

but dang it, this list is too quiet..!!


Re: [CentOS] rhel/centos alternative to logwatch?

2012-04-13 Thread Bob Hoffman
On 4/13/2012 2:23 PM, Karl Vogel wrote:
 On Thu, 12 Apr 2012 12:13:14 +0200,
 Tilman Schmidtt.schm...@phoenixsoftware.de  said:
 T  The most frequent reason for a lot of unmatched entries showing up is
 T  that the corresponding logwatch script is out of date wrt the program
 T  whose log is being watched. Program maintainers tend to change the
 T  wording of messages on a whim, and the logwatch scripts need to be
 T  updated to keep up with them. So yes, there is a constant need to update
 T  logwatch, specifically its scripts.

 I found the checksyslog setup easier to understand and modify.
 http://www.hcst.net/~vogelke/src/logfiles/ has some examples.

I was trying to stay with the base centos repo and only grab a few 
programs off of other repos (like phpmyadmin).

Unfortunately, I think it is better, now that I have played with them, 
to skip the repos and go straight to the source for some things.
phpmyadmin rpm from the source company works 'correctly' over the epel 
rpm, especially the log in feature... and has 4 fewer programs needed to run.
Logwatch has a new version that is obviously not going to be available 
and I will probably skip to the source company for that much newer 
version too.

as part of the tutorial I was stressing the importance of staying with 
the rhel/centos repo builds so you get the backports and proper 
updates/upgrades...but in these two cases (and a few other addons) I am 
rethinking that.

the new postfix logwatch alone is worth upgrading for...lol. I actually 
added it as an overwrite in the /etc/logwatch folders for now.


Re: [CentOS] rhel/centos alternative to logwatch?

2012-04-13 Thread Bob Hoffman
On 4/13/2012 5:57 PM, Markus Falb wrote:
 On 13.4.2012 23:39, Bob Hoffman wrote:

 I was trying to stay with the base centos repo and only grab a few
 programs off of other repos (like phpmyadmin).

 Unfortunately, I think it is better, now that I have played with them,
 to skip the repos and go straight to the source for some thing.
 phpmyadmin rpm from the source company works 'correctly' over the epel
 epel has phpMyAdmin3-3.4.9-1.el5 and there is phpMyAdmin3-3.5.0-1.el5 in
 testing.
 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5554/phpMyAdmin3-3.5.0-1.el5

 rpm, especially the log in feature...and has 4 less programs needed to run.
 I don't understand what you talking about.


epel is 3.4.9
http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/phpMyAdmin.html
http://dl.fedoraproject.org/pub/epel/6/x86_64/phpMyAdmin-3.4.9-1.el6.noarch.rpm

epel rpm required 3 programs to be installed, the download from 
phpmyadmin does not require them... libmcrypt, mcrypt, php-gettext

the epel version has some weird htaccess lookalike pop up to log in and 
the download from the site uses the very nice normal log in screen of 
phpmyadmin... so this way I do not get double htaccess prompts, one for 
my protected directory and one for logging in.

the website has 3.5 up.

so when I looked at it all, I feel the website download is easy to 
install and update and works fine as a php program. Felt it might be 
okay to leave the repos behind on that one.
That phpgettext (I assume it is that) causing that pop up is rather 
annoying too.

it's really easy to deploy either way. great program.




Re: [CentOS] help from community

2012-04-12 Thread Bob Hoffman
On 4/12/2012 8:51 AM, Markus Falb wrote:
 On 12.4.2012 14:16, Prabhpal S. Mavi wrote:
 ...
 i know these commands but if you will carefully look into logs, you will
 notice that my server is sending mail not receiving. therefor it has
 nothing to do with their PTR weather it is correct or in correct. that is
 according to the logic.
 ...

 If the receiving server is doing callback than the logic is reversed, so
 no, at that point your server turns into the receiver.
 please read my *whole* message again, not only the part with the
 commands. Have a look at the links I provided.

Markus is spot on.
My mail server does reverse lookups to see if the mail server is real or 
not...in your case it would reject it since the mail server sending it 
does not equal what the look up says.

these rejects are used to prevent spammers. And they also teach us how 
to set up mail servers correctly. Learning curve, but it is for the best.
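The reverse-lookup check Bob describes above, as an added example (not code from the list or from Postfix) using a constructed stub resolver in place of real PTR and A queries; the mapping of verdicts onto the two Postfix restriction names is my reading of their documented behaviour, not Postfix's own code.

```python
import ipaddress
from typing import Dict, List

# Constructed DNS data standing in for real PTR and A lookups. Names and
# addresses are made up (192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges); a real MTA would query the resolver instead of these tables.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],   # PTR and A agree
    "192.0.2.20": ["mail.example.org"],   # PTR exists but A points elsewhere
    "192.0.2.40": ["ghost.example.com"],  # PTR names a host with no A record
    # 192.0.2.30 deliberately has no PTR at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],
}


def reverse_lookup(ip: str) -> List[str]:
    """Stub for a PTR query."""
    return PTR_RECORDS.get(ip, [])


def forward_lookup(name: str) -> List[str]:
    """Stub for an A query."""
    return A_RECORDS.get(name.lower(), [])


def fcrdns_check(client_ip: str) -> dict:
    """Forward-confirmed reverse DNS for a connecting SMTP client.

    IP -> PTR name -> A record; the A record must contain the client IP.
    "strict_only" marks failures that the lenient policy below tolerates.
    """
    ipaddress.ip_address(client_ip)  # reject malformed input early
    names = reverse_lookup(client_ip)
    if not names:
        return {"ok": False, "reason": "no PTR record", "strict_only": False}
    for name in names:
        if client_ip in forward_lookup(name):
            return {"ok": True, "reason": "forward-confirmed", "name": name}
    return {"ok": False,
            "reason": "PTR name does not resolve back to client address",
            "strict_only": True}


def restriction_decision(client_ip: str, strict: bool) -> str:
    """'permit' or 'reject'.

    strict=True behaves like Postfix reject_unknown_client_hostname (reject
    when no PTR, no A for the PTR name, or no A matching the IP);
    strict=False like reject_unknown_reverse_client_hostname (reject only
    when there is no PTR at all). Mapping is this example's assumption.
    """
    verdict = fcrdns_check(client_ip)
    if verdict["ok"]:
        return "permit"
    if verdict["strict_only"] and not strict:
        return "permit"  # lenient policy only cares that a PTR exists
    return "reject"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        v = fcrdns_check(ip)
        print(f"{ip:12} strict={restriction_decision(ip, True):6} "
              f"lenient={restriction_decision(ip, False):6} {v['reason']}")
```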


Re: [CentOS] centos 6.2 md0 boot - no boot actually

2012-04-11 Thread Bob Hoffman
On 4/11/2012 6:46 PM, aurfalien wrote:
 Hi all,

 Taken from this link;

 https://www.centos.org/modules/newbb/print.php?form=1&topic_id=34988&forum=55&order=ASC&start=0

 Seems like I am having the same issue.

 I assigned my boot loader to be on /dev/md0 rather than the default of 
 /dev/sda1

 Does any one have insight to this?

 Thanks in advance.


 BTW, I have no swap partition and will do a swap file instead, easier to 
 manage.  Do I need swap to boot?

 - aurf

Hey Aurf,
Not sure, but this google cache of a 5.x set up might explain and help 
you out.
If your problem is taking a drive out and the other not booting you may 
not have allowed the initial sync of the drives to complete...something 
I would heartily suggest
https://webcache.googleusercontent.com/search?oe=utf-8rls=org.mozilla%3Aen-US%3Aofficialclient=firefox-agbv=1sei=yRCGT_7MCqLi0QH6r9DWBwhl=enq=cache:5QBSeA1JCZsJ:http://www.bobhoffman.com/test.html?a=17+bobhoffman.com+cat+/proc/mdstatct=clnk

that page shows how a raid 1 mirror was set up with 2 drives and one 
spare. It goes over taking one out, adding a new one, etc...and even 
making sure that grub is working on both drives.

not sure exactly which issue out of all those in that link you posted 
you are having though.




[CentOS] rhel/centos alternative to logwatch?

2012-04-07 Thread Bob Hoffman
Logwatch file shows last upgrade to the code was 2007.
The unmatched entries are killing me in the reports.
I figure there must be a newer utility centos has in the repo but I 
cannot find one.

Is logwatch the only one that is included?

thanks


Re: [CentOS] rhel/centos alternative to logwatch?

2012-04-07 Thread Bob Hoffman
On 4/7/2012 7:49 PM, Joseph L. Casale wrote:
 Have you tried editing the files in

 /usr/share/logwatch/default.conf/services/

 or

 /usr/share/logwatch/default.conf/ignore.conf

 ?
 Obviously not:) And I hope not either...
 Facilities are provided just for this in /etc/logwatch.

 The location you refer to will get over written on an update...


Yes, this is my concern.
I have been putting together extensive step by step notes and how tos 
for everything I am doing. I hope soon to be able to put this in an easy 
to use format or book so others starting from scratch do not take weeks 
or months to do it..or worse, leave hacker openings.

In this regard, the logwatch unmatched are a little much (the imap 
disconnect, some rbl_client stuff). I thought of going through some 
walkthrough in changing it, but that seems a bit overboard to help a new 
person out...but still on the board.

I just assumed there was something newer out there. 2007 was the last 
release notes for the version installed on centos. There is a newer 
version out there, but that would be off of the base repo and not sure 
if I want to go that route in the how-to.

I think it is important to write all this stuff out for others like me. 
I literally spent a month trying to bond and bridge my single server 
into virtual machines. Something was causing a timeout/arp something or 
another and one VM would always disappear.
A whole month. hours a day.
Then I found out that there is a LONG standing bug in rhel and fedora 
that specifically deals with two internal eths bonded together going to 
a bridge in the same computer, with libvirtd. :(

so, a month wasted. Yikes. Having that little bit of knowledge in a 
how-to manual could save someone the trials and pain I went through. 
(although, on the plus side, I REALLY know a lot about bridge and bonds 
inside the server now..lol)

I will take a look and try to see if it will be easy to change the 
postfix and dovecot. More than likely I will just tell them what it is 
and 'good luck' at figuring it out..lol

So, thanks for the input. I will stick with logwatch and give it a go.

bob


Re: [CentOS] rhel/centos alternative to logwatch?

2012-04-07 Thread Bob Hoffman
On 4/7/2012 9:37 PM, Joseph L. Casale wrote:
 I will take a look and try to see if it will be easy to change the
 postfix and dovecot. More than likely I will just tell them what it is
 and 'good luck' at figuring it out..lol
 Only ignore what you encounter and deduce to be not important.
 That's the premise on which this works, known bad _or_ unknown
 items are presented to you for you decide what to do.

 So, thanks for the input. I will stick with logwatch and give it a go.
 It's really not that complicated, logwatch is pretty good at what it
 does. Post back with more questions if they arise...


Well. not sure about adding 7.4 yet, but I did go here
http://logreporters.sourceforge.net/
I added the postfix and postfix.conf files in their proper /etc/logwatch 
folders.

7.4, due to licensing, has taken away the awesome postfix reporting that 
is in 7.3. The files located at the above location will bring it all 
back..and then some..lol

might try 7.4 out though.


Re: [CentOS] rhel/centos alternative to logwatch? [solved]

2012-04-07 Thread Bob Hoffman
On 4/7/2012 7:49 PM, Joseph L. Casale wrote:
 Have you tried editing the files in

 /usr/share/logwatch/default.conf/services/

 or

 /usr/share/logwatch/default.conf/ignore.conf

 ?
 Obviously not:) And I hope not either...
 Facilities are provided just for this in /etc/logwatch.

 The location you refer to will get over written on an update...


the previous mail says it all, that upgrade worked. And by putting them 
where you said I can keep Red Hat's preferred version.

here is what the newer postfix logwatch looks like..
(rather long as I get a LOT of spam rejected..lol)
http://www.politicalgateway.com/postfix.txt

a big upgrade over the older version with 5xx rejects and greylisting stats.


[CentOS] rsyslog / rotation, best practices

2012-04-05 Thread Bob Hoffman
centos6
in regards to /etc/logrotate.d/syslog the file is in charge of processing
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler

If I wanted to make a specific setting just for maillog (since that file 
gets huge really quick) would I add

1- a new file  /etc/logrotate.d/maillog with the parameters just like 
the other files

2- add parameters in the file it is already located in (/etc/log...d/syslog)

3- logrotate.conf where other settings for btmp and wtmp are located.

Which is the 'best practice' or preferred solution to changing the 
defaults for the files in the logrotate.d/syslog file.

Right now I have changed logrotate.conf to go off daily to keep the 
maillog from getting too huge. I do not know what the default is for size 
forcing the change, but when it got to 35MB logwatch was not properly 
accessing it and logrotate in debug mode was saying file too big must be 
config file.

There seems to be no setting for file size to force rotation for the log 
files in the logrotate.d/syslog file.

thanks
bob


[CentOS] dns cache rbl lists?

2012-04-04 Thread Bob Hoffman
No idea where else to ask this and get a real qualified answer but here.
Not exactly pure centos question...but...

I am adding blacklists to my postfix smtpd settings.
I have the inkling that after the first lookup for a domain or ip that 
my dns caches the result and I no longer bother the RBL or RHSBL list 
owners anymore in that instance.

Is that correct? I hate to waste their resources if it is not.

thanks,
bob




Re: [CentOS] dns cache rbl lists?

2012-04-04 Thread Bob Hoffman
On 4/5/2012 12:52 AM, Nataraj wrote:
 On 04/04/2012 08:48 PM, Bob Hoffman wrote:
 No idea where else to ask this and get a real qualified answer but here.
 Not exactly pure centos question...but...

 I am adding blacklists to my postfix smtpd settings.
 I have the inkling that after the first lookup for a domain or ip that
 my dns caches the result and I no longer bother the RBL or RHSBL list
 owners anymore in that instance.

 Is that correct? I hate to waste their resources if it is not.

 thanks,
 bob


 Not exactly.  It is whatever TTL they return, though generally short for
 two reasons, they and you probably want it so that they can quickly
 remove entries from the blacklist once issues have been resolved.

 They want to know how often you query the blacklist, because they want
 to charge a fee if you are a large site with high volume queries.  I
 guess they need to fund their service somehow.


 Nataraj



yea, I am already sending donations..well worth it.
they 100,000 or more queries and then you can have access to the lists 
to download..though that ranges from 250 to 1000 a year, for each 
one...yikes.
Still, well worth it if you have the cash and have a lot of users.


[CentOS] called a spammer today

2012-04-02 Thread Bob Hoffman
thought you would find this interesting...

I get a LOT of political spam on one of my mails due to hosting a 
political site once.
I have been slowly blacklisting the bulk companies and 'the net' of 
private people
pushing political spam.

There is one guy who has been sending me stuff for years and I just have 
it go to the junk folder and deleted..forgot about it.

New server, new rules. His came today.
I wrote his university a nasty letter. I wrote him a nasty letter. (I 
had contacted him a few times in the years past to make him stop but he 
never did.)

Well, tonight I got home...looked at his spam. Hey, it had his number on it.
So I called him and told him to stop...told him why it bothered me.
Told him somethings that happened to me in the past, what I like about 
websites.
all sorts of junk, kept talking and making him listen to me..

He was getting impatient but I said 'now you know what it is like to 
have your uninteresting cr#p come in my mailbox.'

He has agreed to stop spamming me...I told him I blacklisted him anyway.

I felt really good about that call...I think he will rethink his phone 
number on spam from now on.


lol


Re: [CentOS] selinux on/off percentage

2012-04-01 Thread Bob Hoffman
On 4/1/2012 8:24 PM, Mark LaPierre wrote:
 On 03/31/2012 11:31 PM, Min Wang wrote:
 hi

 Just wondering if there is any statistics report of selinux usage in
 production environment? I know some still turn it off.



 thanks.

 min

 I don't know about any general statistics, but I do know that I have it
 turned off on my desktop/file server/print server/samba server.

I tried to play with it a few time with centos 5 and 6 for my webservers 
and such, but I ended up disabling it since I did not want it to freak 
out and cause a fail in a production server.
Not very good with it, but it seemed with a webserver that it needed to 
allow apache and php to have a lot of access...so it did not seem to be 
worth the chance of a production server going down over some stupid file 
I changed or uploaded.


Re: [CentOS] SMTP Port 465 - Postfix

2012-03-31 Thread Bob Hoffman
On 3/31/2012 7:11 AM, Prabhpal S. Mavi wrote:
 Hello BoB,

 Thanks for you kind assistance, your solution opened the SMTP:465 on the
 postfix server.


 But when i telnet 587, i can see 220 in response.
 [root@jet postfix]# telnet localhost 587
 Trying ::1...
 Connected to localhost.
 Escape character is '^]'.
 220 mail.digital-infotech.com ESMTP Postfix (2.6.6)

 But when i telnet to 465, i do not see 220 in response. is it normal?
 [root@jet postfix]# telnet localhost 465
 Trying ::1...
 Connected to localhost.
 Escape character is '^]'.

 Thanks / Regards



 On 3/30/2012 12:49 PM, Prabhpal S. Mavi wrote:
 Hi Dear All,


 Just updating with the post, following configured Postfix to listen on
 Port 587. Yet to find out, how to enable 465.


 submission inet n   -   n   -   -   smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
 port 465 is default for smtps...not smtp
 smtps inet  n   -   n   -   -   smtpd
 -o smtpd_tls_wrappermode=yes

 open it on your iptables too


 Thanks / Regards
 Prabhpal S. Mavi





you have to also add stuff to postfix to properly deal with sasl/ssl 
connections in the main.cf. Google for a tutorial..there are a few 
commands that have to be added.


Re: [CentOS] transition to ip6

2012-03-31 Thread Bob Hoffman
On 3/31/2012 6:44 AM, Adam Tauno Williams wrote:
 We've been running out of IPV4 address and needing to convert someday
 soon for the last 10 years..., but yet the vast majority of broadband
 providers and even most ISP's don't support it yet.

 You've got another couple of months.  I believe most U.S. network
 providers have agreed to a 'flag day' sometime in June 2012.

 Internal networks / backbones at Comcast and Verizon have been IPv6 for
 some time now.  At least that is what a credible little bird told me.


yea they did one in june of last year.
There has to be a time though for us web admins when our ip addresses for 
our websites are phased into ip6...
hopefully soon.


Re: [CentOS] SMTP Port 465 - Postfix

2012-03-31 Thread Bob Hoffman
On 3/31/2012 7:36 AM, Jonathan Vomacka wrote:
 I thought port 465 SSL was deprecated and replaced with port 587 TLS? 
from what I read, and what I use..

25 is the normal smtp port, 587 is an alternative since isps started 
blocking port 25

smtps uses 465

POPs and IMAPS use the 995 993
regular pop / imap is 110 and 143 or 220

at least my postfix seems to use 465 and the 900s as default for 
imap,pop, and smtp using encryption.


Re: [CentOS] my spammer list

2012-03-30 Thread Bob Hoffman
On 3/30/2012 7:48 AM, Markus Falb wrote:
 On 30.3.2012 05:26, Nataraj wrote:

 The way that I finally got rid of all the residual spam that makes it
 through greylisting, SPF, spamassassin, clamav is to handout unique mail
 addresses and use black/whitelists.  So for example if I assign an email
 address for incoming mail from a mailing list and then setup a whitelist
 entry that only allows that address to receive email from the
 mailservers that serve that mailing list and then blacklist all other
 incoming mail to that address it is very effective.
 But how to tell which mailservers are serving that mailing list?
 That's the thing SPF or similar is supposed to do, isn't it? Don't tell
 me you are looking at the MX Records! Incoming and Outgoing Mailservers
 are not the same necessarily.


clients...senders...helo... from the logs and the mailings. Usually in 
the bulk commercial 'legitimate' spammers their entire system is 
configured correctly, as are their headers, to avoid spamassassin and 
common mail screenings.
From that you slowly whittle them down.
From this I have found certain bulk mailers, especially political and 
real estate, have a certain grouping of outgoing relays...like 
'ala'mail.net, 'ala'mode.com, vocus.com, vocsmail.com, etc...

and once I got all the others out it was very evident based on the 
layout of the mail who is sending it...basically like 4 or 5 types... 
Kinda cool to start seeing the patterns.


Re: [CentOS] SMTP Port 465 - Postfix

2012-03-30 Thread Bob Hoffman
On 3/30/2012 12:49 PM, Prabhpal S. Mavi wrote:
 Hi Dear All,


 Just updating with the post, following configured Postfix to listen on
 Port 587. Yet to find out, how to enable 465.


 submission inet n   -   n   -   -   smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
port 465 is default for smtps...not smtp
smtps inet  n   -   n   -   -   smtpd
   -o smtpd_tls_wrappermode=yes

open it on your iptables too


[CentOS] transition to ip6

2012-03-30 Thread Bob Hoffman
I imagine some day in the near future there will be a switch to ipv6.
I cannot imagine ever remembering the ip address then...crazy.

My question, since i have never done ip6 stuff, is what does that mean 
on my webservers?

Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, 
and configuration files...and copy out my iptables to ip6tables, and 
change the dns servers?

all that does not sound too harsh.

anything especially daunting to make that switch (save from someone 
having to do that on 100 computers really fast!!)

-bob



Re: [CentOS] xorg.conf disappear

2012-03-29 Thread Bob Hoffman
On 3/29/2012 10:06 AM, Cal Webster wrote:
 On Thu, 2012-03-29 at 09:57 +0100, Lars Hecking wrote:
 brick writes:
 Hi

 My system is CentOS 6. I need to edit xorg.conf. But it can't be find in
 /etc/X11. Where is it? How can I get the default setting?
   /var/log/Xorg.0.log will tell you which configuration Xorg is currently
   using, which devices are autodetected etc. If you need to change only
   particular parts of the config, you can drop a .conf file with the
   corresponding Section into /etc/X11/xorg.conf.d.

   E.g. if you needed a UK keyboard instead of the default US, you could use
   something along the lines of

 # cd /etc/X11/xorg.conf.d
 # cat keyboard.conf
 Section "InputDevice"
     Identifier  "Keyboard0"
     Driver      "kbd"
     Option      "XkbModel"  "pc105"
     Option      "XkbLayout" "gb"
 EndSection
 #
 If you know what you need, adding a separate conf file
 in /etc/X11/xorg.conf.d/ is the cleanest way to go. If you need some
 type of custom setup, however, you can generate an xorg.conf using Xorg
 -configure. The X server must not be running when you do this.

 ## Go to run level 3

 init 3

 ## Generate xorg.conf

 Xorg -configure

 ## The configuration file will be stored in root user's home (/root)

  From there you can modify it as needed then move it to /etc/X11/ and
 init 5 to test. You can test your changes by jumping in and out of run
 level 5.


  From Xorg(1) man page:

 -configure

   When  this option is specified, the Xorg server loads all video
 driver modules, probes for available hardware, and  writes  out an
 initial xorg.conf(5) file based on what was detected.  This option
 currently has some problems on some  platforms,  but  in most  cases  it
 is  a  good way to bootstrap the configuration process.  This option is
 only available when the server is  run as root (i.e, with real-uid 0).

 ./Cal



I thought it placed a conf file in the home directory of any user who 
brought up an X window/desktop?


[CentOS] my spammer list

2012-03-29 Thread Bob Hoffman
Hello,
Thanks to some nice people on here and other forums I have pretty much 
finalized my whole mail system on centos 6.x.

With all the checks, greylisting, dev/null of any 8+ spam level SA, I 
still get a few mails.

It seems like every time I enable a new protectant, the mail stops 
spamming for a few hours...then the spammers decide I am worthy of using 
better methods against me..and more come. LOL.

I am down to just 10-15 a day.
Anything that gets through all that I set up now goes to a spammers list 
that I add to the access file of postfix.

http://bobhoffman.com/spammers.html

that is the link to my list. I am trying to sort them out into 
political, real estate, bulk spammers, etc.
The worst part is the bulk emailers are not on any black list. It is 
very hard to find their mail MX until they actually send you one.
Many will be blocked, then a new alternate of theirs comes through.

I could not find a list of bulk commercial spammers so I thought I would 
start one. As I progress it will become more defined, but right now a 
big list with some categories after it.

Hope it helps.


Re: [CentOS] my spammer list

2012-03-29 Thread Bob Hoffman
On 3/29/2012 11:26 PM, Nataraj wrote:
 On 03/29/2012 03:00 PM, Bob Hoffman wrote:
 Hello,
 Thanks to some nice people on here and other forums I have pretty much
 finalized my whole mail system on centos 6.x.

 With all the checks, greylisting, dev/null of any 8+ spam level SA, I
 still get a few mails.

 It seems like every time I enable a new protectant, the mail stops
 spamming for a few hours...then the spammers decide I am worthy of using
 better methods against me..and more come. LOL.

 I am down to just 10-15 a day.
 Anything that gets through all that I set up now goes to a spammers list
 that I add to the access file of postfix.

 http://bobhoffman.com/spammers.html

 that is the link to my list. I am trying to sort them out into
 political, real estate, bulk spammers, etc.
 The worst part is the bulk emailers are not on any black list. It is
 very hard to find their mail MX until they actually send you one.
 Many will be blocked, then a new alternate of theirs comes through.

 I could not find a list of bulk commercial spammers so I thought I would
 start one. As I progress it will become more defined, but right now a
 big list with some categories after it.

 Hope it helps.
 You won't be able to track them easily because they hop around from
 network to network.  Sometimes I can recognize them by seeing the same
 spams repeatedly, also, different IP addresses connecting and guessing
 passwords for the same list of users.  But I rarely get those anymore
 since I have blocked pop/imap logins from outside of the US.

 You can report them to spamcop.net and that may help to provide some
 incentive for ISPs to kick spammers off their network.

 The way that I finally got rid of all the residual spam that makes it
 through greylisting, SPF, spamassassin, clamav is to handout unique mail
 addresses and use black/whitelists.  So for example if I assign an email
 address for incoming mail from a mailing list and then setup a whitelist
 entry that only allows that address to receive email from the
 mailservers that serve that mailing list and then blacklist all other
 incoming mail to that address it is very effective.  With a decent
 whitelist/blacklist tool it's fairly easy to implement.  I used to get
 literally hundreds of spams a day and now I probably average about 2 per
 week.

 You can also get on the spamassassin mailing list and add more plugins
 and work on tuning the spamassassin config.   You can also play with
 sa-learn.  For me though the black/whitelisting works quite well.


 Nataraj



mostly down to just the bulk commercial spammers. Usually spam dev/null 
them but decided to disable spam assassin and go after a nice list. Only 
got two mails in the last 12 hours, so it is cool.
I get lots of political and real estate spammers due to the jobs I have 
had and my mail being on their lists...a list you can never get off. So 
listing them was the perfect thing.
so without spamassassin, going good so far. Almost nothing.

when I get one or two a day I just add them to the list..lol

I am happy to not have hundreds a day anymore...so happy.


Re: [CentOS] How to restrict reboot/poweroff from non-admins?

2012-03-28 Thread Bob Hoffman
On 3/28/2012 10:03 AM, Phil Schaffner wrote:
 Timo Neuvonen wrote on 03/28/2012 09:17 AM:
 I just noticed that CentOS (6.2) by default allows any user to
 reboot/poweroff system without any admin rights, or without any further
 questions, if using commands 'reboot' or 'poweroff'. But 'shutdown' still
 requires admin rights.

 What is the preferred way to restrict any regular user from rebooting /
 powering off the system (by accident)?

 IMHO, sudo should be required for this purpose (at least in a system with
 shared remote access from multiple users, single-user laptops etc may be a
 different case)

 OUCH! This seems to qualify as a CentOS bug.  I confirm that a normal
 user can reboot or poweroff the system on 6.2.  On RHEL:

 $ rpm -qa redhat-release\*
 redhat-release-server-6Server-6.2.0.3.el6.x86_64
 $ poweroff
 poweroff: Need to be root
 $ reboot
 reboot: Need to be root

 Phil




I was just reading this the other day in a book but cannot find 
it...there is some command that limits this...not sure if it was just 
sudo or not...
yea, that is scary


Re: [CentOS] udev works ok in CentOS 6.x??

2012-03-28 Thread Bob Hoffman
On 3/28/2012 10:07 AM, Phil Schaffner wrote:
 carlopmart wrote on 03/28/2012 09:53 AM:
 On 03/28/2012 03:51 PM, Phil Schaffner wrote:
 carlopmart wrote on 03/28/2012 09:27 AM:
 Then, how can I obtain these uuids??
 blkid

 Phil
 Doesn't work either:

 [root@newc6srv init.d]# blkid /dev/sdb1
 [root@newc6srv init.d]
 What does blkid with no arguments show?  How about fdisk -l /dev/sdb?
 You previously showed that /dev/sdb was a LVM device.

 Phil




/etc/grub.conf?
/boot/?
lots of info there with uuid
stage1, stage2?


Re: [CentOS] udev works ok in CentOS 6.x??

2012-03-28 Thread Bob Hoffman
On 3/28/2012 11:10 AM, carlopmart wrote:

 /etc/grub.conf?
 /boot/?
 lots of info there with uuid
 stage1, stage2?
 What has /etc/grub.conf, /boot, stage1 and stage2 to do here? I don't
 understand what info you are asking ...


look in the grub.conf file, lists uuids of block devices




Re: [CentOS] udev works ok in CentOS 6.x??

2012-03-28 Thread Bob Hoffman
On 3/28/2012 11:19 AM, carlopmart wrote:
 On 03/28/2012 05:16 PM, Bob Hoffman wrote:
 On 3/28/2012 11:10 AM, carlopmart wrote:
 /etc/grub.conf?
 /boot/?
 lots of info there with uuid
 stage1, stage2?
 What has /etc/grub.conf, /boot, stage1 and stage2 to do here? I don't
 understand what info you are asking ...

 look in the grub.conf file, lists uuids of block devices


 grub.conf only shows uuid for root device. This host has three scsi
 disks: sda, sdb and sdc. sda is where it is installed and uuid is shown
 and correct:

 [root@newc6srv lvm]# ls -la /dev/disk/by-uuid/
 total 0
 drwxr-xr-x 2 root root 80 Mar 28 13:19 .
 drwxr-xr-x 4 root root 80 Mar 28 13:19 ..
 lrwxrwxrwx 1 root root 10 Mar 28 13:19 0faf5e22-ff30-4ab8-a9ac-733c593eec40 -> ../../sda1
 lrwxrwxrwx 1 root root 10 Mar 28 13:19 37501499-c52d-4a84-9ec8-778adf511ebd -> ../../sda2

 But I have added two disks: sdb and sdc. It is with these disks where uuid
 doesn't work.



ls -l /dev/disk/by-uuid

lrwxrwxrwx 1 root root 10 Mar 23 00:08 2e55cc65-9c70-4081-9209-070aa4698e18 -> ../../dm-1
lrwxrwxrwx 1 root root 10 Mar 23 00:08 2f76b8e6-c86b-455d-bf56-d54c7c5bd084 -> ../../sda1
lrwxrwxrwx 1 root root 10 Mar 23 00:08 36992f08-801c-4a88-a3b8-080ab0cc0988 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Mar 23 00:08 a712997a-bdbc-4dd6-bdc3-2288d5f8d474 -> ../../dm-0
lrwxrwxrwx 1 root root  9 Mar 23 00:08 b68b49aa-24d5-455c-ac9d-fc5dd93386fa -> ../../md0





[CentOS] postgrey, postfix, tld list

2012-03-25 Thread Bob Hoffman
Hello all,

I am looking for the correct way to add postgrey to my system but 
whitelist everything except for com, org, and net domains.
Most of my spam is from .info domains.

There seems to be no way to only go after certain domains, instead 
postgrey wants to go after everything except what you whitelist.

So my idea was to whitelist .com, .net, .org, .gov, and a few others 
while greylisting the rest.
The syntax for the files want fqdn, email addresses, or domain names.
But How do you just add a .TLD?

postgrey_whitelist_clients  ??

*.com
*.net
*.org
??

this sound right?


Re: [CentOS] postgrey, postfix, tld list

2012-03-25 Thread Bob Hoffman
On 3/25/2012 1:37 PM, Bob Hoffman wrote:
 Hello all,

 I am looking for the correct way to add postgrey to my system but
 whitelist everything except for com, org, and net domains.
 Most of my spam is from .info domains.

 There seems to be no way to only go after certain domains, instead
 postgrey wants to go after everything except what you whitelist.

 So my idea was to whitelist .com, .net, .org, .gov, and a few others
 while greylisting the rest.
 The syntax for the files want fqdn, email addresses, or domain names.
 But How do you just add a .TLD?

 postgrey_whitelist_clients  ??

 *.com
 *.net
 *.org
 ??

 this sound right?


believe I got this working, anyone interested here is what I did so far

1- get the repo rpmforge
rpm -Uvh 
http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

2 limit forge to just the packages needed
/etc/yum.repos.d/rpmforge.repo
add line, just under enabled=1
includepkgs=postgrey perl-net-server perl-parse-syslog perl-BerkeleyDB 
perl-IO-multiplex

3 yum install postgrey

4 make a new file, /etc/sysconfig/postgrey
add OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=60"
save, close

5 added to /etc/postfix/postgrey_whitelist_clients
/^\.com$/
/^\.org$/
/^\.gov$/
/^\.net$/
/^\.mil$/
/^\.edu$/

(this file is full of junk from previous years, considering deleting it 
all except for above)

6 add to main.cf, above my rbls but under the auth reject stuff so it is 
last before them (though maybe it could be absolutely last, might be better)
 check_policy_service unix:postgrey/socket

7 service postgrey start, postfix reload, chkconfig postgrey on


Re: [CentOS] postgrey, postfix, tld list

2012-03-25 Thread Bob Hoffman
On 3/25/2012 3:16 PM, Bob Hoffman wrote:
 believe I got this working, anyone interested here is what I did so far

 1- get the repo rpmforge
 rpm -Uvh
 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

 2 limit forge to just the packages needed
 /etc/yum.repos.d/rpmforge.repo
 add line, just under enabled=1
 includepkgs=postgrey perl-net-server perl-parse-syslog perl-BerkeleyDB
 perl-IO-multiplex

 3 yum install postgrey

 4 make a new file, /etc/sysconfig/postgrey
 add OPTIONS=--unix=/var/spool/postfix/postgrey/socket --delay=60
 save, close

 5 added to /etc/postfix/postgrey_whitelist_clients
 /^\.com$/
 /^\.org$/
 /^\.gov$/
 /^\.net$/
 /^\.mil$/
 /^\.edu$/

 snip


check that...did not whitelist the domains, centos.org got greylisted.
Either it is the wrong way to regex that statement within postgrey or 
there needs to be more added regarding the triplet (ipaddress, domain, 
sender)...not sure.

probably regex is wrong, I am certainly no expert, or even a novice, of it.


Re: [CentOS] postgrey, postfix, tld list

2012-03-25 Thread Bob Hoffman
On 3/25/2012 4:14 PM, Mailinglist wrote:
 Just checked my mail server. Getting a lot of .info spam, but I'm thinking a 
 reject .info is in order. :)

 Regards…
this regex seemed to work

/.*\.com$/
/.*\.org$/
/.*\.gov$/
/.*\.net$/
/.*\.mil$/
/.*\.edu$/


postgrey[14740]: action=pass, reason=client whitelist, 
client_name=mail.centos.org, client_address=72.26.200.202

and it came up on other net, com, etc

so, think that is WAI
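Added example, not from the thread and not postgrey's own code: a simplified model of how a postgrey_whitelist_clients file is matched against a connecting client, enough to show why the first attempt (/^\.org$/) never matched mail.centos.org while /.*\.org$/ did. Assumptions: lines wrapped in "/" are regexes tested against the client hostname, a bare name matches that host and its subdomains, and an IP/CIDR line matches the client address; partner.example and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample values, the mail.centos.org line comes from the log excerpt above.

```python
import ipaddress
import re

# Constructed whitelist texts in postgrey_whitelist_clients syntax.

# First attempt from the thread: "^\." requires the hostname to *begin*
# with a dot, so it can never match a real client hostname.
WHITELIST_FIRST_TRY = r"""
/^\.com$/
/^\.org$/
/^\.net$/
"""

# Working version from the thread, plus a domain line and a CIDR line
# (both constructed) to exercise the other two rule kinds.
WHITELIST_WORKING = r"""
# comment lines are ignored
/.*\.com$/
/.*\.org$/
/.*\.gov$/
/.*\.net$/
/.*\.mil$/
/.*\.edu$/
partner.example
192.0.2.0/24
"""


def parse_whitelist(text):
    """Turn whitelist text into (kind, rule) pairs in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) > 2 and line[0] == "/" and line[-1] == "/":
            rules.append(("regex", re.compile(line[1:-1], re.IGNORECASE)))
            continue
        try:
            rules.append(("net", ipaddress.ip_network(line, strict=False)))
            continue
        except ValueError:
            pass
        rules.append(("domain", line.lower()))
    return rules


def whitelist_match(rules, client_name, client_address):
    """Return the text of the first rule that whitelists the client, or None.

    client_name is Postfix's *verified* client hostname; when the reverse
    lookup cannot be confirmed Postfix passes the literal string "unknown",
    which none of the TLD regexes match, so such clients are still greylisted.
    """
    name = client_name.lower()
    addr = ipaddress.ip_address(client_address)
    for kind, rule in rules:
        if kind == "regex" and rule.search(name):
            return rule.pattern
        if kind == "domain" and (name == rule or name.endswith("." + rule)):
            return rule
        if kind == "net" and addr in rule:
            return str(rule)
    return None


def postgrey_action(rules, client_name, client_address):
    """Mimic the log line in the thread: pass on whitelist, else greylist."""
    hit = whitelist_match(rules, client_name, client_address)
    if hit is not None:
        return f"action=pass, reason=client whitelist ({hit})"
    return "action=greylist (triplet check)"


if __name__ == "__main__":
    for text in (WHITELIST_FIRST_TRY, WHITELIST_WORKING):
        rules = parse_whitelist(text)
        print(postgrey_action(rules, "mail.centos.org", "72.26.200.202"))
```

Because the match is done on the verified client hostname rather than on the envelope sender, a sender cannot talk its way onto the whitelist by using a .com address; only a client whose reverse and forward DNS agree on a .com/.org/... name gets the pass.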


Re: [CentOS] your advice on backup procedure

2012-03-24 Thread Bob Hoffman
On 3/24/2012 4:35 AM, Peter Eckel wrote:
 Hi Bob,

 I just want to to throw in another alternative to make choice harder ... :-)

 The scenario...
 centos server acting as a virtual host. Virtual machines are webservers
 and dns servers. All on one machine, all running centos 6.
 Virtual machines are kvm, sitting in lvm storage.
 My basic setup is quite similar to yours. CentOS 5 machine working as host, 
 several virtual CentOS 5/6 boxes on that host, but additionally there are 
 some Mac OS X and Ubuntu boxes around that also need to be backed up, some of 
 them in remote locations.

 I have a NAS drive set up in my small datacenter that works as an iSCSI host 
 and serves a LUN for backups. The virtual host machine runs Bacula dir and 
 sd, with the backup volumes on the LUN. All Clients run bacula fd and connect 
 to the server, the ones connecting from the internet use SSL encryption and 
 certificate authentication. I run full backups once a week, and daily 
 incrementals.

 For the last half year or so, the solution has proven rock-solid, not a 
 single failure. I had to restore several files during that period, and there 
 wasn't any problem at all with that as well.

 Database backup is done using pre-scripts that perform a database dump and 
 then back up that dump, which is a bit of a downside as other solutions often 
 have database backup plugins, but nothing that could not be solved. After 
 initial setup, configuration is done on the Bacular directory server alone, 
 which saves some amount of maintenance. Backup strategies can be defined in a 
 very flexible way, too.

 There also is a feature that allows you to define a base system (e.g. a 
 freshly installed CentOS box) and tell the server just to back up differences 
 from that base system, saving large amounts of storage if you have many 
 similar machines to be backed up.

 Best regards,

Peter.


thanks peter, that was where I was looking at going.
I think amanda or bacula (or both) have a mysql backup program as an 
extra that will perform an incremental.

For mysql, it has a bin file system that can be rotated daily, hourly, 
whatever with a full dump only needed when you want (once a week?) so I 
would just grab the bin files I think.

When I figure this out, perfectly, I should post it all so others can 
have a backup solution. I have over 40 linux books and not one really 
goes into backups. They mention them, but no working examples of merit.


Re: [CentOS] wiki - vnc -gerald and walsh, update?

2012-03-23 Thread Bob Hoffman
On 3/23/2012 11:40 AM, William Hooper wrote:
 On Thu, Mar 22, 2012 at 11:03 PM, Bob Hoffman <b...@bobhoffman.com> wrote:
 [snip]
 opened port 5902 in iptables, restarted iptables
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
 [snip]
 in putty I made a saved session called 'vnc to my server'
 went to connections, ssh, tunnels in putty explorer
 added source port, 5902
 destination I put in localhost:5902
 click add
 then save the whole session (go back to session page)
 [snip]

 Note if you are exclusively using an SSH tunnel to access your VNC,
 you don't need to open a port for VNC in the firewall.  In fact, not
 opening a direct port for VNC is a good way of enforcing the tunnel to
 secure the connection.

well, that makes sense.
And I like that a lot. Less ports the better.
This is only for my host so I can run virt-manager.
Thanks for the great tip.

bob


[CentOS] your advice on backup procedure

2012-03-23 Thread Bob Hoffman
Hello all,
I am down to my last hurdle of my project, backups.
I am thinking of three different ways to go and wanted to ask for input 
on what you think is the better choice.
Not asking for 'how to' but more of 'what is best in your experience'

The scenario...
centos server acting as a virtual host. Virtual machines are webservers 
and dns servers. All on one machine, all running centos 6.
Virtual machines are kvm, sitting in lvm storage.

What I want to do..
auto backups of the virtual machines to be stored on the virtual host's 
extra drives for later download to my home computer.

Many backup solutions and programs seem centered on a network of 
computers with file sharing. I do not have this and don't think I want 
to go that way on my host.


My three thoughts, not sure which one to pursue...
(involves certain folders, /home/ (which includes maildir), /var/www/, 
/mysqlhotcopys and bin files, and maybe a few more. I can rebuild the 
comp pretty quick and then restore, or maybe just do one big backup of 
each server, then work on the folders as a solution)

1- Amanda. I do not know much about it or how it would deal with mysql 
databases, but it look promising. I do not have a NFS in place on any of 
the installs.

2- rsnyc - some kind of rsync going from the host to each machine, 
putting it on the host's backup drives. Adding a mysql hotcopy of some 
kind on the VMs, along with bin files, saved to a special folder that 
will then be part of the rsync. Once a week full of both rsync and 
mysqlcopy, then incremental daily.

3- Use kpartx ? and access the lvm the VM is on to rsync internally on 
the host, ditto above with the mysql copy/bin setup.

Number 3 seems like it is the securest way, but obviously not much info 
out there on it.
Number 2 seems like the 'old way' and will require some real work to get 
it right
number 1 looks good, but do not really know anything about it.

Which way would you go, or do you have a different way you like better?


Re: [CentOS] your advice on backup procedure

2012-03-23 Thread Bob Hoffman
On 3/23/2012 10:50 PM, Karl Vogel wrote:
 On Fri, 23 Mar 2012 20:19:41 -0400,
 Bob Hoffman <b...@bobhoffman.com> said:
 B  I am down to my last hurdle of my project, backups.  Not asking for 'how
 B  to' but more of 'what is best in your experience'.

 Some questions:

 * What's the hardest stuff for you to recreate?  I'd have that on both
   DVD and something network-accessible.

 * What's your biggest PITA problem (for me, it would be bare-metal 
 restore)
   vs. your most likely one (I'd assume loss of a MySQL table or a VM)?
   You mentioned being able to rebuild the host quickly, so if the 
 bare-metal
   thing isn't a big problem, concentrate on the VMs instead.

 * What are your priorities?  If it's speed of the restore, and you have
   the IO/network bandwidth and room, then do like another poster said
   and rsync the VM files after shutting them down.  If it's more like
   history where you want to go back in time to lots of versions, something
   finer-grained would be in order.

 B  The scenario...  centos server acting as a virtual host. Virtual
 B  machines are webservers and dns servers. All on one machine, all running
 B  centos 6.  Virtual machines are kvm, sitting in lvm storage.  What I
 B  want to do..  auto backups of the virtual machines to be stored on the
 B  virtual host's extra drives for later download to my home computer.

 Your VMs sound like they start out identical, and then you add stuff to
 specialize each one.  If so, I'd keep these backups:

 a. one generic bare-bones VM that can be installed with as few commands
as possible.
 b. each change-set you use to specialize for basic DNS, web, etc.
 c. smaller groups of individual files like DB schemas, web content,
mailboxes, etc.

 This way, any given restore breaks down to (a) plus (one or more b) plus
 (whatever's appropriate from c).  When you get to the individual file
 backups within a VM, something like this might be all you need:

# cd /
# find . -depth -type f -newer /etc/BKUP -print | pax -x cpio -wd |
   gzip -c > /path/to/$(date '+%Y/%m%d/%H%M').pax.gz
# touch /etc/BKUP

 B  1- Amanda. I do not know much about it or how it would deal with mysql
 B  databases, but it look promising.

 I set it up once, but it wasn't a close enough match to what we needed
 for me to craft an entire backup strategy around it.  It's not a trivial
 thing to install or run, so you'll be spending time finding out how Amanda
 wants to do things and matching that to your goals.

 B  2- rsync - some kind of rsync going from the host to each machine,
 B  putting it on the host's backup drives.

 That's what I use at work, but we're closer to the networked fileservers
 with remote shares setup.  I use the find/pax/touch setup above to handle
 hourly backups for 800-1000 users, and they're happy little campers when
 they find out the spreadsheet they created at 6am and mangled around noon
 isn't completely gone.

I am not looking to back up the vms for a easy reinstall, I can do them 
in less than a 1/2 hour each.
The back up is for the webservers so the database and html and some 
other folders are continually backed up incase of hack or whatever.

Still thinking amanda, or bacula as first choice, rsync second, kpartx 
somehow third.


[CentOS] control panels, like or dislike?

2012-03-22 Thread Bob Hoffman
When I first started using webservers I leased shared hosting. Then I 
moved to vps. Then to dedicated.
In all that I was with various control panels.
In almost all cases bugs in those control panels would cause all sorts 
of issues.
(ensim, cpanel, plesk).
The load on the server seemed greatly increased (especially with ensim).

When I built my first server 4 years ago I decided to heck with control 
panels.
I looked at what I was using the control panel for, mainly for adding 
users, protecting directories or adding a new website.

Seriously, I found the original setup daunting as a step by step is not 
really available for a new admin. But I did it. Without a control panel.

Now my new server went all virtual and still no control panel. I looked 
at them but just adding one seemed to install a gazillion programs, 
overtake my system, and seemed to prevent me from updating the servers 
until the panel was updated.

And they seem buggy and insecure.

I understand for webhosting it might seem practical to add them, but 
with the issues and bugs they present the techs on my vps/dedicated sure 
spent a lot of time on the phone with me. That is costly.

Do you use control panels? Why? Like/dislike?

For some family and friends who I host a site for I found the setup of 
an additional server quite easy. A simple one page explanation of 
adding/deleting ftp, mail, or shell users, protecting directories, etc 
seems to suffice.

I feel control panels are not needed and detract from being a 
knowledgeable admin. I can see if you are very new to running a centos 
server it would be helpful, but in the end run it seems to keep people 
from learning how to manage things.

From a tech view, paid by the hour, I imagine those guys and gals love 
control panel issues... more money for them to fix things.

Interested in where anyone else sits on this issue. I read a lot of 
articles on them but cannot find a solution where I think they would be 
better to use, at least not yet. I am open-minded about it though...


[CentOS] wiki - vnc -gerald and walsh, update?

2012-03-22 Thread Bob Hoffman
To GeraldClark and PjWelsh,
I have centos 6 and used your guide to get it going with vnc.
First of all thanks for putting that up, so many techs told me I did not 
have to install a desktop to make it work and they were so wrong.

http://wiki.centos.org/HowTos/VNC-Server

Using centos 6 I found some differences and wanted to post them here to 
see if anything helps clear it all up.

I actually installed x windows system and 'desktop' groups since that is 
what worked with my ipmi card.
I installed tigervnc-server as root, ran vncpasswd as root, got a password.
started/stopped just like it said to, so far so good.

opened port 5902
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

in /etc/sysconfig/vncservers I added root and had to take out 
-localhost or I could never connect via vncviewer, completely blocked 
unless both were taken out. I imagine there is some setting somehow in 
vncviewer but I cannot find it.
I am assuming I am still unencrypted in my connection due to this.

now it gets weird, perhaps due to me installing x windows system...here 
is my startx file, completely different than the one you posted...and I 
changed nothing and it worked.

#!/bin/sh

[ -r /etc/sysconfig/i18n ] && . /etc/sysconfig/i18n
export LANG
export SYSFONT
vncconfig -iconic &
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
OS=`uname -s`
if [ $OS = 'Linux' ]; then
   case "$WINDOWMANAGER" in
     *gnome*)
       if [ -e /etc/SuSE-release ]; then
         PATH=$PATH:/opt/gnome/bin
         export PATH
       fi
       ;;
   esac
fi
if [ -x /etc/X11/xinit/xinitrc ]; then
   exec /etc/X11/xinit/xinitrc
fi
if [ -f /etc/X11/xinit/xinitrc ]; then
   exec sh /etc/X11/xinit/xinitrc
fi
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &


My issue still revolves around the actual encryption. There seems to be 
nothing in vncviewer allowing it. There is something in your post about 
the ssh, but it references only another vnc server.

so, is the only way to get an ssh connection is to download a windows 
vncserver, and connect with that to the vncserver on my linux box? (box 
is on the internet, not local)

anyway, this helpful how to really saves a lot of time, really debunked 
a lot of myths about not needing a desktop installed (which was really 
frustrating trying to make it work without one).

Centos 6 is a bit different in that one file...and it would be great to 
know how to connect through ssh with a viewer.

still, it freaking works!!


Re: [CentOS] wiki - vnc -gerald and walsh, update?

2012-03-22 Thread Bob Hoffman
On 3/22/2012 10:26 PM, Bob Hoffman wrote:
 To GeraldClark and PjWelsh,
 I have centos 6 and used your guide to get it going with vnc.
 First of all thanks for putting that up, so many techs told me I did not
 have to install a desktop to make it work and they were so wrong.

 http://wiki.centos.org/HowTos/VNC-Server


so this is what I did in centos 6 tonight to make it work for me...

as root
yum install tigervnc-server
ran vncpasswd, added a password
/etc/sysconfig/vncservers, uncommented lines 18 and 19, added root
started and stopped, service vncserver start / stop
opened port 5902 in iptables, restarted iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT


service vncserver start

downloaded tigervnc from source forge
download putty

in putty I made a saved session called 'vnc to my server'
went to connections, ssh, tunnels in putty explorer
added source port, 5902
destination I put in localhost:5902
click add
then save the whole session (go back to session page)
open a putty session (click open), making sure it was my vnc session
logged into server
opened tigervnc
put in localhost:5902 and hit ok.
I was in like flynn...

awesome. so much faster than ipmi



Re: [CentOS] wiki - vnc -gerald and walsh, update?

2012-03-22 Thread Bob Hoffman
On 3/22/2012 11:03 PM, Bob Hoffman wrote:
 On 3/22/2012 10:26 PM, Bob Hoffman wrote:
 To GeraldClark and PjWelsh,
 I have centos 6 and used your guide to get it going with vnc.
 First of all thanks for putting that up, so many techs told me I did not
 have to install a desktop to make it work and they were so wrong.

 http://wiki.centos.org/HowTos/VNC-Server


 so this is what I did in centos 6 tonight to make it work for me...

 as root
 yum install tigervnc-server
 ran vncpasswd, added a password
 /etc/sysconfig/vncservers, uncommented lines 18 and 19, added root
 started and stopped, service vncserver start / stop
 opened port 5902 in iptables, restarted iptables
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT


 service vncserver start

 downloaded tigervnc from source forge
 download putty

 in putty I made a saved session called 'vnc to my server'
 went to connections, ssh, tunnels in putty explorer
 added source port, 5902
 destination I put in localhost:5902
 click add
 then save the whole session (go back to session page)
 open a putty session (click open), making sure it was my vnc session
 logged into server
 opened tigervnc
 put in localhost:5902 and hit ok.
 I was in like flynn...

 awesome. so much faster than ipmi



As a last addition.
I added this to my existing system too. It has many virtual machines.
I had the error "Starting VNC server: 2:root A VNC server is already 
running as :2".

after many reinstalls and many attempts and seeing 1,000s of posts from 
people freaking out, I took the initiative and thought that libvirt was 
conflicting. I changed the number to 8 in the /sysconfig/vncserver 
file and then it worked easily.

Not sure what will happen if you select 2, 3, etc. and then add some 
virtual machines. I see conflicts ahead.
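Added example, not from the thread or the CentOS wiki page: two checks for the two points raised in this thread, that the display is only reachable through the SSH tunnel (William Hooper's note that no firewall port is needed then) and that -localhost was not dropped from /etc/sysconfig/vncservers. The vncservers text and the "ss -ltn" output below are constructed samples in the CentOS 6 layout; the function and variable names are my own.

```python
import re

# Constructed /etc/sysconfig/vncservers: display :2 lost "-localhost"
# (as happened in the thread), display :8 still has it.
SAMPLE_VNCSERVERS = """
VNCSERVERS="2:root 8:root"
VNCSERVERARGS[2]="-geometry 800x600"
VNCSERVERARGS[8]="-geometry 800x600 -nolisten tcp -localhost"
"""

# Constructed "ss -ltn" output for the same host: :2 listens on every
# interface, :8 on loopback only, sshd on both address families.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      5      0.0.0.0:5902         0.0.0.0:*
LISTEN     0      5      127.0.0.1:5908       0.0.0.0:*
LISTEN     0      128    :::22                :::*
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
"""

ARGS_LINE = re.compile(r'^VNCSERVERARGS\[(\d+)\]="?([^"]*)"?\s*$')
WILDCARD = {"0.0.0.0", "*", "::", ""}


def displays_without_localhost(vncservers_text):
    """Display numbers whose Xvnc arguments lack -localhost, i.e. displays
    that will accept VNC connections from anywhere the firewall lets in."""
    missing = []
    for line in vncservers_text.splitlines():
        m = ARGS_LINE.match(line.strip())
        if m and "-localhost" not in m.group(2).split():
            missing.append(int(m.group(1)))
    return missing


def exposed_vnc_ports(ss_text):
    """VNC ports (5900-5999) bound to a wildcard address in `ss -ltn` output."""
    exposed = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]")
        if port.isdigit() and 5900 <= int(port) <= 5999 and addr in WILDCARD:
            exposed.append(int(port))
    return exposed


def tunnel_command(display, user, host):
    """OpenSSH equivalent of the PuTTY tunnel described in the thread:
    local port 5900+display forwarded to the same port on the server's
    loopback, which is all a -localhost Xvnc listens on."""
    port = 5900 + display
    return f"ssh -L {port}:localhost:{port} {user}@{host}"


if __name__ == "__main__":
    print("displays without -localhost:", displays_without_localhost(SAMPLE_VNCSERVERS))
    print("VNC ports open to the world:", exposed_vnc_ports(SAMPLE_SS))
    print(tunnel_command(2, "root", "host.example"))
```

With -localhost in place the iptables rule for 5902 can be left out entirely: the viewer connects to localhost:5902 on the client side, sshd delivers it to 127.0.0.1:5902 on the server, and the VNC password is never the only thing between the display and the internet.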


[CentOS] postfix spam question for the gurus

2012-03-14 Thread Bob Hoffman
Hello,
I have a question about postfix.
I have a few webservers, each with their own mailing system. Obviously 
manually adding
items can be quite tedious going from one to another to another.

I am in the process of making a list of domains (commercial spammers) 
that bother me. My idea is to use the access file to reject them.

My question is this...

Can I make a text page on one of my html servers that lists all these 
bums and reference
that file in the postfix smtpd restrictions (probably as regex or pcre 
instead of hash)?

This way I only have to make one big page of them. And I can add a 'you 
be blocked m.f. because
of spamming me on the page so they can learn how to get unlisted.

can this be done or do I need to make my own rbl list (obviously limited 
to just my sites).?
I would think I could just reference a remote file as easily as a local 
file?

-thanks
bob


Re: [CentOS] postfix and spam, I am impressed[Solution that works]

2012-03-13 Thread Bob Hoffman
Nataraj wrote on Tue Mar 13 02:01:36 EDT 2012:

 On 03/12/2012 10:06 PM, Nataraj wrote:
  On 03/12/2012 09:08 PM, Ron Loftin wrote:
   I'm going to chuck in my 2 cents worth here, as I've been using Postfix
   as a first-line filter for some years now.

 pbl.spamhaus.org (dynamic IP address RBL) is generally quite safe for
 most sites to use from postfix.  The rest of the spamhaus RBL's such as
 the combination that you get from zen.spamhaus.org are mostly safe
 (better than all others that I've tried), but not 100%.   Most others
 that I've tried I have gotten a fair number of false positives over time
 (This includes dul.dnsbl.sorbs.net, the sorbs dynamic IP RBL).  Many
 people feel that most other RBL's need to be used with a scoring
 mechanism, such as that provided by spamassassin, instead of directly
 from postfix to avoid getting too many false positives.

 Nataraj

I changed it a bit since then. I found that sleep 1, when talking to my other 
VM that had
sleep 1, caused one mail to just get lost, so I dropped it.

My brother travels a lot and I found the client restrictions would not allow him
to send mail since the wi-fi he would connect to was not figured correctly 
causing
100% mail send failure. So I left client restrictions empty, but I force ssl 
and user auth
only anyway.

for the rbl lists I tried to pick those that had a notice page and a remove 
page.
This way a blocked user can try to figure out why.

Here is a bit from my logwatch, with 8 hours of non blocked spam and 16 hours 
since blocking it
6098 rejected, 429 accepted (most of those 429 were before the change)
Since 12 noon yesterday I have received 17 junk mails, all but two tagged by 
spamassassin.
BIG DIFFERENCE.

Below is the logwatch section, followed by my final set up (at least so far).


     1.062M  Bytes accepted                          1,113,084
  1007.732K  Bytes delivered                         1,031,918

        429  Accepted                                    6.57%
       6098  Rejected                                   93.43%
       6527  Total                                     100.00%

          4  Reject relay denied                         0.07%
        340  Reject HELO/EHLO                            5.58%
       1749  Reject unknown user                        28.68%
          1  Reject recipient address                    0.02%
          3  Reject sender address                       0.05%
       4001  Reject RBL                                 65.61%
       6098  Total Rejects                             100.00%

          8  4xx Reject relay denied                     0.84%
        318  4xx Reject HELO/EHLO                       33.23%
         39  4xx Reject unknown user                     4.08%
         81  4xx Reject recipient address                8.46%
        511  4xx Reject sender address                  53.40%
        957  Total 4xx Rejects                         100.00%

       3534  Connections made
        419  Connections lost
       3533  Disconnections
        429  Removed from queue
        137  Delivered
         10  Sent via SMTP
          1  Bounce (remote)
          1  DSNs undeliverable

         22  Connection failure (outbound)
         23  Timeout (inbound)
          1  RBL lookup error
         35  Excessive errors in SMTP commands dialog
        802  Hostname verification errors
         89  Address is deliverable (sendmail -bv)
        194  Address is undeliverable (sendmail -bv)
          4  Enabled PIX workaround
          9  SASL authenticated messages

          7  Postfix start
          7  Postfix stop
          4  Postfix refresh


# for SMTP-Auth settings

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname


smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_client_restrictions = permit_mynetworks

smtpd_helo_restrictions =
 permit_mynetworks,
 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname


smtpd_sender_restrictions =
 permit_mynetworks,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain


smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unauth_pipelining,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_invalid_hostname,
 reject_unknown_hostname,
 reject_non_fqdn_hostname
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client truncate.gbudb.net,
 

Re: [CentOS] postfix and spam, I am impressed[Solution that works]

2012-03-13 Thread Bob Hoffman
Nataraj wrote on Tue Mar 13 13:17:32 EDT 2012:

==

snip
Also anyone using rbl's should also review the RBL's policy.  Most RBL's
charge a license fee for high volume queries and will cut you off if you
violate their policy.
snip
snip
Your logwatch format is very nice, that does not appear to be the
standard CentOS included logwatch.  Have you customized it a lot yourself?
snip
snip
Is this just a personal mail server or are you serving a large user base?
snip
=

You can also work out something with the RBLs if you are large enough, to
download their database in some way, and update through that method, while
somehow using your own files/database through postfix (or whatever mail server)

The logwatch format looks groovy for two reasons, 1- it is centos 6 version,
2- it is on HIGH detail (or 10, whichever you prefer)

This is just one address on a personal server. Just me.
This is an address I have had since 2002 and was quite active online.
My other address is from 1997 and it is insane the amount of junk.


Still getting a small amount through.
My next step is to get procmail to /dev/null according to spam-level
from spamassassin...so I may have it set at 5 to tag as spam, but procmail
can look at the level somehow and if I say 'greater than 15' /devnull.

will figure it out.


[CentOS] postfix and spam, I am impressed

2012-03-12 Thread Bob Hoffman
I have had the same email address since 1997 (when microsoft stole 
bob.com from me thanks to network solutions...)

In the early days I of course was free with my email and used it everywhere.
Fast forward to 2012, some 15 years later.

woof..the amount of spam sent to me has always just kept getting worse 
and worse.

On my centos 5 server I just used sendmail with spamassassin and it 
killed a lot. Still, 100s, sometimes more made it through. Then 
thunderbird would weed out more, learned as it went...
Still, had an inbox with a lot of junk.

Now I have set up a centos 6 box using postfix. Today I decided to try 
to add smtpd restrictions. After a lot of reading and testing I 'seem' 
to be doing incredible.
I wanted to share my current working postfix smtpd restrictions area so 
that others who are interested can start with it.

I just added the helo and sender restrictions and have noticed no 
problems yet.
There were many things some sites said to add, but they killed some very 
legitimate mail.

So...yesterday a few hundred mails in my box as usual. Plus I set up 
procmail to not delete spam so I could test. That gave me hundreds more

30 minutes since putting this up I went from 1 every few seconds to 1 in 
30 minutes. And that was tagged by spamassassin as spam. 1.

Not sure if this setup is perfect, but it is working quite well. Yes, 
the mail takes a few seconds longer and there is probably more I could 
do, but this ROCKS!!!

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_client_restrictions = permit_mynetworks,permit

smtpd_helo_restrictions =
 permit_mynetworks,
 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname,
 permit

smtpd_sender_restrictions =
 permit_mynetworks,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 permit

smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_invalid_hostname,
 reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client truncate.gbudb.net,
 reject_rbl_client dnsbl.njabl.org
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client dnsbl.sorbs.net,
 sleep 1,
  permit

smtpd_data_restrictions =
  permit_mynetworks,
  reject_multi_recipient_bounce,
 permit

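Added example, not part of the thread and not Postfix's own code: a small model of how Postfix walks an smtpd_*_restrictions list, so the ordering in the posted main.cf (the same list reappears in the "[Solution that works]" reply above) can be reasoned about rather than guessed at. The first restriction that yields PERMIT or REJECT decides; a list that runs out yields DUNNO and the next stage gets its turn. Restriction names are the real Postfix ones; the Session fields, the assumed $mynetworks and $mydestination values, and the "resolvable" and "rbl_listed" sets standing in for DNS answers are assumptions of the example, and every address in it is from the documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]   # assumed $mynetworks
MYDESTINATION = {"example.com", "mail.example.com"}     # assumed $mydestination
FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


@dataclass
class Session:
    client_addr: str
    recipient: str
    sender: str = ""
    helo: str = ""
    sasl_authenticated: bool = False
    rbl_listed: set = field(default_factory=set)   # RBL zones listing client_addr
    resolvable: set = field(default_factory=set)   # domains with an MX or A record


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def in_mynetworks(session):
    ip = ipaddress.ip_address(session.client_addr)
    return any(ip in net for net in MYNETWORKS)


def evaluate(restrictions, s):
    """Walk one restriction list; return (action, deciding_restriction)."""
    rcpt, sndr = domain_of(s.recipient), domain_of(s.sender)
    for rule in restrictions:
        name, _, arg = rule.partition(" ")
        if name == "permit":
            return "PERMIT", rule
        if name == "permit_mynetworks" and in_mynetworks(s):
            return "PERMIT", rule
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", rule
        if name == "reject_unauth_destination" and rcpt not in MYDESTINATION:
            return "REJECT", rule
        if name == "reject_non_fqdn_recipient" and not FQDN.match(rcpt):
            return "REJECT", rule
        # the reject_unknown_*_domain checks only apply to domains Postfix
        # is not final destination for
        if (name == "reject_unknown_recipient_domain"
                and rcpt not in MYDESTINATION and rcpt not in s.resolvable):
            return "REJECT", rule
        if name == "reject_non_fqdn_sender" and not FQDN.match(sndr):
            return "REJECT", rule
        if (name == "reject_unknown_sender_domain"
                and sndr not in MYDESTINATION and sndr not in s.resolvable):
            return "REJECT", rule
        if name == "reject_non_fqdn_helo_hostname" and not FQDN.match(s.helo):
            return "REJECT", rule
        if name == "reject_rbl_client" and arg in s.rbl_listed:
            return "REJECT", rule
        # reject_invalid_hostname, reject_unauth_pipelining and sleep need
        # SMTP-level state this model does not carry; treated as no-ops.
    return "DUNNO", None


# smtpd_recipient_restrictions in the order posted in the thread.
POSTED_RECIPIENT_RESTRICTIONS = [
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_invalid_hostname",
    "reject_unauth_pipelining",
    "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client truncate.gbudb.net",
    "reject_rbl_client dnsbl.njabl.org",
    "reject_rbl_client cbl.abuseat.org",
    "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client dnsbl.sorbs.net",
    "sleep 1",
    "permit",
]


def relays_for_strangers(restrictions):
    """Defender check: can an unauthenticated outside client relay to a
    foreign domain through this list?  True means an open relay."""
    stranger = Session(client_addr="203.0.113.5", recipient="x@elsewhere.example",
                       sender="y@elsewhere.example", helo="h.elsewhere.example",
                       resolvable={"elsewhere.example"})
    return evaluate(restrictions, stranger)[0] == "PERMIT"
```

Two things the walk makes visible: reject_unauth_destination sits before every reject_rbl_client, so a relay attempt from outside is refused without spending any DNSBL lookups (and the RBL query volume Nataraj warns about stays low), and permit_sasl_authenticated sits before the RBL checks, so the travelling user on a dynamic, PBL-listed address still gets through once authenticated. relays_for_strangers() is the check to run on any reordered list: a bare "permit" that drifts above reject_unauth_destination turns the box into an open relay.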


Re: [CentOS] Cron marks mailto value as UNSAFE

2012-03-12 Thread Bob Hoffman
On Mar 12, 2012, at 12:03 PM, James B. Byrne wrote:

 CentOS-6.2

 We moved a cron job from a CentOS-5.7 host to a CentOS-6.2
 host.  The MAILTO variable is set to support at harte-lyne.ca
 in both instances.  On the CentOS-6 host instead of
 receiving the mail with the output we see this in
 /var/log/cron instead:

 Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE
 (support at harte-lyne.ca)

 The CentOS-5 host uses Sendmail as the MTA, the CentOS-6
 uses Postfix. We can send mail to support at harte-lyne.ca
 from the command line on both hosts.

 The permissions of the files in /var/spool/cron are:
 # ll /var/spool/cron
 total 12
 -rw---. 1 root root   34 Mar  9 16:41 root
 -rw---. 1 root root 4245 Mar 12 14:53 theheart

 Selinux is set to Permissive (for the time being):

 # sestatus
 SELinux status: enabled
 SELinuxfs mount:/selinux
 Current mode:   permissive
 Mode from config file:  permissive
 Policy version: 24
 Policy from config file:targeted

 What is causing cron to complain. What is unsafe and how
 do I rectify this?

Not sure if you are just trying to use root or using an alias, but I found 
several
instances in the manual that said I MUST send root mail to an alias when using 
certain
aspects of postfix/procmail, etc... something to do with the delivery.

Not sure if this has anything to do with it, but I would try adding
root:some other user  in the /etc/aliases file
then run 'newaliases'
then try something.

hope this helps.



Re: [CentOS] postfix and spam, I am impressed

2012-03-12 Thread Bob Hoffman
On Mon Mar 12 18:39:23 EDT 2012, Jure Pecar wrote:
==
 On Mon, 12 Mar 2012 17:12:13 -0400
 Bob Hoffman <bob at bobhoffman.com> wrote:

  On my centos 5 server I just used sendmail with spamassassin and it
  killed a lot. Still, 100s, sometimes more made it through. Then
  thunderbird would weed out more, learned as it went...
  Still, had an inbox with a lot of junk.

 Maybe you should read some http://www.acme.com/mail_filtering/ ... although
 from 2005, one of the best sendmail writeups I'm aware of.

  Now I have set up a centos 6 box using postfix. Today I decided to try
  to add smtpd restrictions. After a lot of reading and testing I 'seem'
  to be doing incredible.

 I've switched to postfix back in 2001 and yes, it is amazing. Now that
 you're free of spam, you can dive into policyd and various content
 filtering schemes available. It's amazing how far email has come, yet it's
 even more amazing that none of the major linux distros have everything in
 one place, well integrated and polished and we poor sysadmins still have to
 stitch solutions together ... heck, I still have to patch sasl for it to
 auth against crypted passwords ... maybe I should stop before I start
 ranting ;)
=

yea, it would only accept normal passwords, but I figured since it
was using tls/ssl that the whole shebang was encrypted anyway so
it should be fine, right?

Also, still getting spam of course, but a smidgeon compared to before.
I would say 99.9% is being tagged by spamassassin as [spam].
Still afraid of false positives so gonna watch for a while with spamassassin
before I dev null them buggers.



[CentOS] Programs on/off on virtual host machine

2012-03-08 Thread Bob Hoffman
been playing with my host machine and thought some might want to see 
what I have on and the full list of chkconfig

I have installed desktop and x windows system to bring up a desktop when 
I want one with startx.

I turned 'off' quite a bit and yum removed quite a bit.
This set of programs still allows full use as a host so far, including 
the startx desktop.

Always afraid to remove or disable something because you 'never know' 
what might happen.
After two reboots this works.

This is only the chkconfig list, there are other programs that do not 
list in chkconfig I guess, but this is just for chkconfig.

standalone virtual host, no network file share and all that.
Removing or disabling many of the programs like rpc stuff has seriously 
taken out a lot
of the errors in the logs.

[root@main ~]# chkconfig --list | grep 3:on
abrt-ccpp       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrt-oops       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cgconfig        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
ksm             0:off   1:off   2:off   3:on    4:on    5:on    6:off
ksmtuned        0:off   1:off   2:off   3:on    4:on    5:on    6:off
libvirt-guests  0:off   1:off   2:off   3:on    4:on    5:on    6:off
libvirtd        0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcelogd         0:off   1:off   2:off   3:on    4:off   5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portreserve     0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
yum-cron        0:off   1:off   2:on    3:on    4:on    5:on    6:off


full list

[root@main ~]# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
abrt-ccpp       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrt-oops       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:off   4:off   5:off   6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:off   4:off   5:off   6:off
avahi-daemon    0:off   1:off   2:off   3:off   4:off   5:off   6:off
certmonger      0:off   1:off   2:off   3:off   4:off   5:off   6:off
cgconfig        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cgred           0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
dnsmasq         0:off   1:off   2:off   3:off   4:off   5:off   6:off
ebtables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:off   6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsi           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iscsid          0:off   1:off   2:off   3:off   4:off   5:off   6:off
kdump           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ksm             0:off   1:off   2:off   3:on    4:on    5:on    6:off
ksmtuned        0:off   1:off   2:off   3:on    4:on    5:on    6:off
libvirt-guests  0:off   1:off   2:off   3:on    4:on    5:on    6:off
libvirtd        0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcelogd         0:off   1:off   2:off   3:on    4:off
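The post's point, reducing a standalone KVM host to the handful of services it actually needs, is easier to keep true over time if the enabled set is checked against an allow-list after every update. The following POSIX shell script is an added example and not code from the post: it parses `chkconfig --list` output, picks out what is on in runlevel 3, and reports anything that is not on the list. The allow-list is an assumption built from the services the post shows as 3:on; the `SAMPLE` block is constructed input so the script runs where chkconfig does not exist.

```shell
#!/bin/sh
# Added example, not code from the post: audit 'chkconfig --list' output
# against an allow-list of the services a standalone KVM host is expected
# to start in runlevel 3, and report anything else that is switched on.
# The allow-list is an assumption built from the services the post shows
# as 3:on; adjust it to the host's role.

ALLOWED="abrt-ccpp abrt-oops abrtd acpid auditd cgconfig cpuspeed crond
haldaemon ip6tables iptables irqbalance ksm ksmtuned libvirt-guests libvirtd
lvm2-monitor mcelogd mdmonitor messagebus network ntpd portreserve postfix
rsyslog sshd sysstat udev-post yum-cron"

# Constructed sample in 'chkconfig --list' format, used when chkconfig is
# not available (e.g. when trying the script on a non-SysV machine).
SAMPLE='NetworkManager  0:off 1:off 2:off 3:off 4:off 5:off 6:off
avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off

xinetd based services:
        rsync:  on'

# Read chkconfig --list output on stdin and print the names of the SysV
# services that are "on" in the given runlevel (default 3). The xinetd
# section at the end uses a different layout and is skipped.
enabled_in_runlevel() {
    level="${1:-3}"
    awk -v lvl="$level" '
        /^xinetd based services/ { exit }
        NF >= 7 && $1 !~ /:/ {
            for (i = 2; i <= NF; i++)
                if ($i == lvl ":on") print $1
        }'
}

# Read chkconfig output on stdin, print the enabled services that are not
# in ALLOWED (space separated, one line) and return 1 when any were found.
audit_services() {
    allowed=" $(printf '%s' "$ALLOWED" | tr '\n' ' ') "
    unexpected=""
    for svc in $(enabled_in_runlevel 3); do
        case "$allowed" in
            *" $svc "*) ;;                          # expected on this host
            *) unexpected="$unexpected $svc" ;;     # not on the allow-list
        esac
    done
    printf '%s\n' "${unexpected# }"
    [ -z "$unexpected" ]
}

# Stand-alone run: use the real chkconfig when present, else the sample.
run_audit() {
    if command -v chkconfig >/dev/null 2>&1; then
        chkconfig --list | audit_services
    else
        printf '%s\n' "$SAMPLE" | audit_services
    fi
}
```

Call `run_audit` from cron or after `yum update`; a non-zero exit status plus the printed names is enough to hook into a nightly report, and on the sample input it flags `avahi-daemon`, which the post's own full list shows disabled.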

[CentOS] restrict postfix to only certain users getting incoming mail

2012-03-05 Thread Bob Hoffman
Perhaps I am trying to do the impossible.
centos6, spamassassin, procmail, dovecot, postfix.

Postfix, by default, accepts all incoming mail to any user listed in the 
shadow/passwd and alias files.

I cannot find a way to stop that without manually blocking each non 
wanted user (like nobody, apache) without killing local delivery.

For most of the users listed in those files, who cares. However for one, 
root, this is a massive issue.

Root gets a lot of mail from errors on the system. Preventing local 
delivery (or through the alias file, delivery through root to another 
user) makes root never receive those important mails.

Not preventing root from incoming mails means r...@example.com can be 
slammed with spam.

Local and external mail all seem to go through all of the programs 
(postfix, procmail, spamassassin, dovecot).

Local delivery of mails is needed for root.


What I would like is to just tell postfix to only allow incoming mail 
for user1 and user2 and reject all...but only from external sources, not 
locally sent mail.

Postfix does seem to allow you to limit who can send mail out of the 
server though...

I have 2 books on postfix here and spent many days online but I do not 
see the solution short of /dev/null or reject of all mail, local or 
external, of root.

perplexed.
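What the post asks for is possible with Postfix, because `smtpd_recipient_restrictions` is evaluated only by smtpd(8), that is, only for mail arriving over SMTP; mail handed in locally through the sendmail(1) command (cron output, logwatch, the `mail` command) goes via pickup(8) and never sees those restrictions, so local delivery to root stays intact. The POSIX shell script below is an added example and not code from the thread: it writes a recipient access table that rejects SMTP mail for root and a couple of other system accounts, plus the restriction list that consults it. The map path `/etc/postfix/recipient_access`, the reject texts and the choice of accounts are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a Postfix recipient
# access table and the matching smtpd_recipient_restrictions so that mail
# for root (and other system accounts) arriving over SMTP is rejected,
# while locally submitted mail still reaches root. smtpd(8) restrictions
# apply only to SMTP sessions; mail queued via sendmail(1) -> pickup(8)
# (cron, logwatch, the mail command) never passes through them.
# Assumed paths: /etc/postfix/recipient_access and a main.cf fragment.

# Access table keys follow the check_recipient_access lookup order:
# user@domain, then domain, then user@ (any domain).
write_recipient_access() {
    cat > "$1/recipient_access" <<'EOF'
# Reject SMTP mail for root at any domain this host accepts mail for.
# Locally submitted mail is not checked by smtpd, so system mail to
# root (and its /etc/aliases target) is unaffected.
root@      REJECT  This address does not accept external mail
# System accounts that never need inbound SMTP mail.
apache@    REJECT  No such mailbox
nobody@    REJECT  No such mailbox
EOF
}

# permit_mynetworks comes first, so SMTP sessions from the host itself and
# from $mynetworks (an internal app sending to root) are still allowed;
# reject_unauth_destination keeps the box from being an open relay; the
# access check then applies to everything arriving from outside.
write_main_cf_fragment() {
    cat > "$1/main.cf.fragment" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access,
    permit
EOF
}

# Number of rejected recipient keys in the generated table (for checks).
count_rejects() {
    grep -c '^[^#].*REJECT' "$1/recipient_access"
}

# Write both files into DIR (a temporary directory by default) and print DIR.
generate_postfix_files() {
    dir="${1:-$(mktemp -d)}"
    write_recipient_access "$dir"
    write_main_cf_fragment "$dir"
    printf '%s\n' "$dir"
}
```

Run `generate_postfix_files /tmp/pf`, copy `recipient_access` to `/etc/postfix/`, run `postmap /etc/postfix/recipient_access`, merge the fragment into `main.cf` and `postfix reload`. Verify by sending a test message to root from an outside host and watching `/var/log/maillog` for the `554` reject, then confirm that a local `echo test | mail root` still lands in the mailbox; the rejection happens at RCPT TO, before alias expansion, so it also covers a root alias pointing at another user.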

