[CentOS] MySQL on Centos 7 (armv7)

2017-06-03 Thread Leon Vergottini
Dear Community

I am trying to install MySQL 5.6 on a Raspberry PI 3B.  Using my normal 
procedure by downloading the yum repo rpm and installing MySQL through that is 
not working.  There is no rpm information for arm7.

Can anyone please point me in a direction where I can find a procedure on how 
to install MySQL 5.6 on Centos 7 running on a PI3?

Kind Regards,

Leon

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] Securing RPC

2016-07-01 Thread Leon Vergottini
Dear Community

I hope you are all doing well.

Recently I have been receiving several complaints from our service
provider.  Please see the complaint below:

A public-facing device on your network, running on IP address
XXX.XXX.XXX.XXX, operates an RPC port mapping service responding on UDP port
111 and participated in a large-scale attack against a customer of ours,
generating responses to spoofed requests that claimed to be from the attack
target.

Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host's UDP port 111
at your network edge (it would continue to be available on TCP port 111 in
this case).
2. Adding firewall rules to allow connections to this service (on UDP port
111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).



Unfortunately, I cannot disable NFS, which lies at the root of this
problem.  In addition, I am struggling to find a proper tutorial on moving
NFS from udp over to tcp.

May I kindly ask you to point me in a direction or provide me with ideas on
how to nail this thing in the 

Kind Regards
Leon


Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Leon Vergottini
Dear Members

Thank you for your replies.

@Anthony K.  --   One of the articles that I have read mentioned that the
file gets read from top to bottom and the rules are applied accordingly.  In
addition, the article also explained that if there is no matching rule, the
default policy will be applied.  The writer suggested that rules with the
highest chance to match should be at the beginning of the tables.
Therefore, I added them to the top with the assumption that one would like to
drop non-standard packets as early as possible.

@Paul.  I totally agree with you.  My main objective is to master concepts
related to iptables.  I never had to deal with iptables in the past;
however, the landscape I find myself in is changing and I realised the need
to develop the skill set.

@l...@avc.su.  I was able to track down the book you have mentioned and
downloaded a copy.

Thank you once again to all.  I have learned a lot from your replies.

Have an awesome week further.

Kind Regards
Leon


On Wed, Jun 29, 2016 at 5:41 PM, l...@avc.su <l...@avc.su> wrote:

> Hello Leon.
>
> In addition to everything else mentioned in this thread, I'd recommend
> a great book on the topic:
> "Attack Detection and Response with iptables, psad, and fwsnort" by Michael
> Rash.
> It contains a really nice and detailed guide on iptables and the most common
> attacks, nmap, psad and snort.
>
> Regarding your config, I'd like to point out several things:
> 1. You're not dropping packets in state 'INVALID' at the top of your script,
> which is strange given that you have 3 rules to detect other non-standard
> behavior;
> 2. Since you're blocking outgoing UDP, you should be certain that all UDP
> services are set up to use TCP instead and add corresponding rules for
> them. I'm talking about DNS queries and NTP time sync requests (as the most
> common, but not limited to). These services use UDP, but you disabled it
> and haven't created an outgoing rule for DNS over TCP or NTP using TCP. You
> can't do DNS queries, and it's almost always painful for any service you're
> running on your server;
> 3. It seems strange that you haven't added SMTP to the list of allowed
> outgoing connections.
>
>
>
> 29.06.2016, 13:01, "Leon Vergottini" <le...@cornerstone.ac.za>:
> >  Dear Members
> >
> >  I hope you are all doing well.
> >
> >  I am busy teaching myself iptables and was wondering if I may get some
> >  advice. The scenario is the following:
> >
> > 1. Default policy is to block all traffic
> > 2. Allow web traffic and SSH
> > 3. Allow other applications
> >
> >  I have come up with the following:
> >
> >  #!/bin/bash
> >
> >  # RESET CURRENT RULE BASE
> >  iptables -F
> >  service iptables save
> >
> >  # DEFAULT FIREWALL POLICY
> >  iptables -P INPUT DROP
> >  iptables -P FORWARD DROP
> >  iptables -P OUTPUT DROP
> >
> >  # --
> >  # INPUT CHAIN RULES
> >  # --
> >
> >  # MOST COMMON ATTACKS
> >  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> >  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> >  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> >
> >  # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> >  iptables -A INPUT -i lo -j ACCEPT
> >  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >  # SSH
> >  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> >
> >  # WEB SERVICES
> >  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> >  iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> >  iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
> >
> >  # EMAIL
> >  iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> >  iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
> >
> >  # OTHER APPLICATIONS
> >  iptables -A INPUT -p tcp -m tcp --dport X -j ACCEPT
> >  iptables -A INPUT -p tcp -m tcp --dport X -j ACCEPT
> >
> >  # --
> >  # OUTPUT CHAIN RULES
> >  # --
> >  # UDP
> >  iptables -A OUTPUT -p udp -j DROP
> >
> >  # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> >  iptables -A OUTPUT -o lo -j ACCEPT
> >  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >  # SSH
> >  iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
> >
> >  # WEB SERVICES
> >  iptables -A INPUT 

[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

2016-06-29 Thread Leon Vergottini
Dear Members

I hope you are all doing well.

I am busy teaching myself iptables and was wondering if I may get some
advice.  The scenario is the following:


   1. Default policy is to block all traffic
   2. Allow web traffic and SSH
   3. Allow other applications

I have come up with the following:

#!/bin/bash

#  RESET CURRENT RULE BASE
iptables -F
service iptables save

#  DEFAULT FIREWALL POLICY
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#  --
#  INPUT CHAIN RULES
#  --

#  MOST COMMON ATTACKS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#  WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

#  EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#  OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport X -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport X -j ACCEPT


#  --
#  OUTPUT CHAIN RULES
#  --
#  UDP
iptables -A OUTPUT -p udp -j DROP

#  LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  SSH
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

#  WEB SERVICES
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT

#  EMAIL
iptables -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

#  OTHER APPLICATIONS
iptables -A OUTPUT -p tcp -m tcp --dport 11009 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 12009 -j ACCEPT



#  --
#  SAVE & APPLY
#  --


service iptables save
service iptables restart

To note:


   1. The drop commands at the beginning of each chain are for increased
   performance.  It is my understanding that the file gets read from top to
   bottom and applied accordingly.  Therefore, applying them at the beginning
   will increase the performance by not reading through all the rules only to
   apply the default policy.
   2. I know the above point will not really affect the performance, so it
   is more about getting into the habit of structuring the rules according to
   best practice, or at least establishing a pattern for myself.


How secure is this setup?  Are there any mistakes or things that I need to
look out for?

Thank you in advance for your feedback.

Kind Regards
Leon
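An added example, not the poster's script and not anything shipped with CentOS: the ruleset from this thread reworked with the points raised in the reply (INVALID dropped first, only the UDP the host needs allowed out instead of all UDP dropped, outbound SMTP allowed, OUTPUT-chain rules in OUTPUT with -o lo), together with the allow-listed UDP/111 rules that the provider complaint in the "Securing RPC" thread above calls option 2. The DNS, NTP and NFS-client addresses are placeholder values from the RFC 5737 documentation ranges; DRY_RUN=1 prints the rules instead of loading them, so the script can be reviewed without root.

```shell
# Added example (not the poster's script): the thread's ruleset with the reply's
# fixes, plus the allow-listed UDP/111 rules from the RPC thread.  Placeholder
# addresses (assumptions): DNS 192.0.2.53, NTP 192.0.2.123, NFS clients
# 198.51.100.0/24.  DRY_RUN=1 prints the rules instead of loading them.
IPT="${IPT:-iptables}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"
NTP_SERVERS="${NTP_SERVERS:-192.0.2.123}"
NFS_CLIENTS="${NFS_CLIENTS:-198.51.100.0/24}"
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"; else "$IPT" "$@"; fi
}
build_rules() {
    ipt -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    # INPUT: drop INVALID first (reply point 1), then the poster's flag checks
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in 22 80 443 8080 143 993 11009 12009; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # rpcbind and NFS only from known clients (the provider's option 2), so the
    # host stops answering spoofed UDP/111 queries from the Internet.  NFSv3
    # helpers (mountd, statd, lockd) need fixed ports in /etc/sysconfig/nfs too.
    for net in $NFS_CLIENTS; do
        ipt -A INPUT -s "$net" -p udp --dport 111 -j ACCEPT
        ipt -A INPUT -s "$net" -p tcp -m multiport --dports 111,2049 -j ACCEPT
    done
    # OUTPUT: loopback is matched with -o, and these rules belong in OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # keep the UDP the host needs (DNS, NTP; reply point 2), to named servers only
    for s in $DNS_SERVERS; do
        ipt -A OUTPUT -d "$s" -p udp --dport 53 -j ACCEPT
        ipt -A OUTPUT -d "$s" -p tcp --dport 53 -j ACCEPT
    done
    for s in $NTP_SERVERS; do ipt -A OUTPUT -d "$s" -p udp --dport 123 -j ACCEPT; done
    # outbound SMTP (reply point 3) plus HTTP/HTTPS for yum
    for p in 25 587 80 443; do
        ipt -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A OUTPUT -p udp -j DROP    # all other UDP is still dropped
}
# review helpers for DRY_RUN=1 output: occurrences of a fixed string, and the
# line number of its first occurrence (rule order matters, as the poster noted)
rule_count() { build_rules | grep -c -F -- "$1"; }
rule_index() { build_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1; }
```

Source the file and run `DRY_RUN=1 build_rules` to print the rule list for review; running `build_rules` without DRY_RUN loads it, after which `service iptables save` persists it as in the poster's script.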


[CentOS] Login "error" message

2015-09-04 Thread Leon Vergottini
Dear Community

I have been receiving the below each time I log into one of my servers 
using ssh.

declare -x G_BROKEN_FILENAMES="1"
declare -x HISTCONTROL="ignoredups"
declare -x HISTSIZE="1000"
declare -x HOME="/home/"
declare -x HOSTNAME="CentOS-66-64-minimal"
declare -x LANG="en_US.UTF-8"
declare -x LESSOPEN="||/usr/bin/lesspipe.sh %s"
declare -x LOGNAME=""
declare -x LS_COLORS="rs=0:di=38;5;27:ln=38;5;51:mh=44;38;5;15:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=05;48;5;232;38;5;15:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;34:*.tar=38;5;9:*.tgz=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.Z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lz=38;5;9:*.xz=38;5;9:*.bz2=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.bz=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.rar=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.axv=38;5;13:*.anx=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.axa=38;5;45:*.oga=38;5;45:*.spx=38;5;45:*.xspf=38;5;45:"
declare -x MAIL="/var/spool/mail/"
declare -x OLDPWD
declare -x PATH="/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home//bin:/opt/current/maven/bin:/opt/current/java/bin"
declare -x PWD="/home/"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x TERM="xterm-256color"
declare -x USER=""
-bash: PATH: command not found

I have tried to rectify the issue using the usermod and chsh commands with no 
success.

Is there anything else that I can do to get rid of this message?

Kind Regards
Leon
