Re: Key-Based Authentication -

2020-02-21 Thread Samuel Sieb

On 2/21/20 4:00 AM, Bob Goodwin wrote:
> In doing this is there danger of making an error and locking myself out 
> of my computer, if so what to avoid? I've made some catastrophic errors 
> in the not very distant past that required a new system re-installation 
> and would prefer not repeating that.

You could only lock yourself out if ssh is the only way to access the 
system.  But I assume this is a computer that you normally have console 
access on (graphical interface).

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: how to detect hack attempts.

2020-02-21 Thread John M. Harris Jr
On Friday, February 21, 2020 7:17:33 PM MST Tim via users wrote:
> Tim:
> 
> >> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
> >> non-admin user going to set up that listens as a server?  Admin-
> >> users setting up those traditional services ought to know how to
> >> manage firewalls, or they ought not to mess around with those
> >> services.
> 
> 
> Samuel Sieb:
> 
> > There are a variety of things like file sharing (webdav), media
> > sharing (dlna), remote desktop, various 3rd party or proprietary
> > software, etc.
> 
> 
> So, why can't the installation of those applications automatically
> include an appropriate firewall rule?  Better to allow a controlled
> opening, rather than just open-slather.
> 
> -- 
>  
> uname -rsvp
> Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
> 
> Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
> I will only get to see the messages that are posted to the mailing list.

They do come with firewall rules, see /usr/lib/firewalld/services. They aren't 
enabled automatically, of course, because it's up to the end-user whether or 
not it should be available on a given interface.

-- 
John M. Harris, Jr.
Splentity
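
Added example (not part of the message above and not firewalld's own code): a Python sketch of the contrast this thread discusses, between a zone that opens every port above 1024 and a zone that enables only named service definitions. The XML strings are constructed samples written in the `<service>`/`<zone>` layout firewalld uses; the zone names and the `dlna-example` service are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed service definitions in the <service>/<port> layout of the files
# under /usr/lib/firewalld/services. Names and port numbers are samples.
SERVICES = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "ipp": """<service>
  <short>Network printing (sample)</short>
  <port protocol="tcp" port="631"/>
  <port protocol="udp" port="631"/>
</service>""",
    "dlna-example": """<service>
  <short>Hypothetical media-sharing service</short>
  <port protocol="tcp" port="8200"/>
  <port protocol="udp" port="1900"/>
</service>""",
}

# Constructed zones: one with blanket high-port rules, one with named services.
ZONES = {
    "everything-above-1024": """<zone>
  <service name="ssh"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="udp" port="1025-65535"/>
</zone>""",
    "named-services-only": """<zone>
  <service name="ssh"/>
  <service name="dlna-example"/>
</zone>""",
}


def parse_ports(element):
    """Return (protocol, low, high) for every direct <port> child."""
    ranges = []
    for port in element.findall("port"):
        low, _, high = port.get("port").partition("-")
        ranges.append((port.get("protocol"), int(low), int(high or low)))
    return ranges


def zone_openings(zone_xml, services):
    """Expand a zone into (source, protocol, low, high) openings.

    'source' is the service name, or a marker for a port rule written
    directly in the zone, so every opening can be traced to its cause.
    """
    zone = ET.fromstring(zone_xml)
    openings = [("(direct port rule)",) + r for r in parse_ports(zone)]
    for svc in zone.findall("service"):
        name = svc.get("name")
        if name not in services:
            raise ValueError(f"zone references unknown service {name!r}")
        for r in parse_ports(ET.fromstring(services[name])):
            openings.append((name,) + r)
    return openings


def allowed_by(openings, protocol, port):
    """List the sources that let inbound traffic reach protocol/port."""
    return [src for src, proto, low, high in openings
            if proto == protocol and low <= port <= high]


def exposed_port_count(openings, protocol):
    """Count distinct ports reachable for one protocol."""
    ports = set()
    for _, proto, low, high in openings:
        if proto == protocol:
            ports.update(range(low, high + 1))
    return len(ports)


if __name__ == "__main__":
    for zone_name, zone_xml in ZONES.items():
        openings = zone_openings(zone_xml, SERVICES)
        print(zone_name, "tcp ports reachable:", exposed_port_count(openings, "tcp"))
        # 4444 stands in for any listener a user started without noticing.
        for port in (631, 4444, 8200):
            print("  tcp/%d allowed by: %s" % (port, allowed_by(openings, "tcp", port) or "nothing"))
```

In the first zone an unnoticed listener on any high port is reachable through the blanket rule; in the second, only ports belonging to a service someone chose to enable are.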



Re: how to detect hack attempts.

2020-02-21 Thread Tim via users
Tim:
>> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
>> non-admin user going to set up that listens as a server?  Admin-
>> users setting up those traditional services ought to know how to
>> manage firewalls, or they ought not to mess around with those
>> services.

Samuel Sieb:
> There are a variety of things like file sharing (webdav), media
> sharing (dlna), remote desktop, various 3rd party or proprietary
> software, etc.

So, why can't the installation of those applications automatically
include an appropriate firewall rule?  Better to allow a controlled
opening, rather than just open-slather.

-- 
 
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 


[389-users] Looking For Knowledge

2020-02-21 Thread Eugene Poole

OK, I've got 389-ds all installed and performed the install test.

Now what? How do I get all of the required information concerning my LAN 
into the 389-DS server? Is there a document or tutorial on how to do this?


TIA

Gene

--
Eugene Poole
Woodstock, Georgia
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


Re: how to detect hack attempts.

2020-02-21 Thread Ed Greshko
On 2020-02-22 08:10, George N. White III wrote:
> On Fri, 21 Feb 2020 at 18:42, Ed Greshko wrote:
>
> [...]
> FWIW, I have an additional system fully open to the Internet but 
> configured as an IPv6 only system.
> I use a public NAT64/DNS64 service for access to non-IPv6.  Owing to the 
> number of IPv6 addresses, I assume,
> it has never been probed by the ssh script kiddies. 
>
>
> Some bad actor is now or soon will be harvesting IPv6 addresses from forums 
> and mail lists.

Sure, and they will have the one IP address of my outgoing mail server.

Good luck to them finding which of the ~4.72236648287e+21 addresses under my 
control are in use.  :-)


-- 
The key to getting good answers is to ask good questions.


Re: Using Steam with Fedora

2020-02-21 Thread Samuel Sieb

On 2/21/20 2:46 PM, Patrick O'Callaghan wrote:

> That's a good point which I hadn't thought of. I actually only have a
> single monitor connected via an HDMI switch to both video outputs. I've
> been so used to this I forgot to mention it, but clearly I have to
> figure out how to run my desktop off the Nvidia card (I don't mind
> losing the IGP so multimonitor isn't important). Do you know if it's
> possible to blacklist the IGP? That might be the simplest solution.

You could try blacklisting the Intel one.  You would need to check which 
module it is, but probably "i915".  Or check in your BIOS, you might be 
able to set the other card as primary.



Re: how to detect hack attempts.

2020-02-21 Thread John M. Harris Jr
On Thursday, February 20, 2020 11:19:11 PM MST Samuel Sieb wrote:
> You generally have to ask the ISP to switch the
> modem to bridge mode, which I do so I can run my own gateway server.

Actually, you can normally do that yourself.

-- 
John M. Harris, Jr.
Splentity



Re: how to detect hack attempts.

2020-02-21 Thread John M. Harris Jr
On Friday, February 21, 2020 8:07:15 AM MST Tim via users wrote:
> On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> 
> > Any critical system daemons are 1024 and below.  The reason the high 
> > ports are left open is for user applications to be able to
> > communicate without users having to figure out the firewall.
> 
> 
> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
> non-admin user going to set up that listens as a server?  Admin-users
> setting up those traditional services ought to know how to manage
> firewalls, or they ought not to mess around with those services.
> 
> Thanks to the forever moving target closed-source things like ICQ, MSN,
> Yahoo messenger (some of which have gone by the way of the dodo), there
> isn't much in the way of Linux-based clients for those kind of things
> that need to have listening ports.
> 
> I can only think of something like bittorrent, which doesn't seem to
> need you to poke holes in your firewall.
> 
> -- 
>  
> uname -rsvp
> Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
> 
> Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
> I will only get to see the messages that are posted to the mailing list.

Most likely, many services, entirely unknowingly, as their own user. I have no 
idea what led the GNOME folks into believing it was a good idea to open up 
EVERYTHING above 1024.

-- 
John M. Harris, Jr.
Splentity



Re: how to detect hack attempts.

2020-02-21 Thread George N. White III
On Fri, 21 Feb 2020 at 18:42, Ed Greshko  wrote:

> [...]
> FWIW, I have an additional system fully open to the Internet but
> configured as an IPv6 only system.
> I use a public NAT64/DNS64 service for access to non-IPv6.  Owing to the
> number of IPv6 addresses, I assume,
> it has never been probed by the ssh script kiddies.
>

Some bad actor is now or soon will be harvesting IPv6 addresses from forums
and mail lists.

-- 
George N. White III


Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 22:20 +, Anthony F McInerney wrote:
> On Fri, 21 Feb 2020 at 22:16, Samuel Sieb  wrote:
> 
> > On 2/21/20 9:31 AM, Patrick O'Callaghan wrote:
> > > For several years I've been using a Windows VM with passthrough
> > > graphics as a gaming platform. It works pretty well, but ties up
> > > machine resources even when idle, so I'm now experimenting with Valve's
> > > Linux version of Steam with the Proton additions to the Wine libraries.
> > > I've disabled the VM, installed the latest proprietary Nvidia drivers,
> > > modified grub appropriately and rebooted. The Nvidia modules are
> > > loaded. The nvidia-settings command shows the GPU.
> > > 
> > > However when I run games under Steam, they are using the internal Intel
> > > GPU, making this configuration essentially unusable for AAA gaming
> > > (i.e. games will start but are unplayably slow). I can find no
> > > documentation on how to change this (whether via a global Steam option
> > > or even individually for each game).
> > 
> > I'm not sure how you expect this to work.  I assume you have another
> > monitor connected to the nvidia card.  But if you're running steam from
> > your regular desktop, the games are going to use the current display
> > which is your Intel one.  If you can get your desktop to display across
> > both video cards, then you could probably run steam on the display you
> > want, but I don't know if that configuration is even supported by Xorg
> > or Wayland.
> > 
> I wanted to add on top of this, it's more like the old multihead setups.
> That nothing supports anymore.
> Along with the Wayland vs Xorg pain.
> 
> Generally, when you plug in an external gpu, the igpu is disabled. That's
> the simplest way around all this.

Except that it isn't, because they are both connected (see my answer to
Samuel). That's the problem. Maybe I should just disconnect the video
cable from the IGP?

poc


Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 14:15 -0800, Samuel Sieb wrote:
> On 2/21/20 9:31 AM, Patrick O'Callaghan wrote:
> > For several years I've been using a Windows VM with passthrough
> > graphics as a gaming platform. It works pretty well, but ties up
> > machine resources even when idle, so I'm now experimenting with Valve's
> > Linux version of Steam with the Proton additions to the Wine libraries.
> > I've disabled the VM, installed the latest proprietary Nvidia drivers,
> > modified grub appropriately and rebooted. The Nvidia modules are
> > loaded. The nvidia-settings command shows the GPU.
> > 
> > However when I run games under Steam, they are using the internal Intel
> > GPU, making this configuration essentially unusable for AAA gaming
> > (i.e. games will start but are unplayably slow). I can find no
> > documentation on how to change this (whether via a global Steam option
> > or even individually for each game).
> 
> I'm not sure how you expect this to work.  I assume you have another 
> monitor connected to the nvidia card.  But if you're running steam from 
> your regular desktop, the games are going to use the current display 
> which is your Intel one.  If you can get your desktop to display across 
> both video cards, then you could probably run steam on the display you 
> want, but I don't know if that configuration is even supported by Xorg 
> or Wayland.

That's a good point which I hadn't thought of. I actually only have a
single monitor connected via an HDMI switch to both video outputs. I've
been so used to this I forgot to mention it, but clearly I have to
figure out how to run my desktop off the Nvidia card (I don't mind
losing the IGP so multimonitor isn't important). Do you know if it's
possible to blacklist the IGP? That might be the simplest solution.

poc


Re: how to detect hack attempts.

2020-02-21 Thread Ed Greshko
On 2020-02-22 06:10, Samuel Sieb wrote:
> On 2/21/20 12:15 PM, home user wrote:
>> (On 2020-0221 10:51pm, Ed wrote)
>>  > BTW, if you do an "ip -6 add show eno1"
>>  > do the numbers a358:d643 appear in the output?
>>
>> -bash.1[~]: ip -6 add show eno1
>> 2: eno1:  mtu 1500 qdisc fq_codel state UP 
>> group default qlen 1000
>>  inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic 
>> noprefixroute
>>     valid_lft 342949sec preferred_lft 342949sec
>>  inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
>>     valid_lft forever preferred_lft forever
>> -bash.2[~]:
>>
>> So the answer is yes.
>
> I don't know what the significance of the "a358:d643" part is, although it's 
> probably related to the first "2001" indicating that you have IPV6 over a 
> tunnel.

I asked about that number since some folks are skittish about revealing their 
actual IP addresses.

And, no, I don't think a tunnel is involved.  Comcast owns  2001:558:6040::/48

My IPv6 address is 2001:b030:112f::140e and, in fact, 2001:b030:112f:::/56 
belongs to me.

I also have a test system which does have a 6in4 tunnel via Hurricane Electric. 
 With the segment
2001:470:67:cce::/64

I gleaned his IPv6 address and, as we all know, there isn't much a need for NAT 
with IPv6.

My network is behind a router based firewall and I do have to configure rules 
to allow access as the
default is "deny".  Based on "probing" his IPv6 address while various things 
were being done yesterday
it was apparent that there was no router FW.

>
>
>> (Ed (11:26pm))
>>  > We shall see how he answers (if he does) my question on "ip add".
>>  > I have my own good reason to suspect he actually is directly connected.
>> Are Ed and I correct?  What is the significance/importance of this?
>
> Unlike most people, you *are* directly connected to the internet, so would do 
> well to have basic security enabled.  Keep the firewall on. :-)
> You're not running anything other than cups that's remotely connectable, so 
> there's not really anything to even check for hacking attempts, since there's 
> nothing to break into.  (cups should be blocked by default by the firewall.)

Actually, when it comes to cupsd...

Host is up.

PORT    STATE    SERVICE
631/tcp filtered ipp

So, yes, he is covered there as well.

FWIW, I have an additional system fully open to the Internet but configured as 
an IPv6 only system.
I use a public NAT64/DNS64 service for access to non-IPv6.  Owing to the number 
of IPv6 addresses, I assume,
it has never been probed by the ssh script kiddies. 


-- 
The key to getting good answers is to ask good questions.


Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 21:50 +, Patrick O'Callaghan wrote:
> On Fri, 2020-02-21 at 19:19 +, Israel Bermudez via users wrote:
> > If you are using rpmfusion they have a guide on their website for the 
> > Nvidia driver installation.
> > 
> > I am using the rpmfusion repo and I utilize their guide you will have to 
> > install both 32bit and 64bit drivers.
> > 
> > Our only difference is the use of steam. I use Lutris but at the end of the 
> > day, they are both using wine.
> > 
> > So far the rpmfusion method has been an install once and forget. 
> > Everything gets done through dnf upgrades.
> > 
> > I've been running WOW like this for the past 3 years without a single 
> > problem.
> > 
> 
> That's a clue. I'll look at the RPMfusion site and check out whether I
> have to install 32-bit Nvidia blobs as well. I didn't think this would
> be necessary for the kernel modules, but I guess some libraries would
> be affected so that could be the problem.

I don't think the problem is with libraries. This is what I currently
have installed:

$ rpm -qa \*nvidia\*
xorg-x11-drv-nvidia-libs-440.59-1.fc31.x86_64
kmod-nvidia-5.4.20-200.fc31.x86_64-440.59-1.fc31.x86_64
xorg-x11-drv-nvidia-kmodsrc-440.59-1.fc31.x86_64
xorg-x11-drv-nvidia-libs-440.59-1.fc31.i686   <--*
nvidia-settings-440.59-1.fc31.x86_64
xorg-x11-drv-nvidia-440.59-1.fc31.x86_64
akmod-nvidia-440.59-1.fc31.x86_64
xorg-x11-drv-nvidia-cuda-libs-440.59-1.fc31.x86_64

The 32-bit Nvidia library is there.

poc


Re: Using Steam with Fedora

2020-02-21 Thread Anthony F McInerney
On Fri, 21 Feb 2020 at 22:16, Samuel Sieb  wrote:

> On 2/21/20 9:31 AM, Patrick O'Callaghan wrote:
> > For several years I've been using a Windows VM with passthrough
> > graphics as a gaming platform. It works pretty well, but ties up
> > machine resources even when idle, so I'm now experimenting with Valve's
> > Linux version of Steam with the Proton additions to the Wine libraries.
> > I've disabled the VM, installed the latest proprietary Nvidia drivers,
> > modified grub appropriately and rebooted. The Nvidia modules are
> > loaded. The nvidia-settings command shows the GPU.
> >
> > However when I run games under Steam, they are using the internal Intel
> > GPU, making this configuration essentially unusable for AAA gaming
> > (i.e. games will start but are unplayably slow). I can find no
> > documentation on how to change this (whether via a global Steam option
> > or even individually for each game).
>
> I'm not sure how you expect this to work.  I assume you have another
> monitor connected to the nvidia card.  But if you're running steam from
> your regular desktop, the games are going to use the current display
> which is your Intel one.  If you can get your desktop to display across
> both video cards, then you could probably run steam on the display you
> want, but I don't know if that configuration is even supported by Xorg
> or Wayland.
>
I wanted to add on top of this, it's more like the old multihead setups.
That nothing supports anymore.
Along with the Wayland vs Xorg pain.

Generally, when you plug in an external gpu, the igpu is disabled. That's
the simplest way around all this.


Re: Using Steam with Fedora

2020-02-21 Thread Samuel Sieb

On 2/21/20 9:31 AM, Patrick O'Callaghan wrote:

> For several years I've been using a Windows VM with passthrough
> graphics as a gaming platform. It works pretty well, but ties up
> machine resources even when idle, so I'm now experimenting with Valve's
> Linux version of Steam with the Proton additions to the Wine libraries.
> I've disabled the VM, installed the latest proprietary Nvidia drivers,
> modified grub appropriately and rebooted. The Nvidia modules are
> loaded. The nvidia-settings command shows the GPU.
>
> However when I run games under Steam, they are using the internal Intel
> GPU, making this configuration essentially unusable for AAA gaming
> (i.e. games will start but are unplayably slow). I can find no
> documentation on how to change this (whether via a global Steam option
> or even individually for each game).

I'm not sure how you expect this to work.  I assume you have another 
monitor connected to the nvidia card.  But if you're running steam from 
your regular desktop, the games are going to use the current display 
which is your Intel one.  If you can get your desktop to display across 
both video cards, then you could probably run steam on the display you 
want, but I don't know if that configuration is even supported by Xorg 
or Wayland.



Re: how to detect hack attempts.

2020-02-21 Thread Samuel Sieb

On 2/21/20 12:15 PM, home user wrote:

> (On 2020-0221 10:51pm, Ed wrote)
>  > BTW, if you do an "ip -6 add show eno1"
>  > do the numbers a358:d643 appear in the output?
>
> -bash.1[~]: ip -6 add show eno1
> 2: eno1:  mtu 1500 qdisc fq_codel state 
> UP group default qlen 1000
>      inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic 
> noprefixroute
>     valid_lft 342949sec preferred_lft 342949sec
>      inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
>     valid_lft forever preferred_lft forever
> -bash.2[~]:
>
> So the answer is yes.

I don't know what the significance of the "a358:d643" part is, although 
it's probably related to the first "2001" indicating that you have IPV6 
over a tunnel.

> (responding to related comments)
> (Samuel (11:19pm))
>  > But most people don't realize that their ISP modem is also a router.
> I don't think my modem is also a router, but I'm not sure.  It's an 
> Arris model TM822G, self-purchased (not rented from the ISP).  So I'm 
> inclined to agree with Ed...

After checking the modem manual, I agree.

> (Ed (11:26pm))
>  > We shall see how he answers (if he does) my question on "ip add".
>  > I have my own good reason to suspect he actually is directly connected.
> Are Ed and I correct?  What is the significance/importance of this?

Unlike most people, you *are* directly connected to the internet, so 
would do well to have basic security enabled.  Keep the firewall on. :-)
You're not running anything other than cups that's remotely connectable, 
so there's not really anything to even check for hacking attempts, since 
there's nothing to break into.  (cups should be blocked by default by 
the firewall.)



Re: how to detect hack attempts.

2020-02-21 Thread Samuel Sieb

On 2/21/20 7:07 AM, Tim via users wrote:

> On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> > Any critical system daemons are 1024 and below.  The reason the high
> > ports are left open is for user applications to be able to
> > communicate without users having to figure out the firewall.
>
> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
> non-admin user going to set up that listens as a server?  Admin-users
> setting up those traditional services ought to know how to manage
> firewalls, or they ought not to mess around with those services.


There are a variety of things like file sharing (webdav), media sharing 
(dlna), remote desktop, various 3rd party or proprietary software, etc.



Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 21:24 +, Anthony F McInerney wrote:
> On Fri, 21 Feb 2020 at 17:32, Patrick O'Callaghan 
> wrote:
> 
> > For several years I've been using a Windows VM with passthrough
> > graphics as a gaming platform. It works pretty well, but ties up
> > machine resources even when idle, so I'm now experimenting with Valve's
> > Linux version of Steam with the Proton additions to the Wine libraries.
> > I've disabled the VM, installed the latest proprietary Nvidia drivers,
> > modified grub appropriately and rebooted. The Nvidia modules are
> > loaded. The nvidia-settings command shows the GPU.
> > 
> > However when I run games under Steam, they are using the internal Intel
> > GPU, making this configuration essentially unusable for AAA gaming
> > (i.e. games will start but are unplayably slow). I can find no
> > documentation on how to change this (whether via a global Steam option
> > or even individually for each game).
> > 
> > For the record, Linux Steam is a 32-bit executable, but I don't think
> > this should affect anything (my machine is 64-bit).
> > 
> > Has anyone done this successfully on Fedora? There are any number of
> > Google hits on similar themes, but mainly focussed on Ubuntu, which is
> > what Valve are mostly aiming at.
> > 
> > poc
> > 
> I believe you will need the optimus / bumblebee stuff for this.
> 
> https://docs.fedoraproject.org/en-US/quick-docs/bumblebee/
> 
> Now, these docs seem dated, and for my laptop, I haven't had much success,
> if there are better docs for this situation I'd like to see them. (I'll
> quickly admit I haven't googled it for a while)

I've seen Bumblebee mentioned on this list, but AFAIK this is only
relevant to laptops (the above URL seems to confirm this). Mine is a
desktop system with a discrete add-on GPU card as well as an Intel IGP.

poc


Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 19:19 +, Israel Bermudez via users wrote:
> If you are using rpmfusion they have a guide on their website for the Nvidia 
> driver installation.
> 
> I am using the rpmfusion repo and I utilize their guide you will have to 
> install both 32bit and 64bit drivers.
> 
> Our only difference is the use of steam. I use Lutris but at the end of the 
> day, they are both using wine.
> 
> So far the rpmfusion method has been an install once and forget. Everything 
> gets done through dnf upgrades.
> 
> I've been running WOW like this for the past 3 years without a single problem.
> 

That's a clue. I'll look at the RPMfusion site and check out whether I
have to install 32-bit Nvidia blobs as well. I didn't think this would
be necessary for the kernel modules, but I guess some libraries would
be affected so that could be the problem.

poc


Re: Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
On Fri, 2020-02-21 at 11:56 -0700, Joe Zeff wrote:
> On 02/21/2020 10:31 AM, Patrick O'Callaghan wrote:
> > I've disabled the VM, installed the latest proprietary Nvidia drivers,
> > modified grub appropriately and rebooted. The Nvidia modules are
> > loaded. The nvidia-settings command shows the GPU.
> 
> How did you install nVidia?  If you used the binary blob from the OEM, 
> you're going to have to do it again for every kernel update.  If you 
> followed the rpmfusion method, you shouldn't have had to modify grub. 
> There may be something odd going on there that's affecting this.  I'm no 
> expert, but I did use nVidia cards for about a decade so this jumps out 
> at me.

I used the akmod method from rpmfusion. I mentioned the grub edits
merely because I had had to change grub for my GPU passthrough system
(basically blacklisting Nvidia and Nouveau, and including some vfio
options). The edits were to restore the normal grub setup. I don't
think this is the issue.

poc


Re: Using Steam with Fedora

2020-02-21 Thread Anthony F McInerney
On Fri, 21 Feb 2020 at 17:32, Patrick O'Callaghan 
wrote:

> For several years I've been using a Windows VM with passthrough
> graphics as a gaming platform. It works pretty well, but ties up
> machine resources even when idle, so I'm now experimenting with Valve's
> Linux version of Steam with the Proton additions to the Wine libraries.
> I've disabled the VM, installed the latest proprietary Nvidia drivers,
> modified grub appropriately and rebooted. The Nvidia modules are
> loaded. The nvidia-settings command shows the GPU.
>
> However when I run games under Steam, they are using the internal Intel
> GPU, making this configuration essentially unusable for AAA gaming
> (i.e. games will start but are unplayably slow). I can find no
> documentation on how to change this (whether via a global Steam option
> or even individually for each game).
>
> For the record, Linux Steam is a 32-bit executable, but I don't think
> this should affect anything (my machine is 64-bit).
>
> Has anyone done this successfully on Fedora? There are any number of
> Google hits on similar themes, but mainly focussed on Ubuntu, which is
> what Valve are mostly aiming at.
>
> poc
>

I believe you will need the optimus / bumblebee stuff for this.

https://docs.fedoraproject.org/en-US/quick-docs/bumblebee/

Now, these docs seem dated, and for my laptop I haven't had much success.
If there are better docs for this situation I'd like to see them. (I'll
quickly admit I haven't googled it for a while.)


Re: how to detect hack attempts.

2020-02-21 Thread home user

(On 2020-0221 10:51pm, Ed wrote)
> BTW, if you do an "ip -6 add show eno1"
> do the numbers a358:d643 appear in the output?

-bash.1[~]: ip -6 add show eno1
2: eno1:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:558:6040:5d:9d66:dfa1:a358:d643/128 scope global dynamic noprefixroute
       valid_lft 342949sec preferred_lft 342949sec
    inet6 fe80::3285:a9ff:fe97:537e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-bash.2[~]:

So the answer is yes.

(responding to related comments)
(Samuel (11:19pm))
> But most people don't realize that their ISP modem is also a router.
I don't think my modem is also a router, but I'm not sure.  It's an 
Arris model TM822G, self-purchased (not rented from the ISP).  So I'm 
inclined to agree with Ed...

(Ed (11:26pm))
> We shall see how he answers (if he does) my question on "ip add".
> I have my own good reason to suspect he actually is directly connected.
Are Ed and I correct?  What is the significance/importance of this?


Re: http failing on boot

2020-02-21 Thread Jack Craig
What's in /var/log/httpd/access_log  ???

maybe ..

cat /var/log/httpd/access_log

35.185.73.152 - - [21/Feb/2020:09:14:33 -0800] "GET /robots.txt HTTP/1.0" 301 250 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:14:34 -0800] "GET /robots.txt HTTP/1.1" 404 208 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:14:34 -0800] "GET / HTTP/1.0" 301 240 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:14:34 -0800] "GET /robots.txt HTTP/1.0" 404 208 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:14:34 -0800] "GET / HTTP/1.0" 200 1154 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:22:52 -0800] "GET /robots.txt HTTP/1.0" 301 246 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
35.185.73.152 - - [21/Feb/2020:09:22:52 -0800] "GET / HTTP/1.0" 301 236 "-" "ZoominfoBot (zoominfobot at zoominfo dot com)"
194.33.127.25 - - [21/Feb/2020:09:27:02 -0800] "GET / HTTP/1.1" 200 1154 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
128.14.134.170 - - [21/Feb/2020:09:27:26 -0800] "GET / HTTP/1.1" 200 1154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
18.219.84.33 - - [21/Feb/2020:10:26:27 -0800] "GET / HTTP/1.1" 301 236 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36"

On Fri, Feb 21, 2020 at 1:20 AM Scott van Looy via users <
users@lists.fedoraproject.org> wrote:

> This is probably something super simple, but…
>
> My httpd is failing on boot.
>
> The server has 3x adaptors, all are static IPs and don’t require DHCP or
> anything. Addresses, etc are specified in the config files. All are present
> once boot has ended. All are managed by NetworkManager, yet I get this
> error in the log
>
> Feb 21 07:40:15  systemd[1]: Starting The Apache HTTP Server...
> Feb 21 07:40:16  httpd[1012]: [Fri Feb 21 07:40:16.208953 2020]
> [so:warn] [pid 1012:tid 140114180026688] AH01574: module ssl_module is
> already loaded, skipping
> Feb 21 07:40:16  httpd[1012]: (99)Cannot assign requested address:
> AH00072: make_sock: could not bind to address :80
> Feb 21 07:40:16  httpd[1012]: no listening sockets available,
> shutting down
> Feb 21 07:40:16  httpd[1012]: AH00015: Unable to open logs
> Feb 21 07:40:16  systemd[1]: httpd.service: Main process exited,
> code=exited, status=1/FAILURE
> Feb 21 07:40:16  systemd[1]: httpd.service: Failed with result
> 'exit-code'.
> Feb 21 07:40:16  systemd[1]: Failed to start The Apache HTTP
> Server.
>
> It’s like httpd is starting too early.
>
> Looking at the service info I can see it’s supposed to start after
> network.target. Looking at its critical chain using systemd-analyze it
> seems to be doing this correctly. I’m kinda at a loss. Does anyone have any
> suggestions as to what I can try?
>
> Scott


Re: Using Steam with Fedora

2020-02-21 Thread Israel Bermudez via users
If you are using rpmfusion they have a guide on their website for the Nvidia 
driver installation.

I am using the rpmfusion repo and I utilize their guide; you will have to 
install both 32bit and 64bit drivers.

Our only difference is the use of steam. I use Lutris but at the end of the 
day, they are both using wine.

So far the rpmfusion method has been an install once and forget. Everything 
gets done through dnf upgrades.

I've been running WOW like this for the past 3 years without a single problem.

Best regards,

Israel Bermudez

--

ProtonMail (Highly Secured): israel.bermu...@protonmail.ch

Gmail (Unsecured): isra.b...@gmail.com

‐‐‐ Original Message ‐‐‐
On Friday, February 21, 2020 12:31 PM, Patrick O'Callaghan 
 wrote:

> For several years I've been using a Windows VM with passthrough
> graphics as a gaming platform. It works pretty well, but ties up
> machine resources even when idle, so I'm now experimenting with Valve's
> Linux version of Steam with the Proton additions to the Wine libraries.
> I've disabled the VM, installed the latest proprietary Nvidia drivers,
> modified grub appropriately and rebooted. The Nvidia modules are
> loaded. The nvidia-settings command shows the GPU.
>
> However when I run games under Steam, they are using the internal Intel
> GPU, making this configuration essentially unusable for AAA gaming
> (i.e. games will start but are unplayably slow). I can find no
> documentation on how to change this (whether via a global Steam option
> or even individually for each game).
>
> For the record, Linux Steam is a 32-bit executable, but I don't think
> this should affect anything (my machine is 64-bit).
>
> Has anyone done this successfully on Fedora? There are any number of
> Google hits on similar themes, but mainly focussed on Ubuntu, which is
> what Valve are mostly aiming at.
>
> poc



Re: Using Steam with Fedora

2020-02-21 Thread Joe Zeff

On 02/21/2020 10:31 AM, Patrick O'Callaghan wrote:

> I've disabled the VM, installed the latest proprietary Nvidia drivers,
> modified grub appropriately and rebooted. The Nvidia modules are
> loaded. The nvidia-settings command shows the GPU.


How did you install nVidia?  If you used the binary blob from the OEM, 
you're going to have to do it again for every kernel update.  If you 
followed the rpmfusion method, you shouldn't have had to modify grub. 
There may be something odd going on there that's affecting this.  I'm no 
expert, but I did use nVidia cards for about a decade so this jumps out 
at me.



Using Steam with Fedora

2020-02-21 Thread Patrick O'Callaghan
For several years I've been using a Windows VM with passthrough
graphics as a gaming platform. It works pretty well, but ties up
machine resources even when idle, so I'm now experimenting with Valve's
Linux version of Steam with the Proton additions to the Wine libraries.
I've disabled the VM, installed the latest proprietary Nvidia drivers,
modified grub appropriately and rebooted. The Nvidia modules are
loaded. The nvidia-settings command shows the GPU.

However when I run games under Steam, they are using the internal Intel
GPU, making this configuration essentially unusable for AAA gaming
(i.e. games will start but are unplayably slow). I can find no
documentation on how to change this (whether via a global Steam option
or even individually for each game).

For the record, Linux Steam is a 32-bit executable, but I don't think
this should affect anything (my machine is 64-bit).

Has anyone done this successfully on Fedora? There are any number of
Google hits on similar themes, but mainly focussed on Ubuntu, which is
what Valve are mostly aiming at.

poc


Re: how to detect hack attempts.

2020-02-21 Thread George N. White III
On Fri, 21 Feb 2020 at 11:08, Tim via users 
wrote:

> On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> > Any critical system daemons are 1024 and below.  The reason the high
> > ports are left open is for user applications to be able to
> > communicate without users having to figure out the firewall.
>
> Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
> non-admin user going to set up that listens as a server?  Admin-users
> setting up those traditional services ought to know how to manage
> firewalls, or they ought not to mess around with those services.
>

The linux user base is so diverse that talking about the average user
isn't very useful.  Before retiring I worked with scientists whose computer
background included those who started out with Fortran on mainframes
(CDC) that had minimal security and no internet, biologists replacing
Windows (7) with linux, and numerical modellers who are focused on
intricate computations.  All these groups have no background in system
administration or security.


> Thanks to the forever moving target closed-source things like ICQ, MSN,
> Yahoo messenger (some of which have gone by the way of the dodo), there
> isn't much in the way of Linux-based clients for those kind of things
> that need to have listening ports.
>

In the scientific community there is a trend towards services to perform
calculations on a robust "server" using a GUI client (browser or Java
app) on a laptop.  "Notebook" in a browser applications like Jupyter and
Rstudio Server have large user bases.

-- 
George N. White III


Re: Key-Based Authentication -

2020-02-21 Thread Bruno Wolff III

On Fri, Feb 21, 2020 at 07:00:51 -0500,
 Bob Goodwin  wrote:
> I've been reading the thread about detecting hack attempts and I am
> interested in setting up "key based authentication" as described
> [perhaps] in "https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"
>
> Suggestions, thoughts?


I like to require both a key and a password. (Key first to prevent password 
guessing without access to a valid key.) I use a separate key for each 
device. It's not quite 2 factor, since the keys can be copied from a 
compromised device. But it still provides protection in some cases where 
just using a password could fail.



Re: how to detect hack attempts.

2020-02-21 Thread SternData
OSSEC, perhaps?

On 2/20/20 1:46 PM, home user wrote:
> (F-30; Gnome; stand-alone home workstation)
> 
> Sometime last year, I saw an article that talked about a tool that
> quickly and easily shows attempts to hack in to a computer.  I think it
> was either in the Fedora magazine or Gnome's website.  I've since made
> multiple attempts to find that article, but failed.  I'm needing to
> check for hack-in attempts (something I suppose I should do
> quasi-periodically anyway). What is the tool/application to do that?  If
> such a tool/application does not exist, then what is the best way for me
> to do that?
> 
> thanks,
> Bill.



Re: how to detect hack attempts.

2020-02-21 Thread Tim via users
On Thu, 2020-02-20 at 21:34 -0800, Samuel Sieb wrote:
> Any critical system daemons are 1024 and below.  The reason the high 
> ports are left open is for user applications to be able to
> communicate without users having to figure out the firewall.

Beyond the usual (HTTP, mail, DNS servers, etc), what is the average
non-admin user going to set up that listens as a server?  Admin-users
setting up those traditional services ought to know how to manage
firewalls, or they ought not to mess around with those services.

Thanks to the forever moving target closed-source things like ICQ, MSN,
Yahoo messenger (some of which have gone by the way of the dodo), there
isn't much in the way of Linux-based clients for those kind of things
that need to have listening ports.

I can only think of something like BitTorrent, which doesn't seem to
need you to poke holes in your firewall.

-- 
 
uname -rsvp
Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
 


Re: Key-Based Authentication -

2020-02-21 Thread Tom Horsley
On Fri, 21 Feb 2020 08:17:27 -0600
Richard Shaw wrote:

> It will check that you have correct permissions in ~/.ssh before copying
> the public key over to the remote system. Of course you'll need to leave
> password auth turned on until you complete this.

That's the important bit. You can leave password enabled
while testing public keys and only disable it when you verify
the public key setup works. At home, I have a sshd_config
file that enables highly insecure access just for my local
network, and requires public key for outside connections.
Here's the magic bit at the end of the file:

Match Address 127.0.0.1,192.168.1.*
Banner /etc/nohamster.txt
GSSApiAuthentication yes
KerberosAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin yes
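An added example (not part of the post above): a small evaluator for how sshd resolves global settings against a `Match Address` block, so you can see what a LAN address and an outside address each get before turning password logins off. The global section, the probe addresses and the "misplaced" variant are constructed assumptions; only the Match block comes from the post.

```python
import fnmatch
import ipaddress
import re

# Upstream OpenSSH defaults for the keywords reported here; a distribution's
# packaged sshd_config may set them differently.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

# Assumed global section (constructed), then the Match block from the post.
GOOD_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no

Match Address 127.0.0.1,192.168.1.*
Banner /etc/nohamster.txt
GSSApiAuthentication yes
KerberosAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin yes
"""

# Constructed mistake: the hardening lines were appended after the Match
# block, so sshd reads them as part of that block, not as global settings.
MISPLACED_CONFIG = """\
Match Address 127.0.0.1,192.168.1.*
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""


def address_matches(addr, pattern_list):
    """Evaluate a Match Address list: wildcard or CIDR entries, '!' negates."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        negated = pattern.startswith("!")
        pattern = pattern.lstrip("!")
        if "/" in pattern:
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pattern)
        if hit and negated:
            return False  # a negated hit vetoes the whole list
        matched = matched or hit
    return matched


def effective_settings(config_text, addr):
    """Return the settings that apply to a connection coming from addr."""
    global_opts, match_opts = {}, {}
    target = global_opts  # section currently being filled
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            if len(crit) == 1 and crit[0].lower() == "all":
                active = True
            elif len(crit) == 2 and crit[0].lower() == "address":
                active = address_matches(addr, crit[1])
            else:
                raise ValueError(f"unsupported Match criteria: {value}")
            # Everything up to the next Match line belongs to this block.
            target = match_opts if active else None
            continue
        if target is not None:
            target.setdefault(keyword, value)  # first value obtained wins
    # Satisfied Match blocks override the global section.
    return {**DEFAULTS, **global_opts, **match_opts}


def report(config_text, addrs):
    """Map each source address to (password login allowed?, PermitRootLogin)."""
    out = {}
    for addr in addrs:
        s = effective_settings(config_text, addr)
        out[addr] = (s["passwordauthentication"] == "yes", s["permitrootlogin"])
    return out


if __name__ == "__main__":
    probes = ["192.168.1.23", "203.0.113.9"]  # LAN host, outside host (constructed)
    for name, cfg in (("good", GOOD_CONFIG), ("misplaced", MISPLACED_CONFIG)):
        print(name, report(cfg, probes))
```

On a running host, `sshd -T -C addr=<address>` prints the settings sshd itself computes for that source address, which is the authoritative check before closing your other session.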


Re: Key-Based Authentication -

2020-02-21 Thread Richard Shaw
On Fri, Feb 21, 2020 at 6:05 AM Bob Goodwin  wrote:

> I've been reading the thread about detecting hack attempts and I am
> interested in setting up "key based authentication" as described
> [perhaps] in
> "
> https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html
> "
>
> In doing this is there danger of making an error and locking myself out
> of my computer, if so what to avoid? I've made some catastrophic errors
> in the not very distant past that required a new system re-installation
> and would prefer not repeating that.
>
> Suggestions, thoughts?
>

Besides the other suggestions, for the more "mechanical" part of the
process I highly recommend ssh-copy-id.

It will check that you have correct permissions in ~/.ssh before copying
the public key over to the remote system. Of course you'll need to leave
password auth turned on until you complete this.

Thanks,
Richard


Re: Key-Based Authentication -

2020-02-21 Thread Earl A Ramirez
On Fri, 21 Feb 2020, 12:51 Frank Pikelner,  wrote:

> Take care with "backdoors", not a good idea. Port scanners, i.e. "nmap",
> will find obfuscated servers running on different ports.
>
> On Fri, Feb 21, 2020 at 7:21 AM Michal Schorm  wrote:
> >
> > > In doing this is there danger of making an error and locking myself out
> > > of my computer, if so what to avoid?
> >
> > You can use dummy account for that, on both ends.
> >
> > You can force SSH (client) to only use keys, instead of passwords.
> >
> > You can run SSH in a container, to learn how to set it up. If you
> > break the system inside of the container, you can just restart it and
> > try again.
> >
> > You can try (never did this one) to run another SSH server on
> > different port - as a "backdoor". (Allow that port in firewall)
> >
> > Once you are confident, you can start using your intended client,
> > still with dummy server (either in a container or a dummy user
> > account).
> > After everything will work, you can attempt to switch to "production".
> >
> > If you are locking root account, set sudo permissions to another user account.
> >
> > Restart both devices on both ends (at once) to make sure you have
> > correct permanent configuration.
> >
> > --
> >
> > Michal Schorm
> > Software Engineer
> > Core Services - Databases Team
> > Red Hat
> >
> > --
> >
> > On Fri, Feb 21, 2020 at 1:05 PM Bob Goodwin  wrote:
> > >
> > > I've been reading the thread about detecting hack attempts and I am
> > > interested in setting up "key based authentication" as described
> > > [perhaps] in
> > > "https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"
> > >
> > > In doing this is there danger of making an error and locking myself out
> > > of my computer, if so what to avoid? I've made some catastrophic errors
> > > in the not very distant past that required a new system re-installation
> > > and would prefer not repeating that.
> > >
> > > Suggestions, thoughts?
> > >
> > > Bob
> > >
> > > --
> > > Bob Goodwin - Zuni, Virginia,
> > > Fedora Linux-31 XFCE

You can enable 2FA as well, add AllowUsers to your sshd_config for
additional security.

Details on 2FA and Fedora can be found here
https://fedoramagazine.org/two-factor-authentication-ssh-fedora/




Re: Key-Based Authentication -

2020-02-21 Thread Frank Pikelner
Take care with "backdoors", not a good idea. Port scanners, i.e. "nmap",
will find obfuscated servers running on different ports.

On Fri, Feb 21, 2020 at 7:21 AM Michal Schorm  wrote:
>
> > In doing this is there danger of making an error and locking myself out
> > of my computer, if so what to avoid?
>
> You can use dummy account for that, on both ends.
>
> You can force SSH (client) to only use keys, instead of passwords.
>
> You can run SSH in a container, to learn how to set it up. If you
> break the system inside of the container, you can just restart it and
> try again.
>
> You can try (never did this one) to run another SSH server on
> different port - as a "backdoor". (Allow that port in firewall)
>
> Once you are confident, you can start using your intended client,
> still with dummy server (either in a container or a dummy user
> account).
> After everything will work, you can attempt to switch to "production".
>
> If you are locking root account, set sudo permissions to another user account.
>
> Restart both devices on both ends (at once) to make sure you have
> correct permanent configuration.
>
> --
>
> Michal Schorm
> Software Engineer
> Core Services - Databases Team
> Red Hat
>
> --
>
> On Fri, Feb 21, 2020 at 1:05 PM Bob Goodwin  wrote:
> >
> > I've been reading the thread about detecting hack attempts and I am
> > interested in setting up "key based authentication" as described
> > [perhaps] in
> > "https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"
> >
> > In doing this is there danger of making an error and locking myself out
> > of my computer, if so what to avoid? I've made some catastrophic errors
> > in the not very distant past that required a new system re-installation
> > and would prefer not repeating that.
> >
> > Suggestions, thoughts?
> >
> > Bob
> >
> > --
> > Bob Goodwin - Zuni, Virginia,
> > Fedora Linux-31 XFCE


Re: http failing on boot

2020-02-21 Thread fedora



On 21/02/2020 10.19, Scott van Looy via users wrote:

> This is probably something super simple, but…
>
> My httpd is failing on boot.
>
> The server has 3x adaptors, all are static IPs and don’t require DHCP or
> anything. Addresses, etc are specified in the config files. All are
> present once boot has ended. All are managed by NetworkManager, yet I
> get this error in the log
>
> Feb 21 07:40:15  systemd[1]: Starting The Apache HTTP Server...
> Feb 21 07:40:16  httpd[1012]: [Fri Feb 21 07:40:16.208953 2020]
> [so:warn] [pid 1012:tid 140114180026688] AH01574: module ssl_module is
> already loaded, skipping
> Feb 21 07:40:16  httpd[1012]: (99)Cannot assign requested
> address: AH00072: make_sock: could not bind to address :80
> Feb 21 07:40:16  httpd[1012]: no listening sockets available,
> shutting down
> Feb 21 07:40:16  httpd[1012]: AH00015: Unable to open logs
> Feb 21 07:40:16  systemd[1]: httpd.service: Main process exited,
> code=exited, status=1/FAILURE
> Feb 21 07:40:16  systemd[1]: httpd.service: Failed with result
> 'exit-code'.
> Feb 21 07:40:16  systemd[1]: Failed to start The Apache HTTP Server.
>
> It’s like httpd is starting too early.
>
> Looking at the service info I can see it’s supposed to start after
> network.target. Looking at its critical chain using systemd-analyze it
> seems to be doing this correctly. I’m kinda at a loss. Does anyone have
> any suggestions as to what I can try?
>
> Scott


Hi Scott
try to start it after network-online.

In /lib/systemd/system/httpd.service or in 
/etc/systemd/system/httpd.service:

After=network-online.target remote-fs.target nss-lookup.target httpd-init.service

It has helped here...

suomi


Re: Key-Based Authentication -

2020-02-21 Thread Frank Pikelner
Key based authentication works well in small environments, you
generate the keys (recommend you consider ed25519 instead of RSA,
etc), distribute them across the servers (public keys) and update the
authorized keys file. On the server side you configure SSHD to use
keys vs. passwords (disable password based authentication). As long as
you do not lose the keys you are good. If you have console access to
the server, then you can always reconfigure SSHD back to passwords in
the event you lose your keys. For larger environments, this may not be
the ideal choice and you may want to consider ssh certificates (not
the same as x.509 certificates).

If you are going to be using ssh certificate authentication (highly
recommended) you will need to ensure the certificates do not expire
and so need to renew them ahead of time. As long as you have console
access to the remote server (most cloud providers have this) you can
always reconfigure sshd to allow yourself back in in the event the
certificates have expired. As you will be issuing the certs, you have
control on their duration.

Frank

On Fri, Feb 21, 2020 at 7:05 AM Bob Goodwin  wrote:
>
> I've been reading the thread about detecting hack attempts and I am
> interested in setting up "key based authentication" as described
> [perhaps] in
> "https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"
>
> In doing this is there danger of making an error and locking myself out
> of my computer, if so what to avoid? I've made some catastrophic errors
> in the not very distant past that required a new system re-installation
> and would prefer not repeating that.
>
> Suggestions, thoughts?
>
> Bob
>
> --
> Bob Goodwin - Zuni, Virginia,
> Fedora Linux-31 XFCE
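
Added example, not part of Frank's message: one way to notice an ssh certificate nearing expiry so it can be re-signed ahead of time. The function names, the 14-day threshold and the sample text are assumptions; the input is what `ssh-keygen -L -f <cert>` prints, and GNU `date -d` is assumed.

```shell
#!/bin/sh
# Decide whether an OpenSSH certificate needs re-signing, from the text of
#   ssh-keygen -L -f ~/.ssh/id_ed25519-cert.pub
# The CA picks the lifetime at signing time, e.g. (placeholder file names):
#   ssh-keygen -s ca_key -I bob-laptop -n bob -V +52w id_ed25519.pub
# ssh-keygen prints local time, so run this in the same time zone.

# stdin: `ssh-keygen -L` text. Prints the expiry as epoch seconds, or
# "forever" for a certificate signed without an end date.
cert_valid_until() {
    line=$(grep '^[[:space:]]*Valid:') || return 2
    case $line in *forever*) echo forever; return 0 ;; esac
    date -d "$(printf '%s' "${line##* to }" | tr T ' ')" +%s
}

# stdin as above; $1 = now (epoch seconds), $2 = warn when fewer days remain.
# Prints OK, RENEW, EXPIRED or UNKNOWN; returns non-zero unless OK.
cert_status() {
    end=$(cert_valid_until) || { echo UNKNOWN; return 2; }
    [ "$end" = forever ] && { echo OK; return 0; }
    if   [ "$end" -le "$1" ]; then echo EXPIRED; return 1
    elif [ $(( end - $1 )) -lt $(( $2 * 86400 )) ]; then echo RENEW; return 1
    else echo OK; fi
}

# Constructed sample of `ssh-keygen -L` output (not a real certificate).
sample='id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "bob-laptop"
        Valid: from 2020-02-21T07:00:00 to 2020-03-22T07:00:00
        Principals:
                bob'
# Seven days before expiry with a 14-day warning window.
printf '%s\n' "$sample" |
    cert_status "$(date -d '2020-03-15 07:00:00' +%s)" 14 || true
```

In real use, pass `$(date +%s)` as the first argument and run it from cron against each certificate file.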


Re: Key-Based Authentication -

2020-02-21 Thread Michal Schorm
> In doing this is there danger of making an error and locking myself out
> of my computer, if so what to avoid?

You can use a dummy account for that, on both ends.

You can force SSH (client) to only use keys, instead of passwords.

You can run SSH in a container, to learn how to set it up. If you
break the system inside of the container, you can just restart it and
try again.

You can try (never did this one) to run another SSH server on
different port - as a "backdoor". (Allow that port in firewall)

Once you are confident, you can start using your intended client,
still with dummy server (either in a container or a dummy user
account).
After everything works, you can attempt to switch to "production".

If you are locking root account, set sudo permissions to another user account.

Restart both devices on both ends (at once) to make sure you have
correct permanent configuration.

--

Michal Schorm
Software Engineer
Core Services - Databases Team
Red Hat

--

On Fri, Feb 21, 2020 at 1:05 PM Bob Goodwin  wrote:
>
> I've been reading the thread about detecting hack attempts and I am
> interested in setting up "key based authentication" as described
> [perhaps] in
> "https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"
>
> In doing this is there danger of making an error and locking myself out
> of my computer, if so what to avoid? I've made some catastrophic errors
> in the not very distant past that required a new system re-installation
> and would prefer not repeating that.
>
> Suggestions, thoughts?
>
> Bob
>
> --
> Bob Goodwin - Zuni, Virginia,
> Fedora Linux-31 XFCE
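
Added example, not part of Michal's message: a pre-flight check to run against the trial (dummy account or container) setup before reloading sshd with passwords turned off. The function names and sample files are assumptions; it reads only the global section of one config file, and `sshd -T` remains the authoritative view of the effective settings.

```shell
#!/bin/sh
# Pre-flight check before reloading sshd with password logins turned off.

# Print the global value of keyword $2 in sshd_config $1, or default $3.
# sshd keeps the FIRST value it reads for a keyword. Include files and
# Match blocks are not followed here.
sshd_option() {
    awk -F'[ \t=]+' -v want="$2" -v dflt="$3" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0        { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }' "$1"
}

# Count lines in authorized_keys file $1 that carry a public key blob.
usable_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '/^[^#]*(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) +AAAA/ { n++ }
         END { print n + 0 }' "$1"
}

# $1 = sshd_config, $2 = the login user's authorized_keys.
# Returns 0 if an ssh login path remains, 1 if the change would lock ssh out.
preflight() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    pk=$(sshd_option "$1" PubkeyAuthentication yes)
    [ "$pw" = yes ] && { echo "ok: passwords still accepted"; return 0; }
    [ "$pk" = yes ] || { echo "LOCKOUT: passwords and keys both off"; return 1; }
    [ "$(usable_keys "$2")" -gt 0 ] || { echo "LOCKOUT: no key in $2"; return 1; }
    case $(ls -ld "$2" | cut -c1-10) in
        ?????w*|????????w*) echo "LOCKOUT: $2 is group/world-writable"; return 1 ;;
    esac
    echo "ok: key-only login should work"
}

# Constructed sample: the first PasswordAuthentication line wins, so this
# config is key-only even though a later line says "yes".
demo=$(mktemp -d)
printf '%s\n' '# trial config' 'PasswordAuthentication no' \
    'PasswordAuthentication yes' > "$demo/sshd_config"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey dummy@test' \
    > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
preflight "$demo/sshd_config" "$demo/authorized_keys"
```

Keep an already-open ssh session or the console available while testing, so a LOCKOUT result can be corrected before the old session is closed.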


Key-Based Authentication -

2020-02-21 Thread Bob Goodwin
I've been reading the thread about detecting hack attempts and I am 
interested in setting up "key based authentication" as described 
[perhaps] in 
"https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-ssh-configuration-keypairs.html"


In doing this is there danger of making an error and locking myself out 
of my computer, if so what to avoid? I've made some catastrophic errors 
in the not very distant past that required a new system re-installation 
and would prefer not repeating that.


Suggestions, thoughts?

Bob

--
Bob Goodwin - Zuni, Virginia,
Fedora Linux-31 XFCE


http failing on boot

2020-02-21 Thread Scott van Looy via users
This is probably something super simple, but…

My httpd is failing on boot.

The server has 3x adaptors, all are static IPs and don’t require DHCP or 
anything. Addresses, etc are specified in the config files. All are present 
once boot has ended. All are managed by NetworkManager, yet I get this error in 
the log

Feb 21 07:40:15  systemd[1]: Starting The Apache HTTP Server...
Feb 21 07:40:16  httpd[1012]: [Fri Feb 21 07:40:16.208953 2020] 
[so:warn] [pid 1012:tid 140114180026688] AH01574: module ssl_module is already 
loaded, skipping
Feb 21 07:40:16  httpd[1012]: (99)Cannot assign requested address: 
AH00072: make_sock: could not bind to address :80
Feb 21 07:40:16  httpd[1012]: no listening sockets available, shutting 
down
Feb 21 07:40:16  httpd[1012]: AH00015: Unable to open logs
Feb 21 07:40:16  systemd[1]: httpd.service: Main process exited, 
code=exited, status=1/FAILURE
Feb 21 07:40:16  systemd[1]: httpd.service: Failed with result 
'exit-code'.
Feb 21 07:40:16  systemd[1]: Failed to start The Apache HTTP Server.

It’s like httpd is starting too early.

Looking at the service info I can see it’s supposed to start after 
network.target. Looking at its critical chain using systemd-analyze it seems to 
be doing this correctly. I’m kinda at a loss. Does anyone have any suggestions 
as to what I can try?

Scott

