Discuss February 2008

discuss@lists.centos.org

286 participants
340 discussions

Help with authenticating against Active Directory.
by Milton Calnek 01 Feb '08

01 Feb '08

Hello all, I'm trying to authenticate shell login's against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins. I have gotten as far as getting authentication working, but the uid's depend on the order of login. ie: the first guy to login gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via nfs, which means everyone has to have the same id. Is anyone else doing this? My smb.conf and nsswitch.conf files are below. TIA -- Milton Calnek BSc, A/Slt(Ret.) milton(a)calnek.com 306-717-8737 smb.conf [global] workgroup = example_com realm = example.COM server string = %h server (Samba %v) security = ADS map to guest = Bad Password passdb backend = tdbsam passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n . log level = 2 winbind:10 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 dns proxy = No wins server = ldap ldap ssl = no panic action = /usr/share/samba/panic-action %d idmap uid = 10000-20000 idmap gid = 10000-20000 idmap backend = ldap:ldap://ldap.example.com:3268 ldap admin dn = cn=Manager,dc=example,dc=COM ldap idmap suffix = ou=Idmap ldap suffix = dc=example,dc=COM template homedir = /home/%U template shell = /bin/bash winbind separator = + winbind use default domain = Yes winbind nested groups = Yes invalid users = root nsswitch.confpasswd: files compat winbind shadow: files compat group: files compat winbind #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: nisplus publickey: nisplus automount: files nisplus aliases: files nisplus -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

6 10

Unknown rootkit causes compromised servers
by Johnny Hughes 01 Feb '08

01 Feb '08

Here is the applicable article: http://www.linux.com/feature/125548 There are links in the above article that explain tests for the system and what is currently known about the rootkit. Apparently initial access is NOT via any vulnerability but just guessed root passwords. There are currently 2 methods to see if you are infected: 1. In some cases, the root kit causes you to not be able to create directories starting with a number ... so as root do: mkdir 1 If it gives you an error similar to this, you are probably infected: mkdir: cannot create directory `1': No such file or directory 2. Run this command for several minutes while you have windows users connecting to your web server: tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'" If you get output from this script, you may be infected. ======================================================== More info: http://blog.cpanel.net/?p=31 http://www.cpanel.net/security/notes/random_js_toolkit.html http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3 http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html http://www.webhostingtalk.com/showthread.php?t=651748 ========================================================== This does not seem to be caused by a specific vulnerability that CentOS or RHEL or cPanel has, but rather it seems to be caused by compromised root passwords. There are several recommendations in the above links to prevent becoming infected as well as what to do if you are infected. While there does not seem to be anything that the CentOS Development Team can "FIX" in relation to this issue ... I thought I would put the information out so that people can test their machines and take action as necessary. Thanks, Johnny Hughes

15 25

pxeos tool in system-config-netboot missing in CentOS
by vincenzo romero 01 Feb '08

01 Feb '08

Hello all, Since the "pxeos" utility is missing per Bug #0002304, http://bugs.centos.org/view.php?id=2304 which is required for me to setup a PXE server; which I'd like to in CentOS; Question: ... I am unable to find source for this; seems like the bug means that this was an oversight; perhaps the source is available somewhere and I can simply compile? If anyone is familiar where I can find this (a link/URL), a pointer would be greatly appreciated. -- best, Vince

1 0

swapping on centos 5.1
by Jerry Geis 01 Feb '08

01 Feb '08

Hi all, I used to use centos 4.5 on an AMD 4800+ with 2GIG ram. Now I use centos 5.1 on AMD 6400+ with 4GIG RAM. The system responsiveness is different between the two. I noticed that centos 5.1 seems to be swapping programs out of memory at times resulting in slowness (perceived by me). I played with swappiness (/proc/sys/vm/) setting to 10, then 1 then 0. Still resulted in the same perceived slowness. Today I did swapoff -a and now the system obviously does not swap anything out all all. I thought thats what swappiness of 0 would have done. Are others experiencing this also? The perceived slowness maks the older system with less RAM and slower CPU "seem" faster. Any suggestions on other things to try? Jerry

4 3

Re: [CentOS] General questions about security
by Les Bell 01 Feb '08

01 Feb '08

Niki Kovacs <contact(a)kikinovak.net> wrote: >> I wonder where to begin. << Policy. It's a drag, writing policies, but without policies, you're in the "Ready! Fire! Aim!" school of security. The top tier of policy is the "Enterprise Security Policy", which establishes the security function, roles, responsibilities, budget, etc. It also gives the power to enforce penalties for breaches of policies. At the next tier, you have system- and issue-specific policies, such as the "Use of corporate email" policy, the "Inappropriate content in the workplace" policy. You may then move down to standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user accounts, resetting passwords, etc.). Everything then flows from a Threats and Risk Assessment. Identify the information assets of the enterprise, value them. Then identify the possible threats, essentially giving them a likelihood of occurring. This is then plugged into a risk matrix: high value asset with almost certain likelihood of compromise = extreme risk; insignificant value asset with rare likelihood of compromise = low risk. Obviously, you focus on the high risk stuff first. You then put in place controls to mitigate the risk. For some things, you can't mitigate (e.g. data centre hit by asteroid and now a smoking hole in the ground); those you push over into Disaster Recovery Planning and deal with through relocation, equipment replacement, off-site backups, etc. Your controls could be technical (firewalls, proxies, authentication and authorization/access control, etc.), physical (locked doors, fences, alarms) and administrative (policies/procedures/standards, pre-employment screening, job rotation, segregation of duties, etc.). ISO 27001/27002 are a good guide in this area, or if you're US Gummint, check out the NIST SP800-series publications. >> I would say first thing is get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that? << Actually, tools like nmap, Nessus, etc. come in quite late in the day, for assurance that things are configured correctly. You can usually get much better bang from the buck from an internal audit first (it's amazing how often things are documented as being one way, when actually they're configured a completely different way). >> Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? << If you want a rapid overview of Linux security, I recommend the book "Real World Linux Security" by Bob Toxen. If you want a rapid overview of the business aspects of security, I'd recommend you investigate Security+, which is an entry-level security certification - a course or even just a study guide would help you. I'll let others comment on SELinux - I've worked with it, but my experience is definitely atypical. A closing quote, which I think comes from the old edition of the "Official (ISC)² Guide to the CISSP CBK", but is probably the key point: "Technical specialists are not the right people to decide how the organization approaches security and what security measures should be implemented. Companies which deal with security at the administrator level do not view security in broad enough terms. Senior management is not sufficiently involved and aware, proper risk management is not performed, security is under-funded and there is no planning and procedures to deal with unanticipated events." In other words, your top priority in security should be to obtain senior management backing. Without that, you'll just be spinning your wheels. And always remember: you can secure the technology fairly easily - it's the *people* that are the weakest link. Best, --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909

3 2

Re: [CentOS] General questions about security
by Les Bell 01 Feb '08

01 Feb '08

Niki Kovacs <contact(a)kikinovak.net> wrote: >> Thanks for your very detailed response. << Trust me when I say: that wasn't detailed. Nowhere near it. >> - Is it worth the hassle to bother with SELinux? - Is the standard firewall configuration enough << You can go light on all that policy stuff, especially in a small business environment, but you need to give it at least superficial consideration. Until you do, you can't answer those questions, and we certainly can't. Would, say, a web site defacement cause your organization significant embarrassment? Would it cost you your job? Could borrowers' personal information be compromised? Are you storing information like SSN's? At what point does the benefit exceed the costs? The hassle is worth it for defense/government applications involving classified data, obviously. Probably not worth it for a web-surfing home desktop. You're somewhere - where? - in between. Only you can know, and it depends on business considerations. Remember: "Ready! Fire! Aim!". One easy out: the "due diligence" approach. Find out what other libraries are doing, and do the same or better. The Koha, OpenBiblio and other mailing lists could be a help here. I'll let others clue you in on various web vulnerabilities - SQL injection, command injection, cross-site scripting, overflows, etc. - as well as tools like Nessus, Nikto, etc. for vuln scanning. However, your top priority here should be proactive patch management and intrusion detection techniques such as log file monitoring/analysis. Best, --- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909

1 0

General questions about security
by Niki Kovacs 01 Feb '08

01 Feb '08

Hi, I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to setup a dedicated production server for our public libraries. I wonder where to begin. I would say first thing is get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that? The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, other solution, can you recommend some good "reasonable" set of rules for a web server, for example? Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions about this subject. Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectance of 500+ years :oD Any suggestions? Niki

2 1

loopback network device
by Jordi Prats 01 Feb '08

01 Feb '08

Hi all, It's possible to create an alias of a device? Something like a device loN that all it's traffic is send to ethN, so ethN and loN are equivalent. It's for a bridged setup, i'm not trying to setup another IP on a device. Thanks! Jordi -- ...................................................................... __ / / Jordi Prats C E / S / C A Dept. de Sistemes /_/ Centre de Supercomputació de Catalunya Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona T. 93 205 6464 · F. 93 205 6979 · jprats(a)cesca.es ......................................................................

2 1

rsync and swapping
by Jerry Geis 01 Feb '08

01 Feb '08

hi all, I use rsync to copy/backup ALL my stuff to another disk. When I run this seems like my machine (4 GIG ram centos 5.1) now begins to swap out more programs. Is there a way to reduce that swapping? I am running with echo 1 > /proc/sys/vm/swappiness I simply mount /dev/sdc1 /mnt/backup; mkdir /mnt/backup/month.day.year then rsync -a /home /mnt/backup/mon.day.year This is approximately 102G of data. Thanks for any suggestions. Jerry

14 20

Problems to install java plugin in CentOS 5.1 x86_64
by Sergio Belkin 01 Feb '08

01 Feb '08

Hi! I've tried to install java plugin as is in http://www.howtoforge.com/installation-guide-centos5.1-desktop-p7 but with no success. All steps seems to go well, with no error messages, but Firefox says that there is no java plugin. Please, tell me what could be wrong? Thanks in advance!! -- Sergio Belkin ----------------------------------------

3 5

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss February 2008