Hi all,
Sometimes I check the status of my server with phpSysInfo. Everything is always all right, but on May 8 I experienced a "big deviation". My machine had been online for 12 days, but the net statistics were reset. I checked /proc/net/dev and the net statistics were reset there too. How is this possible?
Just before I experienced this problem I was updating two packages with yum (perl-HTML-Parser.i386 3.56-5.el5 and epel-release.noarch 5-3). There is nothing about it in /var/log/messages. On the same day someone attempted to log in to ssh (the attack was about 10 hours long, but it's impossible to break my server - I'm using a private key allowed only from my IP and in AllowUsers is only root) so I don't know how this is possible.
Thank you for answers
On Sun, May 11, 2008 at 5:56 AM, happymaster23 happymaster23@gmail.com wrote:
Just before I experienced this problem I was updating two packages with yum (perl-HTML-Parser.i386 3.56-5.el5 and epel-release.noarch 5-3). There is nothing about it in /var/log/messages. On the same day someone attempted to log in to ssh (the attack was about 10 hours long, but it's impossible to break my server - I'm using a private key allowed only from my IP and in AllowUsers is only root) so I don't know how this is possible.
Network stats are based on a 32bit number if I recall. When you have passed enough traffic, that number will roll over and begin again.
If you want to monitor traffic, phpsysinfo really isn't the way to do it. Use cacti or mrtg to poll the system periodically and record the stats. It takes into account network rollover.
Thank you for the answer,
the last amount of transferred data that I saw was about three or four gigabytes - is this too low for a rollover or not?
I'm not using phpSysInfo for monitoring transferred data and I do not want to monitor it. I was only surprised at how it happened.
-- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sun, May 11, 2008 at 11:34 AM, happymaster23 happymaster23@gmail.com wrote:
Thank you for the answer,
the last amount of transferred data that I saw was about three or four gigabytes - is this too low for a rollover or not?
4GB is just about the extent of the 32bit range for the increments used in ifconfig (unless I'm smoking crack, in which case someone else should feel free to correct me).
If you have another box, test this by booting up the test system, and copying a centos dvd to/from it, and watch the counters. After about 4G you should see the number reset itself.
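Added example, not written by any poster in this thread: a wrap-aware delta between two /proc/net/dev snapshots, the kind of calculation a polling monitor performs, which also flags a jump that a single rollover cannot explain. The 32-bit counter width follows the thread; the snapshots, the 60-second interval and the 100 Mbit/s link speed are constructed assumptions.

```python
# Added example: wrap-aware deltas between two /proc/net/dev snapshots.
COUNTER_BITS = 32            # assumption: 32-bit byte counters, as described in the thread
MODULUS = 1 << COUNTER_BITS

HEADER = (
    "Inter-|   Receive                         |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast"
    "|bytes packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshots taken 60 s apart; eth0 rx crosses 2**32 in between.
SNAP_T0 = HEADER + (
    "    lo:  104000 900 0 0 0 0 0 0 104000 900 0 0 0 0 0 0\n"
    "  eth0:4294000000 3100000 0 0 0 0 0 0 812000000 2900000 0 0 0 0 0 0\n"
)
SNAP_T1 = HEADER + (
    "    lo:  110000 950 0 0 0 0 0 0 110000 950 0 0 0 0 0 0\n"
    "  eth0: 5032704 3104000 0 0 0 0 0 0 815000000 2902000 0 0 0 0 0 0\n"
)

def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        if ":" not in line:
            continue
        name, data = line.split(":", 1)         # value may touch the colon
        fields = data.split()
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def counter_delta(old, new, interval_s, max_bytes_per_s):
    """Bytes moved between two samples, or None if one wrap cannot explain it."""
    moved = (new - old) % MODULUS               # undoes a single rollover
    if moved > interval_s * max_bytes_per_s:
        return None                             # counter reset or several wraps
    return moved

def interface_deltas(snap_old, snap_new, interval_s, max_bytes_per_s):
    """Return {interface: (rx_delta, tx_delta)} for interfaces in both snapshots."""
    old, new = parse_proc_net_dev(snap_old), parse_proc_net_dev(snap_new)
    return {
        iface: tuple(counter_delta(o, n, interval_s, max_bytes_per_s)
                     for o, n in zip(old[iface], new[iface]))
        for iface in new if iface in old
    }

if __name__ == "__main__":
    # 12_500_000 B/s = 100 Mbit/s link (assumed)
    print(interface_deltas(SNAP_T0, SNAP_T1, 60, 12_500_000))
```

A reset that happens while the old value is close to 2^32 still looks like a wrap, so the plausibility check narrows the ambiguity rather than removing it.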
Thank you very much!!!
You are right - after 4 gigabytes the counter was reset.
On Sun, May 11, 2008 at 5:56 AM, happymaster23 happymaster23@gmail.com wrote:
but it's impossible to break my server
These days it's very hard to state that. I would not bet any money on it. The only way to be really sure the server cannot be hacked is to disconnect the network cables (and maybe the power cables too!)
I'm using a private key allowed only from my IP and in AllowUsers is only root) so I don't know how this is possible.
Consider using AllowUsers to a user other than root and then using "su" for extra protection.
Also consider that if you tell someone exactly what security measures you are taking, that would help them come up with a strategy on how to attack you.
Filipe
Thank you for the answer,
you are right, I should write the word "impossible" with quotation marks ;), but I think that if I say that I'm using a private key (an attacker can discover this very simply) only from my IP (this is, I think, only information saying: "rather try some much less secured machine") and that only root is allowed, this is another piece of information of the same sort: "rather try a less secured machine". But if you know how this sort of information can help, please be more accurate.
I had a big discussion about logging in with another user and using su, and I discovered that there are two very big sides: one side is convinced that this is a big security improvement, but the second side says that this is a vain effort.
on 5-11-2008 2:56 AM happymaster23 spake the following:
Hi all,
Sometimes I check the status of my server with phpSysInfo. Everything is always all right, but on May 8 I experienced a "big deviation". My machine had been online for 12 days, but the net statistics were reset. I checked /proc/net/dev and the net statistics were reset there too. How is this possible?
Just before I experienced this problem I was updating two packages with yum (perl-HTML-Parser.i386 3.56-5.el5 and epel-release.noarch 5-3). There is nothing about it in /var/log/messages. On the same day someone attempted to log in to ssh (the attack was about 10 hours long, but it's impossible to break my server -
Keep fooling yourself. Difficult to break into -- maybe, but impossible -- I really doubt it. Every server can be broken into. Just some of them aren't worth the time it might take.
Yes, as I have said in my previous post - the word "impossible" is not really correct.