From jkinz at kinz.org Sat Aug 9 17:50:26 2008
From: jkinz at kinz.org (Jeff Kinz)
Date: Sat, 9 Aug 2008 13:50:26 -0400
Subject: Rick Stevens old email script for adding random quotes
Message-ID: <20080809175026.GA17537@redline.kinz.org>

Hi,
Does anyone know where I can get a copy of Rick Stevens' old email script
for adding random quotes as a sig to an email?

Jeff Kinz.
--

see, this sig is too boring...

From cs at zip.com.au Sat Aug 9 23:36:29 2008
From: cs at zip.com.au (Cameron Simpson)
Date: Sun, 10 Aug 2008 09:36:29 +1000
Subject: Rick Stevens old email script for adding random quotes
In-Reply-To: <20080809175026.GA17537@redline.kinz.org>
Message-ID: <20080809233629.GA18799@cskk.homeip.net>

On 09Aug2008 13:50, Jeff Kinz wrote:
| Does anyone know where I can get a copy of Rick Stevens' old email script
| for adding random quotes as a sig to an email?

No, but if you have no luck you can use my script:

http://www.cskk.ezoshosting.com/cs/css/bin/sig
http://www.cskk.ezoshosting.com/cs/css/bin/picksig

The first calls the second, which picks the random quote. My muttrc says:

set signature="sig|sed 1d|"

Configuration for your mailer is an exercise for you.

On reinspection, picksig may be over complicated, and could do with a
recode. Though it does let me pick signatures with a little keyword
control when I want it.

Cheers,
--
Cameron Simpson DoD#743
http://www.cskk.ezoshosting.com/cs/

First off, using it would be a politically correct action, and PC is a
philosophy that myself and several others of the Peevetown population
have vowed to destroy in our lifetime. - Vinnie Jordan

From dcalhoun at blomand.net Sun Aug 10 01:37:50 2008
From: dcalhoun at blomand.net (Dennis D. Calhoun)
Date: Sat, 9 Aug 2008 20:37:50 -0500
Subject: Rick Stevens old email script for adding random quotes
In-Reply-To: <20080809175026.GA17537@redline.kinz.org>
References: <20080809175026.GA17537@redline.kinz.org>
Message-ID: <000001c8fa89$bd3f1270$37bd3750$@net>

Your initial effort may or may not bear fruit, however, as Thomas Edison
once said, "I have not failed 10,000 times. I have successfully found
10,000 ways that will not work." :)

Good luck in your search!

--
Dennis D. Calhoun, MCSA

-----Original Message-----
From: redhat-install-list-bounces at redhat.com
[mailto:redhat-install-list-bounces at redhat.com] On Behalf Of Jeff Kinz
Sent: Saturday, August 09, 2008 12:50 PM
To: Redhat install List
Subject: Rick Stevens old email script for adding random quotes

Hi,
Does anyone know where I can get a copy of Rick Stevens' old email script
for adding random quotes as a sig to an email?

Jeff Kinz.
--

see, this sig is too boring...

_______________________________________________
Redhat-install-list mailing list
Redhat-install-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request at redhat.com
Subject: unsubscribe

From karlp at ourldsfamily.com Mon Aug 11 17:42:10 2008
From: karlp at ourldsfamily.com (Karl Pearson)
Date: Mon, 11 Aug 2008 11:42:10 -0600 (MDT)
Subject: Apache Seems to Hang
Message-ID: <857ee80d7f7790a8c87aaa491735232b.squirrel@webmail.ourldsfamily.com>

I am having some issues with Apache on my server. It just seems to hang
forever sometimes. I found this article:

http://sitening.com/blog/2006/02/03/apache-hangs-due-to-lack-of-entropy/

and read the linked article, but my hardware doesn't support hw_random so I
can't use that solution.

I did:

# service random restart

and now Apache seems to be working faster, but it could be a fluke because
sometimes it just works okay, and other times it doesn't.
Any info or insight would be greatly appreciated. I've thought of just
adding a cron job that restarts random every 30 minutes or so...

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
"The constitution doesn't grant us rights any more than a birth certificate
gives us life. It's just a piece of paper that tells us what we already
know." - John Charles Carter, aka, Charlton Heston, 10/4/23-4/5/08
See http://en.wikipedia.org/wiki/Charleton_Heston#Political_activism
---
http://www.bobbarr2008.com/a-real-choice/ - Vote Bob Barr
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---

From jkinz at kinz.org Mon Aug 11 19:33:15 2008
From: jkinz at kinz.org (Jeff Kinz)
Date: Mon, 11 Aug 2008 15:33:15 -0400
Subject: Apache Seems to Hang
In-Reply-To: <857ee80d7f7790a8c87aaa491735232b.squirrel@webmail.ourldsfamily.com>
References: <857ee80d7f7790a8c87aaa491735232b.squirrel@webmail.ourldsfamily.com>
Message-ID: <20080811193314.GA12465@redline.kinz.org>

On Mon, Aug 11, 2008 at 11:42:10AM -0600, Karl Pearson wrote:
> I am having some issues with Apache on my server. It just seems to hang
> forever sometimes. I found this article:
>
> http://sitening.com/blog/2006/02/03/apache-hangs-due-to-lack-of-entropy/
>
> and read the linked article, but my hardware doesn't support hw_random so I
> can't use that solution.
>
> I did:
>
> # service random restart
>
> and now Apache seems to be working faster, but it could be a fluke because
> sometimes it just works okay, and other times it doesn't.
>
> Any info or insight would be greatly appreciated. I've thought of just adding
> a cron job that restarts random every 30 minutes or so...

Karl - Without the hardware support, you have found a good work-around.

PS- regarding your 911 page - I worked on an NSA contract in 1985 or so
- guess what story one of the old timers told me? :-)

The US govt (The NSA) has known how to use commercial aircraft to take out
skyscrapers for decades. They even know how to change the planes'
configurations to make it impossible. Simply don't have any door between
the cockpit and the passenger compartment. The crew cabin gets its own
exterior door. A lot cheaper than funding DHS and the air marshals too.

From ricks at nerd.com Mon Aug 11 22:53:51 2008
From: ricks at nerd.com (Rick Stevens)
Date: Mon, 11 Aug 2008 15:53:51 -0700
Subject: Rick Stevens old email script for adding random quotes
In-Reply-To: <20080809175026.GA17537@redline.kinz.org>
References: <20080809175026.GA17537@redline.kinz.org>
Message-ID:

I'm in Miami this week, Jeff, but I'll zip it up and send it to you. It's
on my desktop system at the office and protected by a VPN I can't get
through from here.

On Sat, Aug 9, 2008 at 10:50 AM, Jeff Kinz wrote:
> Hi,
> Does anyone know where I can get a copy of Rick Stevens' old email script
> for adding random quotes as a sig to an email?
>
> Jeff Kinz.
> --
>
> see, this sig is too boring...
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From karlp at ourldsfamily.com Tue Aug 12 15:42:48 2008
From: karlp at ourldsfamily.com (Karl Pearson)
Date: Tue, 12 Aug 2008 09:42:48 -0600 (MDT)
Subject: Apache Seems to Hang
In-Reply-To: <20080811193314.GA12465@redline.kinz.org>
References: <857ee80d7f7790a8c87aaa491735232b.squirrel@webmail.ourldsfamily.com>
 <20080811193314.GA12465@redline.kinz.org>
Message-ID:

On Mon, 11 Aug 2008, Jeff Kinz wrote:
> On Mon, Aug 11, 2008 at 11:42:10AM -0600, Karl Pearson wrote:
>> I am having some issues with Apache on my server. It just seems to hang
>> forever sometimes. I found this article:
>>
>> http://sitening.com/blog/2006/02/03/apache-hangs-due-to-lack-of-entropy/
>>
>> and read the linked article, but my hardware doesn't support hw_random so I
>> can't use that solution.
>>
>> I did:
>>
>> # service random restart
>>
>> and now Apache seems to be working faster, but it could be a fluke because
>> sometimes it just works okay, and other times it doesn't.
>>
>> Any info or insight would be greatly appreciated. I've thought of just adding
>> a cron job that restarts random every 30 minutes or so...
>
> Karl - Without the hardware support, you have found a good
> work-around.
>
> PS- regarding your 911 page - I worked on an NSA contract in 1985 or so
> - guess what story one of the old timers told me? :-)
>
> The US govt (The NSA) has known how to use commercial aircraft to take out
> skyscrapers for decades. They even know how to change the planes'
> configurations to make it impossible. Simply don't have any door between
> the cockpit and the passenger compartment. The crew cabin gets its own
> exterior door. A lot cheaper than funding DHS and the air marshals too.

That makes perfect sense. There would still be some vulnerability, but
nothing like we see now.

Karl

>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of the people who
are evil, but because of the people who don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---

From Jessica.Blank at take2games.com Mon Aug 18 21:09:22 2008
From: Jessica.Blank at take2games.com (Jessica Blank (T2 NY))
Date: Mon, 18 Aug 2008 17:09:22 -0400
Subject: Entering the 'Installation Number' after the fact
Message-ID: <976C191058E3594395DFC6C4B55FCF83B03FAC@TK2NYCEVS01.take2.t2.corp>

Hello all,

We have three servers that we're setting up, and our licences (hopefully
including the Installation Numbers) are on the way, but they have not
arrived yet. I am presently, therefore, installing the servers without
Installation Numbers.

I've read the FAQ at
https://www.redhat.com/support/resources/faqs/installation_numbers/ , but
it does not seem to say anything about entering Installation Numbers after
one has installed the base system, nor is information provided on using
another installation number (say, from an unused licence in the corporate
pool) and CHANGING the installation number to the permanent value later.

Am I just going to have to manually configure my subscriptions? Or is
there any way to enter an Installation Number outside of, well, the
Installation process?
Cheers,
Jessica

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jessica Blank - Systems Developer, Take-Two Interactive
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bret_stern at machinemanagement.com Wed Aug 20 05:35:30 2008
From: bret_stern at machinemanagement.com (Bret Stern)
Date: Tue, 19 Aug 2008 22:35:30 -0700
Subject: Odd behaviour - slow ftp today
Message-ID: <200808200635.m7K6ZaEZ026520@mx3.redhat.com>

Good August to all.

One of my most trustworthy and reliable ftp servers suddenly has a case
of the slows.

I looked at the mail messages which get generated nightly about system
status; there were a couple entries where some remote sob tried to log
into my machine 9997 times. Several days in a row.

Accidentally deleted the message with the ip number, so I couldn't add
the deny entry to iptables.

Any suggestions on where to look for possible traces of ill intent?

I've been looking at messages, secure, vsftpd logs, but don't see any
concern.

Thanks for comments,
Bret Stern
Machine Management

From bret_stern at machinemanagement.com Wed Aug 20 06:45:53 2008
From: bret_stern at machinemanagement.com (Bret Stern)
Date: Tue, 19 Aug 2008 23:45:53 -0700
Subject: yum update - kernel panic on boot
Message-ID: <200808200645.m7K6jtqU032284@mx3.redhat.com>

After performing a yum update, this boot message appears.

No volume groups found
Unable to find volume group "VolGroup00"
Unable to access resume device (/dev/VolGroup00/LogVol01)
mount: could not find filesystem '/dev/root'

more boot messages
.....
kernel panic not syncing

Found below thread about this...as a fix.

Append an ".img" to initrd-2.6.15-2.2054_FC5 so GRUB can find it.

Can I use Knoppix or similar to make these changes?

thanks

From bob at bobcatos.com Wed Aug 20 13:28:31 2008
From: bob at bobcatos.com (Bob McClure Jr)
Date: Wed, 20 Aug 2008 08:28:31 -0500
Subject: yum update - kernel panic on boot
In-Reply-To: <200808200645.m7K6jtqU032284@mx3.redhat.com>
References: <200808200645.m7K6jtqU032284@mx3.redhat.com>
Message-ID: <20080820132831.GA20015@bobcat.bobcatos.com>

On Tue, Aug 19, 2008 at 11:45:53PM -0700, Bret Stern wrote:
>
> After performing a yum update, this boot message appears.
>
> No volume groups found
> Unable to find volume group "VolGroup00"
> Unable to access resume device (/dev/VolGroup00/LogVol01)
> mount: could not find filesystem '/dev/root'
>
> more boot messages
> .....
> kernel panic not syncing
>
>
>
> Found below thread about this...as a fix.
>
> Append an ".img" to initrd-2.6.15-2.2054_FC5 so GRUB can find it.
>
> Can I use Knoppix or similar to make these changes?

Probably. But why not boot your FC5 disk 1 in rescue mode?

- At the boot prompt, put "linux rescue".
- Let it mount your root filesystem and its dependents.
- At the shell prompt:
    chroot /mnt/sysimage
- Edit /boot/grub/grub.conf as needed, then
    exit    # or ^D from chroot
    exit    # or ^D from rescue mode to reboot
- Eject the CD.

That said, I've never seen an update farble the grub.conf, so I'd be
surprised if the solution is that simple. You may have to rerun the
procedure above, but instead of the edit, do a

    grub-install /dev/hda    # assuming that's your boot drive.

> thanks

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
bob at bobcatos.com
http://www.bobcatos.com

For since the creation of the world God's invisible qualities -- his
eternal power and divine nature -- have been clearly seen, being
understood from what has been made, so that men are without excuse.
Romans 1:20 (NIV)

From bret_stern at machinemanagement.com Fri Aug 22 16:09:55 2008
From: bret_stern at machinemanagement.com (Bret Stern)
Date: Fri, 22 Aug 2008 09:09:55 -0700
Subject: Fedora 9 -aarrrgggghh
Message-ID: <200808221609.m7MG9wjJ004582@mx3.redhat.com>

After installing Fedora 9, I'm feeling like it's turning into the
"Windows babysitting" model.

I have been using Fedora 6 for really solid ftp and web services, and
really don't like all the changes.

Fedora 6 was so solid; it gets pretty boring just watching the servers
run ..year..after..year...

How 'bout a pep talk on Fedora 9....or I just downloaded FreeBSD, and
feel this could be more comfortable for this old timer.

It's a good day.

Bret Stern

From karlp at ourldsfamily.com Fri Aug 22 16:43:52 2008
From: karlp at ourldsfamily.com (Karl Pearson)
Date: Fri, 22 Aug 2008 10:43:52 -0600 (MDT)
Subject: Fedora 9 -aarrrgggghh
In-Reply-To: <200808221609.m7MG9wjJ004582@mx3.redhat.com>
References: <200808221609.m7MG9wjJ004582@mx3.redhat.com>
Message-ID:

On Fri, 22 Aug 2008, Bret Stern wrote:
>
> After installing Fedora 9, I'm feeling like it's
> turning into the "Windows babysitting" model.
>
> I have been using Fedora 6 for really solid ftp and
> web services, and really don't like all the changes.
>
> Fedora 6 was so solid; it gets pretty boring just watching
> the servers run ..year..after..year...
>
> How 'bout a pep talk on Fedora 9....or I just
> downloaded FreeBSD, and feel this could be more
> comfortable for this old timer.

I install Fedora 8 because it feels comfortable like FC6 did. That might
be a solution you can live with.

Karl

>
> It's a good day.
>
>
> Bret Stern
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of the people who
are evil, but because of the people who don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---

From karlp at ourldsfamily.com Fri Aug 22 16:55:53 2008
From: karlp at ourldsfamily.com (Karl Pearson)
Date: Fri, 22 Aug 2008 10:55:53 -0600 (MDT)
Subject: Cycling Passwords
Message-ID:

I'm curious on your take on systems that require changing passwords on a
set schedule, whether it's 90 days or whatever.

When I've set up new systems, I instruct the users to select passwords
that are cryptic and follow guidelines that make them essentially
impossible to crack, such as: Ol10yzZx119xa

Once a good password is found, why change it? I know there are a lot of
consultants who say you must, but everywhere I've been that requires
people to change passwords, I see they have written them on sticky notes
and then put them on their monitor, or bookshelf or wherever. I also see
the frustration level rise every time they are trying to get into a
system with a customer on the phone, and they have to tell them to wait
for their session as they change their password...

Since roughly 90% of corporate break-ins are from the inside, having to
change the passwords, and then sticking the passwords up, defeats the
security purposes for changing passwords.

What do you think?

Okay, I do have a reason for asking this: 1. convince me I'm wrong, and
2. I have a client that wants it to stop, and I need to know where in
Fedora Core 6 that is set up so I can make the change for them.

Their FC6 system is set up so the accounts go to /sbin/nologin so they
don't have to change their password for email.
But no one has shell access, and a few need it, thus creating the need
for passwords to change.

TIA

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of the people who
are evil, but because of the people who don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---

From ricks at nerd.com Fri Aug 22 17:09:25 2008
From: ricks at nerd.com (Rick Stevens)
Date: Fri, 22 Aug 2008 10:09:25 -0700
Subject: Fedora 9 -aarrrgggghh
In-Reply-To: <200808221609.m7MG9wjJ004582@mx3.redhat.com>
References: <200808221609.m7MG9wjJ004582@mx3.redhat.com>
Message-ID: <48AEF2C5.4050502@nerd.com>

Bret Stern wrote:
> After installing Fedora 9, I'm feeling like it's
> turning into the "Windows babysitting" model.
>
> I have been using Fedora 6 for really solid ftp and
> web services, and really don't like all the changes.
>
> Fedora 6 was so solid; it gets pretty boring just watching
> the servers run ..year..after..year...
>
> How 'bout a pep talk on Fedora 9....or I just
> downloaded FreeBSD, and feel this could be more
> comfortable for this old timer.

Fedora 9 or 10 will become the new RHEL 6 in time. F9 is a significant
change in a lot of baseline technologies, but deals more with the
desktop-type of system than servers: a new Xorg release, new versions of
Gnome and (incomplete) KDE, enhanced support for various video and audio
cards, (supposedly) easier wireless networking...the list goes on and on.

You could have said "Stop the evolution of Fedora" at any point. Many
people did. F3 became RHEL4. F6 became RHEL5. Fedora is an evolving
beast...sometimes the evolution hits a dead end and it gets backed off.

I don't like where F9 went in some areas, and in fact only have it
running as a Xen DomU (guest) under an F8 Dom0 on an Opteron for testing
purposes. Some of my observations:

a) NetworkManager is completely useless (and in fact is counterproductive)
   if you have anything more than the simplest of networking topologies.
   It's not configurable in any meaningful way.

b) I'm still rather unhappy with the spectacularly confusing PulseAudio
   system, and it doesn't "play nice" with many applications (Skype, for
   example).

c) I'm not thrilled with the new startup logic (there was NOTHING wrong
   with inittab and the /etc/rc.d/rcx.d directory tree)...and I don't
   agree with "changes for the sake of change".

d) KDE is V4.0 and it's MASSIVELY incomplete. 4.1 is around the corner,
   but 4.0 is SO bad it never should have been released.

e) Most proprietary video drivers (are you listening nVidia?) were
   incompatible with the new Xorg version. This has gotten better in the
   last few months, but Je-sus!

These complaints (and others) have been sent off to the development and
design teams. I'm not an official member of the groups, but sort of an
interested (and vocal) spectator.

As with any evolving thing, not everyone will be pleased with the
directions it goes. You can help guide it by getting involved in the
developers or testers group. If you don't get involved, you essentially
have no cause to complain if it doesn't go the way you want it to, in
exactly the same way you really don't have a right to bitch about the
government unless you get involved and vote.

For a rock-solid server, stay with RHEL 5 or CentOS 5. They won't be
EOL'd for quite a while and will work well.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                    rps2 at nerd.com -
- Hosting Consulting, Inc.                                           -
-                                                                    -
- Denial. It ain't just a river in Egypt anymore!                    -
----------------------------------------------------------------------

From ricks at nerd.com Fri Aug 22 18:11:27 2008
From: ricks at nerd.com (Rick Stevens)
Date: Fri, 22 Aug 2008 11:11:27 -0700
Subject: Cycling Passwords
In-Reply-To:
References:
Message-ID: <48AF014F.6040608@nerd.com>

Karl Pearson wrote:
> I'm curious on your take on systems that require changing passwords on a
> set schedule, whether it's 90 days or whatever.
>
> When I've set up new systems, I instruct the users to select passwords
> that are cryptic and follow guidelines that make them essentially
> impossible to crack, such as: Ol10yzZx119xa
>
> Once a good password is found, why change it? I know there are a lot of
> consultants who say you must, but everywhere I've been that requires
> people to change passwords, I see they have written them on sticky notes
> and then put them on their monitor, or bookshelf or wherever. I also
> see the frustration level rise every time they are trying to get into a
> system with a customer on the phone, and they have to tell them to wait
> for their session as they change their password...
>
> Since roughly 90% of corporate break-ins are from the inside, having to
> change the passwords, and then sticking the passwords up, defeats the
> security purposes for changing passwords.
>
> What do you think?
>
> Okay, I do have a reason for asking this: 1. convince me I'm wrong, and
> 2. I have a client that wants it to stop, and I need to know where in
> Fedora Core 6 that is set up so I can make the change for them.
>
> Their FC6 system is set up so the accounts go to /sbin/nologin so they
> don't have to change their password for email. But no one has shell
> access, and a few need it, thus creating the need for passwords to change.

Any access control system should be tailored to the specific needs of
your business. It is entirely possible to make a server or network so
secure it's unmanageable. The art of it is balancing security against
ease of use and flexibility.

We set up PCI-compliant systems (you know, credit card processing), so
our attitude towards passwords is "make them complex and change them
often". We're driven by the statement: "Just because we're paranoid
doesn't mean they AREN'T out to get us!"

Since in your case user accounts don't have a shell associated with them,
an enforced password rotation schedule would have minimal positive
effects. Your root, administrative and any other account with shell
access should be put on an enforced rotation. This is only sensible.

Our (somewhat paranoid) systems use this:

We require our root passwords to be rotated at least every 90 days, but
no one's allowed to have them. Root and admin passwords use the following
criteria:

1. We use cracklib
2. Minimum of 12 characters
3. Minimum of two upper case characters
4. Minimum of one special character (punctuation mark)
5. Minimum of two decimal digits
6. A given password cannot be reused until at least three others have
   been used.
7. No minimum lifetime
8. Maximum lifetime of 90 days

Our security admin creates passwords on the systems themselves in the
standard /etc/passwd and /etc/shadow files, then creates a KeePass file
containing them which is put on two FLASH pendrives kept in two different
firesafes in two different offsite locations. They're available if we
need them, but all administrative work is done by designated personnel
using sudo.

All of our authentication data (with the exception of root and other
admin stuff above) is maintained in LDAP on two, fully redundant LDAP
servers. We do lessen the restrictions for normal user accounts:

1. Minimum lifetime is 1 week
2. Maximum lifetime is 365 days
3. Minimum of 8 characters
4. Must have one uppercase character
5. Must have one decimal digit
6. A given password cannot be reused until three others have been used.

The LDAP server enforces these requirements via the "ppolicy" overlay and
a custom password checking library specifically written for this purpose
(they're easy to write). We also make use of the "host" attribute
capability of LDAP (if a user tries to authenticate from a machine and
that machine is not in a "host" attribute in the user's LDAP entry,
they're denied access).

The LDAP database also includes the equivalent of the /etc/sudoers file
and all machines use the LDAP sudoers data. You can set an attribute in
LDAP that will prevent the machines from even looking at a local
/etc/sudoers file, which makes circumventing the sudo system more
difficult.

We have a few admins that do real heavy lifting where having to enter
"sudo this" and "sudo that" can be onerous. We allow them to create a
root shell via "sudo bash -l". Needless to say, these are highly trusted
people.

As I said, these are probably more extreme than most systems need, but we
have financial data coursing through our systems. With some mods, they
may work for you.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                    rps2 at nerd.com -
- Hosting Consulting, Inc.                                           -
-                                                                    -
- We have enough youth, how about a fountain of SMART?               -
----------------------------------------------------------------------

From harold at hallikainen.com Fri Aug 22 19:10:23 2008
From: harold at hallikainen.com (Harold Hallikainen)
Date: Fri, 22 Aug 2008 12:10:23 -0700 (PDT)
Subject: Fedora 9 -aarrrgggghh
In-Reply-To:
References: <200808221609.m7MG9wjJ004582@mx3.redhat.com>
Message-ID: <3712.71.93.35.174.1219432223.squirrel@sujan.hallikainen.org>

I've still got Fedora 4 running on my server and am bringing up Fedora 9
on my backup server. After several years of operation, there are a lot of
applications and a lot of config files I have to set up on the backup
server. Once I get that all figured out, I'll update the online server to
Fedora 9.
I AM running Fedora 9 on my HP laptop, and it's working well. A while
back there was a kernel update that killed it, but I was able to go back
to a previous one and have it work. I like that Fedora 9 is now
supporting the internal MMC/SD card reader, since I lost my little USB
one somewhere. The network manager seems to work fine for me on managed
wireless networks and my DHCP wired network. Last time I tried, it did
not work on an ad hoc network, but that may be the wireless card driver
I'm using (which is probably out of date) that I pulled from Windows with
fwcutter.

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

From drachels at adelphia.net Sat Aug 23 01:32:25 2008
From: drachels at adelphia.net (Daniel A. Rachels, Sr.)
Date: Fri, 22 Aug 2008 20:32:25 -0500
Subject: Cycling Passwords
In-Reply-To:
Message-ID: <48AF2259.16544.4E4C9D@drachels.adelphia.net>

On 22 Aug 2008 at 10:55, Karl Pearson wrote:

> I'm curious on your take on systems that require changing passwords on a
> set schedule, whether it's 90 days or whatever.
>
> When I've set up new systems, I instruct the users to select passwords that
> are cryptic and follow guidelines that make them essentially impossible to
> crack, such as: Ol10yzZx119xa
>
> Once a good password is found, why change it? I know there are a lot of
> consultants who say you must, but everywhere I've been that requires
> people to change passwords, I see they have written them on sticky notes
> and then put them on their monitor, or bookshelf or wherever. I also see
> the frustration level rise every time they are trying to get into a system
> with a customer on the phone, and they have to tell them to wait for their
> session as they change their password...
>
> Since roughly 90% of corporate break-ins are from the inside, having to
> change the passwords, and then sticking the passwords up, defeats the
> security purposes for changing passwords.
>
> What do you think?
>
> Okay, I do have a reason for asking this: 1. convince me I'm wrong, and 2.
> I have a client that wants it to stop, and I need to know where in Fedora
> Core 6 that is set up so I can make the change for them.
>
> Their FC6 system is set up so the accounts go to /sbin/nologin so they
> don't have to change their password for email. But no one has shell
> access, and a few need it, thus creating the need for passwords to change.
>
> TIA

After retiring from the Army, I could not believe the password situation
at the school where I started working as a computer applications teacher.
I found that many of the teachers were using their spouses' and kids'
names as passwords. Or just as bad, coaches who rotated their passwords
between baseball, football, and basketball. Needless to say on more than
one occasion we caught a student logged in on a teacher's computer.

When I convinced the technology coordinator to have them start to use
strong passwords, we discovered that most started writing them on sticky
notes and attaching them to the bottom of their keyboard, and more than
one, right on the side of the monitor. Their excuse was always that they
were afraid they would forget that complicated password, especially over
a long holiday break or summer vacation. And, we of course caught
students stealing the teachers' passwords and using them, again.

We finally started giving classes on how to make very complicated
passwords that are actually very easy to remember. For instance, take a
significant name that only you know and will never forget and a
significant year associated with that name. Spell the name backwards, mix
in the year as every other letter, and add some punctuation to finish it
out.

For example my son's first pet dog was named Boomer and we got him in
1989. Absolutely no one where I work knows about the dog.
That info could easily be turned into this password: r1e9m8o9o!B

This makes for a nice complicated password that can easily be remembered without writing it down. After just a few slow logins most teachers quickly remember the sequence and can bang it out in just a couple of seconds. Of course we do have to remind them periodically and check to make sure they are following the new guidelines, as well as teach any new teachers that are hired.

Daniel A. Rachels, Sr.
drachels at adelphia.net

From micros50 at verizon.net Sat Aug 23 05:21:36 2008
From: micros50 at verizon.net (mylar)
Date: Sat, 23 Aug 2008 01:21:36 -0400
Subject: Fedora 9 -aarrrgggghh
In-Reply-To: <48AEF2C5.4050502@nerd.com>
References: <200808221609.m7MG9wjJ004582@mx3.redhat.com> <48AEF2C5.4050502@nerd.com>
Message-ID: <1219468896.8823.4.camel@manhattan.ruffe.edu>

On Fri, 2008-08-22 at 10:09 -0700, Rick Stevens wrote:
>
> d) KDE is V4.0 and it's MASSIVELY incomplete. 4.1 is around the corner,
> but 4.0 is SO bad it never should have been released.
>

This is my biggest gripe about Fedora 9. I installed it on only one machine here, and since I am a KDE user I was anxious to check out the new KDE 4.0. Man... was I DISAPPOINTED. KDE 4.0 is terribly incomplete to the point of being unusable. I decided not to upgrade my main machine until KDE 4.1... which will hopefully have resolved most of the issues that presently make KDE 4.0 so miserable. For now I'm sticking with Fedora 6 on my main machine.

--
email-> micros50 at verizon.net
"I Speak Mathematics"

From wonderer4711 at gmx.de Sat Aug 23 16:15:37 2008
From: wonderer4711 at gmx.de (wonderer)
Date: Sat, 23 Aug 2008 18:15:37 +0200
Subject: Cycling Passwords
Message-ID: <48B037A9.70808@gmx.de>

Hi,

>
> Once a good password is found, why change it?

Because every password can be "guessed" (brute force). If you change a password continuously it is much harder to brute-force it in a given amount of time.
> I know there are a lot of consultants who say you must, but everywhere
> I've been that requires people to change passwords, I see they have
> written them on sticky notes and then put them on their monitor, or
> bookshelf or wherever. I also see the frustration level rise
> every time they are trying to get into a system with a customer on the
> phone, and they have to tell them to wait for their session as they
> change their password...

On the one hand there is the technical problem of changing the password. On the other hand you have the social problem that people are dumb (sorry, technically speaking it is so). If you want better technical barriers to get into a system, like SmartCards or USB tokens, then there is the problem that people lose them, or other "social problems around technical" ones.

>
> Okay, I do have a reason for asking this: 1. convince me I'm wrong,
> and 2. I have a client that wants it to stop, and I need to know where
> in Fedora Core 6 that is set up so I can make the change for them.

If your client wants that, then I would strongly suggest that he sign a paper where ALL responsibility in case of an emergency is fully on HIS side and that HE decided that this be changed. I think it would be better to make a short (1-2h) briefing on password security and make ALL employees cut out this sticky-note stuff.

best regards
Henrik

P.S.: I thought that since virus scanners and SPAM attacks these days, these very old discussions were over. I have to change my mind.
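The scheme Daniel describes, together with the brute-force point Henrik raises, as an added example (this is not code from either post). mnemonic_password() reproduces the transform exactly: ("Boomer", 1989) gives r1e9m8o9o!B. recover_secret() shows the caveat a practitioner would add: the transform itself is fixed and public, so an attacker who knows or guesses the scheme searches names x years x punctuation rather than the full 11-character space, and the password is only as strong as the secrecy of the name and year behind it. The pet-name list, the year range and the SHA-256 digest standing in for a stolen hash are all constructed for the example.

```python
"""Daniel's mnemonic scheme, and what it costs an attacker who knows it.

Added example, not code from the list thread. The name list, year range
and the SHA-256 digest used as a stand-in for a stolen hash are constructed.
"""
import hashlib
import itertools
import string


def mnemonic_password(name, year, punct="!"):
    """Reverse the name, interleave the year's digits, finish with punctuation.

    ("Boomer", 1989) -> "r1e9m8o9o!B", the example given in the thread.
    """
    fillers = list(str(year)) + [punct]
    out = []
    for letter in reversed(name):
        out.append(letter)
        if fillers:
            out.append(fillers.pop(0))
    # A name shorter than year+punct leaves fillers over; append them.
    out.extend(fillers)
    return "".join(out)


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash the attacker stole."""
    return hashlib.sha256(text.encode()).hexdigest()


def search_space(names, years, puncts):
    """Candidates an attacker who knows the scheme has to try, at most."""
    return len(names) * len(years) * len(puncts)


def recover_secret(target_hex, names, years, puncts):
    """Offline brute force over the scheme's inputs; returns (name, year, punct)."""
    for name, year, punct in itertools.product(names, years, puncts):
        if sha256_hex(mnemonic_password(name, year, punct)) == target_hex:
            return name, year, punct
    return None


# Constructed wordlist: a few pet names, each in two capitalisations.
PET_NAMES = [n for base in ("Max", "Buddy", "Boomer", "Rocky", "Bella", "Lucy")
             for n in (base, base.lower())]
YEARS = range(1960, 2009)            # plausible "significant year" range
PUNCTS = list(string.punctuation)    # 32 ASCII punctuation characters

if __name__ == "__main__":
    pw = mnemonic_password("Boomer", 1989)
    print("password:     ", pw)
    print("search space: ", search_space(PET_NAMES, YEARS, PUNCTS))
    print("recovered:    ", recover_secret(sha256_hex(pw), PET_NAMES, YEARS, PUNCTS))
```

With a real pet-name or first-name wordlist of a few thousand entries and a century of years the space is on the order of ten million candidates, which an unsalted fast hash gives up in seconds; the rotation schedule Karl is asking about does nothing against that, since the cracking happens offline on a captured hash.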
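Karl's practical question, where Fedora Core 6 keeps the expiry setting, goes unanswered in the thread. As an added example (not code from any of the posts): on Fedora and RHEL the per-account aging lives in /etc/shadow, whose fifth field is the maximum password age in days; `chage -l user` displays it and `chage -M days user` changes it. PASS_MAX_DAYS in /etc/login.defs is only the seed that useradd writes into that field when it creates a new account, so editing login.defs alone leaves every existing account rotating on its old schedule. The script below parses both files the way chage reads them, classifies each account, and prints the chage commands that would turn rotation off. The shadow and login.defs contents are constructed samples with fake hashes.

```python
"""Audit password-aging settings the way chage(1) reads them.

Added example, not code from the list thread. The shadow and login.defs
text below is constructed sample data with fake hashes.
"""
import datetime

# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; an empty max field means "never expires".
SAMPLE_SHADOW = """\
root:$1$fakehash$xxxxxxxxxxxxxxxxxxxxxx:14000:0:99999:7:::
alice:$1$fakehash$yyyyyyyyyyyyyyyyyyyyyy:14050:0:90:7:::
bob:$1$fakehash$zzzzzzzzzzzzzzzzzzzzzz:13900:0:90:7:::
mail1:!!:14000:0:99999:7:::
carol:$1$fakehash$wwwwwwwwwwwwwwwwwwwwww:14060:0::7:::
"""

SAMPLE_LOGIN_DEFS = """\
# Password aging controls: seed values useradd copies into NEW accounts
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

NEVER = 99999  # shadow-utils' conventional "no expiry" value


def parse_login_defs(text):
    """Return the PASS_* settings as a dict of ints, ignoring comments."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("PASS_"):
            values[parts[0]] = int(parts[1])
    return values


def parse_shadow(text):
    """Yield (user, hash, lastchg, maxdays) for each well-formed shadow line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 9:
            continue
        lastchg = int(f[2]) if f[2] else None
        maxdays = int(f[4]) if f[4] else NEVER
        yield f[0], f[1], lastchg, maxdays


def audit(shadow_text, today_days):
    """Map each account to 'locked', 'never', 'expired' or days remaining.

    today_days is the current day count since the epoch, as shadow stores it.
    """
    report = {}
    for user, pwhash, lastchg, maxdays in parse_shadow(shadow_text):
        if pwhash.startswith(("!", "*")):
            report[user] = "locked"      # password login disabled outright
        elif maxdays >= NEVER:
            report[user] = "never"       # rotation not enforced for this account
        elif lastchg is None:
            report[user] = "expired"     # empty lastchg forces a change at next login
        else:
            left = lastchg + maxdays - today_days
            report[user] = "expired" if left < 0 else left
    return report


def disable_rotation_cmds(shadow_text):
    """chage invocations that stop forced rotation on accounts that have it."""
    return [f"chage -M {NEVER} {user}"
            for user, pwhash, _lastchg, maxdays in parse_shadow(shadow_text)
            if maxdays < NEVER and not pwhash.startswith(("!", "*"))]


def days_since_epoch(d):
    """Day count as /etc/shadow stores it."""
    return (d - datetime.date(1970, 1, 1)).days


if __name__ == "__main__":
    today = days_since_epoch(datetime.date(2008, 8, 23))  # date of the thread
    print("login.defs seeds for new accounts:", parse_login_defs(SAMPLE_LOGIN_DEFS))
    for user, status in audit(SAMPLE_SHADOW, today).items():
        print(f"{user:8} {status}")
    print("\n".join(disable_rotation_cmds(SAMPLE_SHADOW)))
```

Run as root the same logic can be applied to the live files; note that the mail-only accounts (the `!!` hash in the sample, or a /sbin/nologin shell) are not what the expiry field keys on, so the audit goes by the hash and the max-age field rather than by the login shell.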
From bret_stern at machinemanagement.com Sat Aug 23 17:10:35 2008
From: bret_stern at machinemanagement.com (Bret Stern)
Date: Sat, 23 Aug 2008 10:10:35 -0700
Subject: Fedora 9 -aarrrgggghh
Message-ID: <200808231710.m7NHAfwq022953@mx3.redhat.com>

> -----Original Message-----
> From: redhat-install-list-bounces at redhat.com
> [mailto:redhat-install-list-bounces at redhat.com] On Behalf Of
> Karl Pearson
> Sent: Friday, August 22, 2008 9:44 AM
> To: redhat-install-list at redhat.com
> Subject: Re: Fedora 9 -aarrrgggghh
>
> On Fri, 22 Aug 2008, Bret Stern wrote:
>
> > After installing Fedora 9, I'm feeling like it's turning into the
> > "Windows babysitting" model.
> >
> > I have been using Fedora 6 for really solid ftp and web services, and
> > really don't like all the changes.
> >
> > Fedora 6 was so solid; it gets pretty boring just watching the servers
> > run ..year..after..year...
> >
> > How 'bout a pep talk on Fedora 9....or I just downloaded FreeBSD, and
> > feel this could be more comfortable for this old timer.
>
> I install Fedora 8 because it feels comfortable like FC6 did.
>
> That might be a solution you can live with.
>
> Karl

I'll take a look at Fedora 8. Is it essentially the last Fedora progression before the big Fedora 9 (analogy XP to Vista like) change?

It's just a real bitch to keep up with all this, especially with all life's distractions. (I just got a new backhoe).

Thanks for all the replies..this list has a great bunch of contributors.

> > It's a good day.
> >
> > Bret Stern
> >
> > _______________________________________________
> > Redhat-install-list mailing list
> > Redhat-install-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/redhat-install-list
> > To Unsubscribe Go To ABOVE URL or send a message to:
> > redhat-install-list-request at redhat.com
> > Subject: unsubscribe
>
> --
> Karl L. Pearson
> karlp at ourldsfamily.com
> http://consulting.ourldsfamily.com
> ---
> My Thoughts on Terrorism In America right after 9/11/2001:
> http://www.ourldsfamily.com/wtc.shtml
> ---
> The world is a dangerous place to live... not because of
> the people who are evil, but because of the people who
> don't do anything about it.
> - Albert Einstein
> ---
> "To mess up your Linux PC, you have to really work at it;
> to mess up a microsoft PC you just have to work on it."
> ---

From karlp at ourldsfamily.com Sat Aug 23 20:01:22 2008
From: karlp at ourldsfamily.com (Karl Pearson)
Date: Sat, 23 Aug 2008 14:01:22 -0600 (MDT)
Subject: Fedora 9 -aarrrgggghh
In-Reply-To: <200808231710.m7NHAfwq022953@mx3.redhat.com>
References: <200808231710.m7NHAfwq022953@mx3.redhat.com>

On Sat, 23 Aug 2008, Bret Stern wrote:

>> -----Original Message-----
>> From: redhat-install-list-bounces at redhat.com
>> [mailto:redhat-install-list-bounces at redhat.com] On Behalf Of
>> Karl Pearson
>> Sent: Friday, August 22, 2008 9:44 AM
>> To: redhat-install-list at redhat.com
>> Subject: Re: Fedora 9 -aarrrgggghh
>>
>> On Fri, 22 Aug 2008, Bret Stern wrote:
>>
>>> After installing Fedora 9, I'm feeling like it's turning into the
>>> "Windows babysitting" model.
>>>
>>> I have been using Fedora 6 for really solid ftp and web services, and
>>> really don't like all the changes.
>>>
>>> Fedora 6 was so solid; it gets pretty boring just watching the servers
>>> run ..year..after..year...
>>>
>>> How 'bout a pep talk on Fedora 9....or I just downloaded FreeBSD, and
>>> feel this could be more comfortable for this old timer.
>>
>> I install Fedora 8 because it feels comfortable like FC6 did.
>>
>> That might be a solution you can live with.
>>
>> Karl
>
> I'll take a look at Fedora 8. Is it essentially the
> last Fedora progression before the big Fedora 9
> (analogy XP to Vista like) change?

From what Rick said, I would suggest this is the case.

> It's just a real bitch to keep up with all this, especially
> with all life's distractions. (I just got a new backhoe).
>
> Thanks for all the replies..this list has a great bunch
> of contributors.

Might I suggest taking a look at Linux Mint, which is a very solid distribution, other than being based on the Debian tree, and even more like Ubuntu. It uses the Ubuntu repositories, but doesn't maintain the 'only free; only open-source' policy of Ubuntu. I also like very much PCLinuxOS, which is a redhat derivative, except v2008 isn't out yet, so it's not as compatible with newer hardware as Mint is. That will change once PCLOS2008 is released (no idea or news when).

Karl

>>> It's a good day.
>>>
>>> Bret Stern

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of
the people who are evil, but because of the people who
don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---

From redhat at billoblog.com Thu Aug 28 12:45:47 2008
From: redhat at billoblog.com (redhat at billoblog.com)
Date: Thu, 28 Aug 2008 08:45:47 -0400 (EDT)
Subject: Does the default configuration for redhat limit outgoing TCP?

I help administer a small research network containing machines using MacOS X, Mandriva Linux, and SUSE Linux for the most part, with a few Windows boxes thrown in. I have been playing with Linux for quite a while, but am completely stumped with this one. Most of my experience is with Mandriva rather than Red Hat, and I'm hoping this is a Red Hat configuration issue.

A user brought in a Red Hat box.
/etc/redhat-release gives:

    LSB_VERSION="1.3"
    Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
    SGI ProPack 3SP6 for Linux, Build 306rp37-0508301842

uname -a gives:

    Linux mymachine.mynetwork.com 2.4.21-sgi306rp21 #1 SMP Tue Aug 30 18:51:36 PDT 2005 ia64 ia64 ia64 GNU/Linux

My problem is this: I cannot get any of the tcp-based clients to work for any addresses outside my local domain. They work fine inside my local domain. The local domain is behind a firewall that does network address translation.

Here's what I've found:

1) It affects all tcp clients I try -- ssh, telnet, mozilla.
2) UDP works OK -- I can ping the outside world.
3) Changing the ip address of the box to another one within the local domain does not help.
4) No other linux, windows or mac box has a problem.
5) My firewall (and there is one) filters on the basis of ip address, not mac address, and does not have any rule that targets this machine.
6) Iptables is turned off, or at least that's what it says when I do "/etc/init.d/iptables stop".
7) I can ssh, telnet, etc. within the local domain.
8) I can ssh *into* the box (the sshd server works fine) from within the local network. I can also do an ssh tunnel using port forwarding through the firewall (though that looks local to the machine). I can do X forwarding and open an xterm on a machine out in the world.
9) nc is also stumped. It can connect to a port on the back of the firewall, but can't get past it. Thus, for instance, on the Mandriva box I get:

    mandriva_box% nc -v www.google.com 80
    DNS fwd/rev mismatch: www.l.google.com != yo-in-f99.google.com
    ...
    www.l.google.com [64.233.169.99] 80 (http) open

but on the Red Hat box I get:

    redhat box% nc -v www.google.com 80
    DNS fwd/rev mismatch: www.l.google.com != yo-in-f104.google.com
    ...

I *cannot* find any rules in my firewall that would do this. As I noted, this problem is specific to *this* machine -- none of the other machines behind the firewall. Changing the ip address of this machine to that of a machine that is not having the problem does not help.

I'm hoping there's some Red Hat security configuration that limits TCP traffic. I am not all that familiar with the Red Hat configuration tools. I *did* turn off the firewall using redhat-config-securitylevel, but that did not change anything.

Any ideas would be greatly appreciated. We in the lab have broken into two groups -- those who are convinced it's the firewall, even though nobody can see any problems with it, and those who are convinced it must be a configuration issue on the Red Hat box, even though we can't find a configuration file that says "don't allow TCP anywhere outside the local domain."

Thanks!

billo
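A way to make the symptom in the post precise, as an added example (not code from the post). On the Red Hat box nc resolves the name and then goes quiet: no "open", no "connection refused". That is the signature of a SYN that is dropped rather than rejected, and it is worth separating from the other failure modes before arguing about whose side the fault is on. Note also that ping exercises ICMP, not UDP or TCP, so a working ping only shows that the host can reach the outside at the IP layer. probe() returns one of five outcomes for a host/port; the self-test exercises the "open" and "refused" paths against 127.0.0.1 only, and the hostnames in the commented call are the ones from the post.

```python
"""Tell 'filtered' from 'refused' from 'unresolvable' for a TCP destination.

Added example, not code from the list post. Only the loopback interface is
touched by self_test(); real targets need network access.
"""
import socket


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered', 'unresolvable' or 'unreachable'."""
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"              # DNS never produced an address
    family, socktype, proto, _canon, sockaddr = addrinfo[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"                      # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"                   # RST came back: host reachable, port closed
    except socket.timeout:
        return "filtered"                  # no SYN-ACK and no RST: something dropped the SYN
    except OSError:
        return "unreachable"               # ICMP unreachable or no route
    finally:
        s.close()


def local_listener():
    """Bind a throwaway listening socket on 127.0.0.1; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port that was just released, so a connect draws a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test():
    """Exercise the 'open' and 'refused' paths without leaving the host."""
    srv, port = local_listener()
    try:
        return {"open": probe("127.0.0.1", port),
                "refused": probe("127.0.0.1", free_port())}
    finally:
        srv.close()


if __name__ == "__main__":
    print(self_test())
    # With network access, the comparison the post makes by hand:
    # print(probe("www.google.com", 80))
```

Run on the Red Hat box and on a working neighbour, the same call returning "filtered" on one and "open" on the other, with identical DNS results, narrows the question to what happens to that host's SYN after it leaves the socket: a host-level packet filter, the route it takes, or the NAT box's treatment of that source.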