Tag Archives: redhat

CentOS/Redhat IPSEC and EC2

So it turns out my 5 minute vpn doesn’t work in EC2 because the ESP/AH protocols (50 and 51) are blocked on the AWS network.

This is no big deal tho, as NAT-T allows one to tunnel IPSEC over UDP… however getting it to work on CentOS required a bit of a hack.

If you have already tried setting up an IPSEC vpn, shut it down with ifdown ipsec1 and remove your /etc/racoon/192.168.56.101.conf (or whatever IP yours is).

To start the hack on BOTH boxes, you need to edit /etc/sysconfig/network-scripts/ifup-ipsec. Around line 215 you need to insert nat_traversal force;… like this….

BEFORE:

        case "$IKE_METHOD" in
           PSK)
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;
        }
}

AFTER:

        case "$IKE_METHOD" in
           PSK)
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        nat_traversal force;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;
        }
}

Again, on both boxes update your /etc/sysconfig/network-scripts/ifcfg-ipsec1 files so that AH is disabled… because AH doesn’t like NAT… like this….


[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
DST=192.168.56.101
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
AH_PROTO=none
[root@CentOS2 ~]#

On your iptables policy make sure that UDP 500 and UDP 4500 are permitted and volia.

# tcpdump -n -i eth1 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
20:26:49.257590 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xa), length 116
20:26:49.261076 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xa), length 116
20:26:50.260942 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xb), length 116
20:26:50.262939 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xb), length 116
20:26:51.261298 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xc), length 116
20:26:51.264974 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xc), length 116
20:26:52.262289 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xd), length 116
20:26:52.265488 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xd), length 116
20:26:53.264008 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xe), length 116
20:26:53.267003 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xe), length 116
20:26:54.265655 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0xf), length 116
20:26:54.267264 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0xf), length 116
20:26:55.267459 IP 192.168.56.101.ipsec-nat-t > 192.168.56.102.ipsec-nat-t: UDP-encap: ESP(spi=0x08de7c32,seq=0x10), length 116
20:26:55.269678 IP 192.168.56.102.ipsec-nat-t > 192.168.56.101.ipsec-nat-t: UDP-encap: ESP(spi=0x03787bd0,seq=0x10), length 116
14 packets captured
14 packets received by filter
0 packets dropped by kernel
#

IPSEC VPN Tunnelling over UDP…. done!

RedHat Cluster – How to Disable Fencing

I’ve spent far too long googling how to disable fencing…. I can only guess that because you shouldn’t really disable fencing no-one wants to post a how to… so for the hard of hearing.

Do NOT disable fencing on your RedHat Cluster unless you really know what you’re doing! Fencing is designed to protect your data from corruption, if you disable fencing your data is at RISK, you have been warned!

I however am working on building a GFS DRBD cluster, as far as I can gather DRBD doesn’t need fencing, and the bottom line is my data is personal data not mission critical and if my website goes down due to my disabling fencing then it’s no big deal.

Rant over, here we go….. To disable fencing, create a custom fence agent.

Fence agents are simply scripts in /sbin, I’ve created /sbin/myfence and here are the contents.

#!/bin/bash
echo "success: myfence $2"
exit 0

Next, change your cluster.conf…

<?xml version="1.0"?>
<cluster alias="linickx" config_version="41" name="linickx">
        <cman expected_votes="1" two_node="1" />

        <clusternodes>
                <clusternode name="CentOS1" nodeid="1" votes="1">
                         <fence>
                                <method name="1">
                                        <device nodename="CentOS1" name="myfence"/>
                                </method>
                        </fence>
                </clusternode>

                <clusternode name="CentOS2" nodeid="2" votes="1">
                        <fence>
                                <method name="2">
                                        <device nodename="CentOS2" name="myfence"/>
                                </method>
                        </fence>
                </clusternode>
        </clusternodes>

        <fencedevices>
                <fencedevice agent="myfence" name="myfence"/>
        </fencedevices>
        <rm/>
</cluster>

If you’re running SELINUX don’t forget to update that! … start with restorecon /sbin/myfence then update your policy.

This is the policy I’ve created…

module fenced 1.0;

require {
        type fenced_t;
        type shell_exec_t;
        class file { read execute };
}

#============= fenced_t ==============
allow fenced_t shell_exec_t:file { read execute };

If you save the above as fenced.te, then run this to install it..

checkmodule -M -m -o fenced.mod fenced.te
semodule_package -o fenced.pp -m fenced.mod
semodule -i fenced.pp

You should now be able to start cman, fencing will start but will return success for any fencing issues without actually doing anything!

Happy non-fencing!

GRE example for CentOS/RHEL

I’m not sure why GRE isn’t in RedHat’s Documentation, but setting up a GRE tunnel between two RedHat boxes is quite straight forward…

On Host1 (192.168.56.101)…

[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun0 
DEVICE=tun0
BOOTPROTO=none
ONBOOT=no
TYPE=GRE
PEER_OUTER_IPADDR=192.168.56.102
PEER_INNER_IPADDR=192.168.168.2
MY_INNER_IPADDR=192.168.168.1
[root@CentOS1 ~]#

On host2 (192.168.56.102) ….

[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-tun0 
DEVICE=tun0
BOOTPROTO=none
ONBOOT=no
TYPE=GRE
PEER_OUTER_IPADDR=192.168.56.101
PEER_INNER_IPADDR=192.168.168.1
MY_INNER_IPADDR=192.168.168.2
[root@CentOS1 ~]#

Bring the interfaces up….

[root@CentOS1 ~]# ifup tun0

.. on host2…

[root@CentOS2 ~]# ifup tun0

And we’re done! … see the proof in the pudding below….

[root@CentOS1 ~]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-05-08-80-3C-00-00-00-00-00-00-00-00  
          inet addr:192.168.168.1  P-t-P:192.168.168.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:168 (168.0 b)  TX bytes:756 (756.0 b)

[root@CentOS1 ~]# ping 192.168.168.2
PING 192.168.168.2 (192.168.168.2) 56(84) bytes of data.
64 bytes from 192.168.168.2: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 192.168.168.2: icmp_seq=2 ttl=64 time=2.13 ms
64 bytes from 192.168.168.2: icmp_seq=3 ttl=64 time=2.12 ms

--- 192.168.168.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.511/1.921/2.132/0.289 ms
[root@CentOS1 ~]#

The other end…

[root@CentOS2 ~]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-05-08-80-4C-00-00-00-00-00-00-00-00  
          inet addr:192.168.168.2  P-t-P:192.168.168.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3528 (3.4 KiB)  TX bytes:4536 (4.4 KiB)

[root@CentOS2 ~]# ping 192.168.168.1
PING 192.168.168.1 (192.168.168.1) 56(84) bytes of data.
64 bytes from 192.168.168.1: icmp_seq=1 ttl=64 time=4.39 ms
64 bytes from 192.168.168.1: icmp_seq=2 ttl=64 time=1.41 ms
64 bytes from 192.168.168.1: icmp_seq=3 ttl=64 time=2.57 ms

--- 192.168.168.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 1.419/2.795/4.393/1.224 ms
[root@CentOS2 ~]#

Here we show the tunnelled packets…

[root@CentOS1 ~]# tcpdump -n -i eth1 proto 47
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:45:59.429315 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 7, length 64
13:45:59.429315 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 7, length 64
13:46:00.530528 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 8, length 64
13:46:00.530686 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 8, length 64
13:46:01.418447 IP 192.168.56.102 > 192.168.56.101: GREv0, length 88: IP 192.168.168.2 > 192.168.168.1: ICMP echo request, id 55053, seq 9, length 64
13:46:01.418526 IP 192.168.56.101 > 192.168.56.102: GREv0, length 88: IP 192.168.168.1 > 192.168.168.2: ICMP echo reply, id 55053, seq 9, length 64

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS1 ~]#

Since we can see the ICMP packets inside the GRE tunnel that show’s us that GRE is in clear text… to add some security setup a simple IPSEC VPN :)

Reference: http://juliano.info/en/Blog:Memory_Leak/Bridges_and_tunnels_in_Fedora

Security updates only for Fedora 7 / RHEL & Centos 5

I found this on redhat.com the other day….

It is now possible to limit yum to install security updates only. To do so, simply install the yum-security plugin and run the following command:

yum update –security

Hopefully this will allow fedora users to have the option of running a “stable” install :)

USB Networking with Fedora 7 & n800

There are times where you cannot use WiFi, for example my workplace’s WLAN uses LEAP, which maemo doesn’t support. I found that setting up USB networking on my n800 was a bit of a pain since there isn’t a single document… if you check my del.icio.us feed you’ll see I bookmarked all I could find with a usbnet tag.

These are the steps I ran through to enable usb networking between my nokia n800 and my fedora 7 laptop.

First we’ll start with the basic setup… I’ll assume you’ve read a getting started article similar to mine and already have root & xterm. By default n800 has a usb interface configured, you just need to enable it, so on your n800 type:

sudo gainroot
insmod /mnt/initfs/lib/modules/2.6.18-omap1/g_ether.ko
ifup usb0

The default settings add an interface with a static ip of 192.168.2.15/24 with a default gateway of 192.168.2.14.

Now lets set up something similar on Fedora, you need to create a file in /etc/sysconfig/network-scripts called ifcfg-usb0 with the following…

DEVICE=usb0
BOOTPROTO=static
IPADDR=192.168.2.14
BROADCAST=192.168.2.255
NETMASK=255.255.255.0
NETWORK=192.168.2.0
ONBOOT=no
MII_NOT_SUPPORTED=no

Now plug the usb cable into both devices, and on your fedora box (as root) type

ifup usb0

You now have connectivity, of course if you have a default fedora install pinging 192.168.2.15 will fail because of the firewall, it is probably best to temporarily disable the firewall (/etc/init.d/iptables stop) to see if it works, if so move onto configuring your firewall correctly (/etc/init.d/iptables start starts it again) :) You may also get usb conflicts, you can try

rmmod uhci_hcd

but it will disable any USB devices, you have been warned.

With this basic connectivity setup you’ll have two issues; you only have connectivity between fedora & n800 nothing else works, and opening any application on n800 causes it to try and connect to your wifi, so lets look at those….

I’m going to assume you used system-config-securitylevel to configure your firewall, its worth noting that any changes you make now will be overwritten by any future use of system-config-securitylevel so it’s probably best to take a backup of /etc/sysconfig/ipatbles now and later when you’re finished.

So as root type:

iptables -I RH-Firewall-1-INPUT 2 -i usb -j ACCEPT
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -s 192.168.2.0/24 -j MASQUERADE
/etc/init.d/iptables save

This will allow all connectivity in from the usb interface allowing the n800 to send packets into the fedora box whilst the firewall is running, it will also NAT any traffic from the usb network hiding the n800 behind fedora so that you get onward connectivity. To get the NAT to work you need to enable ip forwarding, this allows fedora to pass pakets between interfaces, to do that type

echo 1 > /proc/sys/net/ipv4/ip_forward

and to get it to survive a reboot update /etc/sysctl.conf with

net.ipv4.ip_forward = 1

The final part is to enable name resolution (DNS), on n800, I updated /etc/resolv.conf with the opendns servers…

nameserver 208.67.222.222
nameserver 208.67.220.220

All things being equal you should now be able to ping www.google.com from your n800 :cool:

To get applications to connect, I found on the latest version of ITOS that the DUMMY IAP didn’t work, so I stumbled across this solution.

Create an “ad hoc” wifi connection with static IPs… anything it doesn’t matter, and when that’s connected in xterm (as root) type ifconfig wlan0 down , you should now be able to connect to the web with your browser / skype etc over your usb network… sweet!

Smolt RPM for CentOS, RHEL, etc

I after installing Fedora7 I thought I’d take a look at the stats the project had gathered, I saw some centos devices, but couldn’t find a rpm.

I’ve had a go at building one, it mostly works (this is my nagios box), it’s a rebuild of the f7 source, I have to frig about with the spec file, so I’ve published my source rpm here, search for Nick in the .spec file, you’ll see my bodge.

The smolt rpms are in my yum repo, feel free to download the packages and have a go.

HTTP Compression on Redhat / CentOS / Fedora

I was doing some testing on my server the other day, and realised that http compression within apache (httpd) was not enabled by default. Further digging showed me that mod_defate was what I needed, and infact it was installed by default on my CentOS box.

How to enable mod_default on Centos: Create /etc/httpd/conf.d/deflate.conf with the following contents

     # Insert filter
     SetOutputFilter DEFLATE

     # Netscape 4.x has some problems...
     BrowserMatch ^Mozilla/4 gzip-only-text/html

     # Netscape 4.06-4.08 have some more problems
     BrowserMatch ^Mozilla/4.0[678] no-gzip

     # MSIE masquerades as Netscape, but it is fine
     BrowserMatch bMSIE !no-gzip !gzip-only-text/html

     # Don't compress images
     SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary

        # Don't compress already compressed stuff !
        SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI .pdf$ no-gzip dont-vary

     # Make sure proxies don't deliver the wrong content
     Header append Vary User-Agent env=!dont-vary

        # Log Stuff !
#        DeflateFilterNote Input input_info
#        DeflateFilterNote Output output_info
#        DeflateFilterNote Ratio ratio_info
#        LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
#        CustomLog /var/log/httpd/deflate_log deflate

restart httpd (/etc/init.d/httpd restart) and your done :-)

References:

Intel 3945ABG Wireless / WiFi Card on CentOS 5

I’ve taken to using CentOS on my servers, and fedora on my Laptop. New job, means new laptop, and to avoid fedora update hell, I thought I’d try CentOS on my laptop.

All seems good other than my wifi card not being detected, and for some reason googling for “centos 5 intel 3945” didn’t provide a working anserwer, actually I found the answer by googling for “supplementary disk centos 5” which finds this thread that says…

Install dag’s repo (this rpm), and then install dkms-ipw3945 (yum will pick up the dependancies)

yum install dkms-ipw3945

Next enable network manager…

chkconfig --level 345 NetworkManager on
chkconfig --level 345 NetworkManagerDispatcher on

reboot (seriously) and when you next log in you’ll get a little icon in you system tray where you can manage your WiFi :)

A Linux / Command line: how to upload to wordpress wp-plugins.org via subversion ( SVN )

Could that title get any longer !

Hopefully you get the point, sometimes you need different tools for different jobs, if you want a full development platform with SVN support I suggest you take a look at eclipse (with subclipse ) but what if you already have done the development and you just want to do a quick upload.

My phpbb_recent_topics plugin is hosted here, and when the nice guys at wordpress gave me an svn account, I just wanted a quick way to upload what I’ve done. Now I must stress this may not be the “proper” way to use svn (there’s a book for that) but it is enough to achieve what we want, a straight forward upload.

I’m using redhat, so the 1st step was to install dag’s subversion rpm , I also needed to setup an “editor” variable for commenting.

SVN_EDITOR=vi
export SVN_EDITOR

Then, I went into a directory onto my server, and downloaded a copy of the existing subversion directory structure.

[nick@SERVER wp_plugins]$ svn checkout https://svn.wp-plugins.org/phpbb-recent-topics/
A    phpbb-recent-topics/trunk
A    phpbb-recent-topics/branches
A    phpbb-recent-topics/tags
Checked out revision 9232.
[nick@SERVER wp_plugins]$

My plugin (at the time) was on version 1, so my 1st steps were to create a version 1 tag, add it to svn, get the stable copy of my plugin, add that to svn.

[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/
[nick@SERVER phpbb-recent-topics]$ ls
branches  tags  trunk
[nick@SERVER phpbb-recent-topics]$ cd tags/
[nick@SERVER tags]$ mkdir 0.1
[nick@SERVER tags]$ cd ..
[nick@SERVER wp_plugins]$ svn add phpbb-recent-topics/tags/*
A         phpbb-recent-topics/tags/0.1
[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/tags/0.1/
[nick@SERVER 0.1]$ wget http://www.linickx.com/files/php/phpbb_recent_topics.txt
[nick@SERVER 0.1]$ mv phpbb_recent_topics.txt phpbb_recent_topics.php
[nick@SERVER 0.1]$ svn add phpbb_recent_topics.php
A         phpbb_recent_topics.php
[nick@SERVER 0.1]$

Finally I updated everything, and uploaded (committed) my files.

[nick@SERVER 0.1]$ cd ../../../
[nick@SERVER wp_plugins]$ svn update phpbb-recent-topics/
At revision 9232.
[nick@SERVER wp_plugins]$ svn --username linickx commit phpbb-recent-topics/
Adding         phpbb-recent-topics/tags/0.1
Adding         phpbb-recent-topics/tags/0.1/phpbb_recent_topics.php
Transmitting file data .......
Committed revision 9233.
[nick@SERVER wp_plugins]$

Remember this doesn’t publish your plugin on wordpress.org, to do that you need a valid readme.txt in the trunk directory, but as you can see once you’ve created all the files on your local box, it’s just a few commands to get your work uploaded.

Did you notice that the wordpress svn supports SSL ?

How to Migrate from White Box Linux 4 to CentOS 4.4

There are somethings that you just never get round to, my nagios box was still running whitebox linux, and I’ve finally gotten round “upgrading” it to CentOS… yeah ok, upgrade is arguable, but you get my point.

First off a warning: Don’t do this ! All the documentation, for CentOS, RHEL, Fedora, any redhat linux all say, clean installs are the best way, and upgrades are not advised…. therefore I offer no support or warranty that this will work, in fact, I you advise you to read this post, but step away from your consoles !

But, if you think it might be a laugh, the centos documentation is a bit old, and not 100% correct, so here is what I did. First up (as root – obviously), clear out your yum cache,and install the CentOS gpg key.

yum clean all
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4

Next, install some base centos packages, take not that some need to be forced on

rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/centos-release-4-4.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-elementtree-1.2.6-4.2.1.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-sqlite-1.1.7-1.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/sqlite-3.3.3-1.2.i386.rpm
rpm -Uvh --force http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-urlgrabber-2.9.8-2.noarch.rpm
rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/yum-2.4.3-1.c4.noarch.rpm

finally remove the whitebox rpm db.

rpm -ev rpmdb-whitebox

Move any “whitebox” mirrors still in /etc/yum.repos.d and

yum install rpmdb-CentOS

Once you have that sorted, you can complete the upgrade with

yum update
reboot

& cross your fingers ;)
If you come across the following warnings while using yum: Warning, could not load sqlite, falling back to pickle , I found…

yum install python-sqlite

Fixed the problem. And there we have it, all my boxes are now running CentOS – yay – just in time to look at the CentOS 5 upgrade ;)

Dependency Problems ?
If a whitebox rpm is newer than the CentOS one, it won’t get upgraded, this might cause problems when installing new packages via yum. To solve the problem download the rpm manually from http://www.centos.org/modules/tinycontent/index.php?id=13 and force an upgrade

rpm --force -Uvh Something-CentOS.rpm

UPDATE: If you’re using something like Root Kit Hunter, you will notice a load of md5 hashes fail, these are whitebox rpm’s that didn’t need upgrading, to correct the problem you need to replace these with CentOS versions.. example rkhunter output:

/sbin/init  [ BAD ]

Find which rpm, init belongs to

# rpm -q --whatprovides /sbin/init
SysVinit-2.85-34.3

and upgrade it

wget http://www.mirrorservice.org/sites/mirror.centos.org/4.4/os/i386/CentOS/RPMS/SysVinit-2.85-34.3.i386.rpm
rpm --force -Uvh SysVinit-2.85-34.3.i386.rpm

DenyHosts – Protecting against SSH Brute Force Attacks

If you look after a remote linux box, the chances are you use SSH, in order to connect to it you may even have to leave PORT 22 open to the whole Internet !

There are some basic security steps that you can do to protect SSH, such as block the root user from logging in, and force users to use STRONG authentication.

Even after you’ve done all you can, logwatch will report that people are still wasting your time & resource by trying to break in ! This is where DenyHosts step in, it’s a small script (daemon) that keeps an eye on your SSH log file, if it spots someone trying to Brute Force Attack your SSH accounts, it adds them to hosts.deny (it’s like a firewall for some applications) and stops them from being able to connect.

I’m using redhat, so a pre-built rpm is available, if you already have DAG setup, you can use…

yum install denyhosts

I then had to run through the following steps (as root).

mkdir /usr/share/denyhosts
mkdir /usr/share/denyhosts/data/
echo '127.0.0.1' > /usr/share/denyhosts/data/allowed-hosts
cd /usr/share/denyhosts
cp /usr/share/doc/denyhosts-2.6/denyhosts.cfg-dist ./denyhosts.cfg
cp /usr/share/doc/denyhosts-2.6/daemon-control-dist ./daemon-control
chmod 700 /usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
ln -s /usr/share/denyhosts/denyhosts.cfg /etc/denyhosts.cfg
/sbin/chkconfig denyhosts on

once you’ve charged through that marathon, in /etc/denyhosts.cfg you may want to take a look (and change) the following settings (Variables)

PURGE_DENY =
ADMIN_EMAIL =
SMTP_FROM = DenyHosts <nobody@localhost>

finally once you’re happy, start the DenyHosts service

/etc/init.d/denyhosts start

Now you’re logwatch report will show how may tries they had, and then Denied !

Refused incoming connections: 1.2.3.4  (some.name.com ): 2 Time(s)

Of course one option commonly suggested is to change the SSH port number from 22 to something else, where as this will reduce the amount of attacks on the service, it does absolutely nothing to protect it; of course you could do both, it’s all a matter of choice :)