CentOS

DROWN security vulnerability

Protect yourself from the DROWN attack by updating your openssl package.
Red Hat patched openssl 1.0.1e:

# rpm -q --changelog openssl-1.0.1e-51.el7_2.4.x86_64 | head
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method

Go to https://drownattack.com/ for more info.

puppet 2.7.x complaining about “err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse YAML data for node”

You’ll probably find numerous links that tell you to delete

/var/lib/puppet/yaml/[fqdn].yaml

in puppetmaster, node or both.

None of those solved my problem.

Upgrading to puppet-2.7.25 didn’t help either.

On my puppet client, in /var/lib/puppet deleting

rm -fr state/ lib/ facts/ client*

at least let me run puppet again, but the next run gives that 400 error again …

Note to self: get back to this post when I get time to debug this really annoying issue further.

CentOS 7 dhcp + custom ‘search domain’

I’m running CentOS 7 on my workstation these days and like it a lot.
At work our DHCP setup sets the DNS search domain to the domain containing our Windows hosts, but the Unix and Linux hosts I work with are in another domain.
In the NetworkManager GUI in GNOME 3 I can’t seem to figure out where to add this second search domain, so I’ve been adding it manually to resolv.conf after each boot …

Got tired of that, so I added:

DOMAIN='myDomain.no'

in /etc/sysconfig/network-scripts/ifcfg-eno1 and did a

systemctl restart network.service

Problem solved.

Thanks, superuser.com.

UPDATE 30th October 2015:
This does not work at all at my workstation at my new job.
I’m not using NetworkManager any more, not sure if that’s the reason though.

By setting SEARCH in /etc/sysconfig/network instead, things got a lot better:

# /etc/sysconfig/network
SEARCH='example.com sub.example.com'

View changelog for a package in Fedora/CentOS/Redhat

A really cool, and handy, feature of rpm is the ability to view the changelog for a package you’ve installed, or recently updated:

$ rpm -q --changelog gnome-shell | less

* Wed Apr 16 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-32
- Improve vertical monitor layouts
  Resolves: rhbz#1096186

* Wed Mar 19 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-31
- Fix some more background memory leaks
  Resolves: rhbz#1027192

* Wed Mar 12 2014 Ray Strode <rstrode@redhat.com> 3.8.4-30
- Fix automatic shield lifting when smartcard is inserted
  Resolves: #1063488

* Mon Mar 10 2014 Ray Strode <rstrode@redhat.com> 3.8.4-29
- Don't show user list if require smartcard is true
  Resolves: #1063390
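Both the DROWN post above and this one boil down to the same check: does the installed package's changelog carry the entry you are looking for (a CVE id, or a line such as "disable SSLv2")? The script below is an added example, not from the original posts: it reads changelog text on stdin and prints the package version of the first entry mentioning the pattern. The changelog excerpt embedded in it is constructed to mirror the openssl entries shown above so the script runs offline; against a live system you would pipe `rpm -q --changelog <package>` into it instead.

```shell
#!/bin/sh
# Added example (not from the original posts): look up which package version
# first mentions a CVE id or keyword in an rpm changelog.
# Constructed sample changelog, mirroring the openssl entries quoted above.
CHANGELOG_SAMPLE='* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method'

# changelog_fix_version PATTERN   (changelog text on stdin)
# rpm changelogs are newest-first: each "* <date> <author> <version>" header
# is followed by its "- ..." lines. Remember the version of the most recent
# header, and print it when a line under it contains PATTERN.
# Exit status 0 when found, 1 when the pattern never appears.
changelog_fix_version() {
    awk -v pat="$1" '
        /^\* / { ver = $NF }                     # header line: version is the last field
        index($0, pat) && ver != "" { print ver; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone demonstration on the embedded sample; on a real host use
#   rpm -q --changelog openssl | changelog_fix_version CVE-2015-3197
printf '%s\n' "$CHANGELOG_SAMPLE" | changelog_fix_version CVE-2015-3197
```

The function stops at the first hit, which for a newest-first changelog is the most recent mention; a non-zero exit status lets you use it directly in an `if` when scripting a fleet-wide check.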

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so) in CentOS 6.5

After updating packages in CentOS 6.5, proftpd started logging

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so)

It seems the proftpd PAM config is wrong.
The non-working /etc/pam.d/proftpd config looks like this:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

When I instead use the following config, which I found on the internet, I got it working again:

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so

sources:
syamkumar-linux.blogspot.no
blog.justla.me

CentOS 6.x, fail2ban and proftpd

fail2ban in CentOS 6.x can sometimes be a bit troublesome, at least compared to the Debian/Ubuntu implementation (imho).
I suspect I’ve solved the CentOS 6.x, fail2ban and proftpd integration differently every time I’ve set it up, so this time I’ll write it down.
With this configuration I got fail2ban to ban failed proftpd FTP logins with the ‘default’ fail2ban config, apart from enabling the proftpd-iptables ‘jail’ in /etc/fail2ban/jail.conf:

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=root@localhost]
logpath  = /var/log/secure
maxretry = 4

What did the trick was to have proftpd log AUTH to /var/log/secure in the right format.
In /etc/proftpd.conf, comment out the default LogFormat auth directive and add your own:

#LogFormat                      auth    "%v [%P] %h %t \"%r\" %s"
ExtendedLog /var/log/secure AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"
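To see why the log format matters, here is an added example (not part of the original post, and not fail2ban's own filter) that models what the jail above counts: it reads proftpd AUTH lines in the custom format `%v %t "%r" [%h] %s`, i.e. `<vhost> [<time>] "<request>" [<client ip>] <status>`, and lists every client that has accumulated at least `maxretry` failed logins (status 530). The log lines are constructed for the example; the time window (`findtime`) that fail2ban also applies is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified, count-only model
# of the proftpd jail above, run over constructed AUTH log lines in the
# custom LogFormat   %v %t "%r" [%h] %s
LOG_SAMPLE='ftp.example.com [01/Mar/2016:10:15:01 +0100] "USER alice" [203.0.113.5] 331
ftp.example.com [01/Mar/2016:10:15:02 +0100] "PASS (hidden)" [203.0.113.5] 530
ftp.example.com [01/Mar/2016:10:15:05 +0100] "PASS (hidden)" [203.0.113.5] 530
ftp.example.com [01/Mar/2016:10:15:09 +0100] "PASS (hidden)" [203.0.113.5] 530
ftp.example.com [01/Mar/2016:10:15:12 +0100] "PASS (hidden)" [203.0.113.5] 530
ftp.example.com [01/Mar/2016:10:16:00 +0100] "USER bob" [198.51.100.7] 331
ftp.example.com [01/Mar/2016:10:16:01 +0100] "PASS (hidden)" [198.51.100.7] 230
ftp.example.com [01/Mar/2016:10:17:30 +0100] "PASS (hidden)" [192.0.2.9] 530'

# failed_login_hosts MAXRETRY   (log lines on stdin; MAXRETRY defaults to 4
# like the jail above). Prints "<ip> <count>" for every client whose number of
# 530 responses reaches MAXRETRY, sorted by ip.
failed_login_hosts() {
    awk -v max="${1:-4}" '
        # Only the last two fields matter: "[<client ip>]" and "<status>".
        # The quoted request may contain spaces, so count from the end.
        $NF == 530 {
            ip = $(NF-1)
            gsub(/\[|\]/, "", ip)   # strip the brackets around the address
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Stand-alone demonstration: only 203.0.113.5 reaches maxretry = 4.
printf '%s\n' "$LOG_SAMPLE" | failed_login_hosts 4
```

Because the client address is the second-to-last field and the status the last one, the parser is indifferent to whatever `%r` contains; that is the same reason the field order in the LogFormat line has to match what the fail2ban filter expects.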

There is no such thing as ‘build-essential’ in CentOS

One thing I’ve done for a long time right after installing Debian or Ubuntu is issuing

# apt-get install build-essential

It’s great because it pulls down the most common stuff needed for everyday compiling and meddling with sources and so on.
In CentOS I can’t find any similar package group, but according to centos.org one may achieve pretty much the same with

# yum install gcc gcc-c++ kernel-devel