[BlueOnyx:02083] Re: YUM updates: base-console, PAM, CCE, ProFTPd, base-network (+new features)

Thu Aug 13 07:37:29 -05 2009

I had the same problem

Do a 

Yum clean all

Yum update

That fixed it for me

Greats

Steffan

  _____  

Van: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
Namens enid vx
Verzonden: donderdag 13 augustus 2009 14:20
Aan: BlueOnyx General Mailing List
Onderwerp: [BlueOnyx:02081] Re: YUM updates: base-console, PAM, CCE,
ProFTPd,base-network (+new features)

Hi, 
when I try "yum update", it gives these dependency error messages.
What should I do?

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * extras: mi.mirror.garr.it
 * BlueOnyx: bb-one.blueonyx.it
 * updates: mi.mirror.garr.it
 * base: mi.mirror.garr.it
 * addons: mi.mirror.garr.it
 * Solarspeed.net: blueonyx.solarspeed.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package apr.i386 0:1.2.7-11.el5_3.1 set to be updated
---> Package base-network-locale-de_DE.noarch 0:1.1.0-82BQ27.centos5 set to
be updated
---> Package base-network-glue.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-vsite-locale-ja.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-power-capstone.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-network-capstone.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-network-locale-ja.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-power-glue.noarch 0:1.1.0-65BQ15.centos5 set to be updated
---> Package base-vsite-locale-de_DE.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-console-glue.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-console-locale-de_DE.noarch 0:1.1.0-0BX09 set to be
updated
---> Package base-network-ui.noarch 0:1.1.0-82BQ27.centos5 set to be updated
---> Package base-swupdate-ui.noarch 0:1.2.0-1BQ15.centos5 set to be updated
---> Package base-swupdate-locale-de_DE.noarch 0:1.2.0-1BQ15.centos5 set to
be updated
---> Package subversion.i386 0:1.4.2-4.el5_3.1 set to be updated
---> Package base-ssl-locale-de_DE.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package proftpd.i386 0:1.3.2a-1BX3 set to be updated
---> Package sausalito-cce-server.i386 0:0.80.4-1BQ44.centos5 set to be
updated
---> Package base-ssl-capstone.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-vsite-locale-en.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-swupdate-locale-da_DK.noarch 0:1.2.0-1BQ15.centos5 set to
be updated
---> Package base-console-locale-en.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-console-locale-ja.noarch 0:1.1.0-0BX09 set to be updated
---> Package libxml2.i386 0:2.6.26-2.1.2.8 set to be updated
---> Package base-vsite-glue.noarch 0:3.0-132BQ55.centos5 set to be updated
---> Package base-ssl-ui.noarch 0:1.1.0-68BQ13.centos5 set to be updated
---> Package apr-util.i386 0:1.2.7-7.el5_3.2 set to be updated
---> Package base-power-locale-ja.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-ssl-locale-da_DK.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-swupdate-capstone.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package pam.i386 0:0.99.6.2-5BX01.centos5 set to be updated
---> Package base-power-locale-de_DE.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-swupdate-locale-ja.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-vsite-ui.noarch 0:3.0-132BQ55.centos5 set to be updated
---> Package base-vsite-locale-da_DK.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-power-locale-en.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package sausalito-cce-client.i386 0:0.80.4-1BQ44.centos5 set to be
updated
---> Package libxml2-python.i386 0:2.6.26-2.1.2.8 set to be updated
---> Package base-ssl-glue.noarch 0:1.1.0-68BQ13.centos5 set to be updated
---> Package base-power-ui.noarch 0:1.1.0-65BQ15.centos5 set to be updated
---> Package base-vsite-capstone.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-ssl-locale-en.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-network-locale-en.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-swupdate-locale-en.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-console-locale-da_DK.noarch 0:1.1.0-0BX09 set to be
updated
---> Package base-swupdate-glue.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-network-locale-da_DK.noarch 0:1.1.0-82BQ27.centos5 set to
be updated
---> Package base-console-capstone.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-ssl-locale-ja.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-console-ui.noarch 0:1.1.0-0BX09 set to be updated
---> Package mod_dav_svn.i386 0:1.4.2-4.el5_3.1 set to be updated
---> Package base-power-locale-da_DK.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
--> Processing Dependency: /lib/security/pam_loginuid.so for package:
openssh-server
--> Finished Dependency Resolution
openssh-server-4.3p2-29.el5.i386 from installed has depsolving problems
  --> Missing Dependency: /lib/security/pam_loginuid.so is needed by package
openssh-server-4.3p2-29.el5.i386 (installed)
Error: Missing Dependency: /lib/security/pam_loginuid.so is needed by
package openssh-server-4.3p2-29.el5.i386 (installed)

On Mon, Aug 10, 2009 at 1:09 PM, Michael Stauber <mstauber at blueonyx.it>
wrote:

Hi all,

Tired about those brute force login attempts against your server(s)?

Well, this time we did something against it and extended BlueOnyx with a
default mechanism which detects and blocks those attempts.

Don't worry, it will not conflict with any existing install of APF+BFD,
Dfix,
DenyHosts or similar custom tool that you have aboard, as it uses entirely
different methods. Firewalling offending IPs off is still the best approach,
but our implementation is quicker upon detecting brute force login attempts
and has less overhead.

Now this update is somewhat extensive, so this somewhat longer than usual
message walks you through all need to knows.

The HTML version of this message can be found here:

http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0
<http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articlei
d=37&cntnt01origid=15&cntnt01returnid=54>
&cntnt01articleid=37&cntnt01origid=15&cntnt01returnid=54

---

The following updates for BlueOnyx were released today and are now available
through YUM:

==========
 Package
==========

Updating:
 base-console-capstone
 base-console-glue
 base-console-locale-da_DK
 base-console-locale-de_DE
 base-console-locale-en
 base-console-locale-ja
 base-console-ui
 base-network-capstone
 base-network-glue
 base-network-locale-da_DK
 base-network-locale-de_DE
 base-network-locale-en
 base-network-locale-ja
 base-network-ui
 pam
 proftpd
 sausalito-cce-client
 sausalito-cce-server

Transaction Summary
============================
Install      0 Package(s)
Update      18 Package(s)
Remove       0 Package(s)

These package addresses the following issues:

base-console, pam and sausalito-cce-server:
================================

Feature update: This updates accomplish a few things in one go. Most
importantly it extends BlueOnyx with a basic (but effective) brute force
password discovery attacks protection trough the implentation of pam_abl.

General explanation:
-------------------------

pam_abl provides auto blacklisting of hosts and (optionally!) users
responsible for repeated failed authentication attempts.

Brute force password discovery attacks involve repeated attempts to
authenticate against a service using a dictionary of common passwords. While
it is desirable to enforce strong passwords for users this is not always
possible and in cases where a weak password has been used brute force
attacks
can be effective.

The pam_abl module monitors failed authentication attempts and automatically
blacklists those hosts (and optionally also accounts) that are responsible
for
a configureable numbers of failed attempts. Once a host is blacklisted it is
guaranteed to fail authentication even if the correct credentials are
provided.

Blacklisting is triggered when the number of failed authentication attempts
in
a particular period of time exceeds a predefined limit. Hosts which stop
attempting to authenticate will - after a period of time - be un-blacklisted
automatically.

Detailed explanation:
--------------------------

Our implementation of pam_abl protects pretty much any network service that
uses the pluggable authentication mechanism (PAM). On BlueOnyx that includes
SSH, Telnet, FTP, SMTP-Auth, POP3, IMAP and so on. pam_abl records failed
logins into a temporary database, which is purged periodically. During such
purges old entries with no frequent activity are expired. If someone exceeds
a
certain (configurable) amount of failed logins, then anyone from the
offending
IP will be unable to authenticate - even if they try a valid username and
password combination.

Please note: pam_abl is not a firewall. It just ties into the autentication
mechanism that all services use and blocks on that level. So if you already
have some brute force detection mechanism, then this update will not
conflict
with it.

The most visible aspects of this new update are the two new GUI pages under
"Server Manegement" / "Security". They are called "Failed Logins" and "Login
Manager".

"Login Manager" allows you to configure the settings of pam_abl. Like how
long
entries without recent activity remain in the database before they are
purged
from it. And more importantly: How many failed authentication attempts
trigger
a lock out of the offending host or (optionally) user. Generally you should
only block hosts - this is the default.

The "Failed Logins" page shows a list of hosts that had failed password
attempts. It also shows how many failed login attempts they had, if they are
currently blocked, or if they (still - or again) are able to login. Like
said:
Bans are temporary and expire after one hour of no further activity from
that
host.

That page also shows you a list of usernames that were used during the
failed
login attempts.

And of course the page allows you to reset all host and/or user bans.

Built in safeguards:
-----------------------

Of course any mechanism to restrict access to the server has the potentical
to
backfire. Users could lock themselves out because they repeatedly login with
the wrong username and/or password. However, we set reasonable defaults, so
this should be a rare event. Of course you can change the default values
through the GUI, or could disable the automatic temporary blocking in
general.

At the worst you could lock yourself out, too. So we built in a few
safeguards
which allow you to do something about that - even if you locked yourself
out.

Safeguard #1: Regardless if pam_abl has your IP address blocked or not, you
will always be able to login to the GUI interface with the servers admin
account. From there you can use the buttons on the "Failed Logins" page to
reset all blocks - or just the one involving your IP.

Safeguard #2: If the server is rebooted, the pam_abl database and all blocks
are reset.

Safeguard #3: If you still have acces to the command line of the server
(from
another IP or from a "root" session that is still open), then simply run
"/etc/init.d/pam_abl stop" to manually initiate a flush of the pam_abl
database.

Command line usage:
--------------------------

The following new commands allow you to receive a bit more information about
pam_abl on the command line:

/etc/init.d/pam_abl

Options: start|stop|status|purge

start or stop: Flush the databases, delete all blocks and erase the failed
login history.

status: Shows detailed information about all recorded events - including
date
and time stamps.

purge: Allows to manually expire events from the database which are older
than
the defined record keeping settings.

/usr/bin/pam_abl

Command line tool of pam_abl. Run it with the -h switch to see all available
options.

ProFTPd:
=======

This update brings ProFTPd to the latest version. Additionally we had to
modify the autehtication mechanisms of ProFTP a little to make it work with
pam_abl. Unfortunately this breaks ProFTPd's built in support for
authentication against LDAP or MySQL. But as those aren't used by default on
BlueOnyx we considered that acceptable.

Our new ProFTPd also has the custom module mod_ban now compiled in by
default.

The mod_ban module is designed to add dynamic "ban" lists to proftpd. A ban
prevents the banned user, host, or class from logging in to the server; it
does not prevent the banned user, host, or class from connecting to the
server. mod_ban is not a firewall. The module also provides automatic bans
that are triggered based on configurable criteria.

Beyond the protection that pam_abl already provides, mod_ban adds another
layer of security that can be finely tuned.

To edit the mod_ban settings see /etc/proftpd.conf

Caveats:
-----------

This ProFTPd update is potentially troublesome, because we had to rewrite
sections of /etc/proftpd.conf in order to make things happen.

The most straightforward way to do this was to simply replace the existing
/etc/proftpd.conf with a new one and then simply add the required
VirtualHost
containers back with the help of the script
/usr/sausalito/sbin/fixproftpd_conf.pl.

If you manually made any changes to your ProFTPd configuration, those will
unfortunately get lost during the upgrade. However, a copy of your old
proftpd.conf will be kept as /etc/proftpd.conf.pre-1.3.2a

base-network:
===========

The GUI page from which you can configure your servers host- and domain
name,
DNS and network related settings had issues when you had more than two
network
cards.

These bugs then prevented you from saving the changes.

That problem has been fixed.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20090813/df0b26fb/attachment.html>