[BlueOnyx:02081] Re: YUM updates: base-console, PAM, CCE, ProFTPd, base-network (+new features)

enid vx enidv11 at gmail.com
Thu Aug 13 07:20:27 -05 2009


Hi,
when I try "yum update", it gives these dependency error messages.
What should I do?

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * extras: mi.mirror.garr.it
 * BlueOnyx: bb-one.blueonyx.it
 * updates: mi.mirror.garr.it
 * base: mi.mirror.garr.it
 * addons: mi.mirror.garr.it
 * Solarspeed.net: blueonyx.solarspeed.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package apr.i386 0:1.2.7-11.el5_3.1 set to be updated
---> Package base-network-locale-de_DE.noarch 0:1.1.0-82BQ27.centos5 set to
be updated
---> Package base-network-glue.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-vsite-locale-ja.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-power-capstone.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-network-capstone.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-network-locale-ja.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-power-glue.noarch 0:1.1.0-65BQ15.centos5 set to be updated
---> Package base-vsite-locale-de_DE.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-console-glue.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-console-locale-de_DE.noarch 0:1.1.0-0BX09 set to be
updated
---> Package base-network-ui.noarch 0:1.1.0-82BQ27.centos5 set to be updated
---> Package base-swupdate-ui.noarch 0:1.2.0-1BQ15.centos5 set to be updated
---> Package base-swupdate-locale-de_DE.noarch 0:1.2.0-1BQ15.centos5 set to
be updated
---> Package subversion.i386 0:1.4.2-4.el5_3.1 set to be updated
---> Package base-ssl-locale-de_DE.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package proftpd.i386 0:1.3.2a-1BX3 set to be updated
---> Package sausalito-cce-server.i386 0:0.80.4-1BQ44.centos5 set to be
updated
---> Package base-ssl-capstone.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-vsite-locale-en.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-swupdate-locale-da_DK.noarch 0:1.2.0-1BQ15.centos5 set to
be updated
---> Package base-console-locale-en.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-console-locale-ja.noarch 0:1.1.0-0BX09 set to be updated
---> Package libxml2.i386 0:2.6.26-2.1.2.8 set to be updated
---> Package base-vsite-glue.noarch 0:3.0-132BQ55.centos5 set to be updated
---> Package base-ssl-ui.noarch 0:1.1.0-68BQ13.centos5 set to be updated
---> Package apr-util.i386 0:1.2.7-7.el5_3.2 set to be updated
---> Package base-power-locale-ja.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-ssl-locale-da_DK.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-swupdate-capstone.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package pam.i386 0:0.99.6.2-5BX01.centos5 set to be updated
---> Package base-power-locale-de_DE.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package base-swupdate-locale-ja.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-vsite-ui.noarch 0:3.0-132BQ55.centos5 set to be updated
---> Package base-vsite-locale-da_DK.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-power-locale-en.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
---> Package sausalito-cce-client.i386 0:0.80.4-1BQ44.centos5 set to be
updated
---> Package libxml2-python.i386 0:2.6.26-2.1.2.8 set to be updated
---> Package base-ssl-glue.noarch 0:1.1.0-68BQ13.centos5 set to be updated
---> Package base-power-ui.noarch 0:1.1.0-65BQ15.centos5 set to be updated
---> Package base-vsite-capstone.noarch 0:3.0-132BQ55.centos5 set to be
updated
---> Package base-ssl-locale-en.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-network-locale-en.noarch 0:1.1.0-82BQ27.centos5 set to be
updated
---> Package base-swupdate-locale-en.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-console-locale-da_DK.noarch 0:1.1.0-0BX09 set to be
updated
---> Package base-swupdate-glue.noarch 0:1.2.0-1BQ15.centos5 set to be
updated
---> Package base-network-locale-da_DK.noarch 0:1.1.0-82BQ27.centos5 set to
be updated
---> Package base-console-capstone.noarch 0:1.1.0-0BX09 set to be updated
---> Package base-ssl-locale-ja.noarch 0:1.1.0-68BQ13.centos5 set to be
updated
---> Package base-console-ui.noarch 0:1.1.0-0BX09 set to be updated
---> Package mod_dav_svn.i386 0:1.4.2-4.el5_3.1 set to be updated
---> Package base-power-locale-da_DK.noarch 0:1.1.0-65BQ15.centos5 set to be
updated
--> Processing Dependency: /lib/security/pam_loginuid.so for package:
openssh-server
--> Finished Dependency Resolution
openssh-server-4.3p2-29.el5.i386 from installed has depsolving problems
  --> Missing Dependency: /lib/security/pam_loginuid.so is needed by package
openssh-server-4.3p2-29.el5.i386 (installed)
Error: Missing Dependency: /lib/security/pam_loginuid.so is needed by
package openssh-server-4.3p2-29.el5.i386 (installed)




On Mon, Aug 10, 2009 at 1:09 PM, Michael Stauber <mstauber at blueonyx.it> wrote:

> Hi all,
>
> Tired of those brute force login attempts against your server(s)?
>
> Well, this time we did something against it and extended BlueOnyx with a
> default mechanism which detects and blocks those attempts.
>
> Don't worry, it will not conflict with any existing install of APF+BFD,
> Dfix,
> DenyHosts or similar custom tool that you have aboard, as it uses entirely
> different methods. Firewalling offending IPs off is still the best
> approach,
> but our implementation is quicker upon detecting brute force login attempts
> and has less overhead.
>
> Now this update is somewhat extensive, so this somewhat longer than usual
> message walks you through all need to knows.
>
> The HTML version of this message can be found here:
>
>
> http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=37&cntnt01origid=15&cntnt01returnid=54
>
> ---
>
> The following updates for BlueOnyx were released today and are now
> available
> through YUM:
>
> ==========
>  Package
> ==========
>
> Updating:
>  base-console-capstone
>  base-console-glue
>  base-console-locale-da_DK
>  base-console-locale-de_DE
>  base-console-locale-en
>  base-console-locale-ja
>  base-console-ui
>  base-network-capstone
>  base-network-glue
>  base-network-locale-da_DK
>  base-network-locale-de_DE
>  base-network-locale-en
>  base-network-locale-ja
>  base-network-ui
>  pam
>  proftpd
>  sausalito-cce-client
>  sausalito-cce-server
>
> Transaction Summary
> ============================
> Install      0 Package(s)
> Update      18 Package(s)
> Remove       0 Package(s)
>
>
> These packages address the following issues:
>
> base-console, pam and sausalito-cce-server:
> ================================
>
> Feature update: This update accomplishes a few things in one go. Most
> importantly it extends BlueOnyx with a basic (but effective) brute force
> password discovery attacks protection through the implementation of pam_abl.
>
> General explanation:
> -------------------------
>
> pam_abl provides auto blacklisting of hosts and (optionally!) users
> responsible for repeated failed authentication attempts.
>
> Brute force password discovery attacks involve repeated attempts to
> authenticate against a service using a dictionary of common passwords.
> While
> it is desirable to enforce strong passwords for users this is not always
> possible and in cases where a weak password has been used brute force
> attacks
> can be effective.
>
> The pam_abl module monitors failed authentication attempts and
> automatically
> blacklists those hosts (and optionally also accounts) that are responsible
> for
> a configurable number of failed attempts. Once a host is blacklisted it
> is
> guaranteed to fail authentication even if the correct credentials are
> provided.
>
> Blacklisting is triggered when the number of failed authentication attempts
> in
> a particular period of time exceeds a predefined limit. Hosts which stop
> attempting to authenticate will - after a period of time - be
> un-blacklisted
> automatically.
>
> Detailed explanation:
> --------------------------
>
> Our implementation of pam_abl protects pretty much any network service that
> uses the pluggable authentication mechanism (PAM). On BlueOnyx that
> includes
> SSH, Telnet, FTP, SMTP-Auth, POP3, IMAP and so on. pam_abl records failed
> logins into a temporary database, which is purged periodically. During such
> purges old entries with no frequent activity are expired. If someone
> exceeds a
> certain (configurable) amount of failed logins, then anyone from the
> offending
> IP will be unable to authenticate - even if they try a valid username and
> password combination.
>
> Please note: pam_abl is not a firewall. It just ties into the authentication
> mechanism that all services use and blocks on that level. So if you already
> have some brute force detection mechanism, then this update will not
> conflict
> with it.
>
> The most visible aspects of this new update are the two new GUI pages under
> "Server Management" / "Security". They are called "Failed Logins" and
> "Login
> Manager".
>
> "Login Manager" allows you to configure the settings of pam_abl. Like how
> long
> entries without recent activity remain in the database before they are
> purged
> from it. And more importantly: How many failed authentication attempts
> trigger
> a lock out of the offending host or (optionally) user. Generally you should
> only block hosts - this is the default.
>
> The "Failed Logins" page shows a list of hosts that had failed password
> attempts. It also shows how many failed login attempts they had, if they
> are
> currently blocked, or if they (still - or again) are able to login. Like
> said:
> Bans are temporary and expire after one hour of no further activity from
> that
> host.
>
> That page also shows you a list of usernames that were used during the
> failed
> login attempts.
>
> And of course the page allows you to reset all host and/or user bans.
>
> Built in safeguards:
> -----------------------
>
> Of course any mechanism to restrict access to the server has the potential
> to
> backfire. Users could lock themselves out because they repeatedly login
> with
> the wrong username and/or password. However, we set reasonable defaults, so
> this should be a rare event. Of course you can change the default values
> through the GUI, or could disable the automatic temporary blocking in
> general.
>
> At the worst you could lock yourself out, too. So we built in a few
> safeguards
> which allow you to do something about that - even if you locked yourself
> out.
>
> Safeguard #1: Regardless if pam_abl has your IP address blocked or not, you
> will always be able to login to the GUI interface with the server's admin
> account. From there you can use the buttons on the "Failed Logins" page to
> reset all blocks - or just the one involving your IP.
>
> Safeguard #2: If the server is rebooted, the pam_abl database and all
> blocks
> are reset.
>
> Safeguard #3: If you still have access to the command line of the server
> (from
> another IP or from a "root" session that is still open), then simply run
> "/etc/init.d/pam_abl stop" to manually initiate a flush of the pam_abl
> database.
>
> Command line usage:
> --------------------------
>
> The following new commands allow you to receive a bit more information
> about
> pam_abl on the command line:
>
> /etc/init.d/pam_abl
>
> Options: start|stop|status|purge
>
> start or stop: Flush the databases, delete all blocks and erase the failed
> login history.
>
> status: Shows detailed information about all recorded events - including
> date
> and time stamps.
>
> purge: Allows you to manually expire events from the database which are older
> than
> the defined record keeping settings.
>
> /usr/bin/pam_abl
>
> Command line tool of pam_abl. Run it with the -h switch to see all
> available
> options.
>
>
>
> ProFTPd:
> =======
>
> This update brings ProFTPd to the latest version. Additionally we had to
> modify the authentication mechanisms of ProFTP a little to make it work with
> pam_abl. Unfortunately this breaks ProFTPd's built in support for
> authentication against LDAP or MySQL. But as those aren't used by default
> on
> BlueOnyx we considered that acceptable.
>
> Our new ProFTPd also has the custom module mod_ban now compiled in by
> default.
>
> The mod_ban module is designed to add dynamic "ban" lists to proftpd. A ban
> prevents the banned user, host, or class from logging in to the server; it
> does not prevent the banned user, host, or class from connecting to the
> server. mod_ban is not a firewall. The module also provides automatic bans
> that are triggered based on configurable criteria.
>
> Beyond the protection that pam_abl already provides, mod_ban adds another
> layer of security that can be finely tuned.
>
> To edit the mod_ban settings see /etc/proftpd.conf
>
> Caveats:
> -----------
>
> This ProFTPd update is potentially troublesome, because we had to rewrite
> sections of /etc/proftpd.conf in order to make things happen.
>
> The most straightforward way to do this was to simply replace the existing
> /etc/proftpd.conf with a new one and then simply add the required
> VirtualHost
> containers back with the help of the script
> /usr/sausalito/sbin/fixproftpd_conf.pl.
>
> If you manually made any changes to your ProFTPd configuration, those will
> unfortunately get lost during the upgrade. However, a copy of your old
> proftpd.conf will be kept as /etc/proftpd.conf.pre-1.3.2a
>
>
>
> base-network:
> ===========
>
> The GUI page from which you can configure your server's host- and domain
> name,
> DNS and network related settings had issues when you had more than two
> network
> cards.
>
> These bugs then prevented you from saving the changes.
>
> That problem has been fixed.
>
>
> --
> With best regards
>
> Michael Stauber
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>
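
The blacklisting behaviour described in the quoted announcement (a host is blocked once its failed logins within a time window reach a limit, and is released again when it goes quiet) can be modelled as below. This is an added example, not part of either message and not pam_abl's own code. It assumes pam_abl's documented `who:count/period` rule syntax and treats a clause as triggered at `count` or more failures; the rule values and timestamps are constructed, not BlueOnyx defaults.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rule(rule):
    """Split 'who:count/period[,count/period]' into (who, [(count, seconds), ...])."""
    who, sep, clauses = rule.partition(":")
    if not sep:
        raise ValueError(f"rule has no ':' separator: {rule!r}")
    triggers = []
    for clause in clauses.split(","):
        m = re.fullmatch(r"\s*(\d+)/(\d+)([smhd])\s*", clause)
        if m is None:
            raise ValueError(f"bad trigger clause: {clause!r}")
        triggers.append((int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]))
    return who, triggers

def is_blocked(failures, triggers, now):
    """True if any clause sees at least `count` failures in the last `period` seconds."""
    return any(
        sum(1 for t in failures if now - period < t <= now) >= count
        for count, period in triggers
    )

def purge(failures, keep_seconds, now):
    """Drop records older than the retention time, as a periodic purge would."""
    return [t for t in failures if now - t <= keep_seconds]

# Constructed settings and data (not BlueOnyx defaults).
HOST_RULE = "*:10/1h,30/1d"
_, TRIGGERS = parse_rule(HOST_RULE)
BURST = [i * 30 for i in range(10)]      # 10 failures, 30 s apart
SLOW = [i * 2400 for i in range(30)]     # 30 failures, 40 min apart

if __name__ == "__main__":
    for label, fails, now in [
        ("burst, 9th failure", BURST[:9], 240),
        ("burst, 10th failure", BURST, 270),
        ("burst, 1h after first failure", BURST, 3600),
        ("slow, 30th failure", SLOW, 69600),
    ]:
        print(f"{label:32} blocked={is_blocked(fails, TRIGGERS, now)}")
```

The slow series never reaches the hourly limit and is caught only by the daily clause, which is why a rule with a single short window misses low-rate guessing.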