similar to: reliable source for snort packages to centos 5/6 64bit?

I think, this SIG would/should care about hardening CentOS itself as a system not a complete environment (proxies, firewalls, etc.) The examples of the opener show this. Something else could be integrity checking possibly. I imagine a tool/script that could apply hardening stuff. Regards Tim Am 22. April 2015 09:23:52 MESZ, schrieb Eero Volotinen <eero.volotinen at iki.fi>: >Sounds

Sorry about a bit offtopic, but I am looking reliable (not free) secondary dns provider. -- Eero

Well. Centos 5 is really near of it's end of life. There is not much updates to kernel or openswan. You should at least try latest openswan version. Your issue looks like a bit network problem. -- Eero 2016-02-10 8:34 GMT+02:00 John Cenile <jcenile1983 at gmail.com>: > So lowering the keylife / ikelifetime didn't solve the problem. I've > enabled debugging and I'll

As I said though, there's no lost ICMP packets, even when the IPSec tunnel drops out. I do notice a lot of these errors in the secure log though, would this be any indication of a problem? (I'm grepping for this specific error, they're not the only messages in there). Feb 11 14:18:10 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA payload: PROTO_IPSEC_ESP

in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5 -- Eero 2015-04-16 21:02 GMT+03:00 Eero Volotinen <eero.volotinen at iki.fi>: > well. this hack solution might work: > http://www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5/index.html > > -- > Eero > > 2015-04-16 17:30 GMT+03:00 Leon Fauster <leonfauster at

FYI Kris ----- Forwarded message from Kris Kennaway <kris@FreeBSD.org> ----- X-Original-To: kkenn@localhost Delivered-To: kkenn@localhost.obsecurity.org Delivered-To: kris@freebsd.org Delivered-To: ports-committers@freebsd.org From: Kris Kennaway <kris@FreeBSD.org> Date: Thu, 17 Apr 2003 14:45:03 -0700 (PDT) To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org,

SELinux? On 22 April 2015 at 09:11, John R Pierce <pierce at hogranch.com> wrote: > On 4/21/2015 11:34 PM, Eero Volotinen wrote: > >> apply also ideas from this document: >> https://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.130 >> > > that should be your baseline. I suspect you'll find all the things you > mentioned are discussed in

Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2 and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest" solution. -- Eero 2015-04-17 14:15 GMT+03:00 Johnny Hughes <johnny at centos.org>: > On 04/16/2015 05:00 PM, Eero Volotinen wrote: > > in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5 > > > > -- >

The cheapest sollution is probably compiling a private openssl somewhere on the system and then compiling apache using that private openssl version instead of the default system-wide one. Regards, Dennis On 17.04.2015 13:20, Eero Volotinen wrote: > Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2 > and tlsv1.2 and then re-encrypts traffic with tls1.0 might be

So lowering the keylife / ikelifetime didn't solve the problem. I've enabled debugging and I'll see what it says. Unfortunately we can't (easily) upgrade CentOS, do you believe that would make a huge difference though? Are the newer versions of OpenSwan *that *much more reliable? On 10 February 2016 at 04:58, Eero Volotinen <eero.volotinen at iki.fi> wrote: > Centos 5

Package: logcheck-database Hey, I created a logcheck ignore file for Snort with stuff I don't particularly want to see every day. The one line with the warning in it is questionable, so leave it in or out at your discretion. Also, my regex skills are not as good as they could be, so there are probably mistakes, or things that could be simplified more. Rules are below: ^\w{3} [

On 04/16/2015 05:00 PM, Eero Volotinen wrote: > in fact: modgnutls provides easy way to get tlsv1.2 to rhel 5 > > -- > Eero > If you do that, then you are at the mercy of Mr. Bergmann to provide updates for all security issues for openssl. Has he updated his RPMs since 2014-11-19 23:57:58? Does his patch work on the latest RHEL/CentOS EL5 openssl-0.9.8 package? The answer right

Am 16.04.2015 um 11:46 schrieb Leon Fauster <leonfauster at googlemail.com>: > Am 16.04.2015 um 11:43 schrieb Eero Volotinen <eero.volotinen at iki.fi>: >> Is there any nice way to get tlsv1.2 support to centos 5? >> upgrading os to 6 is not option available. > > > Unfortunately not. https://bugzilla.redhat.com/show_bug.cgi?id=1066914 -- LF

Ladies/Gents, /etc/init.d/snortd more snortd #!/bin/sh # Description: start up script for snort # chkconfig: 2345 40 60 # # Source function library. . /etc/rc.d/init.d/functions # case "$1" in # 'start') echo "Starting up Snort..." /prod/snort/bin/snort -c /prod/snort/etc/snort.conf -D -g snort -u snort -i eth0 -l /var/log/snort echo "Done." ;; #

Sounds like a bit basic stuff? How about hardening ciphers, two factor authentication, snort, web application firewall and scap scanning? Eero 22.4.2015 10.14 ap. "Andrew Holway" <andrew.holway at gmail.com> kirjoitti: > SELinux? > > On 22 April 2015 at 09:11, John R Pierce <pierce at hogranch.com> wrote: > > > On 4/21/2015 11:34 PM, Eero Volotinen wrote:

Is there any good rpm source for latest spamassassin for centos/rhel ? Currently using from dag's, but is is a bit old version nowdays. -- Eero

How about using gnutls? Eero 16.4.2015 12.46 ip. "Leon Fauster" <leonfauster at googlemail.com> kirjoitti: > Am 16.04.2015 um 11:43 schrieb Eero Volotinen <eero.volotinen at iki.fi>: > > Is there any nice way to get tlsv1.2 support to centos 5? > > upgrading os to 6 is not option available. > > > Unfortunately not. > > -- > LF > > >

I've been prowling through the FreeBSD and Snort list archives in search of information on setting up snort on a FreeBSD bridge(4) that logs to a remote postgres box via a third interface (hme0) Snort is being started with the following command: /usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr /local/etc/snort.conf Where fxp0 and fxp1 are in the bridge output from sysctl:

I generated according to the docs . Which produced my server.secrets as below used the command ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets : RSA { # RSA 3328 bits ***.**.net Fri Apr 1 15:39:32 2016 # for signatures only, UNSAFE FOR ENCRYPTION

IPSec is very complex with certificates. try first with PSK authentication and then with certificates -- Eero 2016-04-01 20:21 GMT+03:00 Glenn Pierce <glennpierce at gmail.com>: > I generated according to the docs . Which produced > my server.secrets as below > > used the command > > ipsec newhostkey --configdir /etc/ipsec.d --output >