devil-linux-discuss — General Mailing List for all discussions

Re: [Devil-Linux-discuss] ntp problem

[Bruce S. <bw...@ar...>]

Yup, that "fixes" it!  :-)

 - BS


> Forgot to mention how to do it:
> 
> Setup -> Services to be started on boot -> IPV6_ROUTING
> 
> Turn this off. Save config. Reboot.
> 
> 
> 
> Philip Peake wrote: 
> > Yes its IPV6 that breaks it.
> > I disables IPV6 routing and it then works ok.
> > 
> > Philip
> > 
> > ---------------
> > Bruce Smith wrote: 
> > > I can confirm that ntpd is broken, with the default config anyway.
> > > 
> > > I did some strace'ing and it's trying to listen on a IPv6 wildcard
> > > address "::". 
> > > 
> > > I'm guessing it's not working because I'm not running IPv6, and I
> > > haven't figured out if how to turn off IPv6 in ntp.conf, or if it's even
> > > possible to turn off IPv6 in ntpd.
> > > 
> > > Anyone with some IPv6 knowledge have any ideas?  
> > > Maybe if I activated IPv6 on eth0?  How do I do that?
> > > 
> > > For now, I guess I'll stick a 'ntpdate' in an hourly cron job to keep my
> > > server's time correct.  But that won't help people who need to run a
> > > real NTP server.
> > > 
> > >  - BS
> > > 
> > > 
> > >   
> > > > Yep, after reboot, and everytime I try to start xntpd.
> > > > I found another guy on the web who was complaining that he notices the same thing when running ntp
> > > > and one of the eth interfaces was down. Mine are up but that's why I rather think it's and ntp bug
> > > > ...
> > > > 
> > > > lsof output:
> > > > 
> > > > COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
> > > > dhcpcd   545   root    4u  IPv4   5090       UDP *:bootpc 
> > > > dnsmasq  684 nobody    4u  IPv4   5796       UDP *:domain 
> > > > dnsmasq  684 nobody    5u  IPv4   5797       TCP *:domain (LISTEN)
> > > > dnsmasq  684 nobody    9u  IPv4   5810       UDP *:filenet-tms 
> > > > dhcpd    771   root    5u  IPv4   6329       UDP *:bootps 
> > > > sshd     901   root    3u  IPv4   7006       TCP esgaroth:ssh (LISTEN)
> > > > smbd    1243   root   18u  IPv4   8570       TCP esgaroth:microsoft-ds (LISTEN)
> > > > smbd    1243   root   19u  IPv4   8571       TCP esgaroth:netbios-ssn (LISTEN)
> > > > nmbd    1247   root    6u  IPv4   8793       UDP *:netbios-ns 
> > > > nmbd    1247   root    7u  IPv4   8794       UDP *:netbios-dgm 
> > > > nmbd    1247   root    8u  IPv4   8796       UDP esgaroth:netbios-ns 
> > > > nmbd    1247   root    9u  IPv4   8797       UDP esgaroth:netbios-dgm  
> > > > 
> > > > as you see no port 123. Also I see no ntp in the process list
> > > > 
> > > > Best regards
> > > > --- Heiko Zuerker <he...@zu...> wrote:
> > > > 
> > > >     
> > > > > Do you get this message after you reboot the box?
> > > > > 
> > > > > What's the output of the following commands:
> > > > > lsof -i tcp:123
> > > > > lsof -i udp:123

Re: [Devil-Linux-discuss] ntp problem

[Philip P. <ph...@vo...>]

Forgot to mention how to do it:

Setup -> Services to be started on boot -> IPV6_ROUTING

Turn this off. Save config. Reboot.



Philip Peake wrote:
> Yes its IPV6 that breaks it.
> I disables IPV6 routing and it then works ok.
>
> Philip
>
> ---------------
> Bruce Smith wrote:
>> I can confirm that ntpd is broken, with the default config anyway.
>>
>> I did some strace'ing and it's trying to listen on a IPv6 wildcard
>> address "::". 
>>
>> I'm guessing it's not working because I'm not running IPv6, and I
>> haven't figured out if how to turn off IPv6 in ntp.conf, or if it's even
>> possible to turn off IPv6 in ntpd.
>>
>> Anyone with some IPv6 knowledge have any ideas?  
>> Maybe if I activated IPv6 on eth0?  How do I do that?
>>
>> For now, I guess I'll stick a 'ntpdate' in an hourly cron job to keep my
>> server's time correct.  But that won't help people who need to run a
>> real NTP server.
>>
>>  - BS
>>
>>
>>   
>>> Yep, after reboot, and everytime I try to start xntpd.
>>> I found another guy on the web who was complaining that he notices the same thing when running ntp
>>> and one of the eth interfaces was down. Mine are up but that's why I rather think it's and ntp bug
>>> ...
>>>
>>> lsof output:
>>>
>>> COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
>>> dhcpcd   545   root    4u  IPv4   5090       UDP *:bootpc 
>>> dnsmasq  684 nobody    4u  IPv4   5796       UDP *:domain 
>>> dnsmasq  684 nobody    5u  IPv4   5797       TCP *:domain (LISTEN)
>>> dnsmasq  684 nobody    9u  IPv4   5810       UDP *:filenet-tms 
>>> dhcpd    771   root    5u  IPv4   6329       UDP *:bootps 
>>> sshd     901   root    3u  IPv4   7006       TCP esgaroth:ssh (LISTEN)
>>> smbd    1243   root   18u  IPv4   8570       TCP esgaroth:microsoft-ds (LISTEN)
>>> smbd    1243   root   19u  IPv4   8571       TCP esgaroth:netbios-ssn (LISTEN)
>>> nmbd    1247   root    6u  IPv4   8793       UDP *:netbios-ns 
>>> nmbd    1247   root    7u  IPv4   8794       UDP *:netbios-dgm 
>>> nmbd    1247   root    8u  IPv4   8796       UDP esgaroth:netbios-ns 
>>> nmbd    1247   root    9u  IPv4   8797       UDP esgaroth:netbios-dgm  
>>>
>>> as you see no port 123. Also I see no ntp in the process list
>>>
>>> Best regards
>>> --- Heiko Zuerker <he...@zu...> wrote:
>>>
>>>     
>>>> Do you get this message after you reboot the box?
>>>>
>>>> What's the output of the following commands:
>>>> lsof -i tcp:123
>>>> lsof -i udp:123
>>>>       
>>
>>
>> -------------------------------------------------------------------------
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>> opinions on IT & business topics through brief surveys-and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>> _______________________________________________
>> Devil-linux-discuss mailing list
>> Dev...@li...
>> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>>   
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>   

Re: [Devil-Linux-discuss] ntp problem

[Philip P. <ph...@vo...>]

Yes its IPV6 that breaks it.
I disables IPV6 routing and it then works ok.

Philip

---------------
Bruce Smith wrote:
> I can confirm that ntpd is broken, with the default config anyway.
>
> I did some strace'ing and it's trying to listen on a IPv6 wildcard
> address "::". 
>
> I'm guessing it's not working because I'm not running IPv6, and I
> haven't figured out if how to turn off IPv6 in ntp.conf, or if it's even
> possible to turn off IPv6 in ntpd.
>
> Anyone with some IPv6 knowledge have any ideas?  
> Maybe if I activated IPv6 on eth0?  How do I do that?
>
> For now, I guess I'll stick a 'ntpdate' in an hourly cron job to keep my
> server's time correct.  But that won't help people who need to run a
> real NTP server.
>
>  - BS
>
>
>   
>> Yep, after reboot, and everytime I try to start xntpd.
>> I found another guy on the web who was complaining that he notices the same thing when running ntp
>> and one of the eth interfaces was down. Mine are up but that's why I rather think it's and ntp bug
>> ...
>>
>> lsof output:
>>
>> COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
>> dhcpcd   545   root    4u  IPv4   5090       UDP *:bootpc 
>> dnsmasq  684 nobody    4u  IPv4   5796       UDP *:domain 
>> dnsmasq  684 nobody    5u  IPv4   5797       TCP *:domain (LISTEN)
>> dnsmasq  684 nobody    9u  IPv4   5810       UDP *:filenet-tms 
>> dhcpd    771   root    5u  IPv4   6329       UDP *:bootps 
>> sshd     901   root    3u  IPv4   7006       TCP esgaroth:ssh (LISTEN)
>> smbd    1243   root   18u  IPv4   8570       TCP esgaroth:microsoft-ds (LISTEN)
>> smbd    1243   root   19u  IPv4   8571       TCP esgaroth:netbios-ssn (LISTEN)
>> nmbd    1247   root    6u  IPv4   8793       UDP *:netbios-ns 
>> nmbd    1247   root    7u  IPv4   8794       UDP *:netbios-dgm 
>> nmbd    1247   root    8u  IPv4   8796       UDP esgaroth:netbios-ns 
>> nmbd    1247   root    9u  IPv4   8797       UDP esgaroth:netbios-dgm  
>>
>> as you see no port 123. Also I see no ntp in the process list
>>
>> Best regards
>> --- Heiko Zuerker <he...@zu...> wrote:
>>
>>     
>>> Do you get this message after you reboot the box?
>>>
>>> What's the output of the following commands:
>>> lsof -i tcp:123
>>> lsof -i udp:123
>>>       
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>   

Re: [Devil-Linux-discuss] ntp problem

[Bruce S. <bw...@ar...>]

I can confirm that ntpd is broken, with the default config anyway.

I did some strace'ing and it's trying to listen on a IPv6 wildcard
address "::". 

I'm guessing it's not working because I'm not running IPv6, and I
haven't figured out if how to turn off IPv6 in ntp.conf, or if it's even
possible to turn off IPv6 in ntpd.

Anyone with some IPv6 knowledge have any ideas?  
Maybe if I activated IPv6 on eth0?  How do I do that?

For now, I guess I'll stick a 'ntpdate' in an hourly cron job to keep my
server's time correct.  But that won't help people who need to run a
real NTP server.

 - BS


> Yep, after reboot, and everytime I try to start xntpd.
> I found another guy on the web who was complaining that he notices the same thing when running ntp
> and one of the eth interfaces was down. Mine are up but that's why I rather think it's and ntp bug
> ...
> 
> lsof output:
> 
> COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
> dhcpcd   545   root    4u  IPv4   5090       UDP *:bootpc 
> dnsmasq  684 nobody    4u  IPv4   5796       UDP *:domain 
> dnsmasq  684 nobody    5u  IPv4   5797       TCP *:domain (LISTEN)
> dnsmasq  684 nobody    9u  IPv4   5810       UDP *:filenet-tms 
> dhcpd    771   root    5u  IPv4   6329       UDP *:bootps 
> sshd     901   root    3u  IPv4   7006       TCP esgaroth:ssh (LISTEN)
> smbd    1243   root   18u  IPv4   8570       TCP esgaroth:microsoft-ds (LISTEN)
> smbd    1243   root   19u  IPv4   8571       TCP esgaroth:netbios-ssn (LISTEN)
> nmbd    1247   root    6u  IPv4   8793       UDP *:netbios-ns 
> nmbd    1247   root    7u  IPv4   8794       UDP *:netbios-dgm 
> nmbd    1247   root    8u  IPv4   8796       UDP esgaroth:netbios-ns 
> nmbd    1247   root    9u  IPv4   8797       UDP esgaroth:netbios-dgm  
> 
> as you see no port 123. Also I see no ntp in the process list
> 
> Best regards
> --- Heiko Zuerker <he...@zu...> wrote:
> 
> > Do you get this message after you reboot the box?
> > 
> > What's the output of the following commands:
> > lsof -i tcp:123
> > lsof -i udp:123

[Devil-Linux-discuss] kernel 2.6 / DL 1.3

[Martin H. <ma...@ho...>]

Hi,

coming back to my initial post for adding kernel 2.6 (making a stable DL
1.3):

Is there a way to speed up the process? Depending on the estimated
release time I am willing to co-sponsor the effort (depending on $$$).

- reason: we are searching for a firewall w/current kernel
-- features: (working!) HA, open-VPN w/ auth at LDAP-server (which is
'behind' the firewall). A graphical interface would be a nice feature
for the customer, but it is not a must, so I can stick with DL,
throughput of min. 30 mbit/s traffic.

Thanks, Martin

Re: [Devil-Linux-discuss] ntp problem

[Bogdan P. <pet...@ya...>]

Yep, after reboot, and everytime I try to start xntpd.
I found another guy on the web who was complaining that he notices the same thing when running ntp
and one of the eth interfaces was down. Mine are up but that's why I rather think it's and ntp bug
...

lsof output:

COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd   545   root    4u  IPv4   5090       UDP *:bootpc 
dnsmasq  684 nobody    4u  IPv4   5796       UDP *:domain 
dnsmasq  684 nobody    5u  IPv4   5797       TCP *:domain (LISTEN)
dnsmasq  684 nobody    9u  IPv4   5810       UDP *:filenet-tms 
dhcpd    771   root    5u  IPv4   6329       UDP *:bootps 
sshd     901   root    3u  IPv4   7006       TCP esgaroth:ssh (LISTEN)
smbd    1243   root   18u  IPv4   8570       TCP esgaroth:microsoft-ds (LISTEN)
smbd    1243   root   19u  IPv4   8571       TCP esgaroth:netbios-ssn (LISTEN)
nmbd    1247   root    6u  IPv4   8793       UDP *:netbios-ns 
nmbd    1247   root    7u  IPv4   8794       UDP *:netbios-dgm 
nmbd    1247   root    8u  IPv4   8796       UDP esgaroth:netbios-ns 
nmbd    1247   root    9u  IPv4   8797       UDP esgaroth:netbios-dgm  

as you see no port 123. Also I see no ntp in the process list

Best regards
--- Heiko Zuerker <he...@zu...> wrote:

> Do you get this message after you reboot the box?
> 
> What's the output of the following commands:
> lsof -i tcp:123
> lsof -i udp:123
> 

--------------------------------
Being in the majority means that most people agree with you; it does not mean that you are right.
--------------------------------


 
____________________________________________________________________________________
Expecting? Get great news right away with email Auto-Check. 
Try the Yahoo! Mail Beta.
http://advision.webevents.yahoo.com/mailbeta/newmail_tools.html 

Re: [Devil-Linux-discuss] 1.2.13 boot crash

[John H. <jh...@hi...>]

Heiko Zuerker wrote:
> Hey,
>
> 1.2.12 introduced Kernel 2.4.34, which could be the cause of your problems.
> Could you try and boot the 1.2.12, to see if it has the same problem?
>
>   

I downloaded 1.2.13-i586-SMP (versus i686 previously) and all is well.  
This is an old Pentium 233.
Thanks.

~jh

Re: [Devil-Linux-discuss] 1.2.13 boot crash

[<jh...@hi...>]

Sure, I'll try it tonight.
~jh

On Mon, Mar 12, 2007 at 10:08:59AM -0500, Heiko Zuerker wrote:
> Hey,
> 
> 1.2.12 introduced Kernel 2.4.34, which could be the cause of your problems.
> Could you try and boot the 1.2.12, to see if it has the same problem?
> 
> cu
> Heiko
> 
> On Mon, March 12, 2007 09:34, John Hawley wrote:
> > Hello,
> >
> >
> > I've been running v. 1.2.11 for a few months and it worked great.  Nice
> > work on this project.
> >
> > I tried this weekend to update to 1.2.13 for the DST update, but it does
> > not work for me. ... boots off cd, then messages about loading initrd.gz,
> > then at first screen blanking point (video setup?), it reboots.  This
> > would cycle endlessly.
> >
> > Was support for some video chips dropped, perhaps?  The new cd boots fine
> > on another of my old systems.
> >
> >
> > root@jynx:~# lspci
> > 00:00.0 Host bridge: Silicon Integrated Systems [SiS] 530 Host (rev 03)
> > 00:00.1 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev
> > d0) 00:01.0 ISA bridge: Silicon Integrated Systems [SiS] SiS85C503/5513
> > (LPC Bridge) (rev b3)
> > 00:01.1 Class ff00: Silicon Integrated Systems [SiS] ACPI
> > 00:01.2 USB Controller: Silicon Integrated Systems [SiS] USB 1.0
> > Controller (rev 11)
> > 00:02.0 PCI bridge: Silicon Integrated Systems [SiS] Virtual PCI-to-PCI
> > bridge (AGP) 00:09.0 Ethernet controller: D-Link System Inc RTL8139
> > Ethernet (rev 10)
> > 00:0a.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
> > 00:0b.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
> > 00:0d.0 Multimedia audio controller: ESS Technology ES1969 Solo-1
> > Audiodrive (rev 01)
> > 01:00.0 VGA compatible controller: Silicon Integrated Systems [SiS]
> > 530/620 PCI/AGP VGA Display Adapter (rev a3)

Re: [Devil-Linux-discuss] 1.2.13 boot crash

[Heiko Z. <he...@zu...>]

Hey,

1.2.12 introduced Kernel 2.4.34, which could be the cause of your problems.
Could you try and boot the 1.2.12, to see if it has the same problem?

cu
Heiko

On Mon, March 12, 2007 09:34, John Hawley wrote:
> Hello,
>
>
> I've been running v. 1.2.11 for a few months and it worked great.  Nice
> work on this project.
>
> I tried this weekend to update to 1.2.13 for the DST update, but it does
> not work for me. ... boots off cd, then messages about loading initrd.gz,
> then at first screen blanking point (video setup?), it reboots.  This
> would cycle endlessly.
>
> Was support for some video chips dropped, perhaps?  The new cd boots fine
> on another of my old systems.
>
>
> root@jynx:~# lspci
> 00:00.0 Host bridge: Silicon Integrated Systems [SiS] 530 Host (rev 03)
> 00:00.1 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev
> d0) 00:01.0 ISA bridge: Silicon Integrated Systems [SiS] SiS85C503/5513
> (LPC Bridge) (rev b3)
> 00:01.1 Class ff00: Silicon Integrated Systems [SiS] ACPI
> 00:01.2 USB Controller: Silicon Integrated Systems [SiS] USB 1.0
> Controller (rev 11)
> 00:02.0 PCI bridge: Silicon Integrated Systems [SiS] Virtual PCI-to-PCI
> bridge (AGP) 00:09.0 Ethernet controller: D-Link System Inc RTL8139
> Ethernet (rev 10)
> 00:0a.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
> 00:0b.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
> 00:0d.0 Multimedia audio controller: ESS Technology ES1969 Solo-1
> Audiodrive (rev 01)
> 01:00.0 VGA compatible controller: Silicon Integrated Systems [SiS]
> 530/620 PCI/AGP VGA Display Adapter (rev a3)
>
>
> -------------------------------------------------------------------------
>  Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>  _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>
>


-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

[Devil-Linux-discuss] 1.2.13 boot crash

[<jh...@hi...>]

Hello,

I've been running v. 1.2.11 for a few months and it worked great.  Nice work on this project.

I tried this weekend to update to 1.2.13 for the DST update, but it does not work for me.
... boots off cd, then messages about loading initrd.gz, then at first screen blanking point (video setup?), it reboots.  This would cycle endlessly.

Was support for some video chips dropped, perhaps?  The new cd boots fine on another of my old systems.


root@jynx:~# lspci
00:00.0 Host bridge: Silicon Integrated Systems [SiS] 530 Host (rev 03)
00:00.1 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev d0)
00:01.0 ISA bridge: Silicon Integrated Systems [SiS] SiS85C503/5513 (LPC Bridge) (rev b3)
00:01.1 Class ff00: Silicon Integrated Systems [SiS] ACPI
00:01.2 USB Controller: Silicon Integrated Systems [SiS] USB 1.0 Controller (rev 11)
00:02.0 PCI bridge: Silicon Integrated Systems [SiS] Virtual PCI-to-PCI bridge (AGP)
00:09.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
00:0a.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
00:0b.0 Ethernet controller: D-Link System Inc RTL8139 Ethernet (rev 10)
00:0d.0 Multimedia audio controller: ESS Technology ES1969 Solo-1 Audiodrive (rev 01)
01:00.0 VGA compatible controller: Silicon Integrated Systems [SiS] 530/620 PCI/AGP VGA Display Adapter (rev a3)

Re: [Devil-Linux-discuss] ntp problem

[Heiko Z. <he...@zu...>]

On Sun, March 11, 2007 11:26, Bogdan Petrisor wrote:
> Hello all,
>
>
> Did anybody experienced problems with ntpd similar to this:
>
>
> Mar 11 11:55:38 src@esgaroth ntpdate[7253]: step time server
> 216.27.160.99 offset -0.019538 sec
> Mar 11 11:55:40 src@esgaroth jk_socketd[7512]: listening on socket
> /jail/NTPD/dev/log with rates
> [2048:4096]/10
> Mar 11 11:55:40 src@esgaroth ntpd[7515]: ntpd 4.2.4@1.1437-o Thu Mar  1
> 06:34:22 UTC 2007 (1)
> Mar 11 11:55:40 src@esgaroth ntpd[7515]: signal_no_reset: signal 13 had
> flags 4000000 Mar 11 11:55:40 src@esgaroth ntpd[7515]:
> set_process_priority: Leave priority alone: priority_done
> is <2> Mar 11 11:55:40 src@esgaroth ntpd[7515]: precision = 2.000 usec
> Mar 11 11:55:40 src@esgaroth ntpd[7515]: ntp_io: estimated max
> descriptors: 1024, initial socket
> boundary: 16
> Mar 11 11:55:40 src@esgaroth ntpd[7515]: Listening on interface #0
> wildcard, 0.0.0.0#123 Disabled Mar 11 11:55:40 src@esgaroth ntpd[7515]:
> bind() fd 17, family 10, port 123, scope 0, addr ::,
> in6_is_addr_multicast=0 flags=129 fails: Address already in use Mar 11
> 11:55:40 src@esgaroth ntpd[7515]: unable to bind to wildcard socket
> address :: - another process may be running - EXITING
>
>> From a couple of google searches it seems like this could be a ntp bug
>> but I just wanted to know
> if anybody has seen this problem and found any workaround.
>
> Best regards
>
>
>
> --------------------------------
> Being in the majority means that most people agree with you; it does not
> mean that you are right. --------------------------------

Do you get this message after you reboot the box?

What's the output of the following commands:
lsof -i tcp:123
lsof -i udp:123


-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

[Devil-Linux-discuss] ntp problem

[Bogdan P. <pet...@ya...>]

Hello all,

Did anybody experienced problems with ntpd similar to this:

Mar 11 11:55:38 src@esgaroth ntpdate[7253]: step time server 216.27.160.99 offset -0.019538 sec
Mar 11 11:55:40 src@esgaroth jk_socketd[7512]: listening on socket /jail/NTPD/dev/log with rates
[2048:4096]/10
Mar 11 11:55:40 src@esgaroth ntpd[7515]: ntpd 4.2.4@1.1437-o Thu Mar  1 06:34:22 UTC 2007 (1)
Mar 11 11:55:40 src@esgaroth ntpd[7515]: signal_no_reset: signal 13 had flags 4000000
Mar 11 11:55:40 src@esgaroth ntpd[7515]: set_process_priority: Leave priority alone: priority_done
is <2>
Mar 11 11:55:40 src@esgaroth ntpd[7515]: precision = 2.000 usec
Mar 11 11:55:40 src@esgaroth ntpd[7515]: ntp_io: estimated max descriptors: 1024, initial socket
boundary: 16
Mar 11 11:55:40 src@esgaroth ntpd[7515]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Mar 11 11:55:40 src@esgaroth ntpd[7515]: bind() fd 17, family 10, port 123, scope 0, addr ::,
in6_is_addr_multicast=0 flags=129 fails: Address already in use
Mar 11 11:55:40 src@esgaroth ntpd[7515]: unable to bind to wildcard socket address :: - another
process may be running - EXITING 

>From a couple of google searches it seems like this could be a ntp bug but I just wanted to know
if anybody has seen this problem and found any workaround.

Best regards


--------------------------------
Being in the majority means that most people agree with you; it does not mean that you are right.
--------------------------------


 
____________________________________________________________________________________
Don't pick lemons.
See all the new 2007 cars at Yahoo! Autos.
http://autos.yahoo.com/new_cars.html 

Re: [Devil-Linux-discuss] S-ATA support and/or newer kernel

[Heiko Z. <he...@zu...>]

On Tue, March 6, 2007 07:42, Martin Hotze wrote:
>

> Hello,
>
>
> some time ago I asked for S-ATA support. IMHO this problem can be solved
> by using a 2.6 kernel.
>
> We are running more and more into the problem of having no IDE drives
> but S-ATA drives, so we either have to workaround or use different
> solutions.
>
> So is there a foreseeable estimate for the 2.6 kernel (or a support for
> S-ATA drives)?

Serge was working on the DL 1.3 (which uses Kernel 2.6) and created a list
of things which have to be fixed.
Time is a bit of a problem right now, so it would be helpfull if more
people would grab the dev environment and help working on it.

-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

[Devil-Linux-discuss] S-ATA support and/or newer kernel

[Martin H. <ma...@ho...>]

Hello,

some time ago I asked for S-ATA support.
IMHO this problem can be solved by using a 2.6 kernel.

We are running more and more into the problem of having no IDE drives
but S-ATA drives, so we either have to workaround or use different
solutions.

So is there a foreseeable estimate for the 2.6 kernel (or a support for
S-ATA drives)?

Thanks, Martin

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Heiko Z. <he...@zu...>]

On Mon, March 5, 2007 11:55, Bruce Smith wrote:
>> A newer version of DL is not on the FTP server in the testing
>> directory.
>
> "not"?  :-)

crap....

A newer version of DL is NOW on the FTP server in the testing directory.

-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Bruce S. <bw...@ar...>]

> A newer version of DL is not on the FTP server in the testing directory.

"not"?  :-)

 - BS

Re: [Devil-Linux-discuss] Request: apache version 2.2.4

[Heiko Z. <he...@zu...>]

On Mon, March 5, 2007 10:05, Peter Jannesen wrote:
> Hi,
>
>
> Version apache-httpd 2.2.3 has a nasty bug in mod_proxy that makes it
> unusable (it tring to use a closed connection to the backend server).
> Version 2.2.4 is release some time a go and according to the change log
> this bug is fixed. Are there any planes to update apache httpd to 2.2.4 in
> the near future?

It will be included in the next release.


-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Heiko Z. <he...@zu...>]

On Sun, March 4, 2007 12:15, Heiko Zuerker wrote:
> OOPS sorry for that (small typo, big effect).
> I'm going to compile a new version and upload it into the testing
> directory on the ftp server tomorrow.

A newer version of DL is not on the FTP server in the testing directory.
It should contain all the iptables modules.

-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

[Devil-Linux-discuss] Request: apache version 2.2.4

[Peter J. <P.J...@vi...>]

Hi,
=20
Version apache-httpd 2.2.3 has a nasty bug in mod_proxy that makes it
unusable (it tring to use a closed connection to the backend server).
Version 2.2.4 is release some time a go and according to the change log
this bug is fixed. Are there any planes to update apache httpd to 2.2.4
in the near future?
=20
Thanks,
-- Peter

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Bruce S. <bw...@ar...>]

> > A better solution (IMO) would be a modification to openssh so it shuts
> > down an IP for a [configurable] period of time, after a [configurable]
> > number of bad authentication attempts.  I even suggested that to one of
> > the openssh developers I once had a small email thread with.
> 
> You are not talking approximately about this: denyhosts.sourceforge.net
> 
> I considered it, but I don't like any extra daemons lurking there 
> (watching ssh log for bad login attempts).
> 
> It can also act as an wrapper, so it will control openssh daemon. It 
> restarts it if it has to block an IP, or something.
> 
> iptables, even with the scp problem you discussed above, is independent, 
> protocol neutral, wrapper/daemon-free solution.  I like it that way, and 
> I do understand it is a matter of taste.

I agree.

I've looked at ssh "wrappers", but I also don't like the extra daemons
or cron jobs running.  Especially since a non-standard port + ssh-keys
works great for me.

I really don't think we'll see ssh brute force bots looking at
non-standard ports for a LONG time (not until everyone stops using 22).
With 64K ports available, that's a LOT of extra scanning to do.

 - BS

Re: [Devil-Linux-discuss] =?iso-8859-1?q?Bugreport_for=091=2E2=2E13?= =?iso-8859-1?q?=3A=09/usr/lib/iptables/libipt=5Frecent=2Eso_is_still_miss?= =?iso-8859-1?q?ing?=

[Martin G. <sou...@gl...>]

On Sunday 04 March 2007 09:54, Bruce Smith wrote:
> > I'm not commenting on the problem here, but a possible enhancement for
> > the default firewall script of DL.  See below:
> >
> > # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
> > iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
> >    --state NEW -m recent --set
> > iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
> >    --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
> >
> > This one does not create an additional queue like most other solutions
> > for this common problem.  I've found these 2 lines at the end of
> > firewall script to be rather effective, yet problemless.
> >
> > No more brute-force-attack-trash in ssh log files.  You might want to
> > increase 300 seconds to 1800 for 30 minutes.
>
> I've done similar things in some of my firewall scripts to combat the
> brute-force ssh attacks.
>
> The main problem occurs if you do a lot of scp's.  Each scp initiates a
> new ssh connection, and you end up locking yourself out for the time
> period.
>
> The best way I've found to harden ssh against the brute-force attacks is
> to have ssh listen on a high/non-standard port number, and do not allow
> password authentication (ssh keys only).
>
> I've never had a brute force attacker find one of my non-standard ssh
> ports, and even if they did, they could never login because they are
> trying passwords (which I don't allow).
>
> A better solution (IMO) would be a modification to openssh so it shuts
> down an IP for a [configurable] period of time, after a [configurable]
> number of bad authentication attempts.  I even suggested that to one of
> the openssh developers I once had a small email thread with.
>

While we ae on the topic of blocking ssh attacks, I found this article which 
lists the pros and cons of various methods - 
http://www.la-samhna.de/library/brutessh.html

I currently use sshblock on a number of my machines and it is configurable and 
works very well - the only issue is that ssh has to be built with 
tcp_wrappers support (not currently in Devil).

Is there any way of getting tcp_wrappers into DL?

Thx

Martin

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Kari M. <kar...@tr...>]

Bruce Smith wrote:
>> I'm not commenting on the problem here, but a possible enhancement for 
>> the default firewall script of DL.  See below:
>>
>> # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
>> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>>    --state NEW -m recent --set
>> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>>    --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
>>
>> This one does not create an additional queue like most other solutions 
>> for this common problem.  I've found these 2 lines at the end of 
>> firewall script to be rather effective, yet problemless.
>>
>> No more brute-force-attack-trash in ssh log files.  You might want to 
>> increase 300 seconds to 1800 for 30 minutes.
> 
> I've done similar things in some of my firewall scripts to combat the
> brute-force ssh attacks.
> 
> The main problem occurs if you do a lot of scp's.  Each scp initiates a
> new ssh connection, and you end up locking yourself out for the time
> period.

Mmm..  So true.  I haven't seen it happen, but that is a limitation.

Architecture change would limit damages here: only push a semaphore to 
the remote servers containing a timestamp when they will begin a pull of 
files from a central sharepoint.  It is more complicated, but the world 
is :-)

On sharepoint you obviously don't have those two iptables lines in fw 
script.

> The best way I've found to harden ssh against the brute-force attacks is
> to have ssh listen on a high/non-standard port number, and do not allow
> password authentication (ssh keys only).  

Agree.  Nowadays I default to ssh-keys-only setup.

> I've never had a brute force attacker find one of my non-standard ssh
> ports, and even if they did, they could never login because they are
> trying passwords (which I don't allow).
> 
> A better solution (IMO) would be a modification to openssh so it shuts
> down an IP for a [configurable] period of time, after a [configurable]
> number of bad authentication attempts.  I even suggested that to one of
> the openssh developers I once had a small email thread with.

You are not talking approximately about this: denyhosts.sourceforge.net

I considered it, but I don't like any extra daemons lurking there 
(watching ssh log for bad login attempts).

It can also act as an wrapper, so it will control openssh daemon. It 
restarts it if it has to block an IP, or something.

iptables, even with the scp problem you discussed above, is independent, 
protocol neutral, wrapper/daemon-free solution.  I like it that way, and 
I do understand it is a matter of taste.

>  - BS

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Heiko Z. <he...@zu...>]

OOPS sorry for that (small typo, big effect).
I'm going to compile a new version and upload it into the testing
directory on the ftp server tomorrow.

Heiko

On Sun, March 4, 2007 05:39, Vesselin Kostadinov wrote:
> Sorry to bother you again with this but libipt_recent.so is not there
> despite of the announced "addition of missing iptables modules". The
> problem was introduced in 1.2.12.
>
> To reproduce it execute:
>
>
> #/sbin/modprobe ipt_recent
> #iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
>
>
> (the last command is just to illustrate the problem, it is not part of
> the normal firewall script)
>
> The error message is:
>
>
> iptables v1.3.7: Couldn't load match
> `recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object
> file:
> No such file or directory
>
>
> Note that the actual kernel module ipt_recent is there:
>
>
> /lib/modules/2.4.34-grsec/kernel/net/ipv4/netfilter/ipt_recent.o
>
>
> The missing file seems to be a library that is needed by this module.
>
>
>
> Regards
>
>
> Vesselin
>
>
> -------------------------------------------------------------------------
>  Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>  _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>
>


-- 

Regards
  Heiko Zuerker
  http://www.devil-linux.org

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Bruce S. <bw...@ar...>]

> I'm not commenting on the problem here, but a possible enhancement for 
> the default firewall script of DL.  See below:
> 
> # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>    --state NEW -m recent --set
> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>    --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
> 
> This one does not create an additional queue like most other solutions 
> for this common problem.  I've found these 2 lines at the end of 
> firewall script to be rather effective, yet problemless.
> 
> No more brute-force-attack-trash in ssh log files.  You might want to 
> increase 300 seconds to 1800 for 30 minutes.

I've done similar things in some of my firewall scripts to combat the
brute-force ssh attacks.

The main problem occurs if you do a lot of scp's.  Each scp initiates a
new ssh connection, and you end up locking yourself out for the time
period.

The best way I've found to harden ssh against the brute-force attacks is
to have ssh listen on a high/non-standard port number, and do not allow
password authentication (ssh keys only).  

I've never had a brute force attacker find one of my non-standard ssh
ports, and even if they did, they could never login because they are
trying passwords (which I don't allow).

A better solution (IMO) would be a modification to openssh so it shuts
down an IP for a [configurable] period of time, after a [configurable]
number of bad authentication attempts.  I even suggested that to one of
the openssh developers I once had a small email thread with.

 - BS

Re: [Devil-Linux-discuss] Bugreport for 1.2.13: /usr/lib/iptables/libipt_recent.so is still missing

[Kari M. <kar...@tr...>]

Vesselin Kostadinov wrote:
> Sorry to bother you again with this but libipt_recent.so is not there despite 
> of the announced "addition of missing iptables modules". The problem was 
> introduced in 1.2.12.
> 
> To reproduce it execute:
> 
> #/sbin/modprobe ipt_recent
> #iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
> 
> (the last command is just to illustrate the problem, it is not part of the 
> normal firewall script)

I'm not commenting on the problem here, but a possible enhancement for 
the default firewall script of DL.  See below:


# Rate limit ssh connection attempts to 3 per 5 minutes per IP.
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
   --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
   --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP


This one does not create an additional queue like most other solutions 
for this common problem.  I've found these 2 lines at the end of 
firewall script to be rather effective, yet problemless.

No more brute-force-attack-trash in ssh log files.  You might want to 
increase 300 seconds to 1800 for 30 minutes.

..and yes, the 2 lines above require a working ipt_recent.


> The error message is:
> 
> iptables v1.3.7: Couldn't load match 
> `recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object file: 
> No such file or directory
> 
> Note that the actual kernel module ipt_recent is there:
> 
> /lib/modules/2.4.34-grsec/kernel/net/ipv4/netfilter/ipt_recent.o
> 
> The missing file seems to be a library that is needed by this module.
> 
> 
> Regards 
> 
> Vesselin