Atomic Secure Linux
 Post subject: IPtables GRSEC FC4
Posted: Sat Apr 08, 2006 12:56 pm
Forum Regular
Scott, will you be compiling iptables Filters into the kernel for FC 4?

It appears not to be compiled in the current kernel available in ASL testing.
Quote:
/sbin/iptables -t filter -L
iptables v1.3.0: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


rpm -qa | grep iptables
iptables-1.3.0-2

Thanks

_________________
If a man lives with two poems,
he shall be unfaithful to one.
by Mark Strand


 Post subject:
Posted: Sat Apr 08, 2006 1:09 pm
Atomicorp Staff - Site Admin
netfilter is built into every kernel we build (we wrote a book about it after all :P). Are you on a 1and1 box? The message is telling you what the issue is: the iptable_filter and/or the ip_tables kernel modules aren't loaded. Normally this occurs on demand, and it doesn't involve any user interaction to load. If you're on a 1and1 box, I'm guessing that they've continued their legacy of internal OS damage that we need to create some exceptions for.


 Post subject: 1and1
Posted: Sat Apr 08, 2006 1:19 pm
Forum Regular
Didn't mean to suggest this is a "fault" caused by ASL. Forgive me.

Yes, this is a 1and1 box.

I ran the /sbin/iptables -t filter -L and got the message listed, and also tried

/sbin/iptables -A INPUT -s xx.xxx.x.x/xx -j DROP and received the same notice.

iptables v1.3.0: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Yeah, for 1and1 again. :shock:

 Post subject:
Posted: Sat Apr 08, 2006 2:07 pm
Atomicorp Staff - Site Admin
Well, the good news is that you could install it without having to do anything weird. Do you know if they had the standard FC4 kernel on the system, or did they put their own on there? Were there any error messages during the installation?


 Post subject:
Posted: Sat Apr 08, 2006 4:37 pm
Forum Regular
scott wrote:
Well, the good news is that you could install it without having to do anything weird. Do you know if they had the standard FC4 kernel on the system, or did they put their own on there? Were there any error messages during the installation?

Hope I understand you for a correct response.

The original kernel was an FC4 from fedora. At least it was reflected as so when checking the original kernel.

Install insmod? Tried that with the default yum.repox.xxxxx as well as the channels added to yum.conf.art.

The yum install insmod reports: nothing to install.

In reference to errors; I received several dependency errors on the initial yum update after setup and before adding ASL and other atomicrocketturtle channels but no errors after doing so.

So tell us please; when is AtomicCorp gonna build an OS that is as efficiently controlled and maintained as with the modifications you currently offer us? :roll:

 Post subject:
Posted: Sun Apr 09, 2006 10:13 am
Atomicorp Staff - Site Admin
Ah, so they are rolling the standard FC4 kernel now? I don't suppose you have a log of any of the output when you installed it, do you?

As a side note, there is a new ASL release (2.6.14.6) in the asl-testing channel, although there is no difference in the way it creates its dependency table and the way the 2.6.11 version does.

I'm not sure I understand your last question there. ASL does work with an uncustomized version of FC4 now. This could be something in the nature of the way 1and1 has modified the OS, in which case we'll support it, we just need more details.

insmod should already be installed, unless they removed it. You shouldn't normally have to do this on any unmodified Fedora distribution, but you can try running the insmod commands manually (we'll use modprobe instead of insmod, it will do automatic module dependency resolution... assuming they didn't break it!):

modprobe iptable_filter

You can look at the loaded modules with:
lsmod

You should see iptable_filter, and ip_tables loaded into the kernel


 Post subject: Same methods, different results
Posted: Mon Apr 10, 2006 11:45 am
Forum Regular
Both server installations of Plesk 8/FC4 were performed exactly the same, yet the setups are obviously different for some reason.

Results from Server 1

# /sbin/modprobe iptable_filter
FATAL: Module iptable_filter not found.

# /sbin/lsmod
Module Size Used by
binfmt_misc 12168 1
dm_mod 59512 0
thermal 13864 0
processor 25284 1 thermal
fan 4772 0
floppy 63172 0
generic 4836 0 [permanent]
ide_generic 1504 0 [permanent]

Results from Server 2 - exact steps in re-image as with Server 1.

# /sbin/modprobe iptable_filter
FATAL: Could not load /lib/modules/2.6.16-rc6-060319a/modules.dep: No such file or directory

# /sbin/lsmod
Opening /proc/modules: No such file or directory

We installed the kernel from ASL testing and the following information is duplicated before the ASL kernel and afterward.

I'm at a loss to understand this. Is this a 1and1 thing, . . . again? Back to the beginning, I suppose.

About the logs, unless there is a copy still on the server somewhere I do not have one. If there is an archive, point me to it and I'll be happy to provide it.

_________________
If a man lives with two poems,
he shall be unfaithful to one.
by Mark Strand


Top
 Profile  
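The failure modes reported in the post above (module not found, missing modules.dep, missing /proc/modules) can be told apart with a short check. This is an added example, not code from the thread or from Atomicorp; the function name `diagnose_netfilter`, its result tokens and the overridable proc and module roots are assumptions made for illustration, and it targets the legacy iptables modules discussed here.

```shell
#!/bin/sh
# Added example: classify why the iptables `filter` table cannot be
# initialised. The proc and module roots are parameters (an assumption of
# this example) so the check also runs against constructed directories.

diagnose_netfilter() {
    krel=$1                      # kernel release, e.g. "$(uname -r)"
    proc=${2:-/proc}
    modroot=${3:-/lib/modules}
    dep="$modroot/$krel/modules.dep"

    # Table already registered (module loaded or code built in).
    # Reading this file on a live host normally requires root.
    if grep -qx filter "$proc/net/ip_tables_names" 2>/dev/null; then
        echo "registered"; return 0
    fi
    # Server 2, lsmod symptom: /proc/modules cannot be opened.
    if [ ! -e "$proc/modules" ]; then
        echo "no-module-support"; return 1
    fi
    # Server 2, modprobe symptom: no dependency table for this kernel.
    if [ ! -f "$dep" ]; then
        echo "no-modules-dep"; return 1
    fi
    # Server 1: dependency table exists but does not list the module.
    if ! grep -q '/iptable_filter\.ko' "$dep"; then
        echo "module-missing"; return 1
    fi
    # Module is on disk but not loaded: `modprobe iptable_filter` should work.
    echo "loadable"; return 0
}

# Live use (as root): diagnose_netfilter "$(uname -r)"
```

Any result other than `registered` means no filter rules are being enforced on the host, so it is worth running before relying on the firewall.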
 
 Post subject:
Posted: Mon Apr 10, 2006 9:50 pm
Atomicorp Staff - Site Admin
Damn it, they're still meddling with the kernel. Why the hell they do that is completely beyond me. Back with the 2.4 kernels I could understand it, they were using the xfs file system and that wasn't available in RH9.

That second kernel error tells me they didn't even do the module support correctly. On a scale of 1 to 10 as far as screwing up the system goes, that's about an 8.

Catch me online sometime, so we can debug this together. I'd like to write a script to work as a 1and1 installer.

As a side note, are they still ruining the file system too?


 Post subject: VAR vs HOME
Posted: Mon Apr 10, 2006 10:58 pm
Forum Regular
In short... What was once /home/httpd/vhosts is now /var/www/vhosts

 Post subject:
Posted: Tue Apr 11, 2006 5:50 am
Long Time Forum Regular
The change to /var/www/vhosts is standard on new Plesk installations. Changed somewhere around 7.5.x.


 Post subject:
Posted: Tue Apr 11, 2006 7:30 am
Atomicorp Staff - Site Admin
Is /var still a 500m partition? :P I was working on scripting something up using parted to fix that as well.


 Post subject:
Posted: Tue Apr 11, 2006 10:33 am
Forum Regular
Here's the current FC4 partition table as 1and1 makes it (on a Root Server 2)

Quote:
[root@u######## etc]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 479M 150M 305M 33% /
none 505M 0 505M 0% /dev/shm
/dev/sda5 4.7G 979M 3.8G 21% /usr
/dev/sda7 63G 345M 63G 1% /var
/dev/sda6 4.7G 148K 4.7G 1% /home


 Post subject:
Posted: Tue Apr 11, 2006 5:42 pm
Atomicorp Staff - Site Admin
Oh yeah, that's definitely no better. I'll have to rekick the atomicorp.com box and take another stab at a parted script to fix it.


 Post subject:
Posted: Wed Apr 12, 2006 3:26 pm
Forum Regular
A parted script to fix this issue would be greatly appreciated. I have been fooling around trying to fix it myself and getting nowhere. BTW, there is still a problem with the image used by 1and1 and they now suggest to install fc2 with 7.5.4. Here is the email they sent me in response to my problems...

Quote:
Thank you for contacting us.

We are currently working with SWsoft regarding the problems you've experienced with our Plesk 8 image. As of right now, we advise that you reimage with Fedora Core 2 with Plesk 7.5.

If you have any further questions please do not hesitate to contact us.

