Question regarding conman folder in /var/log

gman88
Posts: 3
Joined: 2010/06/05 05:56:20

Question regarding conman folder in /var/log

Post by gman88 » 2010/12/16 21:31:52

Wow - I'd never had any security breaches and in the last 3 months I've had 2, and possibly, another. This is an idiotic question but I just started using CentOS after using Slackware for years. I'm in a panic, at the moment, as there may be an issue with a shopping cart on my server (and the server, itself). This is on CentOS 5.5 with SELinux disabled and no firewall. Those things are disabled (1) because security has never really been a problem, and, (2) because I run a mail server and they make all of that significantly more complicated. And, all IP addresses are blocked for FTP and SSH (using the /etc/hosts.deny file) with the exception of one (my place of employment - and I'm the only employee). So if there's a problem I am assuming it's a vulnerability in a web-based script. Good lord - at this point, I don't know.

Anyway - should there be a folder at /var/log called conman - and one called conman.old? Is this a package that I would have had to install, in other words...? I've Googled it and it's not clear to me if this is a default package that gets installed with CentOS, usually, or some sort of hack. I know that it's a real *nix package but does it get generated/installed during a standard installation of CentOS?

Thanks for any input.

gerdesas
Posts: 32
Joined: 2009/04/21 18:03:13
Location: Manchester, TN USA

Re: Question regarding conman folder in /var/log

Post by gerdesas » 2010/12/17 00:11:10

I normally avoid the CentOS forums for various reasons, but Akemi mentioned this post on one of the IRC channels and I had a few moments to spare.

There is so much FUD in this I don't quite know where to start.

You have an Internet facing machine with no firewall and SELinux disabled and you are surprised that you've had security problems? Really?

There is absolutely *no* reason not to be running with SELinux enabled; running without a firewall is nuts. Your claim that SELinux and a firewall make your webserver more complicated is just plain wrong. You also make a statement of "security has never really been a problem". Meh. Security is *always* a problem. Thinking otherwise is just silly.

I'm sorry if this comes across as gruff and rude but you have a responsibility to others on the Internet to keep your server(s) as secure as possible; when you don't you are placing the rest of us at additional risk and that's extremely selfish. I am not a fan of the Red Hat firewall utilities but the fact is they *work*; and tools are provided to assist you with setting up and maintaining the firewall ruleset.

As far as SELinux...

Spend the time to read the documentation and other resources and you will find that it is time very well spent.

A real life example of why SELinux is a good thing: http://www.linuxjournal.com/article/9176

All useful resources for SELinux:

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
http://fedorasolved.org/security-solutions/selinux-module-building
http://centoshelp.org/security/selinux-common-commands-troubleshooting

Also http://www.centos.org/docs/5/ and http://wiki.centos.org are treasure troves of information.


As for your question regarding /var/log/conman and /var/log/conman.old - these are legitimate directories. "rpm -qf /var/log/conman" will show you what package owns the directory, in this case "conman" and then "rpm -qi conman" will tell you what the package is. "rpm -qvl conman" will list the other contents of the package. You can verify the integrity of the package with "rpm -V conman" if you feel a need to do so.

I've not done a manual install for years so I don't know for sure whether this package is installed by default but gut hunch says no as it is somewhat of a niche package. Read the description as given by "rpm -qi conman" to determine if you need it and if you don't then remove it.

Now that is out of the way, I don't see any evidence from your original post as to what makes you believe that your server has been compromised other than there "might" be a problem with your cart. Guessing games are completely unproductive. Do you have evidence that there has been a compromise? If so, what is that evidence?
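The rpm -qf / -qi / -V procedure described in the reply above, wrapped into a script as an added example (not code from the thread): the parser turns "rpm -V" output into plain words and flags the two cases worth attention, a path no package owns and a non-config file whose digest differs. The sample "rpm -V" lines and their file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Works against any RPM database;
# the parser below is exercised with constructed sample lines.

# Read "rpm -V" lines on stdin. Each line is a column of tests (S size,
# M mode, 5 digest, D device, L symlink, U owner, G group, T mtime,
# P capabilities; '.' = passed, '?' = not testable), an optional file-type
# marker (c config, d doc, g ghost, l license, r readme) and the path,
# or the word "missing" followed by the marker and path.
explain_rpm_verify() {
    while IFS= read -r line; do
        set -- $line                      # split on whitespace: flags [type] path
        [ $# -ge 2 ] || continue
        flags=$1
        if [ $# -ge 3 ]; then kind=$2; path=$3; else kind=""; path=$2; fi
        if [ "$flags" = missing ]; then
            printf '%s: missing from disk\n' "$path"
            continue
        fi
        changed=""
        rem=$flags
        while [ -n "$rem" ]; do
            c=${rem%"${rem#?}"}           # first character of the remaining flags
            rem=${rem#?}
            case $c in
                .) ;;
                S) changed="$changed size" ;;        M) changed="$changed mode" ;;
                5) changed="$changed digest" ;;      D) changed="$changed device" ;;
                L) changed="$changed symlink" ;;     U) changed="$changed owner" ;;
                G) changed="$changed group" ;;       T) changed="$changed mtime" ;;
                P) changed="$changed capabilities" ;; *) changed="$changed untestable" ;;
            esac
        done
        changed=${changed# }
        note=""
        case "$changed" in
            *digest*) if [ "$kind" = c ]; then note=" (config file, local edits are expected)"
                      else note=" (content differs from the package: investigate)"; fi ;;
        esac
        printf '%s: %s changed%s\n' "$path" "$changed" "$note"
    done
}

# Live check against the local RPM database (needs rpm; not run offline).
# A path that no package owns is the case that deserves a closer look.
check_path_owner() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "$1: not owned by any package"; return 1; }
    echo "$1: owned by $pkg"
    rpm -qi "$pkg" | grep '^Summary'      # what the package is for
    rpm -V "$pkg" | explain_rpm_verify    # no output from rpm -V means every file matches
}
```

On a real system, `check_path_owner /var/log/conman` runs the whole procedure; only a path that is unowned or a non-config file with a changed digest should prompt further work.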

movieman
Posts: 180
Joined: 2008/03/20 05:19:16
Location: Canada

Question regarding conman folder in /var/log

Post by movieman » 2010/12/17 16:43:40

gman88 wrote:
"Anyway - should there be a folder at /var/log called conman - and one called conman.old?"

Yes.

Or, at least, it's on every CentOS machine that I've looked at. And it's empty on all of them.
