Help with RH/CentOS
70 views
Skip to first unread message
Rohit Yadav
May 28, 2012, 12:26:19 AM5/28/12
to foss-...@googlegroups.com
Hey folks,
This is serious, I want you all to read and contribute your comments.
As you may know the VPN server was down for 2-3 days (why? it was all vandalism)
RHEL6 is what was running and we had to reinstall it but we lost access to RHN (RedHat Network); without RHN one cannot update/upgrade/install pkgs from redhat's repos.
When the server came, pankaj yadav (min07) registered the institutional server with his personal email but not his name; without the RHN login/password, we cannot register the machine.
We emailed Dell/RedHat support, their reply was that pankajd...@gmail.com is the admin email of the RHEL server subscription without whose permission they cannot transfer the subscription; hence I cannot install/upgrade pkgs.
Pk's had some issues with the management team, but `rm -fr /` is no way to behave. I'm tired of defending my friend at multiple levels, he just demoted himself to a cracker?
As my inbox was flooded by the VPN users, I found a way around by using CentOS x86_64 rpms. This is a bad hack, we want to install more services, so you can have access to computation (we've a powerful server and a small cluster) as well, I need your help, the rpms used were really old and I see VPN server crashing every now and then.
Now that pk's absconding, it's will be almost a week now and neither pk nor his min07 friends would entertain my call/email. In a recent reply I got this morning, one of his min07 friends tells me that they've swore some oath, total BS; or may be they are just kidding. This is serious. If the server goes down, who suffers, everyone who uses VPN/Squid proxy on 10.3.31.250.
This is serious, I want you all to read and contribute your comments.
As you may know the VPN server was down for 2-3 days (why? it was all vandalism)
RHEL6 is what was running and we had to reinstall it but we lost access to RHN (RedHat Network); without RHN one cannot update/upgrade/install pkgs from redhat's repos.
When the server came, pankaj yadav (min07) registered the institutional server with his personal email but not his name; without the RHN login/password, we cannot register the machine.
We emailed Dell/RedHat support, their reply was that pankajd...@gmail.com is the admin email of the RHEL server subscription without whose permission they cannot transfer the subscription; hence I cannot install/upgrade pkgs.
Pk's had some issues with the management team, but `rm -fr /` is no way to behave. I'm tired of defending my friend at multiple levels, he just demoted himself to a cracker?
As my inbox was flooded by the VPN users, I found a way around by using CentOS x86_64 rpms. This is a bad hack, we want to install more services, so you can have access to computation (we've a powerful server and a small cluster) as well, I need your help, the rpms used were really old and I see VPN server crashing every now and then.
Now that pk's absconding, it's will be almost a week now and neither pk nor his min07 friends would entertain my call/email. In a recent reply I got this morning, one of his min07 friends tells me that they've swore some oath, total BS; or may be they are just kidding. This is serious. If the server goes down, who suffers, everyone who uses VPN/Squid proxy on 10.3.31.250.
I'm asking the community how can we regain contact with him, get back our server's subscription?
Lastly, we need volunteers for managing the WMG VPN server and the grid, contact on w...@itbhu.ac.in
Shishir Mittal
May 28, 2012, 12:52:22 AM5/28/12
to foss-...@googlegroups.com
A. Gather proofs of what you say.
B. Have a telecon with the customer care for RHN. The servers are still the property of the institute. Explain the situation and ask them what it takes to change the admin id.
C. Take the issue to the highest level (WMG head/ IT-Director etc.) Explore the possibility of some type of heavy penality (may be financial). The degree has not been awarded yet! People just can't mess up with Institute property like that.
--
Shishir
--
You received this message because you are subscribed to the Google Groups "FOSS@ITBHU" group.
To view this discussion on the web visit https://groups.google.com/d/msg/foss-itbhu/-/j6UZbn-fztMJ.
To post to this group, send email to foss-...@googlegroups.com.
To unsubscribe from this group, send email to foss-itbhu+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/foss-itbhu?hl=en.
Rohit Yadav
May 28, 2012, 1:05:00 AM5/28/12
to foss-...@googlegroups.com
Thanks Shishir bhaiya for the suggestions.
I've called one his friends for the last time, he confirmed that pk is in hostel.
If he still fails to contact us, we'll take the actions as you suggested.
Regards.
I've called one his friends for the last time, he confirmed that pk is in hostel.
If he still fails to contact us, we'll take the actions as you suggested.
Regards.
Atul Aggarwal
May 28, 2012, 1:17:38 AM5/28/12
to foss-...@googlegroups.com
Rahul also make sure he has no control over other Itbhu services (such as email or other servers). --
Regards,
Atul Aggarwal
Regards,
Atul Aggarwal
Rohit Yadav
May 28, 2012, 3:06:44 AM5/28/12
to foss-...@googlegroups.com
Thanks everyone, the matter seems to be almost resolved now.
Regards.
Regards.
For more options, visit this group at http://groups.google.com/group/foss-itbhu?hl=en.
Shobhit Jindal
May 28, 2012, 3:11:21 AM5/28/12
to foss-...@googlegroups.com
We have a simple doc/sheet where what people have what type of access is listed?
One such should be present with WMG head/internally.
-Shobhit
Rohit Yadav
May 29, 2012, 4:37:43 PM5/29/12
to foss-...@googlegroups.com
For VPN/Squid users,
The VPN and Squid Proxy services have been restored using a backup, and old certificate and hence the clients should work fine. The server is reachable at;
Global: http://14.139.228.215
Local: http://10.3.31.250
If anyone is interested in inspecting vpn server's config files and source code of log-generator, the lastest version (minus the secret stuff) can be found here: https://github.com/bhaisaab/hacktools/tree/master/vpnmon
The way we're authenticating is receiving passwords from a openvpn client and sending a http POST to Google/GDATA-API using curl which would return a SID (session ID) if the supplied credentials are alright, otherwise it returns an error. We blindly regex if SID is contained in the returned string and authenticate the user successfully. I feel the way this mechanism in its current implementation is weak, insecure (for example anyone with access to the server can echo the vars and redirect to a file). Any idea on how we can have a better way of doing this? Can OAuth be implemented, but how exactly?
At present I suggest all of the users enable 2-factor auth, so that even if someone gets hold of your password they won't be able to access your itbhu.ac.in/email account. As a precaution please change your itbhu.ac.in email passwords.
The log page gets statically generated every one minute: http://14.139.228.215/stats.html (I'm not sure if this information should be made public, comment?).
Some frequently used free and opensource softwares and Linux distro ISOs are available at http://14.139.228.215/files and anyone may email me or wmg to download/mirror anything you may need.
Best regards.
The VPN and Squid Proxy services have been restored using a backup, and old certificate and hence the clients should work fine. The server is reachable at;
Global: http://14.139.228.215
Local: http://10.3.31.250
If anyone is interested in inspecting vpn server's config files and source code of log-generator, the lastest version (minus the secret stuff) can be found here: https://github.com/bhaisaab/hacktools/tree/master/vpnmon
The way we're authenticating is receiving passwords from a openvpn client and sending a http POST to Google/GDATA-API using curl which would return a SID (session ID) if the supplied credentials are alright, otherwise it returns an error. We blindly regex if SID is contained in the returned string and authenticate the user successfully. I feel the way this mechanism in its current implementation is weak, insecure (for example anyone with access to the server can echo the vars and redirect to a file). Any idea on how we can have a better way of doing this? Can OAuth be implemented, but how exactly?
At present I suggest all of the users enable 2-factor auth, so that even if someone gets hold of your password they won't be able to access your itbhu.ac.in/email account. As a precaution please change your itbhu.ac.in email passwords.
The log page gets statically generated every one minute: http://14.139.228.215/stats.html (I'm not sure if this information should be made public, comment?).
Some frequently used free and opensource softwares and Linux distro ISOs are available at http://14.139.228.215/files and anyone may email me or wmg to download/mirror anything you may need.
Best regards.
Reply all
Reply to author
Forward
0 new messages