Posts

Apache Webserver, PHP, and Software Collections on RHEL7

The relatively short lifespan of PHP versions does not bode well with Extended Release Operating Systems like Red Hat Enterprise Linux and CentOS. The longevity of the OS is, perhaps, one of the most attractive features for server owners and Administrators. However, as with most things in life, there's always a trade-off. Extended Release Operating Systems provide a long "shelf life" and ongoing support and development for the most important part of a server. It's not surprising then that "bleeding edge" software isn't readily available in the default software repositories. This creates a dilemma in the days of DevOps and increasing Internet penetration. Software Collections have made this type of scenario less problematic. Software Collections provides a repository for more recent, development versions of software that are always separated from the system-wide software installations of a server. This allows us, for example, to run different ver…

Resource Load Tips and Tricks

Redirect dynamic page to static page if resource issues arise from high traffic to a single Webpagesar -qtop -cnetstat -antplsof -itcplsof -i :80

When you see the PID that is connecting to a remote port 80 rather than accepting a connection to local port 80, use lsof -p on that pid number to find the working directory of it.

Security
Check if we support insecure SSLv2:
openssl s_client -connect 127.0.0.1:443 -ssl2Check for outbound connections to remote port 80netstat -atnp |awk '$5 ~ /80/ {print $0}'The script above this line uses regex to search for "80" within the 5th column of the `netstat -atnp` command outputnetstat -atnp |awk '$5 ~ /80$/ {print $0}'Will do the same, making sure the string search looks for "80" at the end of a stringnetstat -atnp |awk '$5 ~ /:80$/ {print $0}'Will do the same, making sure the string search looks for "80" at the end of a string AND is preceded by a colon.


Red Hat Addresses Critical Firefox Vulnerability

On April 26th, 2016, Red Hat 5, 6, and 7 along with its community-supported counterpart CentOS have released a major new Firefox upgrade to address a number of Critical vulnerabilities in the Extend Support Release (ESR) version of Mozilla's browser software.  The version number jumps to 45 from the current 38.  According to the Security Advisory, Mozilla reported that the Firefox version available for Enterprise Linux distributions--i.e. 38.8--could allow
 "A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
(CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814)"
Upstream, Mozilla's Security Advosories page for the Extended Support Release (ESR) of Firefox tracks this issue and has some relevant links for the different vulnerabilities addressed by this major update.

firefox-45.1.0-1.el7_2.src.rpm

Buffer Overflow in libstagefright  First, the…

RHEL 7 and CentOS 7 syslog Rate Limit

https://access.redhat.com/solutions/1417483 In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module Lower Ratelimit Interval Lower the interval for rate-limiting and increase the burst level in order to minimize the possibility of losing log messages when the threshold is reached for the specified number of messages logged within the specified interval. Rate-limiting is specific to each process, so there's usually no reason to change this. It is also inadvisable to disable this feature entirely! grep -i rate /etc/systemd/journald.conf #RateLimitInterval=30s #RateLimitBurst=1000 RateLimitInterval=10s RateLimitBurst=3000 grep -i rate /etc/rsyslog.conf #$imjournalRatelimitInterval 600 <--default $imjournalRatelimitInterval 300 $imjournalRatelimitBurst 30000 journal corruption journalctl --verify journalctl --force

Centos 7 pulseaudio

Image
Centos 7 doesn't come with an option for `awesome-wm` installation.  Therefore, the only way to make use of this light-weight tiling manager one has to enable Fedora 19 repo or build the package from source.  For the Fedora 19 repo approach, see:

https://gist.github.com/ILMostro/1909a50e1858d0ee7e10

To use without GDM, GNOME's display manager, and without gnome services, one has to be aware of certain shortcomings that the gnome-services provide by default.  One such shortcoming is the lack of built-in Sound and Volume management.  Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter.  These packages are available from the "nux-desktop" repository available at at http://li.nux.ro/repos.html .
nux-desktop My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at your OWN RISK!

Some of…

cPanel Removal

It's a poorly-kept secret that cPanel wants to prevent Server owners and/or administrators from being able to purge their systems from the rootkit-like software.  While they've recently made a change claiming to focus on support for primarily rpm-based Linux distributions, i.e. mainly Red Hat and CentOS; cPanel software breaks almost EVERYTHING RHEL/rpm-related on the system!

Their use of binary packages and perl scripts along with choosing to disable SELinux completely puts this outdated and soon-to-be obsolete software in direct conflict with anything Linux! I wish they had switched to support Windows instead.

In any case, here's yet another blog post online outlining the procedure attempting to, relatively cleanly, remove cPanel from a VPS running CentOS 7 in a Virtuozzo container.
yum list \*cpanel\* yum remove \*cpanel\*
Remove the line in /etc/yum.conf starting with "exclude".
# cat /etc/yum.conf [main] #; exclude=courier* dovecot* exim* filesystem httpd…

LUKS Encryption and Unattended boot on Headless Servers

The anaconda installer on Redhat-based Linux distributions provides the user with an option to encrypt the /home partition by selecting a simple check-box. This adds an obviously valuable security/privacy feature to the system if it's selected. Consequently, this prompts the user for a password during the boot process, which then decrypts the partition and mounts it in the designated location on the filesystem. The default behaviour is not very well suited for unattended reboots or on headless servers. The crypttab(5) manual page provides great information on how to facilitate the process for unattended boots: DESCRIPTION
The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two …