Author: The Geek Decoder

Cron Format

January 22, 2018 The Geek Decoder No Comments Administration

How Cron works:

<Minute> <Hour> <Day_of_the_Month> <Month_of_the_Year> <Day_of_the_Week>

* * * * * *
| | | | | | 
| | | | | +-- Year              (range: 1900-3000)
| | | | +---- Day of the Week   (range: 1-7, 1 standing for Monday)
| | | +------ Month of the Year (range: 1-12)
| | +-------- Day of the Month  (range: 1-31)
| +---------- Hour              (range: 0-23)
+------------ Minute            (range: 0-59)

Examples:


0 0 * * * *                         Daily at midnight

5 minutes after midnight each day

05     0      *       *       *       root

How to setup FTP server / users on Windows 2012 R2

January 12, 2018 The Geek Decoder No Comments Windows 2012 Server

Introduction

This tutorial should assist with creating FTP server on Windows 2012 R2 – Depend on your version – Your setting might be slightly different.

Even there are too many free third-party tools like Filezilla that provide a client access to FTP serve..

Here you have the steps I followed to set up my FTP server in Windows 2012 R2.
The steps below assume you are using IIS 8.5 that comes by default with Windows 2012 R2

Prerequisites

  • A Windows 2012 R2 server.
  • An administrative account.

1- Enable Web Server (IIS) role and FTP Server role service.

  1. Log in to the server by using an administrative account
  2. Open Server Manager
  3. Go to Manage > Add Roles and Features
  4. Click Next
  5. Select Role-based or feature-based installation
  6. Click Next
  7. Select Select a server from the server pool, and select your server
  8. Click Next.
  9. Scroll down and put a check mark in Web Server (IIS)
  10. An Add features window pops up. Put a check mark in the Include management tools (if applicable) option
  11. Click Add Features button
  12. Click Next
  13. Click Next
  14. Click Next
  15. Scroll down and put a check mark in: FTP serverFTP Service and FTP Extensibility.
  16. Click Next
  17. Click Install
  18. When installation is finished, click Close

2- Create FTP users

You need to create users in Windows in order to be able to use FTP services.
You can use either local or domain users.
In this case, I will create some local users.
The only thing that changes if you use domain users is, when you log in to FTP, you must use the domain/account format.

  1. In Server Manager go to Tools
  2. Click Computer Management
  3. Click Local Users and Groups
  4. Click Users
  5. In the center pane, right-click a blank area and then select New User…
  6. Enter the username information and click the Create button
  7. Create as many usernames you need here.

Optionally, you can create a group that contains all the FTP users in the Groups folder and add the users you created above.

3- Configuring FTP global IIS settings.

You need to configure some global settings for your IIS server before creating your FTP site.
It is very easy, follow the steps below:

  1. In Server Manager go to Tools
  2. Click Internet Information Services (IIS) manager.
  3. In the left pane, double-click the server icon (in the tree below the option Start Page)
  4. If a window pops up asking about Microsoft Web Platform, select Do not show this message, and click the No button
  5. In the center pane, double-click the FTP Authentication icon
  6. If you want to allow anonymous users,right-click Anonymous Authentication and set it to Enable.
  7. To allow access to the windows users you created in Part Two above, right-click Basic Authentication and set it to Enable.
  8. In the left pane, double-click the server icon.
  9. Double click the FTP Authorization Rules option
  10. Delete all rules in the center pane.
  11. After all rules have been deleted, right-click a blank area in the center pane and select the option Add Allow Rule…
  12. Click the option Specified users.
  13. In the text box type the usernames (separated by commas) you created in Part Two above.
  14. Check either the boxes Read or Write depending the access you want to grant to the user or group of users you are adding.
  15. Click the OK button
  16. Repeat steps 8 to 15 if you want to add more users with different Read / Write permissions.

4- Creating FTP site.

  1. Open Windows Explorer
  2. Navigate to C:\inetpub\ftproot
  3. This is the default local folder where the FTP directory tree will be saved
  4. You can create your own folder in another directory or hard drive if you want.
  5. Create your own folder at this point if it is desired.
  6. Open Server Manager
  7. Go to Tools
  8. Click on Internet Information Services (IIS) Manager
  9. In the left pane, right-click the server icon (in the tree below the option Start Page)
  10. Click Add FTP Site
  11. In FTP site name type a friendly name for your site. (My FTP Site  for example)
  12. In Physical path browse to the folder you creates in steps 2 to 5
  13. Click Next
  14. In IP Address, click the drop down menu, and select the server’s IP address you want to assign to the site
  15. Port remains as 21 by default. You can change it if you want.
  16. Ensure the option Start FTP site automatically is checked
  17. Select the No SSL option if you are nor required to use certificates. Otherwise, select one of the other options.
  18. Click Next
  19. In the Authentication section, put a check mark in Anonymous If you want to allow anonymous users.
  20. Put a check mark also in Basic to allow access to users created in Part Two.
  21. In the Allow access to: drop down menu, select: Specified Users
  22. In the text box type the usernames of the users you created in Part Two.
  23. Check the box Read to grant read access to users.
  24. Check the box Write to grant write access to users.
  25. Click Finish

5- IIS Firewall setup.

  1. In Server Manager go to Tools
  2. Click Internet Information Services (IIS) manager.
  3. In the left pane, double-click the server icon (in the tree below the option Start Page)
  4. In the center pane, double-click the FTP Firewall Support icon
  5. In the Data Channel Port Range box, make sure the value is 0-0 to use the default port range.
  6. Or, you can change it if you want by your own set of ports.
  7. Click Apply
  8. Close Internet Information Services (IIS) Manager

6- Windows Firewall setup.

By default, all exceptions needed for FTP are added to the Windows Firewall at the time you enable the FTP Server role.
Anyway, for troubleshooting purposes, I will show the configuration that needs to be in place in order to allow FTP traffic in your server.

  1. Open Server Manager
  2. In the left pane, click Local Server
  3. In the right pane, click the hyperlink beside the Windows Firewall option. It should say Public:On  (or Off).
  4. The Windows firewall window opens. In the left pane click Advanced Settings
  5. The Windows Firewall with Advanced Security window opens. In the left pane click Inbound Rules.
  6. In the right pane, verify there’s a rule called FTP Server (FTP Traffic-In)
  7. Double click this rule.
  8. In the General tab, verify the option Enabled is checked.
  9. Go to the Protocols and Ports tab.
  10. Verify the Protocol type is TCP and the Local port value is 21.
  11. Go to the Advanced tab
  12. Make sure the profiles: DomainPrivate and Public are checked.
  13. Click OK button
  14. Execute the same validation in steps 7-13 for the FTP Server Passive (FTP Passive Traffic-In)rule. Except that the local port value in this rule should be1024-65535
  15. Execute the same validation in steps 7-13 for the FTP Server Secure (FTP SSL Traffic-In) rule.Except that the local port value in this rule should be 990
  16. In the left pane, click Outbound Rules
  17. Execute the same validation in steps 7-13 for the FTP Server (FTP Traffic-Out) rule. Except that the local port value in this rule should be 20
  18. Execute the same validation in steps 7-13 for the FTP Server Secure (FTP SSL Traffic-Out) rule. Except that the local port value in this rule should be 989
  19. Close all windows.

 7- Testing

  • The last part is to test your work.
  • Make sure you can connect to the FTP service, first from the local machine and then form a remote computer.
  • Try to log in, put files, get files, show folder contents, etc

Add Gzip to Plesk Server

January 12, 2018 The Geek Decoder No Comments Administration, Plesk

Instructions
Login to your Plesk server.
Select the domain you wish to enable gzip for from the left hand side.
Click in Apache and nginx settings:

Down the bottom, add the following to the “Additional nginx directives” field:

gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp image/svg+xml;
gzip_vary on;

Click OK to save.
Verify with GTMetrix.com

Another way is to set up deflate.

First you need to check the module mod_deflate is enabled on the server.

In plesk:

Or, in ssh:

 
# httpd -M |grep deflate

Then you need to create the file /etc/httpd/conf.d/deflate.conf


# vim /etc/httpd/conf.d/deflate.conf

and add the following into it.

 
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
DeflateCompressionLevel 8
</ifmodule>

Restart Apache


/etc/init.d/httpd restart

Chech here – https://checkgzipcompression.com

R1Soft error Failed to backup LVM/MD Configuration

January 10, 2018 The Geek Decoder No Comments R1Soft

R1Soft error will resemble something like – “Failed to backup LVM/MD Configuration” with running LVM based commands from R1Soft.

Usually due to an upstream vendor or repo update of the LVM binary that conflicts with the R1soft native configuration “lvm.static” command.

Error:

Failed backup of LVM configuration
Failed to execute command ‘lvm.static pvs -o pv_fmt,pv_uuid,dev_size,pv_name,pv_mda_free,pv_mda_size,pv_all,seg_all,pvseg_all,vg_all,lv_all –nameprefixes –noheadings –units b –nosuffix –unquoted’

Workaround:

# mv /usr/sbin/r1soft/lib/lvm.static /usr/sbin/r1soft/lib/lvm.static_orig


# ln -s /sbin/lvm /usr/sbin/r1soft/lib/lvm.static

Nmap Script to Test SSL Versions and Cipher Suites

January 9, 2018 The Geek Decoder No Comments Administration

Included in NMap is a script called ssl-enum-ciphers, which will let you scan a target and list all SSL protocols and ciphers that are available on that server. You can also narrow it down by specifying a port number with the -p option.

This tool comes in handy if you’re doing a vulnerability scan and you need to make some changes to a server and you want to test those changes. This will allow you to perform a quick scan without needing to do a complete vulnerability scan.

$ nmap --script ssl-enum-ciphers -p 443 testdomain.com

Starting Nmap 7.40 ( https://nmap.org ) at 2018-01-09 12:18 CST
Nmap scan report for testdomain.com (192.99.236.66)
Host is up (0.065s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Error 401: Unauthorized: Access is denied due to invalid credentials

January 5, 2018 The Geek Decoder No Comments Administration

When getting an error in Windows 2008 R2, Error 401: Unauthorized: Access is denied due to invalid credentials

See – https://www.codeproject.com/Answers/418802/Unauthorized-Access-is-denied-due-to-invalid-c#answer1

Specifically Solution 6 with a minor adjustment.

Right click on the folder in Explorer and choose Properties.

In Security tab add ‘IIS_IUSRS’ and ‘NETWORK SERVICE’ and give full control to both user.

Also check Authentication. Set up the Anonymous Authentication to Application Pool Identity. Check others and disable as needed.

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

January 5, 2018 The Geek Decoder No Comments Administration

How to Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
For Example, CentOS 7

Type the following yum command:

# uname -r
3.10.0-693.2.2.el7.x86_64


# sudo yum update

CentOS 7 output

====================================================================================================================================================================================================
 Package                                            Arch                                  Version                                                      Repository                               Size
=====================================================================================================================================================================================================
Installing:
 kernel                                             x86_64                                3.10.0-693.11.6.el7                                          updates                                  43 M
 kernel-devel                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                  14 M
Updating:
 iwl100-firmware                                    noarch                                39.31.5.1-57.el7                                             updates                                 152 k
 iwl1000-firmware                                   noarch                                1:39.31.5.1-57.el7                                           updates                                 215 k
 iwl105-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 236 k
 iwl135-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 245 k
 iwl2000-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 239 k
 iwl2030-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 248 k
 iwl3160-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.5 M
 iwl3945-firmware                                   noarch                                15.32.2.9-57.el7                                             updates                                  90 k
 iwl4965-firmware                                   noarch                                228.61.2.24-57.el7                                           updates                                 103 k
 iwl5000-firmware                                   noarch                                8.83.5.1_1-57.el7                                            updates                                 296 k
 iwl5150-firmware                                   noarch                                8.24.2.2-57.el7                                              updates                                 149 k
 iwl6000-firmware                                   noarch                                9.221.4.1-57.el7                                             updates                                 169 k
 iwl6000g2a-firmware                                noarch                                17.168.5.3-57.el7                                            updates                                 312 k
 iwl6000g2b-firmware                                noarch                                17.168.5.2-57.el7                                            updates                                 312 k
 iwl6050-firmware                                   noarch                                41.28.5.1-57.el7                                             updates                                 245 k
 iwl7260-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.1 M
 kernel-headers                                     x86_64                                3.10.0-693.11.6.el7                                          updates                                 6.0 M
 kernel-tools                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 kernel-tools-libs                                  x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 linux-firmware                                     noarch                                20170606-57.gitc990aae.el7                                   updates                                  35 M
 microcode_ctl                                      x86_64                                2:2.1-22.2.el7                                               updates                                 1.1 M
 python-perf                                        x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
Removing:
 kernel                                             x86_64                                3.10.0-514.21.1.el7                                          @updates                                148 M

Transaction Summary
=====================================================================================================================================================================================================
Install   2 Packages
Upgrade  22 Packages
Remove    1 Package

Total download size: 120 M
Is this ok [y/d/N]:

You must reboot your Linux server using shutdown/reboot command:

$ sudo reboot


$ uname -r
3.10.0-693.11.6.el7.x86_64

Verify all 3 CVEs (you must see output:

$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'


[root@webhost ~]# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}

Run the following dnf command if you are using a Fedora Linux:

# sudo dnf --refresh update kernel

OR

# sudo dnf update

Reboot the Linux box:

$ sudo reboot

Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

January 5, 2018 The Geek Decoder No Comments Administration, CentOS 6, CentOS 7, Security

How to Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Always keep backups. So backup now to an offsite location.

Note the Linux kernel version running the following command:

# uname -r

Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
Type the following yum command:

# sudo yum update

You must reboot your Linux server using shutdown/reboot command:

# sudo reboot

Run the following dnf command if you are using a Fedora Linux:

# sudo dnf --refresh update kernel

OR

# sudo dnf update

Reboot the Linux box:

# sudo reboot

Meltdown And Spectre Security Flaws

January 5, 2018 The Geek Decoder No Comments Administration, Security

Articles and Information regarding the Meltdown And Spectre Security Flaws

Links:
https://meltdownattack.com/
https://hothardware.com/news/researchers-disclose-meltdown-and-spectre-cpu-vulnerabilities
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Patches:

VMware
https://lists.vmware.com/pipermail/security-announce/2018/000397.html
https://esxi-patches.v-front.de/ESXi-5.5.0.html#2017-09-14

How To’s
Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux