Fix Spectre on CentOS/RHEL/Fedora/Oracle/Scientific Linux

How to fix Spectre (CVE-2017-5753 and CVE-2017-5715) on CentOS/RHEL/Fedora/Oracle/Scientific Linux. The example below is CentOS 7. The same kernel update also carries the Meltdown (CVE-2017-5754) fix, and the microcode_ctl package it pulls in matters: the IBRS/IBPB mitigations for Spectre variant 2 (CVE-2017-5715) only become active once the CPU runs microcode that exposes the new control MSRs, which on many machines also means a BIOS/firmware update from the hardware vendor.

Note the running kernel, then run yum update:

# uname -r
3.10.0-693.2.2.el7.x86_64

# sudo yum update

CentOS 7 output

====================================================================================================================================================================================================
 Package                                            Arch                                  Version                                                      Repository                               Size
=====================================================================================================================================================================================================
Installing:
 kernel                                             x86_64                                3.10.0-693.11.6.el7                                          updates                                  43 M
 kernel-devel                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                  14 M
Updating:
 iwl100-firmware                                    noarch                                39.31.5.1-57.el7                                             updates                                 152 k
 iwl1000-firmware                                   noarch                                1:39.31.5.1-57.el7                                           updates                                 215 k
 iwl105-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 236 k
 iwl135-firmware                                    noarch                                18.168.6.1-57.el7                                            updates                                 245 k
 iwl2000-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 239 k
 iwl2030-firmware                                   noarch                                18.168.6.1-57.el7                                            updates                                 248 k
 iwl3160-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.5 M
 iwl3945-firmware                                   noarch                                15.32.2.9-57.el7                                             updates                                  90 k
 iwl4965-firmware                                   noarch                                228.61.2.24-57.el7                                           updates                                 103 k
 iwl5000-firmware                                   noarch                                8.83.5.1_1-57.el7                                            updates                                 296 k
 iwl5150-firmware                                   noarch                                8.24.2.2-57.el7                                              updates                                 149 k
 iwl6000-firmware                                   noarch                                9.221.4.1-57.el7                                             updates                                 169 k
 iwl6000g2a-firmware                                noarch                                17.168.5.3-57.el7                                            updates                                 312 k
 iwl6000g2b-firmware                                noarch                                17.168.5.2-57.el7                                            updates                                 312 k
 iwl6050-firmware                                   noarch                                41.28.5.1-57.el7                                             updates                                 245 k
 iwl7260-firmware                                   noarch                                22.0.7.0-57.el7                                              updates                                 1.1 M
 kernel-headers                                     x86_64                                3.10.0-693.11.6.el7                                          updates                                 6.0 M
 kernel-tools                                       x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 kernel-tools-libs                                  x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
 linux-firmware                                     noarch                                20170606-57.gitc990aae.el7                                   updates                                  35 M
 microcode_ctl                                      x86_64                                2:2.1-22.2.el7                                               updates                                 1.1 M
 python-perf                                        x86_64                                3.10.0-693.11.6.el7                                          updates                                 5.1 M
Removing:
 kernel                                             x86_64                                3.10.0-514.21.1.el7                                          @updates                                148 M

Transaction Summary
=====================================================================================================================================================================================================
Install   2 Packages
Upgrade  22 Packages
Remove    1 Package

Total download size: 120 M
Is this ok [y/d/N]:

Reboot so the new kernel is loaded; the old, unpatched kernel stays in use until you do:

$ sudo reboot

$ uname -r
3.10.0-693.11.6.el7.x86_64

Verify that the kernel changelog references all three CVEs: CVE-2017-5753 and CVE-2017-5715 are Spectre variants 1 and 2, CVE-2017-5754 is Meltdown. You must see entries for each, like the output below. Note that "rpm -q --changelog kernel" covers every installed kernel package, which is why the uname -r check above matters: the fixes only protect you once the patched kernel is the one running.

[root@webhost ~]# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}

If you are using Fedora, use dnf instead:

# sudo dnf --refresh update kernel

OR

# sudo dnf update

Reboot the Linux box:

$ sudo reboot

Fix Meltdown on CentOS/RHEL/Fedora/Oracle/Scientific Linux

How to fix Meltdown (CVE-2017-5754) on CentOS/RHEL/Fedora/Oracle/Scientific Linux. The fix is the kernel page-table isolation update (the "mm/kaiser" entries in the changelog above), shipped in the same kernel package as the Spectre fixes, so the procedure is the same.

Always keep backups; take one to an offsite location before you start.

Note the running kernel version:

# uname -r

Then run yum update:

# sudo yum update

Reboot so the new kernel is loaded; the old, unpatched kernel stays in use until you do:

# sudo reboot

If you are using Fedora, use dnf instead:

# sudo dnf --refresh update kernel

OR

# sudo dnf update

Reboot the Linux box:

# sudo reboot
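Added example, not from the original page: a shell script that automates the post-reboot checks for both the Spectre and the Meltdown how-tos above. check_cve_coverage scans changelog text (on a live host pass it "$(rpm -q --changelog kernel-$(uname -r))") for the three CVE ids and returns nonzero if any is missing; show_mitigation_state prints the runtime knobs, using /sys/devices/system/cpu/vulnerabilities on kernels that have it and otherwise the debugfs files the 3.10.0-693.11.x changelog adds (pti_enabled, ibrs_enabled, ibpb_enabled, names taken from Red Hat's tunables documentation). The sample changelog in the script is constructed from lines of the output above; the --run/--demo flags and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: automate the post-reboot checks
# for the Spectre and Meltdown how-tos.
#
# check_cve_coverage CHANGELOG_TEXT
#   Returns 0 only when all three CVE ids appear in the text.  On a live host
#   pass "$(rpm -q --changelog kernel-$(uname -r))" so that only the running
#   kernel's package is consulted (a plain "kernel" query also lists older
#   installed kernels and can look patched before you have rebooted).
check_cve_coverage() {
    changelog=$1
    missing=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
        if printf '%s\n' "$changelog" | grep -q "$cve"; then
            echo "$cve: fix present in changelog"
        else
            echo "$cve: NOT found in changelog"
            missing=1
        fi
    done
    return $missing
}

# show_mitigation_state
#   Prints the runtime mitigation knobs.  Kernels from RHEL 7.5 onward (and
#   upstream) expose /sys/devices/system/cpu/vulnerabilities/*.  The
#   3.10.0-693.11.x kernel installed above predates that and only has the
#   debugfs files its changelog adds ("add debugfs ibrs_enabled ibpb_enabled",
#   the KAISER on/off file); the file names below are assumed from Red Hat's
#   tunables documentation.  ibrs_enabled/ibpb_enabled read 0 unless the CPU
#   microcode provides the SPEC_CTRL/IBPB features.
show_mitigation_state() {
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        grep -H . /sys/devices/system/cpu/vulnerabilities/*
    else
        grep -q ' /sys/kernel/debug ' /proc/mounts 2>/dev/null ||
            mount -t debugfs none /sys/kernel/debug 2>/dev/null || true
        for knob in pti_enabled ibrs_enabled ibpb_enabled; do
            if [ -r "/sys/kernel/debug/x86/$knob" ]; then
                echo "$knob=$(cat "/sys/kernel/debug/x86/$knob")"
            else
                echo "$knob: not available on this kernel"
            fi
        done
    fi
    return 0
}

# Constructed sample: three entries copied in shape from the changelog above.
SAMPLE_CHANGELOG='- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}'

case "${1:-}" in
    --run)   # live host: running kernel, its own changelog, then the knobs
        echo "running kernel: $(uname -r)"
        check_cve_coverage "$(rpm -q --changelog "kernel-$(uname -r)")" ||
            echo "one or more CVE fixes missing from the running kernel"
        show_mitigation_state ;;
    --demo)  # offline: exercise the changelog check on the constructed sample
        check_cve_coverage "$SAMPLE_CHANGELOG" ;;
esac
```

Run it as sh check-spectre.sh --run after the reboot. pti_enabled=1 is what confirms the Meltdown mitigation is active; ibrs_enabled and ibpb_enabled at 0 on a patched kernel mean the microcode has not been updated (or, in a VM, that the hypervisor does not expose the new CPUID features to the guest).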

Meltdown And Spectre Security Flaws

Articles and Information regarding the Meltdown And Spectre Security Flaws

Links:
https://meltdownattack.com/
https://hothardware.com/news/researchers-disclose-meltdown-and-spectre-cpu-vulnerabilities
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Patches:

VMware
https://lists.vmware.com/pipermail/security-announce/2018/000397.html
https://esxi-patches.v-front.de/ESXi-5.5.0.html#2017-09-14

How To’s
Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux
Fix the Meltdown on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Install Proftpd in CentOS 7

How to install ProFTPD on CentOS 7 to provide FTP access.

Step 1: Add the EPEL Repository
ProFTPD is in Extra Packages for Enterprise Linux (EPEL), a community repository of add-on packages for RHEL and its rebuilds. On CentOS 7 the release package is available from the extras repository, so "yum install epel-release" is the simplest route; the direct download below pins an old release version and installs it before the EPEL signing key is imported, so the package signature cannot be verified. If you use it anyway:

# rpm -iUvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Step 2: Install ProFTPD

Let’s update first:

# yum -y update

Then let’s install ProFTPD and any required packages:

# yum -y install proftpd

Step 3: Configure ProFTPD

Let’s edit the configuration file for ProFTPD:

# nano /etc/proftpd.conf

Change ServerName to the hostname of your server; ftp.domainname.com below is an example:

ServerName "ftp.domainname.com"

Enabling TLS in ProFTPD
Add and modify the lines below. DefaultRoot ~ !adm chroots every user who is not in the adm group into their home directory, and PassivePorts pins the passive-mode data ports so the firewall rule in Step 4 can match them. TLSRequired on is the important line: it refuses logins that do not negotiate TLS. The stock cipher list ALL:!ADH:!DES and the missing TLSProtocol line still allow old protocol versions and weak ciphers, so tighten them (for example TLSProtocol TLSv1.2 and TLSCipherSuite HIGH:!aNULL:!MD5) unless you must serve legacy clients. The <IfDefine TLS> wrapper from the stock file stays commented out here, so the TLS directives apply unconditionally and no -DTLS option is needed in /etc/sysconfig/proftpd.

# nano /etc/proftpd.conf
[...]
DefaultRoot                     ~ !adm
PassivePorts 60000 65535
[...]

#<IfDefine TLS>
  TLSEngine                     on
  TLSRequired                   on
  TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite                ALL:!ADH:!DES
  TLSOptions                    NoCertRequest
  TLSVerifyClient               off
  TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
  TLSLog                        /var/log/proftpd/tls.log
#  <IfModule mod_tls_shmcache.c>
#    TLSSessionCache            shm:/file=/var/run/proftpd/sesscache
#  </IfModule>
#</IfDefine>
[...]

Save the file and exit the editor.

Restart the ProFTPD service:

# systemctl restart proftpd

Then set the ProFTPD service to start at boot:

# systemctl enable proftpd

And verify your work by checking the status of ProFTPD:

# systemctl status proftpd

Step 4: Allow ProFTPD Through the Firewall
Allow the FTP control port (21/tcp) and the passive data range configured with PassivePorts through firewalld:

# firewall-cmd --permanent --add-port=21/tcp
# firewall-cmd --permanent --add-port=60000-65535/tcp

And reload the firewall so the permanent rules become active:

# firewall-cmd --reload

In order to use TLS we must create a certificate; with TLSEngine on and no certificate file, TLS sessions fail (check /var/log/proftpd/tls.log), so create it before testing the restart from Step 3. The command below writes a self-signed certificate and its private key into one file under /etc/pki/tls/certs. Use at least a 2048-bit key (the session recorded below used 1024 bits, which is no longer acceptable), set a validity period, and give the Common Name the hostname clients connect to:

# openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem

[root@webhost certs]# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem -nodes -days 365
Generating a 1024 bit RSA private key
.++++++
...........................................................++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Austin
Organization Name (eg, company) [Default Company Ltd]:TestCo
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:webhost.domainname.com
Email Address []:test@gmail.com

The file holds the private key as well as the certificate, so restrict it (keep it owned by root and never world-readable):

# chmod 0440 /etc/pki/tls/certs/proftpd.pem

Restart:

# systemctl restart proftpd.service
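Added example, not from the original page or the ProFTPD project: a shell linter for the mod_tls fragment in Step 3 and the certificate step above. lint_proftpd_tls takes proftpd.conf text (pass "$(cat /etc/proftpd.conf)") and returns the number of weak choices a reviewer would flag: a cipher list starting with ALL, no TLSProtocol line, TLSRequired off, and the private key living in the same file as the certificate, which is what the openssl command above produces. Both sample configs are constructed here; the hardened one's file names (proftpd.crt, and proftpd.key under /etc/pki/tls/private) and its TLSProtocol/TLSCipherSuite values are this example's suggestions, not ProFTPD defaults.

```shell
#!/bin/sh
# Added example, not from the original page or the ProFTPD project: lint the
# mod_tls settings in a proftpd.conf text for the weak choices shown above.

# directive_value NAME TEXT -> value of the first uncommented NAME line
# (commented lines start with '#', so their first field never equals NAME)
directive_value() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); gsub(/^"|"$/, ""); print; exit }'
}

# lint_proftpd_tls CONF_TEXT -> prints findings, returns their count (0 = clean)
lint_proftpd_tls() {
    conf=$1
    findings=0

    ciphers=$(directive_value TLSCipherSuite "$conf")
    case "$ciphers" in
        ALL*)   # ALL minus a few exclusions still admits weak suites
            echo "WEAK: TLSCipherSuite '$ciphers'; use e.g. HIGH:!aNULL:!MD5"
            findings=$((findings + 1)) ;;
    esac

    if [ -z "$(directive_value TLSProtocol "$conf")" ]; then
        echo "WEAK: no TLSProtocol line; add 'TLSProtocol TLSv1.2' so old versions cannot be negotiated"
        findings=$((findings + 1))
    fi

    if [ "$(directive_value TLSRequired "$conf")" = "off" ]; then
        echo "WEAK: TLSRequired off; set 'TLSRequired on' so logins cannot fall back to cleartext"
        findings=$((findings + 1))
    fi

    cert=$(directive_value TLSRSACertificateFile "$conf")
    key=$(directive_value TLSRSACertificateKeyFile "$conf")
    if [ -n "$cert" ] && [ "$cert" = "$key" ]; then
        echo "WEAK: certificate and private key share one file ($cert); keep the key in /etc/pki/tls/private, mode 0600"
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample: the fragment from the tutorial above (weak) ...
WEAK_CONF='TLSEngine                     on
TLSRequired                   on
TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite                ALL:!ADH:!DES
TLSOptions                    NoCertRequest
TLSVerifyClient               off'

# ... and a hardened version (hypothetical file names and values)
HARDENED_CONF='TLSEngine                     on
TLSRequired                   on
TLSProtocol                   TLSv1.2
TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.crt
TLSRSACertificateKeyFile      /etc/pki/tls/private/proftpd.key
TLSCipherSuite                HIGH:!aNULL:!MD5
TLSOptions                    NoCertRequest
TLSVerifyClient               off'

if [ "${1:-}" = "--demo" ]; then
    n=0; lint_proftpd_tls "$WEAK_CONF" || n=$?
    echo "weak config findings: $n"
    m=0; lint_proftpd_tls "$HARDENED_CONF" || m=$?
    echo "hardened config findings: $m"
fi
```

Run sh lint-proftpd.sh --demo to see both results; against the real file use lint_proftpd_tls "$(cat /etc/proftpd.conf)". To produce the split layout the hardened config expects, generate the key and certificate into separate files (openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/pki/tls/private/proftpd.key -out /etc/pki/tls/certs/proftpd.crt) and chmod 0600 the key.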

View Apache Statistics with Apache mod_status module

The Apache mod_status module is very useful when troubleshooting high CPU or memory usage with Apache.

As the Apache documentation describes, the status page shows:

– The number of workers serving requests.
– The number of idle workers.
– The status of each worker, the number of requests that worker has performed and the total number of bytes served by the worker.
– The total number of accesses and bytes served.
– The time the server was started/restarted and the time it has been running for.
– Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request.
– The current percentage of CPU used by each worker and in total by all workers combined.
– The current hosts and requests being processed.

Setting it up is simple.

Create the configuration file in the location for your distro:

# CentOS 6 / CentOS 7
[root@web01 ~]# vim /etc/httpd/conf.d/status.conf

# Ubuntu 12.04
[root@web01 ~]# vim /etc/apache2/conf.d/status.conf

# Ubuntu 14.04
[root@web01 ~]# vim /etc/apache2/conf-available/status.conf

Using the correct location for your distro, put the following configuration in place to enable mod_status, updating the AuthUserFile line for your distro. The status page discloses client IP addresses and the URLs being requested (including any query-string tokens), so keep it restricted: the access controls below let localhost in without a password and require Basic authentication from anywhere else, and since Basic auth sends the password in the clear, reach it over HTTPS when not on localhost. The Order/Deny/Allow/Satisfy directives are Apache 2.2 syntax; on Apache 2.4 (CentOS 7, Ubuntu 14.04) they still work because mod_access_compat is loaded by default, and the native 2.4 form would be a <RequireAny> block with Require ip 127.0.0.1 ::1 and Require valid-user.


<IfModule mod_status.c>
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On

# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the ".example.com" to allow
# access from other hosts.
#
<Location /server-status>
     SetHandler server-status
     Order deny,allow
     Deny from all
     Allow from localhost ip6-localhost
     <IfModule mod_rewrite.c>
          RewriteEngine off
     </IfModule>
     Allow from 127.0.0.1

# On CentOS / RedHat systems, uncomment the following line
     AuthUserFile /etc/httpd/status-htpasswd

# On Debian / Ubuntu systems, uncomment the following line
#     AuthUserFile /etc/apache2/status-htpasswd

     AuthName "Password protected"
     AuthType Basic
     Require valid-user

     # Allow password-less access for allowed IPs
     Satisfy any
</Location>

</IfModule>

Once you have the configuration in place, create the password file (htpasswd -c creates it and overwrites any existing file; drop -c when adding further users) and restart Apache:

# CentOS 6 / CentOS 7
[root@web01 ~]# htpasswd -c /etc/httpd/status-htpasswd serverinfo
[root@web01 ~]# service httpd restart

# Ubuntu 12.04
[root@web01 ~]# htpasswd -c /etc/apache2/status-htpasswd serverinfo
[root@web01 ~]# service apache2 restart

# Ubuntu 14.04
[root@web01 ~]# htpasswd -c /etc/apache2/status-htpasswd serverinfo
[root@web01 ~]# a2enconf status.conf
[root@web01 ~]# service apache2 restart

Now go to:


http://serverip/server-status

You can have the /server-status page refresh automatically by using the following in the URL:


http://serverip/server-status?refresh=2

It may give you some idea of what client, or what types of requests, are causing the resource contention issues. Usually it is a specific web application misbehaving, or a specific client is attacking a site.
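Added example, not from the original page: parsing the machine-readable variant of the status page, http://serverip/server-status?auto, to answer the question this section raises (who is tying up the workers). status_field, count_state and reading_share read the "key: value" lines and the Scoreboard string that Apache prints in ?auto output; slow_client_alert applies a constructed rule (over half of the busy workers still reading the request while under 10% of slots are idle) that a slow-request flood produces and normal load usually does not. The sample status text is constructed, not a capture; the thresholds and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: summarise worker states from the
# machine-readable http://serverip/server-status?auto output so that a flood of
# connections stuck reading requests stands out from ordinary load.
# Fetch live data with:  curl -s -u serverinfo http://127.0.0.1/server-status?auto

# status_field NAME TEXT -> value of the "NAME: value" line
status_field() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# count_state CHAR TEXT -> number of scoreboard slots in that state
# Scoreboard legend: _ waiting, R reading request, W sending reply, K keepalive,
# C closing, L logging, G graceful finish, . open slot
count_state() {
    status_field Scoreboard "$2" | tr -cd "$1" | wc -c | tr -d ' '
}

# reading_share TEXT -> percentage of busy workers still reading the request;
# a high value with a full worker pool is the slow-client signature
reading_share() {
    busy=$(status_field BusyWorkers "$1")
    [ "${busy:-0}" -gt 0 ] || { echo 0; return 0; }
    reading=$(count_state R "$1")
    echo $(( reading * 100 / busy ))
}

# slow_client_alert TEXT -> exit 0 (alert) when over half of the busy workers are
# reading and fewer than 10% of all slots are idle; exit 1 otherwise
slow_client_alert() {
    busy=$(status_field BusyWorkers "$1")
    idle=$(status_field IdleWorkers "$1")
    total=$(( ${busy:-0} + ${idle:-0} ))
    [ "$total" -gt 0 ] || return 1
    [ "$(reading_share "$1")" -ge 50 ] && [ $(( ${idle:-0} * 100 / total )) -lt 10 ]
}

# Constructed sample (not a real capture): 13 slots, 12 busy, 9 of them reading
SAMPLE_STATUS='Total Accesses: 120345
Total kBytes: 987654
Uptime: 86400
ReqPerSec: 1.39
BusyWorkers: 12
IdleWorkers: 1
Scoreboard: RRRRRRRRRWWK_'

if [ "${1:-}" = "--demo" ]; then
    echo "busy=$(status_field BusyWorkers "$SAMPLE_STATUS") idle=$(status_field IdleWorkers "$SAMPLE_STATUS")"
    for s in R W K _; do echo "state $s: $(count_state "$s" "$SAMPLE_STATUS")"; done
    echo "reading share: $(reading_share "$SAMPLE_STATUS")%"
    slow_client_alert "$SAMPLE_STATUS" && echo "ALERT: possible slow-client flood"
fi
```

Per-client detail (which IP, which URL) is only in the HTML page, not in ?auto, so once the alert fires open the full page with ?refresh=2 as described above and look at the Client and Request columns.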

IPv6 Error Sending Email to Google

I recently received an error when sending an email to Google:


2607:f8b0:4003:0c17:0000:0000:0000:001b failed after I sent the message.
Remote host said: 550-5.7.1 [2607:5201:1110:3110:ec4:7aff:fe7d:88f3] Our system has detected that
550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
550-5.7.1 records and authentication. Please review
550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information
550 5.7.1 . t203si2123379oib.437 - gsmtp

Google rejects mail from IPv6 addresses that lack a PTR (reverse DNS) record matching the sending host, or that fail SPF/DKIM authentication. The proper fix is to publish a PTR record for the server's IPv6 address (reverse DNS is usually controlled by the hosting provider) and SPF/DKIM for the domain. The quick fix is to stop Postfix from delivering over IPv6 (inet_protocols = ipv4 in /etc/postfix/main.cf, then restart postfix) or to disable IPv6 on the CentOS host entirely, as the links below describe.

Resources:
https://wiki.centos.org/FAQ/CentOS6#head-d47139912868bcb9d754441ecb6a8a10d41781df

CentOS / RHEL 7 : How to disable IPv6


https://serverfault.com/questions/732187/sendmail-can-not-deliver-to-gmail-ipv6-sending-guidelines-regarding-ptr-record

For Plesk:
https://support.plesk.com/hc/en-us/articles/115002922789-How-to-disable-IPv6-addresses-on-a-Plesk-server-

How To Set Up a Firewall Using Firewalld on CentOS 7


Turning on the Firewall

# sudo systemctl start firewalld.service

We can verify that the service is running and reachable by typing:

# firewall-cmd --state
output
running

We can see which zone is currently selected as the default by typing:

# firewall-cmd --get-default-zone
output
public


Zones with an interface assigned to them are "active"; list them by typing:

# firewall-cmd --get-active-zones
output
public
interfaces: eth0 eth1

We can print out the default zone’s configuration by typing:

# firewall-cmd --list-all
output
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

Exploring Alternative Zones

To get a list of the available zones, type:

# firewall-cmd --get-zones
output
block dmz drop external home internal public trusted work

We can see the specific configuration associated with a zone by including the --zone= parameter in our --list-all command:

# firewall-cmd --zone=home --list-all
output
home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

You can output all of the zone definitions by using the --list-all-zones option. You will probably want to pipe the output into a pager for easier viewing:

# firewall-cmd --list-all-zones | less

Selecting Zones for your Interfaces
Unless you have configured your network interfaces otherwise, each interface will be put in the default zone when the firewall is booted.

Changing the Zone of an Interface for the Current Session

You can transition an interface between zones during a session by using the --zone= parameter in combination with the --change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.

For instance, we can transition our eth0 interface to the “home” zone by typing this:

# sudo firewall-cmd --zone=home --change-interface=eth0
output
success


# firewall-cmd --get-active-zones
output
home
interfaces: eth0
public
interfaces: eth1

If the firewall is completely restarted, the interface will revert to the default zone:

# sudo systemctl restart firewalld.service
# firewall-cmd --get-active-zones
output
public
interfaces: eth0 eth1

Changing the Zone of your Interface Permanently

To make the zone assignment survive a firewall restart, set it in the interface's configuration file:

# sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0

At the bottom of the file, set the ZONE= variable to the zone you wish to associate with the interface. In our case, this would be the "home" zone:

/etc/sysconfig/network-scripts/ifcfg-eth0
. . .

DNS1=2001:4860:4860::8844
DNS2=2001:4860:4860::8888
DNS3=8.8.8.8
ZONE=home

Save and close the file.

To implement your changes, you'll have to restart the network service, followed by the firewall service:

# sudo systemctl restart network.service
# sudo systemctl restart firewalld.service

After your firewall restarts, you can see that your eth0 interface is automatically placed in the “home” zone:

# firewall-cmd --get-active-zones
output
home
interfaces: eth0
public
interfaces: eth1

Adjusting the Default Zone

Interfaces without an explicit ZONE= setting follow the default zone, so changing it moves them all at once:

# sudo firewall-cmd --set-default-zone=home
output
success

# firewall-cmd --get-active-zones
output
home
interfaces: eth0 eth1

Setting Rules for your Applications

Adding a Service to your Zones

The easiest method is to add the services or ports you need to the zones you are using. Again, you can get a list of the available services with the --get-services option:

# firewall-cmd --get-services
output
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

You can get more details about each of these services by looking at their associated .xml file within the /usr/lib/firewalld/services directory (site-specific services go in /etc/firewalld/services, which takes precedence). A service is nothing more than a named set of ports, so enabling it opens exactly what the file lists. For instance, the SSH service is defined like this:

/usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

You can enable a service for a zone using the --add-service= parameter.

For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our “public” zone for this session by typing:

sudo firewall-cmd --zone=public --add-service=http

You can leave out the --zone= if you wish to modify the default zone. We can verify the operation was successful by using the --list-all or --list-services operations:

firewall-cmd --zone=public --list-services
output
dhcpv6-client http ssh

We can make our “public” zone change permanent by typing:

# sudo firewall-cmd --zone=public --permanent --add-service=http

You can verify that this was successful by adding the --permanent flag to the --list-services operation. You need to use sudo for any --permanent operations:

sudo firewall-cmd --zone=public --permanent --list-services
output
dhcpv6-client http ssh

Your “public” zone will now allow HTTP web traffic on port 80. To also allow HTTPS (port 443), add the https service to both the runtime and the permanent configuration:

sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https

Adding Other Ports

Not every application has a predefined service. You can open an individual port by number and protocol with --add-port=. For instance, if our application listens on TCP port 5000, we can open it on “public” for this session by typing:

sudo firewall-cmd --zone=public --add-port=5000/tcp

We can verify that this was successful using the --list-ports operation:

firewall-cmd --zone=public --list-ports
output
5000/tcp
It is also possible to specify a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses UDP ports 4990 to 4999, we could open these up on “public” by typing:

# sudo firewall-cmd --zone=public --add-port=4990-4999/udp

After testing, we would likely want to add these to the permanent firewall. You can do that by typing:

sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
output
success
success

sudo firewall-cmd --zone=public --permanent --list-ports
output
4990-4999/udp 5000/tcp

Creating Your Own Zones
While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function.

For instance, we could create the two zones we discussed above by typing:

sudo firewall-cmd --permanent --new-zone=publicweb
sudo firewall-cmd --permanent --new-zone=privateDNS
You can verify that these are present in your permanent configuration by typing:

# sudo firewall-cmd --permanent --get-zones
output
block dmz drop external home internal privateDNS public publicweb trusted work
As stated before, these won’t be available in the current instance of the firewall yet:

firewall-cmd --get-zones
output
block dmz drop external home internal public trusted work

Reload the firewall to bring these new zones into the active configuration:

sudo firewall-cmd --reload
firewall-cmd --get-zones
output
block dmz drop external home internal privateDNS public publicweb trusted work

Now, you can begin assigning the appropriate services and ports to your zones. It’s usually a good idea to adjust the active instance and then transfer those changes to the permanent configuration after testing. For instance, for the “publicweb” zone, you might want to add the SSH, HTTP, and HTTPS services:

sudo firewall-cmd --zone=publicweb --add-service=ssh
sudo firewall-cmd --zone=publicweb --add-service=http
sudo firewall-cmd --zone=publicweb --add-service=https
firewall-cmd --zone=publicweb --list-all
output
publicweb
interfaces:
sources:
services: http https ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

Likewise, we can add the DNS service to our “privateDNS” zone:

sudo firewall-cmd --zone=privateDNS --add-service=dns
firewall-cmd --zone=privateDNS --list-all
output
privateDNS
interfaces:
sources:
services: dns
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

We could then change our interfaces over to these new zones to test them out:

sudo firewall-cmd --zone=publicweb --change-interface=eth0
sudo firewall-cmd --zone=privateDNS --change-interface=eth1

At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add the same rules to the permanent configuration. You can do that by re-applying the rules with the --permanent flag:

sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh
sudo firewall-cmd --zone=publicweb --permanent --add-service=http
sudo firewall-cmd --zone=publicweb --permanent --add-service=https
sudo firewall-cmd --zone=privateDNS --permanent --add-service=dns

You can then modify your network interfaces to automatically select the correct zones.

We can associate the eth0 interface with the “publicweb” zone:

sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth0
. . .

IPV6_AUTOCONF=no
DNS1=2001:4860:4860::8844
DNS2=2001:4860:4860::8888
DNS3=8.8.8.8
ZONE=publicweb

And we can associate the eth1 interface with “privateDNS”:

sudo nano /etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/network-scripts/ifcfg-eth1
. . .

NETMASK=255.255.0.0
DEFROUTE='no'
NM_CONTROLLED='yes'
ZONE=privateDNS

Afterwards, you can restart your network and firewall services:

sudo systemctl restart network
sudo systemctl restart firewalld

Validate that the correct zones were assigned:

firewall-cmd --get-active-zones
output
privateDNS
interfaces: eth1
publicweb
interfaces: eth0

And validate that the appropriate services are available for both of the zones:

firewall-cmd --zone=publicweb --list-services
output
http https ssh
firewall-cmd --zone=privateDNS --list-services
output
dns

You have successfully set up your own zones. If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the --set-default-zone= parameter:

sudo firewall-cmd --set-default-zone=publicweb

To configure your firewall to start at boot, type:

sudo systemctl enable firewalld
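As an added example (not code from the original page or from the firewalld project), the following shell functions wrap the two habits this section keeps repeating: adding a rule to the runtime configuration and then again with --permanent, and checking that the two configurations agree before a reload or restart throws the runtime changes away. FIREWALL_CMD and FW_AUDIT_ZONE are variable names chosen here; everything else is plain firewall-cmd syntax already used above.

```shell
#!/bin/sh
# Added example, not from the original page or the firewalld project:
# wrappers around firewall-cmd for the "apply at runtime, test, then apply
# again with --permanent" pattern, plus a drift check that reports what a
# reload or restart would discard.
# FIREWALL_CMD is an assumed override so the functions can be exercised
# against a stub; on a real host leave it unset.
FW=${FIREWALL_CMD:-firewall-cmd}

# fw_add ZONE KIND VALUE   (KIND is "service" or "port")
#   e.g. fw_add publicweb service https ; fw_add public port 5000/tcp
# Adds to the runtime configuration first, then to the permanent one.
fw_add() {
    zone=$1; kind=$2; value=$3
    "$FW" --zone="$zone" "--add-$kind=$value" >/dev/null || return 1
    "$FW" --zone="$zone" --permanent "--add-$kind=$value" >/dev/null || return 1
}

# One entry per line, sorted, so a different word order is not reported as drift.
fw_normalize() { tr ' ' '\n' | sed '/^$/d' | LC_ALL=C sort; }

# fw_drift ZONE
# Compares runtime and permanent services/ports of ZONE and prints one line
# per difference: "runtime-only" entries vanish on reload or restart,
# "permanent-only" entries are not enforced until one happens.
# Returns 0 if both configurations agree, 1 otherwise.
fw_drift() {
    zone=$1; rc=0
    for kind in services ports; do
        run=$("$FW" --zone="$zone" "--list-$kind" | fw_normalize)
        perm=$("$FW" --zone="$zone" --permanent "--list-$kind" | fw_normalize)
        [ "$run" = "$perm" ] && continue
        rc=1
        for item in $run; do
            printf '%s\n' "$perm" | grep -qxF -- "$item" || echo "$zone $kind runtime-only: $item"
        done
        for item in $perm; do
            printf '%s\n' "$run" | grep -qxF -- "$item" || echo "$zone $kind permanent-only: $item"
        done
    done
    return $rc
}

# Audit one zone when FW_AUDIT_ZONE is set, e.g.  FW_AUDIT_ZONE=publicweb sh fwzone.sh
if [ -n "${FW_AUDIT_ZONE:-}" ]; then
    fw_drift "$FW_AUDIT_ZONE" && echo "$FW_AUDIT_ZONE: runtime and permanent configuration agree"
fi
```

Run the audit after the testing step above: anything reported as runtime-only is exactly the set of rules you still have to re-apply with --permanent, and a permanent-only entry is a rule you believe is active but is not.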

Show List Of Network Cards in Linux

How do I display a list of all network cards under Linux operating systems?

You can use any one of the following commands to list the network cards installed under Linux. Note that lspci and lshw show physical hardware only, whereas the ifconfig and ip commands also display VPN, loopback, bridge and other virtual interfaces that are configured.

  • lspci command : List all PCI devices.
  • lshw command : List all hardware.
  • dmidecode command : List all hardware data from BIOS.
  • ifconfig command : Outdated network config utility.
  • ip command : Recommended new network config utility.

lspci command

Type the following command:

# lspci | egrep -i --color 'network|ethernet'

Sample outputs:

09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5761e Gigabit Ethernet PCIe (rev 10)
0c:00.0 Network controller: Intel Corporation Ultimate N WiFi Link 5300

lshw command

The lshw command can extract detailed information on the hardware configuration of the machine including network cards. Type the following command:

# lshw -class network

Sample outputs:

  *-network DISABLED      
       description: Wireless interface
       product: Ultimate N WiFi Link 5300
       vendor: Intel Corporation
       physical id: 0
       bus info: pci@0000:0c:00.0
       logical name: wlan0
       version: 00
       serial: 00:21:6a:ca:9b:10
       width: 64 bits
       clock: 33MHz
       capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless
       configuration: broadcast=yes driver=iwlwifi driverversion=3.2.0-0.bpo.1-amd64 firmware=8.83.5.1 build 33692 latency=0 link=no multicast=yes wireless=IEEE 802.11abgn
       resources: irq:46 memory:f1ffe000-f1ffffff
  *-network
       description: Ethernet interface
       product: NetXtreme BCM5761e Gigabit Ethernet PCIe
       vendor: Broadcom Corporation
       physical id: 0
       bus info: pci@0000:09:00.0
       logical name: eth0
       version: 10
       serial: b8:ac:6f:65:31:e5
       size: 1GB/s
       capacity: 1GB/s
       width: 64 bits
       clock: 33MHz
       capabilities: pm vpd msi pciexpress bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=tg3 driverversion=3.121 duplex=full firmware=5761e-v3.71 ip=192.168.1.5 latency=0 link=yes multicast=yes port=twisted pair speed=1GB/s
       resources: irq:48 memory:f1be0000-f1beffff memory:f1bf0000-f1bfffff

ifconfig and ip command

To see all configured network devices, enter:

# ifconfig -a

OR

# ip link show

OR

# ip a

Sample outputs:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether b8:ac:6f:65:31:e5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::baac:6fff:fe65:31e5/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:21:6a:ca:9b:10 brd ff:ff:ff:ff:ff:ff
4: pan0:  mtu 1500 qdisc noop state DOWN 
    link/ether 92:0a:e7:31:e0:83 brd ff:ff:ff:ff:ff:ff
5: vmnet1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.121.1/24 brd 192.168.121.255 scope global vmnet1
    inet6 fe80::250:56ff:fec0:1/64 scope link 
       valid_lft forever preferred_lft forever
6: vmnet8:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.179.1/24 brd 192.168.179.255 scope global vmnet8
    inet6 fe80::250:56ff:fec0:8/64 scope link 
       valid_lft forever preferred_lft forever

/proc/net/dev

The dev pseudo-file contains network device status information. This gives the number of received and sent packets, the number of errors and collisions and other basic statistics.

$ cat /proc/net/dev

Sample outputs:

Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   20097     179    0    0    0     0          0         0    20097     179    0    0    0     0       0          0
vmnet8:       0       0    0    0    0     0          0         0        0      33    0    0    0     0       0          0
  pan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
 wlan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 592509534  623058    0    0    0     0          0      1053 122269656  401567    0    0    0     0       0          0
vmnet1:       0       0    0    0    0     0          0         0    
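As an added example (not from the original page), here is a small parser that turns /proc/net/dev into one row per interface and flags interfaces whose error or drop counters are not zero, which is the question you usually have when you look at this file. It handles the case the raw table makes awkward: once a counter grows wide enough the kernel prints the name and the first number with no space between them ("eth0:592509534"), so naive whitespace splitting breaks. The sample table embedded below is constructed from the output above with that gluing and some non-zero counters added; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: parse /proc/net/dev into one
# row per interface and flag interfaces whose error or drop counters are
# non-zero. The table is read from stdin, so the same functions run
# against the live file (netdev_problems < /proc/net/dev) or a saved copy.
# Column order is fixed by the kernel:
#   rx: bytes packets errs drop fifo frame compressed multicast
#   tx: bytes packets errs drop fifo colls carrier compressed

# netdev_summary: prints
#   iface rx_bytes rx_pkts rx_errs rx_drop tx_bytes tx_pkts tx_errs tx_drop
netdev_summary() {
    awk '
        NR <= 2 { next }                 # two header lines
        {
            # With wide counters the kernel prints "eth0:123456" with no
            # space after the colon; insert one so field splitting works.
            sub(/:/, ": ")
            if (NF < 17) next            # truncated row, e.g. a cut-off capture
            iface = $1; sub(/:$/, "", iface)
            print iface, $2, $3, $4, $5, $10, $11, $12, $13
        }'
}

# netdev_problems: only interfaces with rx/tx errors or drops
netdev_problems() {
    netdev_summary | awk '$4 + $5 + $8 + $9 > 0 {
        print $1, "rx_errs=" $4, "rx_drop=" $5, "tx_errs=" $8, "tx_drop=" $9
    }'
}

# Constructed sample (based on the table above, with a glued colon on eth0
# and non-zero drop/error counters added so there is something to flag).
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   20097     179    0    0    0     0          0         0    20097     179    0    0    0     0       0          0
  eth0:592509534  623058    0   12    0     0          0      1053 122269656  401567    3    0    0     0       0          0
 wlan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0'

# Against the sample:  printf '%s\n' "$SAMPLE_NETDEV" | netdev_problems
# On a live host:      netdev_problems < /proc/net/dev
```

Rows with fewer than the 17 expected fields are skipped rather than mis-parsed, which is what happens with a capture cut off mid-line like the vmnet1 row above.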

How to increase space on a Ubuntu boot partition

How can I increase the space on an Ubuntu Boot Partition?

When trying to install packages on an Ubuntu server, apt refuses because the boot partition /dev/sda1 is full:

/dev/sda1       236M   236M  0M  100% /boot

By default Ubuntu creates a small separate /boot partition. With automatic updates enabled every new kernel adds another vmlinuz, initrd.img and System.map there, and old kernels are not purged automatically, so the partition eventually fills up. Resizing it is rarely necessary: removing the kernels you no longer boot frees the space.

To purge old kernels automatically, run crontab -e as root and add the following line at the bottom. It runs every Sunday night at 11:30 PM (day-of-week 0 is Sunday; 6 would be Saturday). The -y flag is required because cron has no terminal on which apt-get could ask for confirmation, and the full path avoids depending on cron's minimal PATH:

30 23 * * 0 /usr/bin/apt-get -y autoremove

autoremove keeps the running kernel and the newest installed one(s), so you also need to reboot from time to time; otherwise the kernel you booted months ago stays pinned and everything released since then accumulates next to it. Reboot at your earliest convenience to load the newest kernel, then run

# apt-get autoremove

to delete the older kernels already installed on the server.

If /boot is already at 100%, apt-get may fail part way, because dpkg cannot finish configuring the newest kernel when update-initramfs has no room to write its image. In that case purge one old kernel by hand first (dpkg --purge linux-image-<old version>), then run apt-get -f install followed by apt-get autoremove.
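As an added example (not from the original page), the following script works out which kernel packages are safe to remove when /boot is full: it keeps the running kernel and the newest installed one and lists everything else, oldest first, as candidates for an explicit purge. It is meant for the case where apt-get autoremove cannot run, or leaves kernels behind because they were not marked auto-installed. It assumes dpkg-query, uname and apt-get as found on Ubuntu; the function names and the CONFIRM and PURGE_OLD_KERNELS variables are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: decide which old kernel
# packages can go when /boot is full. Keeps the running kernel and the
# newest installed one; everything else is listed for purging. The list
# of package names is read from stdin, one per line, so the selection
# logic can be tested without dpkg.

# installed_kernel_images: names of installed linux-image-<version> packages.
# Meta packages such as linux-image-generic carry no version and are skipped later.
installed_kernel_images() {
    dpkg-query -W -f='${Package} ${Status}\n' 'linux-image-*' 2>/dev/null |
    awk '$NF == "installed" { print $1 }'
}

# list_old_kernels RUNNING_VERSION   < package names
# RUNNING_VERSION is the output of `uname -r`, e.g. 3.16.0-77-generic.
# Versions are compared numerically on major.minor.patch-abi so that
# 3.16.0-100 sorts after 3.16.0-77 (a plain text sort puts it first).
list_old_kernels() {
    running=$1
    awk '
        /^linux-image-[0-9]/ {
            v = $1; sub(/^linux-image-/, "", v)
            split(v, f, /[.-]/)
            printf "%05d.%05d.%05d.%05d %s %s\n", f[1], f[2], f[3], f[4], $1, v
        }' |
    LC_ALL=C sort |
    awk -v running="$running" '
        { pkg[NR] = $2; ver[NR] = $3 }
        END {
            # line NR is the newest kernel: always kept, as is the running one
            for (i = 1; i < NR; i++)
                if (ver[i] != running) print pkg[i]
        }'
}

# purge_old_kernels: dry run by default; CONFIRM=yes actually purges.
purge_old_kernels() {
    old=$(installed_kernel_images | list_old_kernels "$(uname -r)")
    if [ -z "$old" ]; then echo "nothing to purge"; return 0; fi
    echo "would purge:"; printf '  %s\n' $old
    if [ "${CONFIRM:-no}" = yes ]; then
        # word splitting of $old is intended: one package per word
        apt-get -y purge $old && update-grub
    fi
}

# PURGE_OLD_KERNELS=yes sh oldkernels.sh          (dry run)
# PURGE_OLD_KERNELS=yes CONFIRM=yes sh oldkernels.sh
if [ "${PURGE_OLD_KERNELS:-}" = yes ]; then
    purge_old_kernels
fi
```

Purging linux-image-<version> also takes the matching linux-image-extra package with it through its dependency; linux-headers-* packages are left alone since they live under /usr, not /boot. Always keep at least one kernel besides the running one so that a bad boot has a fallback.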

Info

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            990M  4.0K  990M   1% /dev
tmpfs           201M  716K  200M   1% /run
/dev/dm-0        15G  1.9G   12G  14% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
none            5.0M     0  5.0M   0% /run/lock
none           1001M     0 1001M   0% /run/shm
none            100M     0  100M   0% /run/user
/dev/sda1       236M   72M  152M  32% /boot

$ du -shcx /boot/*
1.2M /boot/abi-3.16.0-30-generic
1.2M /boot/abi-3.16.0-77-generic
169K /boot/config-3.16.0-30-generic
169K /boot/config-3.16.0-77-generic
6.7M /boot/grub
21M /boot/initrd.img-3.16.0-30-generic
21M /boot/initrd.img-3.16.0-77-generic
du: cannot read directory ‘/boot/lost+found’: Permission denied
12K /boot/lost+found
174K /boot/memtest86+.bin
175K /boot/memtest86+.elf
176K /boot/memtest86+_multiboot.bin
3.4M /boot/System.map-3.16.0-30-generic
3.4M /boot/System.map-3.16.0-77-generic
6.1M /boot/vmlinuz-3.16.0-30-generic
6.2M /boot/vmlinuz-3.16.0-77-generic
70M total


/var/cpanel/secdatadir/ip.pag file massive

Source: https://forums.cpanel.net/threads/var-cpanel-secdatadir-ip-pag-file-massive.565591/

ip.pag is the SDBM file behind ModSecurity's persistent IP collection. If it is never pruned it keeps growing, and because ModSecurity consults it on every request a huge file adds to server load and slows page loads.

Disabling mod_unique_id for ModSecurity stops the file from growing and from being scanned.

If you would rather keep it, install cPanel's SDBM maintenance package, which provides a tool for removing expired entries from the file and shrinking it:

yum install ea-modsec-sdbm-util

Running that tool periodically keeps the file in check if you choose not to disable mod_unique_id.