centos

DROWN security vulnerability

Protect yourself from the DROWN attack by updating your openssl package.
Red Hat patched openssl 1.0.1e:

# rpm -q --changelog openssl-1.0.1e-51.el7_2.4.x86_64 | head
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method

Go to https://drownattack.com/ for more info.

CentOS 7 DHCP + custom ‘search domain’

I’m running CentOS 7 on my workstation these days, and I like it a lot.
At work our DHCP setup hands out a DNS search domain for the domain containing our Windows hosts, but the Unix and Linux hosts I work with are in another domain.
In the NetworkManager GUI in GNOME 3 I can’t seem to figure out where to add this second search domain, so I’ve been adding it manually to resolv.conf after each boot …

Got tired of that, so I added:

DOMAIN='myDomain.no'

in /etc/sysconfig/network-scripts/ifcfg-eno1 and did a

systemctl restart network.service

Problem solved.

Thanks, superuser.com.

UPDATE 30th October 2015:
This does not work at all on my workstation at my new job.
I’m not using NetworkManager any more, not sure if that’s the reason though.

By setting SEARCH in /etc/sysconfig/network instead, things got a lot better:

# /etc/sysconfig/network
SEARCH='example.com sub.example.com'

View changelog for a package in Fedora/CentOS/Redhat

A really cool, and handy, feature of rpm is the ability to view the changelog for a package you’ve installed, or recently updated:

$ rpm -q --changelog gnome-shell | less

* Wed Apr 16 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-32
- Improve vertical monitor layouts
  Resolves: rhbz#1096186

* Wed Mar 19 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-31
- Fix some more background memory leaks
  Resolves: rhbz#1027192

* Wed Mar 12 2014 Ray Strode <rstrode@redhat.com> 3.8.4-30
- Fix automatic shield lifting when smartcard is inserted
  Resolves: #1063488

* Mon Mar 10 2014 Ray Strode <rstrode@redhat.com> 3.8.4-29
- Don't show user list if require smartcard is true
  Resolves: #1063390
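The openssl changelog in the DROWN post above and this gnome-shell one share the same rpm changelog layout, and on RHEL/CentOS that changelog is how you confirm a backported fix, since the version string alone does not say which CVEs are covered. Here is an added Python example (not from the original post) that parses rpm -q --changelog output into entries and lists the CVE ids it claims to fix; the sample text is the openssl changelog quoted above, and the header regex assumes the two header styles seen on this page.

```python
import re

# Header line of an rpm changelog entry, in both styles seen on this page:
#   * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
#   * Wed Apr 16 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-32
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3}\s+\d{1,2} \d{4}) (?P<author>.+?<[^>]+>)\s+(?:- )?(?P<version>\S+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Split 'rpm -q --changelog' output into entries: date, author, version, items."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            m = HEADER_RE.match(line)
            if m:
                entries.append(dict(m.groupdict(), items=[]))
        elif line.startswith("- ") and entries:
            entries[-1]["items"].append(line[2:].strip())
        elif line.startswith("  ") and entries and entries[-1]["items"]:
            # continuation line such as '  Resolves: rhbz#1096186'
            entries[-1]["items"][-1] += " " + line.strip()
    return entries

def fixed_cves(text):
    """All CVE ids named anywhere in the changelog items, sorted."""
    return sorted({cve for e in parse_changelog(text)
                   for item in e["items"] for cve in CVE_RE.findall(item)})

def has_fix(text, cve):
    """True if the changelog claims a fix for the given CVE (case-insensitive)."""
    return cve.upper() in fixed_cves(text)

# Sample input: the openssl changelog head shown in the DROWN post above.
SAMPLE = """\
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
"""

if __name__ == "__main__":
    print(fixed_cves(SAMPLE))
    print(has_fix(SAMPLE, "CVE-2015-3197"))
```

On a real host, feed it the output of rpm -q --changelog <package> instead of SAMPLE.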

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so) in CentOS 6.5

After updating packages in CentOS 6.5 proftpd started logging

proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so)

It seems the proftpd PAM config is wrong: it references pam_stack.so, which is exactly what the error says can no longer be loaded.
The non-working /etc/pam.d/proftpd config looks like this:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

When I instead use the following config, which I found on the internet, I got it working again:

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so

sources:
syamkumar-linux.blogspot.no
blog.justla.me

CentOS 6.x, fail2ban and proftpd

fail2ban in CentOS 6.x can sometimes be a bit troublesome, at least compared to the Debian/Ubuntu implementation (imho).
I suspect I’ve solved the CentOS 6.x, fail2ban and proftpd integration differently every time I’ve set it up, so this time I’ll write it down.
With this configuration I got fail2ban to ban failed proftpd FTP logins with the ‘default’ fail2ban config, apart from enabling the proftpd-iptables ‘jail’ in /etc/fail2ban/jail.conf:

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=root@localhost]
logpath  = /var/log/secure
maxretry = 4

What did the trick was to have proftpd log AUTH events to /var/log/secure, in the right format.
In /etc/proftpd.conf, comment out the default LogFormat auth directive and add your own (the inner quotes around %r must be escaped, as in the default line):

#LogFormat                      auth    "%v [%P] %h %t \"%r\" %s"
ExtendedLog /var/log/secure AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"
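To see what fail2ban has to work with once proftpd logs in this format, here is an added Python example (not from the original post) that parses lines in the custom layout above, counts failed password attempts per client and reports which hosts reached the jail’s maxretry of 4. The log lines are constructed, and the example ignores fail2ban’s findtime window, so it only shows the counting side of the filter.

```python
import re
from collections import Counter

# One line of the ExtendedLog with the custom format   %v %t "%r" [%h] %s
# i.e. vhost, [timestamp], "command", [client address], numeric FTP reply code.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" \[(?P<host>[^\]]+)\] (?P<status>\d{3})$'
)

def parse_line(line):
    """Return the fields of one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_logins(lines):
    """Count failed password attempts (PASS answered with 530) per client address."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "530" and rec["request"].upper().startswith("PASS"):
            fails[rec["host"]] += 1
    return fails

def hosts_to_ban(lines, maxretry=4):
    """Hosts that reached the jail's maxretry, i.e. what fail2ban would act on."""
    return sorted(h for h, n in failed_logins(lines).items() if n >= maxretry)

# Constructed sample log (not real traffic): one brute-forcer, one user who mistypes once.
SAMPLE_LOG = [
    'ftp.example.com [12/Sep/2013:15:09:31 +0200] "USER admin" [203.0.113.5] 331',
    'ftp.example.com [12/Sep/2013:15:09:31 +0200] "PASS (hidden)" [203.0.113.5] 530',
    'ftp.example.com [12/Sep/2013:15:09:33 +0200] "PASS (hidden)" [203.0.113.5] 530',
    'ftp.example.com [12/Sep/2013:15:09:35 +0200] "PASS (hidden)" [203.0.113.5] 530',
    'ftp.example.com [12/Sep/2013:15:09:37 +0200] "PASS (hidden)" [203.0.113.5] 530',
    'ftp.example.com [12/Sep/2013:15:10:02 +0200] "USER alice" [198.51.100.7] 331',
    'ftp.example.com [12/Sep/2013:15:10:04 +0200] "PASS (hidden)" [198.51.100.7] 530',
    'ftp.example.com [12/Sep/2013:15:10:09 +0200] "PASS (hidden)" [198.51.100.7] 230',
    'Sep 12 15:10:10 host sshd[1234]: unrelated line in /var/log/secure',
]

if __name__ == "__main__":
    print(dict(failed_logins(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```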

strace to the rescue

So I’m installing the latest Service Pack from HP on a ProLiant server running CentOS 6.4.
Running

# ./hpsum

just died with a return code of 127.

Strace is just great for situations like these.

# strace ./cpsum
[...]
old_mmap(0xb30c000, 195144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb30c000
brk(0xb33c000)                          = 0xb3d9000
open("/lib/ld-linux.so.2", O_RDONLY)    = -1 ENOENT (No such file or directory)

Sooo, I was missing some library. Finding the package that provides that lib is easy:

# yum provides /lib/ld-linux.so.2
[...]
glibc-2.12-1.107.el6_4.2.i686 : The GNU libc libraries
Repo        : updates
Matched from:
Filename    : /lib/ld-linux.so.2
[...]

hpsum is ELF 32-bit, and I’m running x86-64, so I had to install several 32-bit packages:

# yum install glibc.i686 libuuid.i686 libSM.i686 libXrender.i686 fontconfig.i686 zlib-1.2.3-29.el6.i686

Finding out which packages I needed was a matter of running hpsum and a mix of yum search / yum provides / yum install.
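The strace step above is the part that is easy to misread, because the dynamic loader probes several directories for every library and most of those probes legitimately fail with ENOENT. Here is an added Python example (not from the original post) that takes strace output and reports only the shared objects that were never successfully opened anywhere, which are the ones to hand to yum provides; the trace excerpt is constructed, not the real hpsum trace.

```python
import re
from collections import defaultdict

# An open()/openat() line from strace, optionally prefixed by a pid (strace -f), e.g.
#   open("/lib/ld-linux.so.2", O_RDONLY)    = -1 ENOENT (No such file or directory)
#   openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
OPEN_RE = re.compile(
    r'^(?:\d+\s+)?(?:open|openat)\((?:[A-Z_]+, )?"(?P<path>[^"]+)", [^)]*\)\s*=\s*(?P<ret>-?\d+)'
)

def missing_libs(trace):
    """Shared objects the traced program looked for but never managed to open.

    A single ENOENT is normal while the loader walks its search path; a library
    counts as missing only if every attempt to open it failed.
    """
    attempts = defaultdict(list)
    opened = set()
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("/", 1)[-1]
        if ".so" not in name:          # only care about shared objects
            continue
        if int(m.group("ret")) >= 0:   # a file descriptor: found in this directory
            opened.add(name)
        else:
            attempts[name].append(path)
    return {name: paths for name, paths in attempts.items() if name not in opened}

# Constructed strace excerpt (not the real hpsum trace): libc is found on the
# second probe, the 32-bit loader is not found anywhere, a config file is ignored.
SAMPLE_TRACE = """\
open("/lib/tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)          = 3
open("/etc/ld.so.cache", O_RDONLY)        = 3
open("/lib/ld-linux.so.2", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("/tmp/example.conf", O_RDONLY)       = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    for name, paths in missing_libs(SAMPLE_TRACE).items():
        print(f"{name}: tried {', '.join(paths)}")   # next step: yum provides <path>
```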

Disable IPv6 name lookups in CentOS

As a kind of follow-up on my previous post, I’ve been increasingly annoyed by how looong a puppet agent update on my CentOS hosts takes. For example, I’m up to 120 seconds for my LAMP puppet profiles.
I suspected yum to be the slowdown, but my previous post from today gave me a hint that maybe puppet does some IPv6’ish stuff too.
I had a look at

 # tcpdump -vvvvv 'port 53'

while doing a puppet update, and I see a lot of:

[myhostname].42349 > ns1.[mydomain].domain: [bad udp cksum 5599!] 18560+ AAAA? puppet.[mudomain]. (36)
15:09:33.326822 IP (tos 0x0, ttl 64, id 61459, offset 0, flags [none], proto UDP (17), length 133)
    ns1.[mydomain].domain > [myhostname].42349: [udp sum ok] 18560 q: AAAA? puppet.[mydomain]. 0/1/0 ns: [mydomain]. [50m40s] SOA ns1.[my SOA]. hostmaster.[my SOA]. 1378837114 14400 3600 777600 3600 (105)

So those AAAA requests do indeed look like IPv6 lookups are happening.
Looking at the resolv.conf man page, and with help from wiki.echochat.org, I tried adding to
resolv.conf:

[...]
options single-request-reopen
[...]

and suddenly puppet agent update took roughly 3 seconds instead of 120 seconds …
Cool! 🙂

CentOS http and php

Setting up Apache, MySQL and PHP on a CentOS box. CentOS defaults to

short_open_tag = Off
in php.ini. This means if you’re like me and throw up a phpinfo.php script to test PHP after installation, remember to either set this setting to On, or remember to use the full <?php opening tag at the top of your PHP scripts (I’ve gotten lazy, haven’t done that for a while).
While I’m at it, got to rant a bit about this:
Debian just makes it all so much easier configuring Apache!!