Fix GHOST: glibc vulnerability CVE-2015-0235

On January 27, 2015, Red Hat Product Security released details of a critical vulnerability in glibc known as GHOST. It was assigned CVE-2015-0235 and is a buffer overflow bug in the gethostbyname() and gethostbyname2() function calls of the glibc library, hence the name GHOST (from GetHOSTbyname).

Fortunately the fix is easy: it just involves running a yum update on the system. On CentOS, RHEL or Fedora we can check the installed RPM version using:

rpm -q glibc

To fix this glibc vulnerability you simply need to run:

yum update glibc

and reboot the system. If rebooting is not possible we can instead restart all the services that use glibc. To determine which services need to be restarted we can run this command:

lsof +c 15 | grep libc- | awk '{print $1}' | sort -u

The output should be something similar to this:

[root@CentOS ~]# lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
agetty
auditd
avahi-daemon
awk
bash
crond
dbus-daemon
gdbus
gmain
grep
in:imjournal
iprdump
iprinit
iprupdate
JS
lsof
master
mysqld
mysqld_safe
NetworkManager
nginx
php-fpm
pickup
polkitd
qmgr
rs:main
rsyslogd
runaway-killer-
sort
sshd
systemd
systemd-journal
systemd-logind
systemd-udevd
tuned

Restarting the public-facing services is a temporary fix for those particular services, but the best way to go is to reboot the machine.

Once that's done we can check the version again and make sure we're safe:

[root@CentOS ~]# rpm -qa | grep glibc
glibc-2.17-55.el7_0.5.x86_64
glibc-common-2.17-55.el7_0.5.x86_64
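As an added example (not from the original post), the version check and the restart list above as reusable shell functions: one compares the installed glibc version-release against the fixed el7 build shown in the output above, and the other drops the lsof pipeline's own short-lived commands (lsof, grep, awk and sort, all visible in the listing above) so that only long-running processes remain. The function names and the fixed version string are this example's assumptions; the string is the one from the output above and only applies to CentOS/RHEL 7, other releases have their own fixed builds listed in the Red Hat advisory.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the GHOST
# (CVE-2015-0235) checks. Function names and the el7 fixed version are
# assumptions of this example; the version string is the one shown above.

# glibc build that carries the fix on CentOS/RHEL 7 (from the post's output).
GHOST_FIXED_EL7="2.17-55.el7_0.5"

# rpm_version_release "glibc-2.17-55.el7_0.5.x86_64" -> "2.17-55.el7_0.5"
# Strips the package name and the trailing architecture from one line of
# `rpm -q glibc` output (multilib hosts print one line per architecture).
rpm_version_release() {
    printf '%s\n' "$1" | sed -e 's/^glibc-//' -e 's/\.[^.]*$//'
}

# glibc_is_fixed "<version-release>" -> exit 0 when it is at or above the
# fixed build. sort -V (coreutils) gives a version-aware comparison, which is
# sufficient within one release branch (2.17-55.el7_0.3 < 2.17-55.el7_0.5).
glibc_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$GHOST_FIXED_EL7" | sort -V | head -n 1)
    [ "$lowest" = "$GHOST_FIXED_EL7" ]
}

# The post's lsof pipeline also reports its own short-lived commands; filter
# them out so the remaining names are services worth restarting. Reads
# process names on stdin, one per line, as printed by that pipeline.
filter_transient() {
    grep -v -x -E 'lsof|grep|awk|sort'
}

# Live listing of processes with the old libc mapped (needs root to see all).
glibc_users() {
    lsof +c 15 | grep 'libc-' | awk '{print $1}' | sort -u | filter_transient
}

# Usage on a real host (not run here):
#   rel=$(rpm_version_release "$(rpm -q glibc | head -n 1)")
#   if glibc_is_fixed "$rel"; then echo "glibc $rel is patched"; \
#   else echo "run: yum update glibc, then reboot"; fi
#   glibc_users            # what still needs a restart if you cannot reboot
```

A process missing from the filtered list is not necessarily safe: the pipeline only sees processes that currently have the old library mapped, so a reboot remains the only way to be certain every process, including freshly forked ones, picked up the new glibc.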

https://access.redhat.com – CVE-2015-0235

Disable SELinux on CentOS 7

How to disable SELinux on CentOS 7 or most Linux operating systems?

SELinux stands for Security-Enhanced Linux and is a Linux kernel security module that provides a mechanism for supporting access control security policies. If you have recently installed CentOS 7 (this also works for CentOS 4, 5 and 6) and you don't want to use SELinux, the easiest way is to disable it first and then make sure it won't start again on reboot.

We can verify the status using sestatus, which returns enabled along with some variables, or disabled if it's already turned off:


[root@server ~]# sestatus
SELinux status: disabled

To stop it enforcing for the time being, until the machine is rebooted, we can simply use the setenforce command:


[root@server ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

Simply running setenforce Permissive from the shell as root:

[root@server ~]# setenforce Permissive

OR:

[root@server ~]# setenforce 0

should do the trick, but we also need to make the change permanent. To do this we edit SELinux's configuration file, located at /etc/sysconfig/selinux, and set the SELINUX variable to disabled:

[root@server ~]# vi /etc/sysconfig/selinux

After saving the file and exiting the editor SELinux should be off and shouldn't interfere unless you enable it again. It is recommended to reboot the machine after switching SELinux between modes. If you plan to install cPanel/WHM on the machine this is a mandatory step: cPanel/WHM doesn't work with SELinux set to Enforcing (1).

Please note that disabling SELinux on CentOS 7 doesn't by itself mean the machine will be less protected, but the OS will be more permissive. For example, a user would be able to set 777 permissions on sensitive files such as SSH keys, which means other users would be able to read them.
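As an added example (not from the original post), the configuration-file step done with a script instead of an interactive editor, so the edit only touches the uncommented SELINUX= line, can be re-run safely and is verified afterwards. The functions are tried against a constructed excerpt of the file in the same KEY=value format; the function names are this example's own, and the path /etc/sysconfig/selinux is the one named above. The same function accepts permissive, which keeps the policy loaded and denials logged while nothing is blocked, for the case where that is all you need.

```shell
#!/bin/sh
# Added example, not from the original post: set the SELINUX= mode in the
# config file without an interactive editor. Function names are this
# example's assumptions; /etc/sysconfig/selinux is the file named above.

# selinux_config_mode <file>: print the active SELINUX= value (commented
# example lines such as "#     SELINUX=..." are ignored).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# set_selinux_config_mode <file> <enforcing|permissive|disabled>
# Rewrites the SELINUX= line in place (GNU sed -i), appends one if the file
# has none, and verifies the result; exit 1 if the mode did not stick.
set_selinux_config_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode: $mode" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$file"; then
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

# write_sample_selinux_config <file>: constructed excerpt in the real file's
# format, used so the functions can be tried without touching the system.
write_sample_selinux_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# On the real host (needs root), the two steps from the post:
#   setenforce 0                                              # until next reboot
#   set_selinux_config_mode /etc/sysconfig/selinux disabled   # across reboots
# then reboot so the running state and the config file agree.
```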

Read more about SELinux:

SELinux on Wikipedia
HowTos SELinux

How To Add swap on CentOS 7

What is swap?

Swap space on Linux is an area on the machine's hard drive where the operating system writes data that cannot be held in memory. Swap is usually used when the physical memory (RAM) is full. If the system needs more memory and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on the hard drives, which have a slower access time than physical memory. Because of this, relying on swap all the time isn't recommended and its use should be limited.

Pre-flight checks

After installing the OS (in this case CentOS 7) we'll need to log in to the machine from the console or over SSH. Before doing anything we should check a few things to make sure we have enough room for swap and that swap isn't already enabled. This can be done with the swapon utility, using the -s flag, which prints the status:

[root@web ~]# swapon -s

If this returns no output then we don't have swap. Next we'll check RAM usage using the free utility with the -m parameter (values in MB):

[root@web ~]# free -mo
             total       used       free     shared    buffers     cached
Mem:           994        851        142          6         39        218
Swap:            0          0       1023

Since swap will be written to disk we need to check that we have enough disk space available. To do so we use df with the -h parameter (human-readable format):

[root@web ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda1        30G  2.7G   26G  10% /
devtmpfs        490M     0  490M   0% /dev
tmpfs           498M     0  498M   0% /dev/shm
tmpfs           498M  6.5M  491M   2% /run
tmpfs           498M     0  498M   0% /sys/fs/cgroup

We have plenty of disk space for this task, so we can proceed to the next step.

How to enable swap on CentOS 7

We'll create a 1GB swap file called swap in the / directory. To do this we'll use fallocate:

fallocate -l 1G /swap

The swap file should be created almost instantly and you should see the command prompt again. We can check that the swap file was created using ls:

[root@web ~]# ls -lh /swap
-rw------- 1 root root 1.0G Jan 18 03:22 /swap

Before proceeding we need to secure it, so that only root can read or write it, using chmod:

chmod 600 /swap

We have the file that will be used as swap and now need to tell the operating system to use it. To do so we use mkswap, which should return something similar to this:

[root@web ~]# mkswap /swap
Setting up swapspace version 1, size = 1048572 KiB
no label, UUID=df691846-69f2-4157-86a6-4002cadef825

We now have a swap space and we can enable it using swapon:

swapon /swap

swapon -s should reflect this change, along with free -m:

[root@web ~]# swapon -s
Filename                                Type            Size    Used    Priority
/swap                                   file            1048572 0       -1
[root@web ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           994        851        142          6         40        219
-/+ buffers/cache:        592        401
Swap:         1023          0       1023

This means we have successfully enabled swap on the machine; however we need to make sure it is enabled again on reboot. To do so we'll edit /etc/fstab using your favourite editor (vi in this case):

vi /etc/fstab

and add the following line:

/swap swap swap sw 0 0

We have successfully enabled swap on CentOS 7 which should start on reboot.
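As an added example (not from the original post), the whole procedure above as one script: it refuses to run when the file is already active swap or when the target filesystem lacks the space, locks the file down to root before mkswap writes to it, and appends the fstab line only if it is not already there, so the script can be re-run without leaving duplicate entries. The function names, SWAPFILE and SWAPSIZE_MIB are this example's assumptions; the commands are the ones used above and need root. One caveat from swapon(8) worth knowing: on some filesystems a file preallocated with fallocate can be rejected by swapon as having holes, in which case writing it with dd from /dev/zero is the portable alternative.

```shell
#!/bin/sh
# Added example, not from the original post: the swap-file procedure above as
# one script with the pre-flight checks, and an fstab edit that is safe to
# re-run. Function names, SWAPFILE and SWAPSIZE_MIB are this example's
# assumptions; the commands are the ones used in the post (needs root).

SWAPFILE=/swap
SWAPSIZE_MIB=1024   # 1 GiB, as in the post

# free_mib_on <path>: MiB available on the filesystem that holds <path>.
free_mib_on() {
    df -Pm "$1" | awk 'NR == 2 { print $4 }'
}

# fstab_has_swap <fstab> <file>: exit 0 if an uncommented entry for <file>
# already exists (the post's "/swap swap swap sw 0 0" line).
fstab_has_swap() {
    grep -q -E "^[[:space:]]*$2[[:space:]]+swap[[:space:]]+swap" "$1"
}

# fstab_add_swap <fstab> <file>: append the entry only when missing, so running
# the script twice does not leave a duplicate line.
fstab_add_swap() {
    fstab_has_swap "$1" "$2" || printf '%s swap swap sw 0 0\n' "$2" >> "$1"
}

# swap_active <file>: exit 0 if <file> is already listed by `swapon -s`.
swap_active() {
    swapon -s 2>/dev/null | awk -v f="$1" 'NR > 1 && $1 == f { found = 1 } END { exit !found }'
}

# create_swapfile: the post's steps in order, with the checks it describes.
# The file is restricted to root *before* mkswap writes anything into it.
create_swapfile() {
    if swap_active "$SWAPFILE"; then
        echo "$SWAPFILE is already active swap"
        return 0
    fi
    avail=$(free_mib_on "$(dirname "$SWAPFILE")")
    if [ "$avail" -le "$SWAPSIZE_MIB" ]; then
        echo "only ${avail} MiB free, need more than ${SWAPSIZE_MIB} MiB" >&2
        return 1
    fi
    fallocate -l "${SWAPSIZE_MIB}M" "$SWAPFILE"
    chmod 600 "$SWAPFILE"
    mkswap "$SWAPFILE"
    swapon "$SWAPFILE"
    fstab_add_swap /etc/fstab "$SWAPFILE"
    swapon -s
}

# Run as root on the host:  create_swapfile
```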

Exim Cheatsheet

I'm gathering a list of useful commands to use on an Exim 4.x server (with cPanel). Exim is the default Mail Transfer Agent on cPanel servers and you should have at least a basic idea of how it works before using them.

File locations and Message-IDs

Exim uses Message-IDs to refer to messages in the queue. These IDs are mixed-case alphanumeric and take the form XXXXXX-YYYYYY-ZZ (e.g. 1YDDgQ-000Cjf-CS). Most commands interact with the queue based on these IDs if you choose to use exim or exim's tools to manage them. The messages are stored in files located under the following default paths on your system, and there are three files for each message, so if your queue has 10,000 emails you're looking at 30,000 used inodes.

/var/spool/exim/msglog
Contains logging information for each message; the files have the same name as the message-ID
/var/spool/exim/input
Contains the header and data files, named after the message-ID with a suffix indicating whether it is a header file (-H) or a data file (-D)

The msglog and input folders contain multiple subfolders, which help with large mail queues and avoid the problems caused by a high number of files in a single folder.

Basic Queue information

Print the amount of messages in the queue:
root@mail [~]# exim -bpc

Print more details from the queue like time in the queue, size of the message, message-ID, sender, recipient along with status:
root@mail [~]# exim -bp

Print stats based on the latest mail log:
root@mail [~]# eximstats /var/log/exim_mainlog

Print exim’s configuration:
root@mail [~]# exim -bP

Print what exim’s doing:
root@mail [~]# exiwhat

View headers for one message:
root@mail [~]# exim -Mvh [message ID]

View body for one message:
root@mail [~]# exim -Mvb [message ID]

Using exiqgrep to search the queue

Search for messages sent from sender at domain.com:
root@mail [~]# exiqgrep -f [sender]@domain.com

Search for messages sent TO recipient at domain.com:
root@mail [~]# exiqgrep -r [recipient]@domain.com

Print all message IDs from the queue:
root@mail [~]# exiqgrep -i

Search for messages older than 12 hours:
root@mail [~]# exiqgrep -o 43200

Search for messages newer than 12 hours:
root@mail [~]# exiqgrep -y 43200

Manage the queue

Start a queue run:
root@mail [~]# exim -q -v

Force a queue run:
root@mail [~]# exim -qff

Start a queue run for local deliveries only:
root@mail [~]# exim -ql -v

Remove one or more messages from the queue:
root@mail [~]# exim -Mrm [message ID1] [message ID2] [message ID3]

Remove messages sent by jonathan@domain.com:
root@mail [~]# exiqgrep -i -f 'jonathan@domain.com' | xargs exim -Mrm

Remove all frozen messages from the queue:
root@mail [~]# exiqgrep -z -i | xargs exim -Mrm

Remove all messages from the queue:
root@mail [~]# exiqgrep -i | xargs exim -Mrm

If you have 999999999 emails in the queue due to an account compromise or a problem with your mailing system, the above method might be slow. You can instead remove the queue contents manually, folders and files included, and re-create them, with minimal downtime to the mail service (this discards every queued message, legitimate ones included):
root@mail [~]# mv /var/spool/exim /var/spool/exim.OLD
root@mail [~]# mkdir -p /var/spool/exim/input
root@mail [~]# mkdir -p /var/spool/exim/msglog
root@mail [~]# mkdir -p /var/spool/exim/db
root@mail [~]# chown -R exim:exim /var/spool/exim/
root@mail [~]# /etc/init.d/exim restart
root@mail [~]# rm -rf /var/spool/exim.OLD
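As an added example (not part of the cheatsheet), two things that come up when the queue fills up: a summary of `exim -bp` output that shows which sender is responsible for most of the queued mail (the usual first clue to a compromised account) together with the frozen message IDs, and a wrapper that only hands well-formed IDs of the XXXXXX-YYYYYY-ZZ shape to `exim -Mrm`. The queue listing it is tried on is constructed in the format of `exim -bp` as described above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the cheatsheet: summarise `exim -bp` output and
# validate message-IDs before they reach `exim -Mrm`. Function names are this
# example's assumptions; the sample listing below is constructed.

# Message-IDs are XXXXXX-YYYYYY-ZZ, mixed-case alphanumeric (see above).
is_message_id() {
    printf '%s\n' "$1" | grep -q -E '^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$'
}

# Header lines of `exim -bp` look like:  " 25m  1.2K 1YDDgQ-000Cjf-CS <sender>"
# optionally followed by "*** frozen ***"; recipient lines are indented.
# queue_ids: print every message-ID in the listing (reads stdin).
queue_ids() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }'
}

# queue_senders: "count <sender>" per envelope sender, busiest first.
queue_senders() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { n[$4]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# queue_frozen: IDs of frozen messages only.
queue_frozen() {
    awk '/\*\*\* frozen \*\*\*/ && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }'
}

# safe_remove: read IDs on stdin and delete only the well-formed ones, so a
# stray option or garbage line from a pipeline never reaches exim -Mrm.
safe_remove() {
    while read -r id; do
        if is_message_id "$id"; then exim -Mrm "$id"; else echo "skipping '$id'" >&2; fi
    done
}

# Constructed `exim -bp` listing for trying the functions offline.
sample_queue() {
    cat <<'EOF'
 25m  1.2K 1YDDgQ-000Cjf-CS <jonathan@domain.com>
          alice@example.net

 40m  1.1K 1YDDgR-000Cjg-DT <jonathan@domain.com>
          bob@example.net

  3h  2.3K 1YDDaa-000Cab-AB <news@example.org> *** frozen ***
          carol@example.net

  5h   890 1YDDbb-000Cbc-BC <jonathan@domain.com>
        D dave@example.net
EOF
}

# On a real server:
#   exim -bp | queue_senders | head           # who is filling the queue
#   exim -bp | queue_frozen | safe_remove     # same as exiqgrep -z -i | xargs exim -Mrm
```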

Documentation:

Exim Internet Mailer – Exim Homepage
Exim Utilities
Exim Command Line

Install CSF on CentOS with cPanel/WHM

We've just finished installing cPanel/WHM on a CentOS machine, so the next logical step is to install some security protection. The tool of choice nowadays is CSF (ConfigServer Security & Firewall), an SPI iptables firewall developed by Way to the Web Limited. This short guide describes how to install CSF on CentOS and verify that it is working properly.

The first step is to download CSF from their site using wget. The output should look similar to this:

[root@web ~]# wget http://www.configserver.com/free/csf.tgz
--2015-01-25 02:34:51-- http://www.configserver.com/free/csf.tgz
Resolving www.configserver.com (www.configserver.com)... 85.13.195.235
Connecting to www.configserver.com (www.configserver.com)|85.13.195.235|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://download.configserver.com/csf.tgz [following]
--2015-01-25 02:34:51-- http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 601886 (588K) [application/x-gzip]
Saving to: ‘csf.tgz’
100%[==================================================================================================================>] 601,886 489KB/s in 1.2s
2015-01-25 02:34:52 (489 KB/s) - ‘csf.tgz’ saved [601886/601886]

It's a small file so the download should finish almost immediately. Next we'll extract the archive using tar, change into the directory and install CSF on CentOS:

[root@web ~]# tar -xzf csf.tgz
[root@web ~]# cd csf
[root@web csf]# sh install.sh

We then edit the configuration file located at /etc/csf/csf.conf and add our SSH port to the allowed-ports list (in case we're using something other than the default 22). Once that's done and we've gone through all the options in the configuration file we can set the following variable:

TESTING = "0"

and restart the service using csf -r. This disables testing mode and the firewall is ready for use.
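As an added example (not from the original post and not ConfigServer's own tooling), the two csf.conf edits described above done as idempotent shell functions against a constructed excerpt of the file, so the result can be checked before the same functions are pointed at /etc/csf/csf.conf. It assumes csf.conf's `KEY = "value"` line format and the TCP_IN (allowed inbound TCP ports) and TESTING keys; the function names and the sample port 2222 are this example's own. Adding the SSH port before leaving testing mode matters because once TESTING is "0" the firewall rules persist, and a missing SSH port would lock the administrator out.

```shell
#!/bin/sh
# Added example, not from the original post or from ConfigServer: edit the
# csf.conf settings mentioned above on a constructed copy of the file.
# Assumes csf.conf's `KEY = "value"` format and the TCP_IN/TESTING keys;
# function names are this example's own.

# csf_get <file> <key>: print the quoted value of  KEY = "value".
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_set <file> <key> <value>: replace the quoted value in place (GNU sed -i);
# refuses to touch a key that is not in the file rather than appending one.
csf_set() {
    grep -q "^$2[[:space:]]*=" "$1" || { echo "$2 not found in $1" >&2; return 1; }
    sed -i "s/^\($2[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$3\"/" "$1"
}

# csf_allow_tcp_in <file> <port>: append a port to TCP_IN unless already listed.
csf_allow_tcp_in() {
    ports=$(csf_get "$1" TCP_IN)
    case ",$ports," in
        *",$2,"*) return 0 ;;
    esac
    csf_set "$1" TCP_IN "${ports},$2"
}

# csf_first_pass <file> <ssh-port>: the order from the post, open the SSH
# port first, then leave testing mode. Follow with `csf -r` on the host.
csf_first_pass() {
    csf_allow_tcp_in "$1" "$2"
    csf_set "$1" TESTING 0
}

# write_sample_csf_conf <file>: constructed excerpt in csf.conf's format,
# not the real shipped file, so the functions can be tried offline.
write_sample_csf_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt in csf.conf's format; not the real shipped file
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
}

# On the real host (root):  csf_first_pass /etc/csf/csf.conf 2222 && csf -r
```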

There are many options; we can also configure the alerts and the content of the messages we receive by email by altering the template files within the /etc/csf/ folder.