Rsync remote attack - CVE-2014-9512

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.

 

Timeline

January 5, 2015 MITRE reserved CVE
February 12, 2015 NVD published advisory


GHOST: glibc vulnerability (CVE-2015-0235)

Background Information

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

Impact

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

A list of affected Linux distros

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

Resolution

Update the glibc and nscd packages on your system using:

Fix for CentOS/RHEL/Fedora 5,6,7:

  • yum update glibc
  • Restart ALL running services or reboot the server as an alternative.

Fix for Ubuntu:

  • sudo apt-get clean
  • sudo apt-get update
  • sudo apt-get dist-upgrade
  • sudo reboot
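If you restart services instead of rebooting, the following added example (not part of the original article) shows one way to find the processes that still run on the old glibc. It relies on /proc/<pid>/maps marking a replaced library as "(deleted)"; the function names and the sample maps content are constructed for illustration.

```shell
#!/bin/sh
# Added example: after glibc is updated, list the processes that still run on
# the old, replaced libc and therefore still need a restart.
# The package manager unlinks the old libc file, but a running process keeps it
# mapped; /proc/<pid>/maps then shows the mapping with a " (deleted)" suffix.

# Reads the text of one /proc/<pid>/maps file on stdin.
# Returns 0 if an executable mapping of libc points at a deleted file, else 1.
maps_has_stale_libc() {
    awk '
        # fields: address perms offset dev inode pathname ["(deleted)"]
        NF >= 7 && $2 ~ /x/ && $6 ~ "/libc[-.][^/]*$" && $NF == "(deleted)" { stale = 1 }
        END { exit (stale ? 0 : 1) }
    '
}

# Walks /proc on the live system and prints "PID command" for every process
# that still maps the old libc. Run as root to see all processes.
list_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if cat "$maps" 2>/dev/null | maps_has_stale_libc; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
        fi
    done
}

# Constructed sample: a process started before the update (old libc unlinked).
sample_maps_before_restart() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 fd:01 131093 /usr/sbin/exampled
7f3a1c000000-7f3a1c18a000 r-xp 00000000 fd:01 393229 /lib64/libc-2.12.so (deleted)
7f3a1c18a000-7f3a1c38a000 ---p 0018a000 fd:01 393229 /lib64/libc-2.12.so (deleted)
7f3a1c5a0000-7f3a1c5c0000 r-xp 00000000 fd:01 393301 /lib64/ld-2.12.so (deleted)
EOF
}

# Constructed sample: the same process after it was restarted. The deleted
# libcap mapping must not be mistaken for libc.
sample_maps_after_restart() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 fd:01 131093 /usr/sbin/exampled
7f9b40000000-7f9b4018a000 r-xp 00000000 fd:01 401877 /lib64/libc-2.12.so
7f9b40400000-7f9b40407000 r-xp 00000000 fd:01 401912 /lib64/libcap.so.2.16 (deleted)
EOF
}

# Demonstration on the constructed samples only.
if sample_maps_before_restart | maps_has_stale_libc; then
    echo "before restart: still on the old libc"
fi
if ! sample_maps_after_restart | maps_has_stale_libc; then
    echo "after restart: current libc"
fi
```

On a patched server, call list_stale_libc_processes as root; an empty result means every running process has picked up the new library.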

How can I test or preview my website before switching DNS?

 

  1. Locate the HOSTS file on your computer. Typically it is in one of the following locations:
    • Windows NT/2000/XP/2003/Vista/7 – C:\windows\system32\drivers\etc\hosts
    • Windows 95/98/Me – C:\windows\hosts
  2. Open this file with a text editor such as Notepad or Wordpad.
    • Right-click on Notepad and select the option to Run as Administrator; otherwise you may not be able to open this file. (In Windows 7, press and hold Ctrl+Shift while opening Notepad/Wordpad.) Then open the file. Consider performing a “Save As” so you have an original copy of the file that you can restore later. You will see two columns of information, the first containing IP addresses and the second containing host names. By default, a Windows hosts file should be similar to the following:

    • Filename: hosts

      127.0.0.1 localhost


      You can add additional lines to this file that will point requests for a particular domain to your new server’s IP address.

      Example:


      Filename: hosts

      127.0.0.1 localhost
      123.123.123.123 example.com

  3. Save your changes (be sure to save as a hosts file, not as a text file).
    Windows wants to save it as text (.txt), so you need to:

    1. Change “Save as type” to “All Files” and then
    2. Click on hosts (the original file).
  4. Restart any currently open browsers.
  5. You may also want to flush your DNS cache. In Windows XP, go to Start, and then Run, then type “cmd” and hit Enter.
    Type the following: ipconfig /flushdns
  6. In your web browser you should see your site as it appears on your testing server when typing http://example.com/ but still be able to see the site on its current web server by visiting http://www.example.com/

How to Edit Your Hosts File on an Apple Macintosh Using Mac OSX

Let us assume for this example your testing server has an IP address 123.123.123.123 and you wish to visit that server when you type “http://example.com” into a web browser but still wish to see the site as the rest of the World Wide Web does when you enter “http://www.example.com” into your browser instead.

  1. Open Terminal, which is in Applications, then the Utilities folder. To do this go to the Finder (Desktop) and from the main menu bar at the top of the screen choose “Go” and then “Utilities”. Find the Terminal application icon and double click.
  2. You may want to first make a backup copy of your existing hosts file:
    sudo cp /private/etc/hosts /private/etc/hosts-orig

    Enter your user password at the prompt. Then type the following command to edit your hosts file:

    sudo nano /private/etc/hosts

    Enter your user password at the prompt if asked.

  3. You will see a file with contents similar to the following:

    Filename: hosts

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost

    Using the arrow keys on your keyboard, navigate around this file and add your domain and IP address to the bottom of the file. For example:

    Filename: hosts

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
    123.123.123.123 example.com


  4. When done editing the hosts file, press the keyboard combination Control+O to save the file.
    Then press Enter at the filename prompt to confirm the Save operation. Finally press the keyboard combination Control-X to exit the editor. You may also need to grant yourself sudo privileges, if you got a permission error in Step 2. In your “Help” menu, search for “root” and select the instructions for “Enabling the root user.” Follow those instructions.
  5. Restart any currently open browsers. You may also want to flush your DNS cache.
    Type the following command into your Terminal window: dscacheutil -flushcache
  6. In your web browser you should see your site as it appears on your testing server when typing http://example.com/ but still be able to see the site on its current web server by visiting http://www.example.com/

How do I assign additional IP addresses in RedHat/CentOS?

If you are using cPanel, you should add the IP addresses through WHM. Do not follow these instructions if you are using cPanel.

If you want to assign the addresses 3.2.1.1 – 3.2.1.20 to your server, you will need to create a RANGE file.

cd /etc/sysconfig/network-scripts
ls ifcfg-eth1-range*

If you already have a range file, you will need to create a new one for the new range of IPs you are adding, e.g. ‘nano ifcfg-eth1-range1’. If you have one named range1, name the next range2 and so on.

nano ifcfg-eth1-range1

Place the following text in the file, substituting the first and last address of your own range:

IPADDR_START=192.168.0.10
IPADDR_END=192.168.0.110
CLONENUM_START=0

Note: CLONENUM_START defines where the alias will start. If this is the second range file, you will need to set CLONENUM_START to a value higher than the number of IP addresses assigned. To check what you currently have used, you can run ‘ifconfig -a | grep eth1’. This will list devices such as eth1:0, eth1:1, eth1:2, and so on. If you are currently using up to eth1:16, you will need to set CLONENUM_START to 17 to assign the IPs correctly.

How to Optimize MySQL

CentOS
There is a default my.cnf that comes with MySQL (4+5) that will make MySQL run a bit quicker if you have 2+ GB of RAM:

cp -f /usr/share/mysql/my-large.cnf /etc/my.cnf

There is also my-huge.cnf, or my-medium.cnf depending on your hardware setup. Check the contents of these my*.cnf files for the one that’s right for you.

*NOTE* the log-bin option is enabled  by default.  This will quickly use a lot of disk space.  It’s recommended to comment out the log-bin line from your /etc/my.cnf, if it exists.

 

Remember to restart mysql when you are done with your my.cnf tweaking:

Redhat: /sbin/service mysqld restart

FreeBSD: /usr/local/etc/rc.d/mysqld restart

Linux is just the kernel, GNU is the OS.

This is an interesting read and some old history copied from http://www.gnu.org/gnu/linux-and-gnu.html

Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called “Linux”, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.

There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux” distributions are really distributions of GNU/Linux.

Many users do not understand the difference between the kernel, which is Linux, and the whole system, which they also call “Linux”. The ambiguous use of the name doesn’t help people understand. These users often think that Linus Torvalds developed the whole operating system in 1991, with a bit of help.

Programmers generally know that Linux is a kernel. But since they have generally heard the whole system called “Linux” as well, they often envisage a history that would justify naming the whole system after the kernel. For example, many believe that once Linus Torvalds finished writing Linux, the kernel, its users looked around for other free software to go with it, and found that (for no particular reason) most everything necessary to make a Unix-like system was already available.

What they found was no accident—it was the not-quite-complete GNU system. The available free software added up to a complete system because the GNU Project had been working since 1984 to make one. In The GNU Manifesto we set forth the goal of developing a free Unix-like system, called GNU. The Initial Announcement of the GNU Project also outlines some of the original plans for the GNU system. By the time Linux was started, GNU was almost finished.

Most free software projects have the goal of developing a particular program for a particular job. For example, Linus Torvalds set out to write a Unix-like kernel (Linux); Donald Knuth set out to write a text formatter (TeX); Bob Scheifler set out to develop a window system (the X Window System). It’s natural to measure the contribution of this kind of project by specific programs that came from the project.

If we tried to measure the GNU Project’s contribution in this way, what would we conclude? One CD-ROM vendor found that in their “Linux distribution”, GNU software was the largest single contingent, around 28% of the total source code, and this included some of the essential major components without which there could be no system. Linux itself was about 3%. (The proportions in 2008 are similar: in the “main” repository of gNewSense, Linux is 1.5% and GNU packages are 15%.) So if you were going to pick a name for the system based on who wrote the programs in the system, the most appropriate single choice would be “GNU”.

But that is not the deepest way to consider the question. The GNU Project was not, is not, a project to develop specific software packages. It was not a project to develop a C compiler, although we did that. It was not a project to develop a text editor, although we developed one. The GNU Project set out to develop a complete free Unix-like system: GNU.

Many people have made major contributions to the free software in the system, and they all deserve credit for their software. But the reason it is an integrated system—and not just a collection of useful programs—is because the GNU Project set out to make it one. We made a list of the programs needed to make a complete free system, and we systematically found, wrote, or found people to write everything on the list. We wrote essential but unexciting (1) components because you can’t have a system without them. Some of our system components, the programming tools, became popular on their own among programmers, but we wrote many components that are not tools (2). We even developed a chess game, GNU Chess, because a complete system needs games too.

By the early 90s we had put together the whole system aside from the kernel. We had also started a kernel, the GNU Hurd, which runs on top of Mach. Developing this kernel has been a lot harder than we expected; the GNU Hurd started working reliably in 2001, but it is a long way from being ready for people to use in general.

Fortunately, we didn’t have to wait for the Hurd, because of Linux. Once Torvalds freed Linux in 1992, it fit into the last major gap in the GNU system. People could then combine Linux with the GNU system to make a complete free system — a version of the GNU system which also contained Linux. The GNU/Linux system, in other words.

Making them work well together was not a trivial job. Some GNU components(3) needed substantial change to work with Linux. Integrating a complete system as a distribution that would work “out of the box” was a big job, too. It required addressing the issue of how to install and boot the system—a problem we had not tackled, because we hadn’t yet reached that point. Thus, the people who developed the various system distributions did a lot of essential work. But it was work that, in the nature of things, was surely going to be done by someone.

The GNU Project supports GNU/Linux systems as well as the GNU system. The FSF funded the rewriting of the Linux-related extensions to the GNU C library, so that now they are well integrated, and the newest GNU/Linux systems use the current library release with no changes. The FSF also funded an early stage of the development of Debian GNU/Linux.

Today there are many different variants of the GNU/Linux system (often called “distros”). Most of them include non-free software—their developers follow the philosophy associated with Linux rather than that of GNU. But there are also completely free GNU/Linux distros. The FSF supports computer facilities for two of these distributions, Ututo and gNewSense.

Making a free GNU/Linux distribution is not just a matter of eliminating various non-free programs. Nowadays, the usual version of Linux contains non-free programs too. These programs are intended to be loaded into I/O devices when the system starts, and they are included, as long series of numbers, in the “source code” of Linux. Thus, maintaining free GNU/Linux distributions now entails maintaining a free version of Linux too.

Whether you use GNU/Linux or not, please don’t confuse the public by using the name “Linux” ambiguously. Linux is the kernel, one of the essential major components of the system. The system as a whole is basically the GNU system, with Linux added. When you’re talking about this combination, please call it “GNU/Linux”.

If you want to make a link on “GNU/Linux” for further reference, this page and http://www.gnu.org/gnu/the-gnu-project.html are good choices. If you mention Linux, the kernel, and want to add a link for further reference, http://foldoc.org/linux is a good URL to use.

Addendum: Aside from GNU, one other project has independently produced a free Unix-like operating system. This system is known as BSD, and it was developed at UC Berkeley. It was non-free in the 80s, but became free in the early 90s. A free operating system that exists today(4) is almost certainly either a variant of the GNU system, or a kind of BSD system.

People sometimes ask whether BSD too is a version of GNU, like GNU/Linux. The BSD developers were inspired to make their code free software by the example of the GNU Project, and explicit appeals from GNU activists helped persuade them, but the code had little overlap with GNU. BSD systems today use some GNU programs, just as the GNU system and its variants use some BSD programs; however, taken as wholes, they are two different systems that evolved separately. The BSD developers did not write a kernel and add it to the GNU system, and a name like GNU/BSD would not fit the situation.(5)

Notes:

  1. These unexciting but essential components include the GNU assembler, GAS and the linker, GLD, both are now part of the GNU Binutils package, GNU tar, and more.
  2. For instance, The Bourne Again SHell (BASH), the PostScript interpreter Ghostscript, and the GNU C library are not programming tools. Neither are GNUCash, GNOME, and GNU Chess.
  3. For instance, the GNU C library.
  4. Since that was written, a nearly-all-free Windows-like system has been developed, but technically it is not at all like GNU or Unix, so it doesn’t really affect this issue. Most of the kernel of Solaris has been made free, but if you wanted to make a free system out of that, aside from replacing the missing parts of the kernel, you would also need to put it into GNU or BSD.
  5. On the other hand, in the years since this article was written, the GNU C Library has been ported to several versions of the BSD kernel, which made it straightforward to combine the GNU system with that kernel. Just as with GNU/Linux, these are indeed variants of GNU, and are therefore called, for instance, GNU/kFreeBSD and GNU/kNetBSD depending on the kernel of the system. Ordinary users on typical desktops can hardly distinguish between GNU/Linux and GNU/*BSD.

Can I add more RAM to my 32 bit Operating System (OS)?

Some 32 bit Operating Systems (OS) limit the amount of RAM they will support. Exceeding that limit may contribute to a number of problems. Therefore it is not supported. Upgrading to a 64 bit Operating System (OS) is recommended. A list of 32 bit Operating Systems (OS) with limited RAM is below.

 

Operating System (OS)          Bit      RAM Limit (GB)
CloudLinux 5                   32 bit   64
CloudLinux 6                   32 bit   8
Debian 6                       32 bit   32
RHEL/CentOS 5 Minimal/LAMP     32 bit   64
RHEL/CentOS 6 Minimal/LAMP     32 bit   16
Ubuntu 8.04 LTS                32 bit   64
Ubuntu 10.04 LTS               32 bit   64
Ubuntu 12.04 LTS               32 bit   64

How to increase /tmp partition size on a non-control panel server

Stop Apache and MySQL services.

# /etc/init.d/httpd stop; /etc/init.d/mysql stop

Take a backup of /tmp

# cp -rp /tmp /tmp.bak

Create a partition of 2GB using the below command

# dd if=/dev/zero of=/usr/temp-disk bs=2M count=1024

Create the file system on it using the mke2fs command

# mke2fs -j /usr/temp-disk

Unmount the current /tmp partition

# umount /tmp

Mount the new /tmp filesystem using the below command

# mount -t ext3 -o rw,noexec,nosuid,loop /usr/temp-disk /tmp

Set the correct permission for /tmp

# chmod 1777 /tmp

To verify the partition, execute:

# mount

Restore the content of the old /tmp.bak directory (hidden files included)

# cp -rp /tmp.bak/. /tmp

Start Apache and MySQL services.

# /etc/init.d/httpd start; /etc/init.d/mysql start

To make sure this partition is mounted automatically after every reboot, edit /etc/fstab and replace the /tmp entry line with the following one.

/usr/temp-disk /tmp ext3 rw,noexec,nosuid,loop 0 0
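The noexec and nosuid options are the security-relevant part of this setup, so it is worth checking that they are really in effect and present in /etc/fstab. The following is an added example, not part of the original instructions; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that /tmp carries the hardening options used in the
# mount command and fstab line above.

# check_mount_opts MOUNTPOINT [REQUIRED_OPTS]
# Reads /proc/mounts or /etc/fstab lines on stdin (in both formats field 2 is
# the mount point and field 4 the option list).
#   returns 0 : every required option is present
#   returns 1 : prints the missing options, comma separated
#   returns 2 : prints "not-mounted" (no entry for MOUNTPOINT)
# The last matching line wins, because the most recent mount is the one in effect.
check_mount_opts() {
    awk -v mp="$1" -v need="${2:-noexec,nosuid}" '
        $1 !~ /^#/ && $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) { print "not-mounted"; exit 2 }
            m = split(opts, have, ",")
            for (i = 1; i <= m; i++) present[have[i]] = 1
            n = split(need, want, ",")
            missing = ""; sep = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in present)) { missing = missing sep want[i]; sep = "," }
            if (missing != "") { print missing; exit 1 }
            exit 0
        }
    '
}

# Constructed /proc/mounts sample: /tmp was remounted by hand without noexec.
sample_mounts_weak() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,relatime 0 0
EOF
}

# Constructed /etc/fstab sample containing the entry from the instructions.
sample_fstab_page() {
    cat <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults 1 1
/usr/temp-disk /tmp ext3 rw,noexec,nosuid,loop 0 0
EOF
}

# Demonstration on the constructed samples only.
if missing=$(sample_mounts_weak | check_mount_opts /tmp); then
    echo "/tmp (running): ok"
else
    echo "/tmp (running): missing $missing"
fi
if missing=$(sample_fstab_page | check_mount_opts /tmp); then
    echo "/tmp (fstab): ok"
fi
```

On the server itself, run check_mount_opts /tmp < /proc/mounts for the live mount and check_mount_opts /tmp < /etc/fstab for the boot-time entry.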

How To: Install memcached on CentOS 6

Memcached is a distributed, high-performance, in-memory caching system that is primarily used to speed up sites that make heavy use of databases. It can however be used to store objects of any kind. Nearly every popular CMS has a plugin or module to take advantage of memcached, and many programming languages have a memcached library, including PHP, Perl, Ruby, and Python. Memcached runs in-memory and is thus quite speedy, since it does not need to write to disk. Here’s how to install it on CentOS 6:

 

Memcached does have some dependencies that need to be in place. Install libevent using yum:

yum install libevent libevent-devel

To start installing memcached, change your working directory to /usr/local/src and download the latest memcached source:

cd /usr/local/src
wget http://memcached.googlecode.com/files/memcached-1.4.15.tar.gz

Uncompress the tarball you downloaded and change into the directory that is created:

tar xvzf memcached-1.4.15.tar.gz
cd memcached-1.4.15

Memcached is actively developed, so the version used in this tutorial may be out of date by the time you read this. As of this writing, 1.4.15 is the latest stable version. Check memcached.org for a newer version before proceeding with the installation.

Next, configure your Makefile. The simplest way is to run:

./configure

Additional configure flags are available and can improve performance if your server is capable. For 64-bit OSes, you can enable memcached to utilize a larger memory allocation than is possible with 32-bit OSes:

./configure --enable-64bit

If your server has multiple CPUs or uses multi-core CPUs, enable threading:

./configure --enable-threads

If your server supports it, you can use both flags:

./configure --enable-threads --enable-64bit

N.B.: if the configure script does not run, you may have to install compiling tools on your server. That is as simple as:

yum install gcc
yum install make

Once the configure script completes, build and install memcached:

make && make install

Last but not least, start a memcached server:

memcached -d -u nobody -m 512 -p 11211 -l 127.0.0.1

Put another way, the previous command can be laid out like this:

memcached -d -u [user] -m [memory size] -p [port] -l [listening IP]

Let’s go over what each switch does in the above command:

-d
Tell memcached to start up as a backgrounded daemon process.
-u
Specify the user that you want memcached to run as.
-m
Set the amount of memory, in megabytes, that you want to be allocated by memcached.
-p
The port on which memcached will listen.
-l
The IP address on which memcached will listen. Without -l, memcached listens on all of the server’s addresses, so a bare IP address at the end of the command does not restrict it.
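Memcached has no authentication by default, so after starting it, confirm that port 11211 is bound only to the address you intended. The following is an added example, not part of the original tutorial; it parses `netstat -lntu` output, and the function name and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners on a given port that are reachable on anything
# other than the loopback address.

# non_loopback_listeners PORT
# Reads `netstat -lntu` output on stdin. Prints "proto local-address" for each
# socket on PORT that is not bound to 127.0.0.1 or ::1.
# Returns 1 if any such socket was found, 0 otherwise.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            laddr = $4                      # e.g. 0.0.0.0:11211 or :::11211
            p = laddr
            sub(/.*:/, "", p)               # text after the last colon is the port
            host = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (p == port && host != "127.0.0.1" && host != "::1") {
                print $1, laddr
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample: memcached started without -l (bound to every address,
# TCP and UDP).
sample_netstat_wildcard() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN
tcp        0      0 :::11211                    :::*                        LISTEN
udp        0      0 0.0.0.0:11211               0.0.0.0:*
EOF
}

# Constructed sample: memcached started with -l 127.0.0.1.
sample_netstat_loopback() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:11211             0.0.0.0:*                   LISTEN
udp        0      0 127.0.0.1:11211             0.0.0.0:*
EOF
}

# Demonstration on the constructed samples only.
if found=$(sample_netstat_wildcard | non_loopback_listeners 11211); then
    echo "port 11211: loopback only"
else
    echo "port 11211 reachable beyond loopback:"
    echo "$found"
fi
```

On the server, run netstat -lntu | non_loopback_listeners 11211; any output means memcached should be restarted with -l or filtered by a firewall.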

 

Hotlink protection: How-To prevent people from stealing your files

 

Create an .htaccess file in your public_html directory with the following code:

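RewriteEngine on
# Allow requests that carry no Referer header (direct visits, privacy tools).
RewriteCond %{HTTP_REFERER} !^$
# Allow referers from domain.com or www.domain.com over http or https. Dots are
# escaped and the host name is anchored so that look-alike hosts do not match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
# Refuse every other request for .gif or .jpg files with 403 Forbidden.
RewriteRule \.(gif|jpg)$ - [F]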

Where domain.com is your domain.