The Ghost vulnerability – CVE-2015-0235

So there we have another vulnerability affecting the world of open source. Nicknamed the GHOST vulnerability, it affects the glibc library shipped with Linux systems. It has been assigned CVE-2015-0235.

As per Red Hat, GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library.

If this vulnerability is exploited, it allows a remote attacker who is able to make an application call either of these functions to execute arbitrary code with the permissions of the user running the application. The attacker can trigger the buffer overflow by supplying an invalid hostname argument to an application which uses the gethostbyname() function.

You can check whether your server is vulnerable by running the following checker on your server.

# vi ghost.sh

#!/bin/bash
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/
echo "Installed glibc version(s)"

rv=0
# One line per installed glibc package (several architectures may be present).
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }' )
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }' )

    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
         \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235.
EOF
fi
exit $rv

# chmod +x ghost.sh

# ./ghost.sh

After running the above script, if the result is something like this:

Installed glibc version(s)
- glibc-2.5-123.el5_11.1.i686: not vulnerable
- glibc-2.5-123.el5_11.1.x86_64: not vulnerable

the server is free from the GHOST vulnerability. On the other hand, if the result is something like this:

Installed glibc version(s)
- glibc-2.5-118.el5_10.2.x86_64: vulnerable
- glibc-2.5-118.el5_10.2.i686: vulnerable

you will need to update glibc at the earliest (most distros have already pushed an update).

If you are on a CentOS/Red Hat machine, run the following command:

# yum update glibc*

Once the update is complete, reboot your server.
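The rpm-based checker above only works on Red Hat-family systems. As an added example (not part of the original post), here is a runtime check modelled on the approach of the public Qualys test program: it hands gethostbyname_r() a numeric hostname sized so that a vulnerable glibc overruns the supplied buffer into a canary placed right after it, while a patched glibc refuses the call with ERANGE. The result labels and the ghost_check() function are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

enum ghost_result { GHOST_NOT_VULNERABLE, GHOST_VULNERABLE, GHOST_INCONCLUSIVE };

/* The canary sits directly after the buffer handed to glibc, so the one-pointer
 * overrun of a vulnerable gethostbyname_r() lands on it instead of on anything
 * else in memory. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Numeric hostname sized so the buggy size computation (which forgot one
     * char * for the alias list) believes the buffer is exactly big enough. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;     /* glibc wrote past the end of the buffer */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE; /* patched glibc refused the small buffer */
    return GHOST_INCONCLUSIVE;       /* e.g. a non-glibc libc rejected the name */
}

int main(void)
{
    static const char *labels[] = { "not vulnerable", "vulnerable", "inconclusive" };
    puts(labels[ghost_check()]);
    return 0;
}
```

Compile with gcc and run it on each host; "inconclusive" means the C library took neither of the two glibc code paths (for example a non-glibc libc), so fall back to the package-based check.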


Turning off mod_gzip using .htaccess rules !

You can read this to find out about mod_gzip, an external module for Apache.

mod_gzip can cause a problem when your website is hit with many users attempting to complete a form submission: if they do not allow enough time for mod_gzip to send the content to the client machine, the system call can fail and the website may not load during that time. You may find lines like the following in the Apache error_log:

mod_gzip : TRANSMIT_ERROR:ISMEM:32

You may choose to disable mod_gzip for that particular domain while many simultaneous users are attempting to complete the form-related task.

Edit the .htaccess file for the domain and add the following directives:

<IfModule mod_gzip.c>
mod_gzip_on No
</IfModule>

Now mod_gzip will be disabled for the domain!

Configuring mail server locally when ‘A’ record points to remote server !

This post discusses how to configure the mail service for a domain locally when the domain’s A record points to an external server. This involves changing the domain’s MX records from the WHM or cPanel interface.

Edit the DNS zone of the domain from WHM as :

Home »DNS Functions »Edit DNS Zone

Once the editing interface pops up, find the line which specifies the MX record for the domain. It will be in the format:

domain.com.    TTL   IN   MX    priority    mail.domain.com.

Make sure the MX record follows the above format (pointing to mail.domain.com.).

Find the line which specifies the record for ‘mail’.

Originally, it will be something like:

mail           TTL    IN  CNAME        domain.com

Edit the above line to the following :

mail           TTL    IN  A        Local IP

Basically, change the record type from CNAME to A and specify the local IP of your server.

If this is done for the domain joel1.com, after the change it will look like this:

[screenshot: after-edit]

Once this is complete, select the option ‘Local Mail Exchanger’ on the same page so that mail for the domain is accepted locally.

[screenshot: localdomains file]


That’s it !


Disabling email alerts from LFD !

LFD (login failure daemon), which comes along with the CSF firewall, is a process that runs in the background and periodically scans the server logs for suspicious activity, processes, login attempts, etc.

You might receive an ‘lfd excessive resource usage’ alert, which is sent when a particular task or process consumes more than an allocated amount of system memory or runs in the background beyond a particular time-frame. On a bottlenecked server, where system memory is almost fully utilized and resources are consumed evenly, you might keep receiving these alerts, which is a real frustration. You can edit the csf config file at /etc/csf/csf.conf to change the settings.

# vi /etc/csf/csf.conf

After opening the file, find the variables PT_USERMEM and PT_USERTIME. Set both to 0 to disable the alerts sent when a user or process exceeds the memory or time limit.

– Once the csf config file is saved, restart csf with # csf -r, and don’t forget to restart lfd with # service lfd restart


Running your commands/scripts in background – screen !

At times you need to run your scripts or commands in the background rather than directly over SSH: your internet connection can become unstable and things get shaky. Anything important you execute on your server is better done via screen. screen is often referred to as ‘an admin’s best buddy’.

When screen is called, it creates a single window with a shell in it (or the specified command) and then gets out of your way so that you can use the program as you normally would.

To install screen on a Red Hat-based distro, run the following:

# yum install screen

– To start a new screen named test, run the following:

# screen -S test

The above command opens a new window in which you can run any commands. The session keeps running in the background. You can detach from the screen by pressing the following keys:

Ctrl + a followed by Ctrl + d

– To list all running screens at any point in time, run the following:

# screen -ls

– To re-enter an already detached screen:

# screen -x test

This will re-attach you to the screen test, which was created earlier.

– Check out the further options available in screen with:

# man screen

Unable to retrieve license keys in Plesk ?

When trying to retrieve license keys from the Plesk panel, are you getting an error like this?

Licensing Server Unreachable: Unable to connect with licensing server.
Please make sure that your network allows communication to ka.parallels.com:5224.

Log in to your server via SSH and check whether connections to the Plesk license server get through:

# telnet ka.parallels.com 5224
Trying 195.214.233.80...

If the connection does not go through, allow the IP ‘195.214.233.80’ in the server firewall.

# csf -a 195.214.233.80
Adding 195.214.233.80 to csf.allow and iptables ACCEPT...

# telnet ka.parallels.com 5224
Trying 195.214.233.80...
Connected to ka.parallels.com.
Escape character is '^]'.
Connection closed by foreign host.

Once this is done, you can try retrieving the license keys from Plesk.