Security Patches


OOagent137
2003-09-12, 04:17 AM
I know this could belong in the Security forum, but it's more of a RedHat question I think.

Basically, I want to make sure my server is secure. How do I download all the latest patches and install them? I want to do this automatically. Thanks.

Tino Didriksen
2003-09-12, 06:58 AM
No, you don't want to do that automatically. Never automatically install patches.

But, you can use /usr/sbin/up2date to get the latest updates.

You have to register first, but once that's done you can just do /usr/sbin/up2date --nox -u once in a while.

Read the man pages for up2date.

dhigbee
2003-09-12, 09:43 AM
Up2date is one way. I remember a post in one of the forums for another source for RedHat updates and rpms. I have the link but not at my PC (road trip). Do a search.

One word of caution with up2date. Be sure to include the programs you do not want automatically upgraded in the exclude section when you run up2date. For example you may not want to blindly upgrade your kernel or perl before fully testing. The docs will tell you how to do this.

Also, run up2date -l before up2date -u to see what updates are available before installing. You will want to make sure the available updates and security patches will not cause any issues with existing programs running on your server. The notices you receive from RedHat network will pretty much discuss each upgrade and patch.

Don

OOagent137
2003-09-12, 14:14 PM
When I say automatically install the updates, I mean, after I have typed a command to update the computer, it will retrieve all the updates available at that time and only update again when I type in that update command.

Now, I've never liked patching a linux system. Ever since my early uses with Mandrake when I ran their patch utility, I rebooted and could not boot my system. Apparently I had to do a kernel re-compile, whatever that meant (well, I guess I know what a re-compile is, but no idea how to do it).

Basically, I just want to secure this thing without having any headaches. That's why I'm a bit afraid to patch my system. I don't want it to become unbootable suddenly or an update to suddenly break my web hosting services. How can I ensure this?

So, specifically, how do I read about all the past updates?

Also, I tried to register, but it prompted me about some proxy settings and I don't think I have any so I hit enter, then it just gave me SSL connection problem messages. Any ideas?

Striker
2003-09-12, 14:59 PM
If you got SSL problems after that, chances are you need an updated version of up2date, because the RH Signing key for up2date expired recently.

I received this email about it (as I'm sure others may have):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The certificate used by up2date and rhn_register to communicate with the
Red Hat Network reached its end of life on August 28th 2003. Users
attempting to connect to Red Hat Network will see SSL connection or
certificate verification failures.

New versions of the up2date and rhn_register clients are now available
which are required for continued access to Red Hat Network.

* RHSA-2003:267 for Red Hat Linux:
https://rhn.redhat.com/errata/RHSA-2003-267.html

* RHSA-2003:268 for Red Hat Enterprise Linux:
https://rhn.redhat.com/errata/RHSA-2003-268.html

New versions of the up2date client that contain the new certificate are
immediately available for download at:

https://rhn.redhat.com/help/latest-up2date.pxt

For users who would prefer to install the new certificate directly, it is
available at:

https://rhn.redhat.com/help/ssl_cert.pxt

- -the Red Hat Network Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/TyhaXlSAg2UNWIIRAvoUAJ9VBtDcCHMF+bWRTmjRMbAWVJtH4gCeKsgn
3CD242nITihAS/PsashBmn4=
=eDDg
-----END PGP SIGNATURE-----

OOagent137
2003-09-12, 16:42 PM
I heard about that. So that's what they were talking about!

Well ok, I went to this site:

https://rhn.redhat.com/help/latest-up2date.pxt

We have RedHat 7.3. So, I looked at this list:

Red Hat Linux 7.3 i386

* up2date-2.8.40-3.7.3.i386.rpm - MD5 Checksum: 3643d7774d7e60a1aeb79c8fecbf624c
* up2date-gnome-2.8.40-3.7.3.i386.rpm - MD5 Checksum: 89977334ec0d3a2a720c3303602fc8dd
* rhn_register-2.8.27-1.7.3.i386.rpm - MD5 Checksum: d7bf0711fa45f56851a7c22ab77cbd93
* rhn_register-gnome-2.8.27-1.7.3.i386.rpm - MD5 Checksum: bba643b64654418b04b9a5bfe9efd85a


Now, do I need all of those? I don't even have Gnome I don't think. The instructions tell me that I need them though, I think. Please advise.

Monsoonstorm
2003-09-12, 19:21 PM
I love hitting one button to patch & update my windows server. he he :D

Originally posted by JoshPet
I love My Mac and My Linux Server. :D
(From another thread)

Tino Didriksen
2003-09-12, 19:35 PM
You don't need the Gnome packages. They'd not even install since you don't have the required libs.

OOagent137
2003-09-12, 20:46 PM
Thanks!

Ok, I installed the RPMs and ran rhn_register. However, I feel a bit overwhelmed. I got to this step:

Step 3 : Register a System Profile - Packages

RPM information is important to determine what updated software packages are relevant to this system.

Include RPM packages installed on this system in my System Profile

You may deselect individual packages by unchecking them below.


I'm so confused!! I have NO idea what to select and de-select. I haven't heard of most of those packages. What do I do!? I'm in the middle of the registration process and don't know what to click...please advise.

brent
2003-09-13, 00:07 AM
Originally posted by Monsoonstorm
I love hitting one button to patch & update my windows server. he he :D

(From another thread)
Too bad for you that you have to replace that button every 2 weeks due to over use. :)

Tino Didriksen
2003-09-13, 04:27 AM
Originally posted by OOagent137
I haven't heard of most of those packages.

Select them all.

OOagent137
2003-09-13, 13:22 PM
I ran /usr/sbin/up2date -l and this is what I got:

Name Version Rel
----------------------------------------------------------
XFree86-font-utils 4.2.1 13.73.3
XFree86-libs 4.2.1 13.73.3
XFree86-xfs 4.2.1 13.73.3
fetchmail 5.9.0 21.7.3
file 3.39 8.7x
fileutils 4.1 10.1
glibc 2.2.5 43
glibc-common 2.2.5 43
glibc-devel 2.2.5 43
gnupg 1.0.7 7
hwdata 0.14.1 1
iptables 1.2.8 8.72.3
krb5-devel 1.2.4 11
krb5-libs 1.2.4 11
lv 4.49.4 3.7x.1
lynx 2.8.4 18.1
man 1.5j 7.7x.0
mm 1.1.3 11
mm-devel 1.1.3 11
mod_ssl 2.8.12 2
modutils-devel 2.4.18 3.7x
mysql 3.23.56 1.73
mysql-devel 3.23.56 1.73
mysql-server 3.23.56 1.73
nfs-utils 0.3.3 6.73
nscd 2.2.5 43
pam 0.75 46.7.3
pam-devel 0.75 46.7.3
pine 4.44 19.73.0
python 1.5.2 43.73
python-devel 1.5.2 43.73
quota 3.06 9.7
sendmail-cf 8.11.6 25.73
sendmail-devel 8.11.6 25.73
shadow-utils 20000902 9.7
stunnel 3.22 5.7.3
tcpdump 3.6.3 17.7.3.3
xinetd 2.3.11 1.7x
ypserv 2.8 0.73E
zlib 1.1.4 8.7x
zlib-devel 1.1.4 8.7x

The following Packages were marked to be skipped by your configuration:

Name Version Rel Reason
-------------------------------------------------------------------------------
kernel 2.4.20 20.7 Pkg name/pattern
kernel-source 2.4.20 20.7 Pkg name/pattern


So now, what do I need to do? I'm assuming then that this will NOT upgrade my kernel and the most it will require of me in terms of doing anything to the server after running the up2date command is a reboot?

Now, to understand whether to upgrade these packages or not, I need to read about all the updates? That seems like a huge task.....If so, where do I go for this? How do I figure out if they break anything? I'm running PSA 6 and RH 7.3, so if anybody just knows of anything not to update off the top of their head, let me know. Thanks for the help guys.

Tino Didriksen
2003-09-13, 15:47 PM
I'd recommend to update everything, including the kernel packages.

Information about the packages is available at https://rhn.redhat.com/ where you can also see info about your machine.

Username and password are what you set them when you registered.

OOagent137
2003-09-13, 17:24 PM
Wouldn't we have to recompile or something with a kernel update? I have no clue how to recompile, I'm a novice programmer.

bkusnir
2003-09-13, 17:27 PM
I thought it was a good idea to skip the kernel/php update? Isn't that something that is best done manually for testing purposes? Most of the time I compile a custom kernel ... I have never used the patches from ftp.kernel.org. How safe is applying the kernel patches? It just worries me since I am doing it from remote, and I can't just pop a boot disk in the floppy if something screws up.

OOagent137
2003-09-13, 17:28 PM
I went to the RedHat site, logged in, and oddly enough they only show 3 things that I need to upgrade. However, when I run up2date -l, I get a huge list (around 50 things). Do you know why from the command line RH says one thing and from their website they say another?

Tino Didriksen
2003-09-13, 18:04 PM
Originally posted by OOagent137
Wouldn't we have to recompile or something with a kernel update?

No. The RHN packages are binary ones.

First you run
/usr/sbin/up2date --nox -p
then
/usr/sbin/up2date --nox -u
then you do
/usr/sbin/up2date --nox -f kernel kernel-source
then reboot (using the reboot command, not SB RapidReboot)

Or you can customize the -u to be a list of packages you want, in case there's one you don't want.
But looking at your list the only one you should be wary about is sendmail. You may have to reconfig sendmail after updating.

As always, keep a backup. Although I've never heard of major problems arising from using up2date.
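The procedure above, together with the earlier advice to run up2date -l and review the list before running -u, can be tied together with a small script. This is an added example, not code from the thread: it parses the `up2date -l` listing (the sample is constructed in the format shown earlier in the thread) and splits it into packages to hand to up2date now and packages to hold for manual review. The hold patterns (sendmail*, kernel*) are an assumption standing in for whatever a reader wants to look at by hand; they are not an up2date feature.

```shell
#!/bin/sh
# Added example, not from the thread. Splits an `up2date -l` listing into
# packages to update now and packages held for manual review.

# Constructed sample in the format `up2date -l` prints (see the thread).
SAMPLE_LISTING='Name Version Rel
----------------------------------------------------------
glibc 2.2.5 43
mod_ssl 2.8.12 2
sendmail-cf 8.11.6 25.73
sendmail-devel 8.11.6 25.73
stunnel 3.22 5.7.3
zlib 1.1.4 8.7x

The following Packages were marked to be skipped by your configuration:

Name Version Rel Reason
-------------------------------------------------------------------------------
kernel 2.4.20 20.7 Pkg name/pattern'

# available_packages LISTING
# Prints the package names from the first table only; the packages up2date
# already skips by configuration are not offered, so they are not listed.
available_packages() {
    printf '%s\n' "$1" | awk '
        /^The following/ { exit }            # start of the "skipped" section
        /^Name / || /^-+$/ || /^$/ { next }  # header, rule line, blank line
        { print $1 }'
}

# match_any NAME PATTERN...
# Returns 0 if NAME matches one of the shell glob patterns.
match_any() {
    name=$1; shift
    for pat in "$@"; do
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# apply_list LISTING PATTERN...
# Prints, space separated, the packages that match no hold pattern.
apply_list() {
    listing=$1; shift
    out=''
    for name in $(available_packages "$listing"); do
        if ! match_any "$name" "$@"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# held_list LISTING PATTERN...
# Prints, space separated, the packages that match a hold pattern.
held_list() {
    listing=$1; shift
    out=''
    for name in $(available_packages "$listing"); do
        if match_any "$name" "$@"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Hold patterns are an assumption: sendmail (may need reconfiguring after the
# update, as the thread notes) and the kernel (updated on its own, then reboot).
echo "update now:   $(apply_list "$SAMPLE_LISTING" 'sendmail*' 'kernel*')"
echo "hold for review: $(held_list "$SAMPLE_LISTING" 'sendmail*' 'kernel*')"
```

The "update now" names are what you would give up2date in place of a blanket -u; the held ones get read up on in the RHN errata first and are applied separately once you know what they change.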

OOagent137
2003-09-13, 18:18 PM
Well, that sounds simple enough.

I guess I only have 2 concerns left:

1) I have never configured sendmail (default SB config seems to work fine), so I would have no clue what changed or how to change it. If this is the case, do you suggest I simply skip updating sendmail?

2) I have no idea how to make a backup. SB doesn't provide a 2nd HD or anything like that, and I've heard of rsync, but honestly, I don't know what I would even need to back up. Ideas?

knightfoo
2003-09-13, 18:43 PM
Originally posted by OOagent137
Well, that sounds simple enough.

I guess I only have 2 concerns left:

1) I have never configured sendmail (default SB config seems to work fine), so I would have no clue what changed or how to change it. If this is the case, do you suggest I simply skip updating sendmail?

2) I have no idea how to make a backup. SB doesn't provide a 2nd HD or anything like that, and I've heard of rsync, but honestly, I don't know what I would even need to back up. Ideas?

If you have not munged any of the .mc files in /etc/mail, the sendmail upgrade should go smoothly and regenerate the proper sendmail.cf once it is done. If you find any files named blah.rpmsave in /etc/mail after the upgrade, you might want to check them out .. this means rpm found a file that may not work with the newer package so it was moved out of the way. If it is something you need, you'll have to merge the changes into the new file.

I've never really heard of an RPM upgrade completely toasting a system. I have seen kernel upgrades leave a system unbootable, but that is something that we can easily fix. Whenever you do a kernel upgrade, make sure your old kernel is still located in /boot and there is an entry in /etc/grub.conf for the old kernel. You should always keep local copies of your valuable content and configuration files. There is really no sense in keeping a backup of every single file on your system, because all of the OS files can be replaced with a reload. :) Most of the control panels have backup utilities as well.

-knightfoo
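The two checks in the post above, as an added example that is not knightfoo's code: before a kernel upgrade, confirm that a previous kernel is still present in /boot and has an entry in grub.conf (so there is a way back if the new one does not boot), and after an RPM upgrade, list any .rpmsave files left in /etc/mail. The functions take the directories as arguments, and the /boot, grub.conf and /etc/mail layout they run against here is constructed in a temporary directory; the "kernel /vmlinuz-<version>" line form of grub.conf is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: pre-upgrade fallback-kernel check and
# post-upgrade .rpmsave scan, run against a constructed layout.

# grub_entries GRUB_CONF
# Prints the kernel versions that have a "kernel /vmlinuz-<version>" line.
grub_entries() {
    awk '$1 == "kernel" { sub(/^.*vmlinuz-/, "", $2); print $2 }' "$1"
}

# boot_kernels BOOT_DIR
# Prints the kernel versions installed as vmlinuz-<version> files.
boot_kernels() {
    for f in "$1"/vmlinuz-*; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/vmlinuz-}"
    done
}

# fallback_kernel BOOT_DIR GRUB_CONF CURRENT
# Prints the first kernel other than CURRENT that is both installed and
# bootable from GRUB_CONF; returns 1 if there is none (no way back).
fallback_kernel() {
    bootdir=$1; grubconf=$2; current=$3
    for v in $(boot_kernels "$bootdir"); do
        [ "$v" = "$current" ] && continue
        if grub_entries "$grubconf" | grep -qx "$v"; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# rpmsave_files DIR
# Lists the *.rpmsave files rpm moved aside during an upgrade.
rpmsave_files() {
    find "$1" -name '*.rpmsave' -type f | sort
}

# --- constructed layout standing in for /boot, /etc/grub.conf and /etc/mail ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/boot" "$demo_root/etc/mail"
: > "$demo_root/boot/vmlinuz-2.4.18-3"
: > "$demo_root/boot/vmlinuz-2.4.20-20.7"
cat > "$demo_root/etc/grub.conf" <<'EOF'
default=0
title Red Hat Linux (2.4.20-20.7)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-20.7 ro root=/dev/hda2
        initrd /initrd-2.4.20-20.7.img
title Red Hat Linux (2.4.18-3)
        root (hd0,0)
        kernel /vmlinuz-2.4.18-3 ro root=/dev/hda2
        initrd /initrd-2.4.18-3.img
EOF
: > "$demo_root/etc/mail/sendmail.cf.rpmsave"

# Usage: the currently running kernel version is the third argument.
if fb=$(fallback_kernel "$demo_root/boot" "$demo_root/etc/grub.conf" 2.4.20-20.7); then
    echo "fallback kernel $fb is installed and bootable"
else
    echo "WARNING: no bootable fallback kernel, do not upgrade the kernel yet"
fi
echo "files to review after the upgrade:"
rpmsave_files "$demo_root/etc/mail"
```

On a real system the arguments would be /boot, /etc/grub.conf and the output of uname -r; a WARNING means the old kernel or its grub entry has already been removed, which is exactly the state the post says to avoid before running the kernel update.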

OOagent137
2003-09-13, 22:54 PM
Well knightfoo, I've never touched anything in sendmail. The only configuring we've done is through Plesk. None of those programs listed ring a bell to any changes I've made, so I'm pretty sure I haven't touched them. So, if I've never touched any of that stuff, would I run into blah.rpmsave files?

What I'm thinking is I'll just run these 2 commands:

/usr/sbin/up2date --nox -p
then
/usr/sbin/up2date --nox -u

Then I'll see how that goes (do I need to reboot afterwards?). If all goes well, I'll see about backing up my kernel or whatever you described knightfoo and then see how that goes. Thanks for all the help guys.

letheos
2003-12-21, 15:13 PM
This is an older thread, but since I'm running into the exact same questions right now, I thought I would post here...

I have four Red Hat systems with ServerBeach. It seems that RedHat will only let me register one system for free though, and that I have to buy "entitlements" for additional systems.

Is that something that should be included with my SB server rental, or is that considered an "optional" service? If so, if all I want to do is get the important OS upgrades, am I ok with the $20/year "Update Service Entitlement", or do I need one of the more expensive packages?

Thanks!

knightfoo
2003-12-21, 15:31 PM
Originally posted by letheos
This is an older thread, but since I'm running into the exact same questions right now, I thought I would post here...

I have four Red Hat systems with ServerBeach. It seems that RedHat will only let me register one system for free though, and that I have to buy "entitlements" for additional systems.

Is that something that should be included with my SB server rental, or is that considered an "optional" service? If so, if all I want to do is get the important OS upgrades, am I ok with the $20/year "Update Service Entitlement", or do I need one of the more expensive packages?

Thanks!

Your ServerBeach system is already registered with RHN through the ServerBeach RHN account and entitlement. You do not need to register your server again .. actually, you won't be able to register your server again. You can use up2date to check for updates and install them from an SSH session.

-knightfoo

letheos
2003-12-21, 17:21 PM
:confused: Err... actually...

I was somehow able to register 2 of them already. Red Hat gave me a "Demo" entitlement for the first one, and says I need to purchase a RHN entitlement for the second one I registered.

Here's what happens:

When I tried up2date --list (for the first time), I got a list of options, where I just hit Enter. Then I got this message:

Your GPG keyring does not contain the Red Hat, Inc. public key.
Without it, you will be unable to verify that packages Update Agent
downloads are securely signed by Red Hat.

Your Update Agent options specify that you want to use GPG.

To install the key, run the following as root:

rpm --import /usr/share/rhn/RPM-GPG-KEY


I ran the above command, and it seems like nothing happened. But then when I did up2date --list again, the Red Hat Network Registration utility popped up, and guided me through registering my system with RHN. I had opened an RHN account previously, so this worked fine, I might add...

I registered two of my systems that way before I found out that I would have to pay for any additional systems beyond the first one.

I have two more systems that I haven't registered yet, but up2date --list returns the same message about the Red Hat, Inc. public key. After following the instructions there, up2date opens up the RHN Registration utility on those also.

What now? :confused:

Can I submit a ticket and have ServerBeach re-register the systems? If they were supposed to have already been registered, why do my other 2 systems seem to want me to register them with RHN before I can use up2date?

knightfoo
2003-12-21, 18:41 PM
Only the Red Hat Enterprise Linux ES 3.0 servers are registered with RHN by ServerBeach. You can register your other Red Hat Linux servers under your own RHN account, but you cannot register the RHEL ES 3.0 servers without an entitlement. When you buy Red Hat ES 3 from ServerBeach, you are basically renting our entitlement. Your Red Hat ES 3 server will already be registered with RHN when you receive the login information. If you have changed the RHN registration, you will need to submit a ticket to have ServerBeach register your server again.

-knightfoo

letheos
2003-12-21, 22:24 PM
Originally posted by knightfoo
Only the Red Hat Enterprise Linux ES 3.0 servers are registered with RHN by ServerBeach.

So in other words, if my servers aren't RHEL ES 3.0, I'm on my own with registering them with RHN.

Correct?

knightfoo
2003-12-21, 23:04 PM
Originally posted by letheos
So in other words, if my servers aren't RHEL ES 3.0, I'm on my own with registering them with RHN.

Correct?

Correct. It won't matter after April though, support for Red Hat 9 will be discontinued.

-knightfoo

deepsix
2004-03-03, 18:59 PM
With my fedora box, when I try to run up2date, it gives me this message:

Your GPG keyring does not contain the Red Hat, Inc. public key.
Without it, you will be unable to verify that packages Update Agent downloads
are securely signed by Red Hat.

Your Update Agent options specify that you want to use GPG.

To install the key, run the following as root:

rpm --import /usr/share/rhn/RPM-GPG-KEY


So I run rpm --import /usr/share/rhn/RPM-GPG-KEY
as a root user, and it doesn't give any sort of error or confirm message.
But then it still gives me that error when I try to run up2date...
am I missing something?