DCCP Linux Kernel local privilege escalation vulnerability (CVE-2017-6074)

A vulnerability has been found in the DCCP Linux kernel module which allows a local, unprivileged user to escalate privileges on a Linux system. DCCP is used to manage network traffic congestion in the application layer.

This issue affects Red Hat and CentOS releases 5, 6, and 7, as well as other Linux distributions. You should update your kernel as soon as possible.

To mitigate without a kernel upgrade, run the following command and reboot your system:

echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

This prevents the DCCP module from being loaded, at boot or on demand, because modprobe runs /bin/true in place of loading it.

More information can be found here on Red Hat’s website.

Posted in CentOS, Linux, RedHat

Red Hat 7: Get Back eth Network Device Names

On installation of Red Hat or CentOS 7, boot the Anaconda installer with the net.ifnames=0 parameter.

When the installer boots, press the Esc key.

At the “boot” prompt, enter linux net.ifnames=0 and press Enter. The installer will now boot.

Go into the network settings in the installer, and you should now see your network devices named eth0, eth1, etc.

Posted in Uncategorized

Dirty COW Red Hat/CentOS patches released

Patches to fix the Dirty COW vulnerability have been released by Red Hat and CentOS for RHEL/CentOS. The fix ships as a kernel update and should be applied as soon as possible. You can read more about this patch on Red Hat’s website.

To patch your server, simply run the following command:

yum install kernel

After the kernel is installed, reboot your server. Once your server comes back online, you can confirm the patched kernel is now running with the following command:

uname -r

For RHEL/CentOS 6 systems, you should see “2.6.32-642.6.2.el6” in the output of the command.

For RHEL/CentOS 7 systems, you should see “3.10.0-327.36.3.el7” in the output of the command.
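Reading the version off by eye is error-prone on a fleet, so here is a small check, added here and not part of the original post, that compares a kernel release string against the two fixed builds listed above. It assumes only those two versions and strips the architecture suffix (for example .x86_64) that uname -r appends.

```python
"""Check a RHEL/CentOS kernel release against the Dirty COW fixed builds above.
Added example, not part of the original post. Only the two fixed versions the
post lists are known; the arch suffix that uname -r appends is ignored."""
import platform
import re

# Minimum patched kernel builds, as given in the post.
FIXED_BUILDS = {"el6": "2.6.32-642.6.2.el6", "el7": "3.10.0-327.36.3.el7"}
_EL_RE = re.compile(r"\.(el\d+)")


def release_key(release):
    """'3.10.0-327.36.3.el7.x86_64' -> ('el7', (3, 10, 0, 327, 36, 3)).

    Dots and dashes both separate numeric fields; everything from '.elN' on
    (the EL major and any architecture suffix) is not part of the comparison.
    """
    m = _EL_RE.search(release)
    if not m:
        raise ValueError("not an EL kernel release: %r" % release)
    fields = tuple(int(f) for f in re.split(r"[.-]", release[: m.start()]))
    return m.group(1), fields


def kernel_is_patched(release):
    """True if `release` is at or above the fixed build for its EL major."""
    el, fields = release_key(release)
    if el not in FIXED_BUILDS:
        raise ValueError("no fixed build known for %s" % el)
    _, fixed = release_key(FIXED_BUILDS[el])
    # Tuples compare field by field: (3,10,0,514) > (3,10,0,327,36,3) because
    # 514 > 327 decides it, while (3,10,0,327) < (3,10,0,327,36,3) on length.
    return fields >= fixed


if __name__ == "__main__":
    running = platform.release()   # same string as `uname -r`
    try:
        verdict = "patched" if kernel_is_patched(running) else "VULNERABLE, update the kernel"
    except ValueError as exc:
        verdict = "not an el6/el7 kernel (%s)" % exc
    print("%s: %s" % (running, verdict))
```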

Posted in Uncategorized

Linux audit “Backlog limit exceeded”

If you’re running a busy Linux system, you may see the following error in your kernel logs: “audit: backlog limit exceeded”.

To reduce these messages in your logs, increase the audit backlog buffer.

Edit /etc/audit/audit.rules and increase the value for “-b”. For Red Hat Linux 6 systems, the default value is 320.

Determining the appropriate value may take some time and experimentation. As a general rule, we suggest doubling the value and then observing its effects. Do not set the value too high, as a larger backlog increases system resource usage.

Once your value is set, save the file and restart the auditd service.

Please note that “audit: backlog limit exceeded” is a generic message and can be a symptom of a bigger issue (most commonly, the audit log cannot be written because of ext4 file system problems). Further troubleshooting may be necessary.
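The doubling step above can be applied mechanically. The following helper is an added example, not from the original post: it rewrites the -b line of an audit.rules file, keeps every other rule untouched, prepends a -b line when none exists, and stops at BACKLOG_CEILING, an assumed guard value that the post does not give.

```python
"""Raise the audit backlog (-b) in an audit.rules file by a factor, as the post
advises. Added example, not from the original post; BACKLOG_CEILING is an
assumed guard against unbounded doubling, the post itself gives no number."""
import re

DEFAULT_BACKLOG = 320      # RHEL 6 default noted in the post
BACKLOG_CEILING = 8192     # assumption, not from the post
_B_RE = re.compile(r"^(\s*-b\s+)(\d+)(.*)$")


def bump_backlog(rules_text, factor=2, ceiling=BACKLOG_CEILING):
    """Return (new_text, old_value, new_value) with the -b value multiplied.

    Every other line (comments, watches, syscall rules) is kept as is. If the
    file has no -b line, one is prepended starting from the RHEL 6 default.
    """
    lines = rules_text.splitlines()
    for i, line in enumerate(lines):
        m = _B_RE.match(line)
        if m:
            old = int(m.group(2))
            new = min(old * factor, ceiling)
            lines[i] = "%s%d%s" % (m.group(1), new, m.group(3))
            return "\n".join(lines) + "\n", old, new
    new = min(DEFAULT_BACKLOG * factor, ceiling)
    return "\n".join(["-b %d" % new] + lines) + "\n", None, new


# Constructed sample in the shape of a stock RHEL 6 /etc/audit/audit.rules.
SAMPLE_RULES = """# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
-D
# Increase the buffers to survive stress events.
-b 320
# Feel free to add below this line.
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    text, old, new = bump_backlog(SAMPLE_RULES)
    print("-b %s -> %s" % (old, new))
    print(text, end="")
```

After writing the result back to /etc/audit/audit.rules, restart auditd as described above for the new value to take effect.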

Posted in Uncategorized

Getting started with AWS – Elastic IP – Associating a Static IP

On the left side menu, under “Network & Security”, click “Elastic IPs”. On the main screen, click “Allocate New Address”.

In the pop-up window, select “Yes, Allocate”.

Select the Elastic IP, click the “Actions” menu drop down, and select “Associate Address”.

Next to “Instance”, type the name of your EC2 server or its instance ID. Select the matching search result for the EC2 server you are assigning the IP to, then click the “Associate” button.

You will now see an Elastic IP assigned to your EC2 server.

Posted in AWS

Getting started with AWS – Creating a CentOS 6 server (EC2)

From the top-left menu, select Services > Compute > EC2.

Under “Create Instance”, select “Launch Instance”.

Go to “AWS Marketplace” and search for “centos”. Select “CentOS 6 (x86_64) – with Updates HVM”.

Choose an instance type. t2.micro is a good, cheap option to start out or use for basic testing. You can easily upgrade later on. Click “Review and Launch” on the bottom right.

You will now see a review screen of your EC2 server. You can provision the server from here by clicking “Launch”.

You will be asked to generate an SSH key to use when connecting to your new EC2 server.

You can now use this SSH key to connect to your server with the dynamic public IP address listed in your account under “Instances”.

Posted in Uncategorized

MySQL 5.6 “innodb_table_stats” not found

Fix this annoying error in MySQL 5.6

On systems that were upgraded from MySQL 5.5 to 5.6 (Oracle, Percona, etc.), you may see the following error:

Error: Table "mysql"."innodb_table_stats" not found.

Here’s a more complete example:

2016-06-14 15:08:03 7f82b3fff700 InnoDB: Error: Table "mysql"."innodb_table_stats" not found.
2016-06-14 15:08:03 7f82b3fff700 InnoDB: Recalculation of persistent statistics requested for table "mydb1"."cron_schedule" but the required persistent statistics storage is not present or is corrupted. Using transient stats instead.
2016-06-14 15:08:04 7f82b3fff700 InnoDB: Error: Table "mysql"."innodb_table_stats" not found.
2016-06-14 15:08:04 7f82b3fff700 InnoDB: Recalculation of persistent statistics requested for table "mydb2"."cron_schedule" but the required persistent statistics storage is not present or is corrupted. Using transient stats instead.

Why is this error occurring?

MySQL 5.6 introduces a new “persistent optimizer statistics” feature that stores statistical data about your tables in the “mysql” database. The tables that hold these statistics are not created when upgrading from MySQL 5.5 to 5.6, which causes heavy error logging in mysqld.log.

How to fix the innodb_table_stats not found error

To fix this issue, you need to manually create the tables:

DROP TABLE IF EXISTS `innodb_index_stats`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `innodb_index_stats` (
 `database_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `table_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `index_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `last_update` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
 `stat_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `stat_value` bigint(20) unsigned NOT NULL,
 `sample_size` bigint(20) unsigned DEFAULT NULL,
 `stat_description` varchar(1024) COLLATE utf8_bin NOT NULL,
 PRIMARY KEY (`database_name`,`table_name`,`index_name`,`stat_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin STATS_PERSISTENT=0;
/*!40101 SET character_set_client = @saved_cs_client */;

DROP TABLE IF EXISTS `innodb_table_stats`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `innodb_table_stats` (
 `database_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `table_name` varchar(64) COLLATE utf8_bin NOT NULL,
 `last_update` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
 `n_rows` bigint(20) unsigned NOT NULL,
 `clustered_index_size` bigint(20) unsigned NOT NULL,
 `sum_of_other_index_sizes` bigint(20) unsigned NOT NULL,
 PRIMARY KEY (`database_name`,`table_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin STATS_PERSISTENT=0;
/*!40101 SET character_set_client = @saved_cs_client */;

DROP TABLE IF EXISTS `slave_master_info`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `slave_master_info` (
 `Number_of_lines` int(10) unsigned NOT NULL COMMENT 'Number of lines in the file.',
 `Master_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the master binary log currently being read from the master.',
 `Master_log_pos` bigint(20) unsigned NOT NULL COMMENT 'The master log position of the last read event.',
 `Host` char(64) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '' COMMENT 'The host name of the master.',
 `User_name` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The user name used to connect to the master.',
 `User_password` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The password used to connect to the master.',
 `Port` int(10) unsigned NOT NULL COMMENT 'The network port used to connect to the master.',
 `Connect_retry` int(10) unsigned NOT NULL COMMENT 'The period (in seconds) that the slave will wait before trying to reconnect to the master.',
 `Enabled_ssl` tinyint(1) NOT NULL COMMENT 'Indicates whether the server supports SSL connections.',
 `Ssl_ca` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Authority (CA) certificate.',
 `Ssl_capath` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path to the Certificate Authority (CA) certificates.',
 `Ssl_cert` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL certificate file.',
 `Ssl_cipher` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connection.',
 `Ssl_key` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL key file.',
 `Ssl_verify_server_cert` tinyint(1) NOT NULL COMMENT 'Whether to verify the server certificate.',
 `Heartbeat` float NOT NULL,
 `Bind` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Displays which interface is employed when connecting to the MySQL server',
 `Ignored_server_ids` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number of server IDs to be ignored, followed by the actual server IDs',
 `Uuid` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The master server uuid.',
 `Retry_count` bigint(20) unsigned NOT NULL COMMENT 'Number of reconnect attempts, to the master, before giving up.',
 `Ssl_crl` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (CRL)',
 `Ssl_crlpath` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation List (CRL) files',
 `Enabled_auto_position` tinyint(1) NOT NULL COMMENT 'Indicates whether GTIDs will be used to retrieve events from the master.',
 PRIMARY KEY (`Host`,`Port`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 STATS_PERSISTENT=0 COMMENT='Master Information';
/*!40101 SET character_set_client = @saved_cs_client */;

DROP TABLE IF EXISTS `slave_relay_log_info`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `slave_relay_log_info` (
 `Number_of_lines` int(10) unsigned NOT NULL COMMENT 'Number of lines in the file or rows in the table. Used to version table definitions.',
 `Relay_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the current relay log file.',
 `Relay_log_pos` bigint(20) unsigned NOT NULL COMMENT 'The relay log position of the last executed event.',
 `Master_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the master binary log file from which the events in the relay log file were read.',
 `Master_log_pos` bigint(20) unsigned NOT NULL COMMENT 'The master log position of the last executed event.',
 `Sql_delay` int(11) NOT NULL COMMENT 'The number of seconds that the slave must lag behind the master.',
 `Number_of_workers` int(10) unsigned NOT NULL,
 `Id` int(10) unsigned NOT NULL COMMENT 'Internal Id that uniquely identifies this record.',
 PRIMARY KEY (`Id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 STATS_PERSISTENT=0 COMMENT='Relay Log Information';
/*!40101 SET character_set_client = @saved_cs_client */;

DROP TABLE IF EXISTS `slave_worker_info`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `slave_worker_info` (
 `Id` int(10) unsigned NOT NULL,
 `Relay_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
 `Relay_log_pos` bigint(20) unsigned NOT NULL,
 `Master_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
 `Master_log_pos` bigint(20) unsigned NOT NULL,
 `Checkpoint_relay_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
 `Checkpoint_relay_log_pos` bigint(20) unsigned NOT NULL,
 `Checkpoint_master_log_name` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
 `Checkpoint_master_log_pos` bigint(20) unsigned NOT NULL,
 `Checkpoint_seqno` int(10) unsigned NOT NULL,
 `Checkpoint_group_size` int(10) unsigned NOT NULL,
 `Checkpoint_group_bitmap` blob NOT NULL,
 PRIMARY KEY (`Id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 STATS_PERSISTENT=0 COMMENT='Worker Information';
/*!40101 SET character_set_client = @saved_cs_client */;

As soon as these tables are created, MySQL should start storing data in these tables and the error logging about “innodb_table_stats not found” should stop.

Posted in MySQL

CentOS 6.8 Released

Along with the release of RHEL 6.8, the CentOS team have announced the availability of CentOS 6.8. You can read the Release Notes here.

Posted in CentOS

Red Hat Enterprise Linux 6.8 Released

Red Hat has released update 8 of RHEL 6. Read the press release here.

Along with security updates, this release adds the ability to grow the XFS file system to up to 300 TB, and the ability to create a deployable snapshot of your running system. You can find out more about this technology, called Relax-and-Recover, here.

More detailed information about this release can be found in the release notes here.

Posted in Uncategorized

OpenSSL DROWN Vulnerability

Red Hat has released a new patch for OpenSSL which fixes several serious security vulnerabilities, particularly affecting SSL-enabled websites. An attack against vulnerable systems, called DROWN, is currently in active use. You can read more about it here: https://drownattack.com/

I would suggest updating the OpenSSL package on your web servers, and disabling older and vulnerable SSL connection types (SSLv2 and SSLv3).

Recommended course of action:
• Update OpenSSL. Red Hat and CentOS 5 and 6 packages are available as of March 1.
• Check Apache, Nginx, and Postfix settings to ensure that SSLv2 and SSLv3 are disabled.
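The second step is easy to get wrong because the three daemons use different directive syntax. The following checker is an added example, not from the original post or any of those projects: it evaluates Apache’s SSLProtocol, nginx’s ssl_protocols and Postfix’s smtpd_tls_protocols / smtpd_tls_mandatory_protocols from config text and reports which of SSLv2/SSLv3 each line still leaves enabled. It assumes Apache 2.2 semantics (as shipped on RHEL/CentOS 5 and 6), where "all" includes SSLv2, and the config fragments embedded in it are constructed.

```python
"""Audit TLS protocol directives for SSLv2/SSLv3 left enabled (DROWN exposure).
Added example, not part of the original post; Apache's 'all' is read as the 2.2
series on RHEL/CentOS 5 and 6 does, i.e. including SSLv2."""
import re
ALL = frozenset(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"])
WEAK = frozenset(["SSLv2", "SSLv3"])
CANON = {p.lower(): p for p in ALL}   # Apache matches protocol names case-insensitively

def apache_protocols(value):
    """SSLProtocol: 'all' expands, '+X' or bare 'X' adds, '-X' removes, left to right."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = enabled - names if op == "-" else enabled | names
    return frozenset(enabled)

def nginx_protocols(value):
    """ssl_protocols: a plain allow-list; anything not named is disabled."""
    return frozenset(value.split())

def postfix_protocols(value):
    """smtpd_tls_*protocols: '!X' excludes; bare names restrict to that list."""
    toks = [t for t in re.split(r"[\s,:]+", value) if t]
    excluded = {t[1:] for t in toks if t.startswith("!")}
    allowed = {t for t in toks if not t.startswith("!")}
    return frozenset((allowed or ALL) - excluded)

PARSERS = {"SSLProtocol": apache_protocols, "ssl_protocols": nginx_protocols,
           "smtpd_tls_protocols": postfix_protocols,
           "smtpd_tls_mandatory_protocols": postfix_protocols}
_DIRECTIVE = re.compile(r"^\s*(\w+)\s*=?\s*(.+?)\s*;?\s*$")   # name [=] value [;]

def audit(config_text):
    """Map each known directive in the text to the weak protocols it leaves enabled."""
    findings = {}
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1) in PARSERS:
            findings[m.group(1)] = PARSERS[m.group(1)](m.group(2)) & WEAK
    return findings

# Constructed fragments, one directive per daemon: the weak setting beside its fix.
WEAK_CONFIG = ("SSLProtocol all -SSLv2\n"
               "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
               "smtpd_tls_mandatory_protocols = SSLv3, TLSv1\n")
HARDENED_CONFIG = ("SSLProtocol all -SSLv2 -SSLv3\n"
                   "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
                   "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n")
```

Run audit() over the relevant lines of httpd.conf, nginx.conf or main.cf; any non-empty set in the result is a line that still needs the fix shown in HARDENED_CONFIG.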

https://rhn.redhat.com/errata/RHSA-2016-0302.html
https://rhn.redhat.com/errata/RHSA-2016-0301.html

Posted in Uncategorized