Category Archives: Linux Servers and Software

General Linux server and software information.

CVE-2015-0235 Ghost glibc Debian Wheezy CentOS 5.11 6.6 gethost security issue

So another security issue on Linux. I have multiple servers to worry about and they are mostly based on two distributions, Debian and CentOS.

Because it is a newly found vulnerability, some mirror sites are not up to date, so in trying to patch my servers I found the following to be helpful.

Debian

Check https://security-tracker.debian.org/tracker/CVE-2015-0235 for the Debian versions that are affected.

My Debian Wheezy servers showed:

[code]$ ldd --version
ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13[/code]

or even older

[code]$ ldd --version
ldd (Debian EGLIBC 2.13-38+deb7u4) 2.13[/code]

so I ran the following on them

[code]# apt-get update && apt-get dist-upgrade[/code]

Watching and hitting the Y for yes when prompted. I could have used apt-get upgrade but I figured since I was doing upgrades I might as well do them completely. I like this post for a great explanation of the differences between the two options http://askubuntu.com/questions/194651/why-use-apt-get-upgrade-instead-of-apt-get-dist-upgrade.

and after the patching I get

[code]# ldd --version
ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13[/code]

which tells me that I have the latest and should not be vulnerable.

CentOS

CentOS on one server was version 5.11 and did not want to update anything when I tried to use

[code]# yum update glibc[/code]

So I checked and ran an update but found the same result, i.e. the mirror that yum used was not giving out a 27th January 2015 update. So I made a change in the /etc/yum.repos.d/CentOS-Base.repo file to comment out the mirrorlist line and enable (uncomment) the baseurl line, which goes direct to the CentOS servers that have patches from today that address the issue.

How to tell which version of CentOS you have?

[code]# cat /etc/*release*[/code]

will respond with something like

[code]CentOS release 6.5 (Final)[/code]

So the process is to update glibc specifically:

[code]# yum update glibc[/code]

Which should prompt for and find updates like this:

[code]

Resolving Dependencies
--> Running transaction check
---> Package glibc.i686 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc.x86_64 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc.i686 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc.x86_64 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc-common.x86_64 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc-common.x86_64 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc-devel.i686 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc-devel.x86_64 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc-devel.i686 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc-devel.x86_64 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc-headers.x86_64 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc-headers.x86_64 0:2.12-1.149.el6_6.5 will be an update
---> Package glibc-static.x86_64 0:2.12-1.149.el6_6.4 will be updated
---> Package glibc-static.x86_64 0:2.12-1.149.el6_6.5 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
glibc i686 2.12-1.149.el6_6.5 updates 4.3 M
glibc x86_64 2.12-1.149.el6_6.5 updates 3.8 M
glibc-common x86_64 2.12-1.149.el6_6.5 updates 14 M
glibc-devel i686 2.12-1.149.el6_6.5 updates 984 k
glibc-devel x86_64 2.12-1.149.el6_6.5 updates 983 k
glibc-headers x86_64 2.12-1.149.el6_6.5 updates 612 k
glibc-static x86_64 2.12-1.149.el6_6.5 updates 1.4 M

Transaction Summary
================================================================================
Upgrade 7 Package(s)

Total download size: 26 M
Is this ok [y/N]:

[/code]

This is where I hit Y for yes and watched it continue to download and upgrade glibc.

Finally for all of the servers I used a test script for CVE-2015-0235 glibc ghost that was provided from elsewhere.
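The package version only shows what is on disk; a daemon started before the upgrade keeps the old libc mapped until it is restarted. This added example (not the test script mentioned above and not code from the original post) lists such processes by looking for a libc mapping marked "(deleted)" in /proc/<pid>/maps; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list processes that still map
# the libc that was on disk before the upgrade.

# Return 0 if the /proc/<pid>/maps text on stdin maps a libc whose file has
# been replaced; the kernel marks such mappings with a trailing " (deleted)".
maps_has_stale_libc() {
    grep -Eq '/libc-[0-9.]+\.so[^ ]* \(deleted\)$'
}

# Print "pid name" for each process under $1 (default /proc) with a stale libc.
stale_libc_pids() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if cat "$dir/maps" 2>/dev/null | maps_has_stale_libc; then
            # status has a Name: line on old and new kernels alike.
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)
            echo "${dir##*/} ${name:-?}"
        fi
    done
}

# Constructed sample lines in /proc/<pid>/maps format (not from a real host).
sample_current='7f3a1c000000-7f3a1c182000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so'
sample_stale="$sample_current (deleted)"

printf '%s\n' "$sample_stale" | maps_has_stale_libc && echo "sample: stale libc mapped"

# Live scan; run as root to see every process.
stale_libc_pids /proc
```

Any process it lists needs a restart (or the host a reboot) before the patched library is actually in use.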

Next is VMWare, Watchguard, and anything else that might have glibc.

Responsive Frameworks: Bootstrap, Foundation, and others

Search for ‘compare responsive frameworks’ and you are led to an array of blog posts and commentaries on the topic.

I do not propose to reiterate stuff already said by others, but simply to consider what the frameworks might mean for me and the environment that I intend to apply a framework to.

My references are currently:

Regardless of which framework is chosen, the stylesheet language it uses is apparently another consideration. Is one ‘better’ than another or just ‘different’?

…and I have a lot of reading to do. My goal is to better understand options beyond the non-responsive Blueprint CSS framework that I have been using with osCmax.

osCmax and Templates, Responsive, CSS, and frameworks

A few years back I was working up a site in osCmax (osCommerce fork) and while the templating system was good it left a lot of issues with cross browser compatibility. I blogged several posts and some lengthy commentary on how I set it up with Blueprint, a CSS framework.

Revisiting osCmax recently, I am now looking again at templates or themes, and I have noted that Blueprint has not been updated since 2011, only a short while after my last Blueprint for osCmax efforts.

As a result, I am doing more reading, and particularly on the more recent Responsive frameworks. Blueprint may well have atrophied simply due to the rapid increase in mobility issues for web design.

I’d observe that in some cases I expect that I do not need a responsive website, and unless I know that I am working to a market that has a prevalence of mobile visits, then what is the point? I have a particular site that I manage and I know from its stats over 10 years or more of views that even today 80% of users are PC based and the 20% tend to be more unknowns than emphatically mobile. Further, even if the 20% were all mobile users, they may well be ok with the existing CSS styles that still present the site in a usable fashion on a tablet. Phone and small screen users may also be ok, and even if I ‘ask the audience’ do I get a response that I can use?

At this stage I am thinking that if I do deploy a responsive framework, then I will do so as a backend ‘good idea’ to maybe future-proof the site for an advent of a mobile tipping point. And to achieve that I should review the possible frameworks, just not from a ‘mobile-first’ perspective.

Debian Linux openvpn connect to Watchguard VPN

I have a Debian Server that I wanted to connect to a Watchguard VPN.

OpenVPN is the tool that I used and the following is based on JoKi’s excellent blog entry with my own adjustments to address the issues that I found.

To start you do need to install and run a connection using the Watchguard MobileVPN on your Windows box to get the configuration files in

C:\Users\your_user_name_here\AppData\Roaming\WatchGuard\Mobile VPN

It took me a while to work out that I had to run it to get the config files created, installing alone is not enough.

Installation in Debian is straightforward

#apt-get install openvpn

Once that is done go to the newly created /etc/openvpn and copy the files from the abovementioned Watchguard directory to it.

ca.crt
client.crt
client.ovpn
client.pem

Now it should all be good to go.

#openvpn --config client.ovpn

Except that I was getting all sorts of errors and warnings……

Wed Nov 12 12:16:50 2014 VERIFY X509NAME ERROR: /O=watchguard_technologies/0.0=fireware/CN=fireware_sslvpn_server, must be /O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server
Wed Nov 12 12:16:50 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Nov 12 12:16:50 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Nov 12 12:16:50 2014 TLS Error: TLS handshake failed
Wed Nov 12 12:16:50 2014 Fatal TLS error (check_tls_errors_co), restarting
Wed Nov 12 12:16:50 2014 SIGUSR1[soft,tls-error] received, process restarting
Wed Nov 12 12:16:50 2014 Restart pause, 5 second(s)

Everything I read said that the certificate files would be the issue, but that was not logical to me as they were direct from the Watchguard device and not ones I was creating.

But I checked them anyway with

#openssl verify -CAfile ca.crt client.crt

Next I tried addressing the verify X509 Name error by changing the client.ovpn file entry from

tls-remote

to

verify-x509-name

and messed around with that for a while until in disgust I commented the line out to try and confirm that it was triggering the error.

Of course, it worked first time !!!  Argghhhh!!

So the answer to the above is to remove the tls-remote line completely from the configuration file.

tls-remote "/O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server"

Either comment it with # at the start of the line or delete it.

Once that was sorted I had a working connection, and all that remained was to

#mv client.ovpn client.conf

create an auth.txt file with

myusername
mysecretpassword

#chmod 0600 auth.txt

Edit the client.conf file to have

auth-user-pass auth.txt

and finally start it as a service
#service openvpn start client

and the last bit of the puzzle, to add it as a service to automatically start

#update-rc.d openvpn enable
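With the tls-remote line removed, nothing in the config checks which certificate the server presents, and the password now sits in auth.txt. The following added example (not from the original post or from JoKi's entry) audits a client config for both points; the function names and the sample config are constructed, and resolving auth.txt relative to the config's directory is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN client config
# for a server-identity check and a private auth-user-pass file.

# Active directives only: strip indentation, drop '#' and ';' comment lines.
active_lines() { sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1"; }

# Print directives that check which certificate the server presents.
# Exit status is non-zero when the config has none.
server_identity_directives() {
    active_lines "$1" |
        grep -E '^(tls-remote|verify-x509-name|remote-cert-tls|ns-cert-type)([[:space:]]|$)'
}

# Return 0 only if the mode is owner-only read (0400) or read/write (0600).
is_private() {
    case $(ls -ld "$1" | cut -c1-10) in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; return 1 if anything was found.
audit_config() {
    rc=0
    server_identity_directives "$1" >/dev/null ||
        { echo "no server identity check"; rc=1; }
    f=$(active_lines "$1" | awk '$1 == "auth-user-pass" && NF > 1 { print $2; exit }')
    if [ -n "$f" ]; then
        # Assumption: relative paths resolve against the config's directory,
        # as when the Debian init script starts OpenVPN from /etc/openvpn.
        case $f in /*) ;; *) f=$(dirname "$1")/$f ;; esac
        is_private "$f" || { echo "auth file not private: $f"; rc=1; }
    fi
    return $rc
}

# Constructed sample: the post's end state, tls-remote commented out.
demo=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' \
    '#tls-remote "/O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server"' \
    'auth-user-pass auth.txt' > "$demo/client.conf"
printf '%s\n' 'myusername' 'mysecretpassword' > "$demo/auth.txt"
chmod 0644 "$demo/auth.txt"
audit_config "$demo/client.conf" || true   # reports both findings
```

On OpenVPN 2.3 or later, a line such as `verify-x509-name fireware_sslvpn_server name`, which matches on the CN alone, would satisfy the first check; whether a given WatchGuard device and client version accept it is an assumption the post does not test.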

Thanks to JoKi for getting me started.