Upgrade notes for mercury.bonmot.ca

Date: 22 June 2016

Notes

20:29h Initial update went OK. Looking for broken things.

20:46h Starting the dovecot configuration. http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

2016-06-22T21:30 - Dan

Restart postfix with: postfix reload

Restart dovecot with: /etc/init.d/dovecot stop / start

I cleared the TLS error in postfix/main.cf - you had just accidentally changed smtpd_tls_key_file to smtpd_tls_key Lol.

===To Do===
* [ ] Get the dovecot TLS smtp thing working
* [ ] Get the emails to postmaster stopped
* [ ] Move this document to ~denny/solaris/ where all the other sysadmin notes for mercury are.

===Done===
* [x] Turn off the log rotate script - we have our own. mkdir /etc/logs.daily/DISABLED/ and move "logrotate" into it
* [x] Get a self signed SSL cert installed. Followed instructions in https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix

===Doug's Notes===
> apt-get update
> apt-get upgrade

Drupal Notes:

drupal7 (7.14-2+deb7u1) unstable; urgency=high

In order to avoid a remote code execution vulnerability (described in https://drupal.org/SA-CORE-2013-003), it is recommended to create a .htaccess file (or an equivalent configuration directive in case you are not using Apache to serve your Drupal sites) in each of your sites' "files" directories (both public and private, in case you have both configured). This file's contents should include the following declarations:

<pre>
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
</pre>

You will find a copy of this file in /usr/share/doc/drupal7/files.htaccess, but, as it's not in a Debian-controlled directory (but on a local one), we cannot install it for you.

-- Gunnar Wolf <gwolf@debian.org> Wed, 20 Nov 2013 19:17:41 -0600

mysql-5.5 (5.5.33+dfsg-0+wheezy1) wheezy-security; urgency=high

mysql-server-5.5 ships with the upstream mysql_install_db script which creates a database "test" and sets up permissions that allow anonymous access, without a password, from localhost to the "test" database and any databases starting with "test_" that users might have created after installing mysql-server.

During the migration of mysql-5.1 to mysql-5.5 in Debian the patches to drop these permissions and the creation of the test databases were not applied. This update resolves this issue for new installations of mysql-server-5.5. If you are updating from a previous version of mysql-5.5 it is recommended to check your installation and to drop these privileges and databases manually. Further information can be found at the MySQL 5.5 Reference Manual[1].

[1] http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html

-- Salvatore Bonaccorso <carnil@debian.org> Sat, 14 Dec 2013 22:15:25 +0100

samba (2:3.6.6-6+deb7u10) wheezy-security; urgency=high

This Samba security release addresses both Denial of Service and Man in the Middle vulnerabilities. A significant number of patches were back-ported, and in some areas of winbindd the behaviour is now more like Samba 4.2 than 3.6.

This new security patch implements new smb.conf options and a number of stricter behaviours to prevent Man in the Middle attacks on our network services, as a client and as a server. Between these changes, compatibility with a large number of older software versions has been lost in the default configuration. See the release notes in WHATNEW.txt for more information.
Here are some additional hints on how to work around the new stricter default behaviors:

* As a File Server, compatibility with the Linux Kernel cifs client depends on which configuration options are selected, please use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
* As a file or printer client and as a domain member, out of the box compatibility with Samba less than 4.0 and other SMB/CIFS servers, depends on support for SMB signing or SMB2 on the server, which is often disabled or absent. You may need to adjust the "client ipc signing" to "no" in these cases.

However, all of these can be worked around by setting smb.conf options in Samba, see the 4.2.0 and 4.2.11 release notes (because many of the fixes are backported from there) at https://www.samba.org/samba/history/samba-4.2.0.html and https://www.samba.org/samba/history/samba-4.2.11.html and the Samba wiki for details, workarounds and suggested security-improving changes to these and other software packages.

New smb.conf options and defaults:
* raw NTLMv2 auth = no
* allow dcerpc auth level connect = no

Suggested further improvements after patching:

It is recommended that administrators set these additional options, if compatible with their network environment:

<pre>
server signing = mandatory
ntlm auth = no
client signing = mandatory
</pre>

Without "server signing = mandatory", Man in the Middle attacks are still possible against our file server and classic/NT4-like/Samba3 Domain controller. (It is now enforced on Samba's AD DC.) Note that this has heavy impact on the file server performance, so you need to decide between performance and security. These Man in the Middle attacks for smb file servers are well known for decades.

Without "ntlm auth = no", there may still be clients not using NTLMv2, and these observed passwords may be brute-forced easily using cloud-computing resources or rainbow tables.
Without "client signing = mandatory" we will not be able to detect a MitM attack between our client tools or winbindd and the server or AD DC. Later versions of Samba implement additional features to protect these communications. Setting this option may however disable connections to servers that have smb signing disabled (the default, as above).

wget (1.13.4-3+deb7u2) stable-security; urgency=high

<pre>
From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gmail.com>
Date: Sun, 07 Sep 2014 19:11:17 +0000
Subject: CVE-2014-4877: Arbitrary Symlink Access
</pre>

Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. This commit changes the default settings in Wget such that Wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the Wget invocation command.

-- Thorsten Alteholz <debian@alteholz.de> Wed, 29 Oct 2014 19:00:14 +0100

apache2 (2.2.22-13+deb7u2) stable; urgency=medium

* This release adds support for SSL/TLS ECC keys and ECDH ciphers. If this change causes problems with some older clients, see /usr/share/doc/apache2/README.Debian.gz for a work-around.

-- Stefan Fritsch <sf@debian.org> Sun, 25 May 2014 13:05:40 +0200

php5 (5.4.45-0+deb7u2) wheezy-security; urgency=medium

* PHP 5.4 has reached end-of-life on 14 Sep 2015 and as a result there will be no more new upstream releases. The security support of PHP 5.4 in Debian will be best effort only and you are strongly advised to upgrade to latest stable Debian release that includes PHP 5.6 that will reach end of security support on 28 Aug 2017.

-- Ondřej Surý <ondrej@debian.org> Sun, 04 Oct 2015 17:05:37 +0200

php5 (5.4.4-14+deb7u9) stable; urgency=medium

* The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate security vulnerability (CVE-2014-0185) in PHP FPM that allowed any local user to run a PHP code under the active user of FPM process via crafted FastCGI client. The default Debian setup now correctly sets the listen.owner and listen.group to www-data:www-data in default www pool configuration (/etc/php5/fpm/pool.d/www.conf). If you have more FPM instances or a webserver not running under www-data user you need to adjust the configuration of FPM pools in /etc/php5/fpm/pool.d/ so the accessing process has rights to access the socket.

-- Ondřej Surý <ondrej@debian.org> Mon, 12 May 2014 14:23:05 +0200

ca-certificates (20130119+deb7u1) stable; urgency=low

Update mozilla/certdata.txt to version 1.97

Certificates added (+), removed (-), and renamed (~):
<pre>
+ "ACCVRAIZ1"
+ "Atos TrustedRoot 2011"
+ "CA Disig Root R1"
+ "CA Disig Root R2"
+ "China Internet Network Information Center EV Certificates Root"
+ "D-TRUST Root Class 3 CA 2 2009"
+ "D-TRUST Root Class 3 CA 2 EV 2009"
+ "E-Tugra Certification Authority"
+ "PSCProcert"
+ "SG TRUST SERVICES RACINE"
+ "StartCom Certification Authority"
~ "StartCom Certification Authority"_2 (both StartCom CAs now included with duplicate CKA_LABEL fix)
+ "Swisscom Root CA 2"
+ "Swisscom Root EV CA 2"
+ "T-TeleSec GlobalRoot Class 2"
+ "TURKTRUST Certificate Services Provider Root 2007"
+ "TWCA Global Root CA"
+ "TeliaSonera Root CA v1"
+ "Verisign Class 3 Public Primary Certification Authority"
~ "Verisign Class 3 Public Primary Certification Authority"_2 (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
- "Equifax Secure eBusiness CA 2"
- "Firmaprofesional Root CA"
- "TC TrustCenter Universal CA III"
- "TDC OCES Root CA"
- "Wells Fargo Root CA"
</pre>

<pre>
dpkg: warning: subprocess old pre-removal script returned error exit status 1
dpkg: trying script from the new package instead ...
Stopping MySQL database server: mysqld failed!
invoke-rc.d: initscript mysql, action "stop" failed.
dpkg: error processing /var/cache/apt/archives/mysql-server-5.5_5.5.49-0+deb7u1_i386.deb (--unpack):
 subprocess new pre-removal script returned error exit status 1
Stopping MySQL database server: mysqld failed!
invoke-rc.d: initscript mysql, action "stop" failed.
Starting MySQL database server: mysqld already running.
Preparing to replace libdbi-perl 1.622-1 (using .../libdbi-perl_1.622-1+deb7u1_i386.deb) ...
Unpacking replacement libdbi-perl ...
Preparing to replace mysql-client-5.5 5.5.31+dfsg-0+wheezy1 (using .../mysql-client-5.5_5.5.49-0+deb7u1_i386.deb) ...
Unpacking replacement mysql-client-5.5 ...
Preparing to replace mysql-server-core-5.5 5.5.31+dfsg-0+wheezy1 (using .../mysql-server-core-5.5_5.5.49-0+deb7u1_i386.deb) ...
Unpacking replacement mysql-server-core-5.5 ...
Preparing to replace sysv-rc 2.88dsf-41 (using .../sysv-rc_2.88dsf-41+deb7u1_all.deb) ...
Unpacking replacement sysv-rc ...
Processing triggers for man-db ...
Errors were encountered while processing:
 /var/cache/apt/archives/mysql-server-5.5_5.5.49-0+deb7u1_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@mercury:/etc/dovecot# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common apt-utils bind9
  bind9-host bind9utils binutils bsd-mailx ca-certificates cpio dbconfig-common dnsutils dovecot-core
  dovecot-imapd dovecot-pop3d dpkg-dev drupal7 dselect expat fail2ban ghostscript graphicsmagick
  imagemagick initscripts isc-dhcp-client isc-dhcp-common libapache2-mod-php5 libapr1 libbind9-80
  libdns88 libdpkg-perl libgif4 libgpgme11 libgraphicsmagick3 libgs9 libgs9-common libisc84 libisccc80
  libisccfg82 liblwres80 libnet-server-perl libsnmp-base libsnmp15 locales lsb-release mime-support
  multiarch-support mutt mysql-server-5.5 nmap openssh-client openssh-server openssl php-pear php5
  php5-cli php5-common php5-gd php5-mysql procmail proftpd-basic python python-minimal python2.7
  python2.7-minimal rpcbind rsyslog sasl2-bin screen sendmail-base sendmail-cf sendmail-doc sensible-mda
  snmp ssl-cert sudo tcpdump tzdata unzip wget whois x11-common xinetd
87 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
74 not fully installed or removed.
Need to get 0 B/68.9 MB of archives.
After this operation, 2200 kB disk space will be freed.
Do you want to continue [Y/n]?
</pre>
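As an added post-upgrade check (this is not part of these notes, nor Debian's or PHP's own tooling), the following POSIX shell script audits a PHP-FPM pool file for the socket-permission problem described in the php5 (5.4.4-14+deb7u9) entry above: a UNIX-socket listener whose listen.mode still grants access to "other" (the pre-fix 0666 default), and the related breakage case the entry warns about, where listen.mode is tightened to 0660 but listen.owner/listen.group are not set so the web server can no longer reach the socket. The function names fpm_pool_value and fpm_pool_socket_check and the sample pool files are hypothetical; the key names (listen, listen.mode, listen.owner, listen.group) are FPM's own, and the pool files on a wheezy host live under /etc/php5/fpm/pool.d/ as stated in the entry.

```shell
#!/bin/sh
# Added example: audit PHP-FPM pool files for the CVE-2014-0185 socket mitigation.
# Function and sample-file names are hypothetical; the key names are FPM's own.

# fpm_pool_value FILE KEY: print the value of "KEY = value" in FILE (first match),
# ignoring ';' and '#' comments. Prints nothing if KEY is not set.
fpm_pool_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so listen.mode is literal
    sed -n -e 's/[;#].*$//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# fpm_pool_socket_check FILE: return 0 if the pool's listener is acceptable,
# 1 if it needs attention. Findings are printed one per line.
fpm_pool_socket_check() {
    conf=$1
    listen=$(fpm_pool_value "$conf" listen)
    case "$listen" in
        /*) ;;   # absolute path: a UNIX socket, so its mode matters
        *)  echo "$conf: listens on $listen (TCP), socket mode not applicable"; return 0 ;;
    esac
    mode=$(fpm_pool_value "$conf" listen.mode)
    owner=$(fpm_pool_value "$conf" listen.owner)
    group=$(fpm_pool_value "$conf" listen.group)
    rc=0
    case "$mode" in
        "")
            # Unset means the FPM built-in default applies; before the fix that was 0666.
            echo "$conf: listen.mode unset, set it to 0660 explicitly"; rc=1 ;;
        *[1-7])
            # Any 'other' bit lets every local user speak FastCGI to this pool.
            echo "$conf: listen.mode $mode is accessible to other users"; rc=1 ;;
    esac
    if [ -z "$owner" ] || [ -z "$group" ]; then
        # With 0660 only the socket's owner/group can connect, so these must name the web server user.
        echo "$conf: listen.owner/listen.group unset, the web server may be locked out"; rc=1
    fi
    # If FPM is running, also compare with the live socket (GNU stat, as on Debian).
    if [ -S "$listen" ]; then
        live=$(stat -c '%a' "$listen")
        case "$live" in
            *[1-7]) echo "$conf: live socket $listen has mode $live"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage on a wheezy host:
#   for f in /etc/php5/fpm/pool.d/*.conf; do fpm_pool_socket_check "$f"; done
```

The mode test deliberately looks only at the last octal digit: 0660, 0600 and 0640 all pass, while 0666, 0664 or any other value with an "other" bit is reported, which is exactly the class of setting the Debian entry replaced. A pool listening on TCP is skipped, since file permissions do not apply there.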