Server Maintanance - August 2005
 

Hello Folks.

Im plan on doing server maintanance on the weekend from the 19th to the 21st of August, including kernel update, opensshupdate and a few security changes:

- php_safe mode on
- hardened php
- hardened userlevel
- chrooted home directories for everyone
- NO root login, ONLY sudo execution

Additionally, there will be a few other changes.

JUST A NOTICE BEFOREHAND, EXPECT DOWNTIME OF ALL NONESSENTIAL SERVICES (Gameservers, CVS, etc).

All major services will be routed thru server-one (my box) during this time, so the downtime should be kept to a minimum, and all ESSENTIAL services (http, mail, database) will be operational (hopefully)

Do I have council approval ?

Nova 8)

Re: Server Maintanance - August 2005
 

approved, nigga :D

see ya on octoberfest :P

Re: Server Maintanance - August 2005
 

8o oh my god

Is it really necessary ? There ought to be immense benefits for everybody if you plan to do so else I don't really see why we should take such a risk !

Re: Server Maintanance - August 2005
 

risk ? what risk ?

• kernel update = formaility, if it doesnt work i can boot recue system
• openssh update = necessary, quite a lot of security updates out
• chrooted user directory = worst it could do is lock a few people out of the ftp for a while
• services update = good idea in general
• php safe mode and hardening = GOOD idea in general, i just hadnt gotten around to it yet
• sudo and sudoers = once its setup, its VERY VERY usefull.

imo thos is low risk high gain server surgery, and you dont have to do a thing ... :D

Re: Server Maintanance - August 2005
 

Don't You think guys the server is too much times updated? Everytime (every update I mean) after the update we got a lot of troubles (including additional downtime, not working for a while some services they were working before update etc.).
Instead inceasing the security by instantly update the server (if any new software appears for it), maybe just focus on making good backups of the server to get it back to work if someone really destroy it (because it is not 100% safe because of not installed some new stuff). I guess restoring the server from the backup is less troubles and shorter down-time than all down-times we need for every update.
I'm not any expert of servers, so I can't say You "do it - it's good" - or "don't do it - it's bad", but having some experience browsing other forums I may attest - our forum has the longest down-times from all I'm browsing. Dunno - other admins (of other forums) probably don't care so much for every update and their servers aren't attacked so often (I really don't remember any bigger down-time of other forum because got attcked/hacked), but - as the most important fro me - they just work.

"Something better is always an enemy of something good".

That's my opinion.

Re: Server Maintanance - August 2005
 

Well, the last update was kind of interrupted, and i left a lot of things unfinished, this is a package listing for the update, with the important one's bold:

[ebuild U ] sys-apps/man-1.6-r1 [1.6]
[ebuild U ] sys-apps/man-pages-2.07 [2.05]
[ebuild U ] sys-libs/zlib-1.2.3 [1.2.2]
[ebuild U ] dev-db/mysql-4.0.25-r2 [4.0.24-r1]
[ebuild U ] sys-auth/pam_mysql-0.6.0 [0.5]
[ebuild U ] app-shells/bash-3.0-r12 [3.0-r11]
[ebuild U ] sys-devel/gcc-config-1.3.12-r2 [1.3.11-r3]
[ebuild U ] sys-libs/glibc-2.3.5-r1 [2.3.5]
[ebuild U ] media-sound/mpg123-0.59s-r10 [0.59s-r9]
[ebuild U ] net-misc/asterisk-1.0.9 [1.0.8]
[ebuild U ] app-arch/sharutils-4.5 [4.2.1-r11]
[ebuild U ] mail-filter/razor-2.77 [2.74]
[ebuild U ] net-nds/openldap-2.2.27-r1 [2.2.26-r2]
[ebuild U ] net-misc/openssh-4.1_p1-r1 [3.9_p1]
[ebuild U ] app-editors/nano-1.3.8 [1.3.7]
[ebuild U ] sys-devel/automake-1.9.6 [1.8.0]
[ebuild U ] mail-client/mutt-1.5.9 [1.5.8-r2]
[ebuild U ] net-misc/wget-1.10 [1.9.1-r5]
[ebuild U ] net-dns/bind-9.3.1-r3 [9.2.5-r4]
[ebuild U ] media-libs/tiff-3.7.3 [3.7.2]
[ebuild U ] dev-libs/libxml2-2.6.20-r2 [2.6.19]
[ebuild U ] dev-libs/libxslt-1.1.14-r2 [1.1.13-r1]
[ebuild U ] sys-apps/file-4.14 [4.13]
[ebuild U ] media-libs/freetype-2.1.10 [2.1.9-r1]
[ebuild U ] app-arch/bzip2-1.0.3-r5 [1.0.3-r4]
[ebuild U ] sys-libs/gpm-1.20.1-r5 [1.20.1-r4]
[ebuild U ] app-text/aspell-0.60.3 [0.60.2]
[ebuild U ] net-analyzer/net-snmp-5.2.1.2 [5.2.1-r1]
[ebuild U ] dev-php/php-4.4.0 [4.1.0_rc2]
[ebuild U ] app-arch/gzip-1.3.5-r8 [1.3.5-r7]
[ebuild U ] net-libs/courier-authlib-0.57 [0.55.20050320]
[ebuild U ] net-mail/courier-imap-4.0.4 [4.0.1-r2]
[ebuild U ] sys-devel/autoconf-wrapper-3.1 [3-r1]
[ebuild U ] net-ftp/ncftp-3.1.9 [3.1.8-r1]
[ebuild U ] dev-util/dialog-1.0.20050306 [1.0.20050206]
[ebuild U ] sys-apps/debianutils-2.14.1-r1 [2.13.2]
[ebuild U ] sys-apps/sandbox-1.2.12 [1.2.9]
[ebuild U ] sys-apps/portage-2.0.51.22-r2 [2.0.51.22-r1]
[ebuild U ] app-portage/gentoolkit-dev-0.2.5 [0.2.4]
[ebuild U ] dev-util/pkgconfig-0.18.1-r1 [0.17.2-r1]
[ebuild U ] dev-libs/libpcre-6.1 [5.0]
[ebuild U ] net-analyzer/nmap-3.83 [3.81]
[ebuild U ] mail-filter/dspam-3.4.9 [3.4.8]
[ebuild U ] net-www/apache-2.0.54-r13 [2.0.54-r11]
[ebuild NS ] dev-php/mod_php-4.4.0-r1
[ebuild U ] net-misc/ntp-4.2.0.20050303 [4.2.0.20040617-r2]
[ebuild U ] net-dns/libidn-0.5.18 [0.5.17]
[ebuild U ] dev-libs/gmp-4.1.4-r1 [4.1.4]
[ebuild U ] app-antivirus/clamav-0.86.2 [0.86.1]
[ebuild U ] sys-apps/iproute2-2.6.11.20050330 [2.6.11.20050310-r1]
[ebuild U ] sys-libs/com_err-1.38 [1.37]
[ebuild U ] sys-libs/ss-1.38 [1.37]
[ebuild U ] sys-fs/e2fsprogs-1.38 [1.37-r1]
[ebuild U ] app-editors/vim-core-6.3.084-r2 [6.3.075]
[ebuild U ] app-editors/vim-6.3.084 [6.3.075]
[ebuild U ] sys-apps/module-init-tools-3.2_pre7-r1 [3.2_pre7]
[ebuild U ] net-www/mod_auth_mysql-3.0.0 [2.8.1]
[ebuild U ] net-ftp/ftp-0.17-r5 [0.17-r4]
[ebuild U ] net-dns/c-ares-1.2.1-r1 [1.2.1]
[ebuild U ] sys-apps/shadow-4.0.11.1-r2 [4.0.7-r2]
[ebuild U ] sys-apps/pam-login-4.0.11.1-r2 [3.17]
[ebuild U ] dev-util/subversion-1.2.1 [1.2.0]
[ebuild U ] app-admin/sudo-1.6.8_p9-r2 [1.6.8_p9-r1]
[ebuild U ] sys-apps/sysvinit-2.86-r1 [2.86]
[ebuild U ] sys-apps/baselayout-1.12.0_pre5 [1.11.12-r4]
[ebuild U ] net-dns/bind-tools-9.3.1 [9.2.5]
[ebuild U ] sys-process/fcron-2.9.7 [2.9.6]
[ebuild U ] sys-boot/grub-0.96-r3 [0.96-r2]
[ebuild U ] net-misc/rsync-2.6.6 [2.6.5]
[ebuild U ] net-firewall/iptables-1.3.2 [1.3.1-r4]
[ebuild U ] app-antivirus/f-prot-4.6.0-r1 [3.5.4-r1]

Re: Server Maintanance - August 2005
 

I love server updates ;)

Re: Server Maintanance - August 2005
 

same :D

Re: Server Maintanance - August 2005
 

I love gentoo


(and fbsd)

Re: Server Maintanance - August 2005
 

I love Rick. :P:P:P:P:P:P
Hahahahahahaah. :D:D:D

Re: Server Maintanance - August 2005
 

gentoo is the love1111!!!!@!oneoneonelolpwned :D

Re: Server Maintanance - August 2005
 

Update mania = Crash the server. :P:D

Re: Server Maintanance - August 2005
 

/me blocks THE_STORM from ICQ :|

Re: Server Maintanance - August 2005
 

this is getting outta hand but I sorta agree with KWo

What you could do would be to download a dump of the server's filesystem to a local machine of yours, take the time to do the updates there, and test EVERYTHING on it.

Did we get hacked once ?

Re: Server Maintanance - August 2005
 

Sounds like a good idea. Or start with the updates which doesn't affect much(ie the ones that Nova didn't made bold).

Well...BU isn't that populair :) But gentoo is pretty minimal(for linux) so that may help too.

Re: Server Maintanance - August 2005
 

Just a joke. Don't be so angry. :|

Re: Server Maintanance - August 2005
 

if it has to be done, it has to be done. Critical updates that is. For all other stuff, i don't see a real reason. If we are 'so small', there is no real benefit in gettin as secured as the Pentagon itself.:)

Re: Server Maintanance - August 2005
 

hrhrhrhr, i'm on holidays folks

good look and may the emerge be with you :)

Thanks for the birthday whishes everyone *G*

Re: Server Maintanance - August 2005
 

Can we update GCC? Dethpod has been able to make .so files for me nearly half the size of the ones I generate on the BU server using the same makefile..

Re: Server Maintanance - August 2005
 

That's probably because he strips the debug symbols, not because of GCC itself.

man strip :)

Re: Server Maintanance - August 2005
 

Sooner or later, the update is gonna HAVE to be done. And i'd rather have it sooner, while im still jobless and have the TIME to immediately correct any problems that arise ...

Seb

Re: Server Maintanance - August 2005
 

well if critical updates should be done, why not fix a few other things while you're at it? And remember - if it's not broke, it doesn't have enough features.

Re: Server Maintanance - August 2005
 

@PMB: he said he just runs the makefile.. he doesn't even know what strip is.. even though strip does take off 300kB from the ones I've made..

Re: Server Maintanance - August 2005
 

Server Update Finished. No major problems anticipated / encountered.

let me know if anything goes haywire.

Seb

Re: Server Maintanance - August 2005
 

Is this really done everything now? I got the email message like so:

So - will be any downtime during the next weekend or not?
Or it was just Nova joking with me (because of my opinion about updating the server)? ;)

Re: Server Maintanance - August 2005
 

got that too..

Re: Server Maintanance - August 2005
 

nice work nova, no downtime seen :D

Re: Server Maintanance - August 2005
 

See, wasnt that bad was it :D

Re: Server Maintanance - August 2005
 

I feel like a virgin raped in her sleep :|

nah :D good job Nova