Yum update only security-related packages

yum -y install yum-plugin-security

# To display all updates that are security relevant, and get a return code indicating whether there are security updates, enter:
yum --security check-update

# To upgrade packages that have security errata (upgrades to the latest available package) use:
yum --security update

# To upgrade packages that have security errata (upgrades to the last security errata package) use:
yum --security update-minimal

# See yum-security man page for more information:
man 8 yum-security

thanks, cyberciti

CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default over the previous iptables, which requires some new steps to configure your firewall.

Rule Permanence

In firewalld, rules can be designated as either permanent or immediate (runtime). By default, adding or modifying a rule changes only the currently running firewall; at the next reload or boot those runtime changes are lost and the old, permanent rules are restored.

Most firewall-cmd operations can take the --permanent flag to indicate that the non-ephemeral firewall should be targeted. This will affect the rule set that is reloaded upon boot. This separation means that you can test rules in your active firewall instance and then reload if there are problems. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Some key take-aways:

  • check active zones: firewall-cmd --get-active-zones
  • use the --permanent flag for rules you want to persist across reloads: firewall-cmd --permanent --zone=public --add-service=https
  • add the service FOR EACH ZONE you want it in. Leaving out --zone applies it to the default zone only.

More info:

  • redhat.com – Security_Guide sec-Using_Firewalls
  • digitalocean – how-to-set-up-a-firewall-using-firewalld-on-centos-7
# CentOS/RHEL 7 Firewall:

# add service to zone:
$ firewall-cmd --permanent --zone=public --add-service=ssh

# reload to apply the permanent rule:
$ firewall-cmd --reload

# check:
$ sudo firewall-cmd --state
$ firewall-cmd --zone=public --list-all

## apache / httpd:
$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --permanent --zone=public --add-service=https
$ systemctl reload firewalld

For more info, see:

http://linuxmanpages.net/manpages/fedora20/man5/firewalld.zone.5.html
http://searchdatacenter.techtarget.com/tip/A-few-ways-to-configure-Linux-firewalld?abRg=f
https://www.certdepot.net/rhel7-get-started-firewalld/
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos

Example for opening mysql 3306 and 3307 to the LAN only (eth1 in this case, using the "dmz" zone):

Pre-configured services are in /etc/firewalld/services (or similar); you can create your own, as with mysql-ro.xml below. Bind each interface to its zone, then add the services to the LAN-facing zone:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=dmz --change-interface=eth1 --permanent

firewall-cmd --zone=dmz --permanent --add-service=mysql
firewall-cmd --zone=dmz --permanent --add-service=mysql-ro

# verify:
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --zone=dmz --list-all

firewall-cmd --reload

# if any network settings were updated:
# NOTE: may disrupt the network, take care on a production machine
systemctl restart network.service

# to make sure firewalld settings are updated:
systemctl restart firewalld.service

mysql-ro (port 3307) service: /etc/firewalld/services/mysql-ro.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MySQL</short>
  <description>MySQL Database Server - secondary port</description>
  <port protocol="tcp" port="3307"/>
</service>
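The mysql-ro.xml above is one hand-written service file. As an added example (not code from the original notes or from the firewalld project), the Python below generates such a file for any service name and port list, rejects ports and protocols firewalld would refuse, and reads the file back so you can verify it is well-formed before firewall-cmd --reload is asked to load it. The function names, and the temporary directory used in place of /etc/firewalld/services, are this example's own choices.

```python
"""Generate and verify a custom firewalld service definition.

Added example (not code from the original notes or from the firewalld
project): generalises the hand-written mysql-ro.xml above to any
service name and any list of ports.  Function names and the temporary
directory used in demo() (in place of /etc/firewalld/services) are
this example's own choices.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")   # what firewalld's <port> accepts


def build_service_xml(short, description, ports):
    """Return the XML text of a firewalld service.

    ports is a list of (protocol, port) tuples; port may be a single
    number (3307) or a range string ("3306-3307"), as firewalld allows.
    Raises ValueError on anything firewalld would refuse to load.
    """
    if not ports:
        raise ValueError("a service must open at least one port")
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for protocol, port in ports:
        if protocol not in VALID_PROTOCOLS:
            raise ValueError("unsupported protocol: %r" % (protocol,))
        for piece in str(port).split("-"):
            if not piece.isdigit() or not 1 <= int(piece) <= 65535:
                raise ValueError("port out of range: %r" % (port,))
        ET.SubElement(root, "port", protocol=protocol, port=str(port))
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


def write_service(directory, name, short, description, ports):
    """Write <directory>/<name>.xml and return its path.

    On a real host use /etc/firewalld/services as the directory; name is
    what `firewall-cmd --add-service=<name>` will refer to.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("service name may only contain letters, digits, - and _")
    path = os.path.join(directory, name + ".xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_service_xml(short, description, ports))
    return path


def read_service(path):
    """Parse a service file back into a dict, to verify what was written."""
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError("not a firewalld service file: " + path)
    return {
        "short": root.findtext("short"),
        "description": root.findtext("description"),
        "ports": [(p.get("protocol"), p.get("port")) for p in root.findall("port")],
    }


def demo():
    """Write the mysql-ro service into a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_service(tmp, "mysql-ro", "MySQL",
                             "MySQL Database Server - secondary port",
                             [("tcp", 3307)])
        return read_service(path)


if __name__ == "__main__":
    print(build_service_xml("MySQL", "MySQL Database Server - secondary port",
                            [("tcp", 3307)]))
    print(demo())
```

After writing the file to /etc/firewalld/services, the steps are the same as for mysql-ro above: --permanent --add-service=<name> in the zone you want, then firewall-cmd --reload and --list-all on that zone to confirm the service shows up.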
Convert .ppk key to OpenSSH key on Mac or Linux

On Windows you can use the putty.exe tool; for Mac or Linux:

Linux: sudo [yum | apt-get] install putty-tools
OS X: brew install putty

puttygen id_dsa.ppk -O private-openssh -o id_dsa

Apache password protect directory

Password-protecting a directory on Apache is another piece of syntax I use just intermittently enough to forget the exact form. This assumes you have command-line access to your server to create the password file. If you are putting the Apache config in an .htaccess file (easiest, but not the best for production sites), make sure Apache allows overrides for that directory (AllowOverride).

First, create (-c) or update the password file:

htpasswd [ -c ] [ -m ] [ -D ] passwdfile username

-c  Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.
-m  Use MD5 encryption for passwords. On Windows, Netware and TPF, this is the default.
-D  Delete user. If the username exists in the specified htpasswd file, it will be deleted.

Then, update the Apache config (or .htaccess):

AuthUserFile /var/www/path/to/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user

You can also allow access from just certain IP addresses or domains, either instead of or in addition to user/pass. A whole or partial IP can be specified like so:

Allow from apache.org
Allow from 192.168.1.104
Allow from 10 172.20
Allow from 2001:db8::a00:20ff:fea7:ccea

(Note that IP and domain info can be faked pretty easily, so this method should not be used on anything too sensitive. In those cases, a public/private key or browser certificate system is best.)

There are also times when you want to allow or deny access based on the user agent. This can be done like so:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
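The Allow from and SetEnvIf rules above decide access purely by what the client presents, so it is worth checking what a given list actually admits before deploying it. As an added example (not part of the original notes or of Apache's mod_authz_host), the Python below models that matching: whole and partial dotted IPv4 arguments ("10" covers all of 10.0.0.0/8, "172.20" covers 172.20.0.0/16), full IPv6 addresses, network/CIDR arguments, domain-name suffixes, and an env= clause fed by a SetEnvIf-style User-Agent regex, all evaluated under Order Deny,Allow with Deny from all. Function names are this example's own, and it simplifies Apache in two ways: hostname matching is applied only when a hostname is supplied (Apache would do its own reverse lookup), and the Deny from all line is assumed rather than parsed.

```python
"""Evaluate what an Apache 2.2-style `Allow from` list admits.

Added example, not part of the original notes or of Apache itself.
Assumptions: `Order Deny,Allow` with `Deny from all`, so a request is
admitted if and only if some Allow argument matches it.  Hostname
matching only happens when the caller supplies the hostname that
Apache's reverse lookup would have produced.
"""
import ipaddress
import re

PARTIAL_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}")


def _ip_rule_matches(rule, addr):
    """True if one Allow argument covers the ipaddress object addr."""
    # a.b.c.d/nn, a.b.c.d/m.m.m.m, or any IPv6 address
    if "/" in rule or ":" in rule:
        try:
            return addr in ipaddress.ip_network(rule, strict=False)
        except ValueError:
            return False
    # whole or partial dotted IPv4: "10" or "172.20" mean the first N octets
    if PARTIAL_IPV4.fullmatch(rule):
        if addr.version != 4:
            return False
        want = rule.split(".")
        have = str(addr).split(".")
        return have[:len(want)] == want
    return False


def _host_rule_matches(rule, hostname):
    """Domain arguments match the host itself or any subdomain of it."""
    if hostname is None or re.fullmatch(r"[\d./:]+", rule):
        return False
    rule = rule.lower().lstrip(".")
    hostname = hostname.lower()
    return hostname == rule or hostname.endswith("." + rule)


def allowed(allow_directives, client_ip, hostname=None, env=()):
    """Apply `Deny from all` plus the given `Allow from ...` arguments.

    allow_directives: the text after "Allow from" on each line, e.g.
    ["apache.org", "10 172.20"]; several arguments per line are allowed.
    env: names set by SetEnvIf, for `Allow from env=NAME`.
    """
    addr = ipaddress.ip_address(client_ip)
    for directive in allow_directives:
        for arg in directive.split():
            if arg.lower() == "all":
                return True
            if arg.startswith("env="):
                if arg[4:] in env:
                    return True
                continue
            if _ip_rule_matches(arg, addr) or _host_rule_matches(arg, hostname):
                return True
    return False   # Deny from all wins when nothing allows


def env_from_user_agent(user_agent, pattern=r"^KnockKnock/2\.0", var="let_me_in"):
    """Mimic `SetEnvIf User-Agent <pattern> <var>`: return the env names set."""
    return {var} if re.search(pattern, user_agent or "") else set()


if __name__ == "__main__":
    # Constructed sample: the Allow lines from the notes above.
    rules = ["apache.org", "192.168.1.104", "10 172.20",
             "2001:db8::a00:20ff:fea7:ccea"]
    for ip in ("10.44.0.9", "172.200.1.1", "192.168.1.105"):
        print(ip, "->", "allowed" if allowed(rules, ip) else "denied")
    ua_env = env_from_user_agent("KnockKnock/2.0 (probe)")
    print("KnockKnock UA ->", allowed(["env=let_me_in"], "203.0.113.5", env=ua_env))
```

Running it shows the point of the note above: "Allow from 10" admits every 10.x.x.x client, and the user-agent gate opens for anything that sends the expected string, which is why neither should guard anything sensitive on its own.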

For more info on .htaccess see: Apache Tutorial: .htaccess files