Yum update only security-related packages

yum -y install yum-plugin-security

# To display all updates that are security relevant, and get a return code indicating whether there are security updates, enter:
yum --security check-update

# To upgrade packages that have security errata (upgrades to the latest available package) use:
yum --security update

# To upgrade packages that have security errata (upgrades to the last security errata package) use:
yum --security update-minimal

# See yum-security man page for more information:
man 8 yum-security

thanks, cyberciti

CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default over the previous iptables, which will require some new steps to configure your firewall:

# new CentOS/RHEL 7 Firewall: 
	(see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html )
# create a new service e.g. for webmin:
$ cat /etc/firewalld/services/webmin.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>Server admin service. Restrict access and do not leave running.</description>
  <port protocol="tcp" port="10000"/>
</service>
# add service to zone:
nano /etc/firewalld/zones/public.xml 
# OR
$ firewall-cmd --permanent --zone=public --add-service=webmin
# reload to add:
$ firewall-cmd --reload
# check:
$ firewall-cmd --zone=public --list-all
## apache / httpd:
$ firewall-cmd --permanent --add-service=http
$ firewall-cmd --permanent --add-service=https
$ systemctl restart firewalld

Example for setting mysql 3306 and 3307 to LAN (eth1 in this case, using “dmz” zone):

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=dmz --change-interface=eth1 --permanent
firewall-cmd --zone=dmz --permanent --add-service=mysql
firewall-cmd --zone=dmz --permanent --add-service=mysql-ro
# verify:
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --zone=dmz --list-all
firewall-cmd --reload
# if any network settings were updated:
# NOTE: may disrupt network, take care on production machine
systemctl restart network.service
# to make sure firewalld settings are updated:
systemctl restart firewalld.service

mysql-ro (port 3307) service: /etc/firewalld/services/mysql-ro.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>MySQL Database Server - secondary port</description>
  <port protocol="tcp" port="3307"/>
</service>
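As an added example (not part of the original notes), a small POSIX sh function that writes a firewalld service file with the `<service>` root element that both hand-written files above need, after validating the service name and ports so a bad file is never written for `firewall-cmd --reload` to choke on. The target directory argument and the tcp default when no protocol is given are my assumptions; on a real host the directory is /etc/firewalld/services, followed by the `--add-service` and `--reload` steps shown above.

```shell
#!/bin/sh
# Usage: make_firewalld_service DIR NAME "DESCRIPTION" PORT[/PROTO]...
# Writes DIR/NAME.xml (assumed layout; on a real host DIR is /etc/firewalld/services).
# Returns 1 without writing anything if the name, a port or a protocol is invalid.
# Variables are deliberately not declared local, to stay POSIX sh.
make_firewalld_service() {
    [ $# -ge 4 ] || { echo "usage: make_firewalld_service DIR NAME DESC PORT..." >&2; return 1; }
    dir=$1; name=$2; desc=$3
    shift 3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Service name becomes the file name and the --add-service argument:
    # allow only the safe character set (rejects '..', '/', ';' and friends).
    case $name in
        *[!a-zA-Z0-9_-]*|'') echo "bad service name: $name" >&2; return 1 ;;
    esac
    nl='
'
    ports=""
    for spec in "$@"; do
        port=${spec%/*}                  # "3307/udp" -> 3307, "3307" -> 3307
        proto=tcp                        # assumed default when no protocol is given
        case $spec in */*) proto=${spec#*/} ;; esac
        case $proto in tcp|udp) ;; *) echo "bad protocol in $spec" >&2; return 1 ;; esac
        case $port in *[!0-9]*|'') echo "bad port in $spec" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
        ports="$ports  <port protocol=\"$proto\" port=\"$port\"/>$nl"
    done
    # Escape the characters XML treats specially in the free-text description.
    esc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
            "  <short>$name</short>" "  <description>$esc</description>"
        printf '%s' "$ports"
        printf '%s\n' '</service>'
    } > "$dir/$name.xml"
}

# Example run, same service as the file above (written to a temp dir here):
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_firewalld_service "$d" mysql-ro "MySQL Database Server - secondary port" 3307
    cat "$d/mysql-ro.xml"
    rm -rf "$d"
fi
```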

Convert .ppk key to OpenSSH key on Mac or Linux

On Windows you can use the putty.exe tool; on Mac or Linux, install the PuTTY command-line tools and convert with puttygen:

Linux: sudo [yum | apt-get] install putty-tools
OS X: brew install putty

puttygen id_dsa.ppk -O private-openssh -o id_dsa

Apache password protect directory

Password-protecting a directory on Apache is another piece of syntax I use intermittently enough to forget the exact details. This assumes you have command-line access to your server to create the password file. If you are putting the Apache config in an .htaccess file (easiest, but not the best for production sites), make sure the directory has the appropriate Apache permissions (AllowOverride) for those directives to be honoured.

First, create (-c) or update the password file:

htpasswd [ -c ] [ -m ] [ -D ] passwdfile username

-c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.
-m Use MD5 encryption for passwords. On Windows, Netware and TPF, this is the default.
-D Delete user. If the username exists in the specified htpasswd file, it will be deleted.

Then, update apache config (or htaccess):

AuthUserFile /var/www/path/to/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user

You can also allow access from only certain IP addresses or domains, either instead of or in addition to user/password. A whole or partial IP can be specified like so:

Allow from apache.org
Allow from
Allow from 10 172.20
Allow from 2001:db8::a00:20ff:fea7:ccea

(Note that IP and domain info can be faked pretty easily, so this method should not be used on anything too sensitive. In those cases, a public-private key/browser certificate system is best.)

There are also times that you want to restrict access to or from certain user agents. This can be done like so:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>

(On Apache 2.4 the Order/Deny/Allow directives are provided by mod_access_compat; the native 2.4 form of the same rule is a Require env let_me_in directive inside the Directory block. Like the IP rules above, a User-Agent header is trivially chosen by the client, so treat this as a convenience filter, not authentication.)

For more info on .htaccess see: Apache Tutorial: .htaccess files