Servers 101: Keeping your server up to date!

in #tutorial, 8 years ago

This one is a quick but important step in maintaining your server. In the series, we installed a LAMP (Linux/Apache/MySQL/PHP) stack with an email server, did some basic hardening, added SSH notifications... But I haven't talked to you about updating your server! And in most articles I only told you to refresh the package index (apt-get update), not to actually upgrade the installed packages!

I will be writing a couple of thoughts and facts about software packages in general, and then we will proceed to update our server!


Why is it important?

Software packages installed on our servers have bugs: lines of code that don't behave as intended because of oversights and mistakes. It's very hard NOT to have a bug in a piece of software. Many things can go wrong, and by the time a bug is found and understood, the package has already been installed on thousands of servers around the world.

Most bugs just make our server misbehave at something we need it to do. Some of them, though, are security holes: they let a stranger read data or run code they should never have access to, and that is the kind an attacker goes looking for. A not-so-recent example (but if I only had to mention one, this would be it) is the Heartbleed bug (CVE-2014-0160, which affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g).

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Source of the above: heartbleed.com

Some operating systems have what we call a "rolling release". There are no numbered versions like Ubuntu's every 6 months; it is ONE version that gets updated indefinitely (that is, until the distro is no longer maintained). The most notable rolling-release distro is Arch. Debian Unstable (Sid) is also considered a rolling release.

Ubuntu, CentOS, Debian (apart from Unstable), Mint, Fedora (and the list goes on, so I'll stop naming all the Linux distros I know) are what we call fixed releases (also called "standard" or "point" releases). Each version is supported for a set period of time. During the later part of that period the only updates shipped are security and critical bug fixes, and once the version reaches its end of life it gets no updates at all, security fixes included.

Why am I telling you that?

Because most of you are using CentOS/Debian/Ubuntu for your servers. At some point, your server's release will reach end of life and stop getting updates, including security updates, so every bug found after that date stays open on your machine. At that point you have to do the hard part: either upgrade in place to the next supported release (Ubuntu has do-release-upgrade; on Debian you point /etc/apt/sources.list at the new release and run apt-get dist-upgrade), or, where in-place upgrades aren't supported (between CentOS major versions, for example), reinstall on a supported release and restore your data and configuration. Look up the end-of-life date of your release on the distro's website so it doesn't catch you by surprise.


How do we do it?

It is very simple, but it may take some time to finish. In some cases, where big changes have happened to a piece of software you use, things will break and you'll have to reconfigure it.

The first step is to back up all the data you can't afford to lose! Web sites, SQL databases, passwords, everything. You should also back up your config files (/etc, or at least the directories of Apache, nginx, lighttpd and MySQL) to make it easier to reinstall and reconfigure your software.


Ok, but how do we do it?

Getting impatient there, huh?

Ubuntu/Debian and apt-get based distros:

These are the 3 commands you have to run:

sudo apt-get update
sudo apt-get upgrade
sudo shutdown -r 0



We have covered the first 2 commands. One caveat about the second: apt-get upgrade never installs new packages or removes existing ones, so an update that needs either (a new kernel image on Ubuntu is the usual case) is listed under "The following packages have been kept back" and skipped. When you see that line, run sudo apt-get dist-upgrade, which is allowed to add and remove packages to complete the upgrade (read the plan it prints before confirming). The third command restarts your system (0 means "in zero minutes"; shutdown -r now does the same). A restart is not always required, but you HAVE to restart when your kernel gets updated; on Debian/Ubuntu the file /var/run/reboot-required appears when an installed package asks for a reboot. The other thing to know is that a process keeps running the old copy of a library it loaded at start-up until it is restarted. After the Heartbleed fix for libssl, installing the package was not enough: Apache (and anything else linked against OpenSSL) stayed vulnerable until it was restarted. A reboot is the simplest way to be sure everything is running the new code; if you'd rather avoid one, sudo lsof -n | grep DEL lists processes still mapping files that have been replaced on disk, and those are the services to restart.

CentOS/Fedora and yum-based distros

sudo yum update
sudo shutdown -r 0



CentOS uses yum by default. It is a different package manager, and its update command does what apt-get update and apt-get upgrade do together: it refreshes the repository metadata and then installs the new versions. A new kernel is installed as a separate package next to the old one, so a kernel update always needs the reboot; on CentOS 7, needs-restarting -r (from the yum-utils package) tells you whether one is pending. If you want to see what would be updated before installing anything, run sudo yum check-update. I won't get into more details, we don't need them right now.


This is it. Do this regularly. I would say weekly, unless you hear about a major bug in some software or the Linux kernel, in which case do it right away. The easiest way to hear about those is to subscribe to your distro's security announcement mailing list (debian-security-announce and ubuntu-security-announce for Debian/Ubuntu). If you are not sure whether a bug affects you, just update! If you want to check first, there is a command that shows the installed and the available version of a package. Refresh the index with sudo apt-get update and then run apt-cache policy <packagename>: the Installed line is what you're running, the Candidate line is what an upgrade would give you, and if they differ an update is pending. To see whether a particular fix is in it, apt-get changelog <packagename> prints the package changelog, where Debian and Ubuntu usually list the CVE numbers each version fixes.
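As an added example (my own script, not code from the post), here is a shell routine for Debian/Ubuntu that strings the three commands together with the checks discussed above: whether plain upgrade is holding a kernel update back, whether an update is pending for a given package, which running services still map a library the upgrade replaced on disk, and whether the system has asked for a reboot. The apt-get, apt-cache policy and lsof outputs embedded in it are constructed for illustration, not captured from a real host, and the file name update.sh is just an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. The helper functions take the
# text they inspect as an argument, so they can be exercised on the
# constructed samples below without touching a real system.

# kept_back "<output of apt-get -s upgrade>"
# Prints the packages apt would hold back, one per line. Plain "upgrade"
# holds back anything that needs a new package installed, which on Ubuntu
# is how a kernel update looks.
kept_back() {
    printf '%s\n' "$1" | awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[^ ]/                                 { grab = 0 }
        grab { for (i = 1; i <= NF; i++) print $i }
    '
}

# kernel_held_back "<output of apt-get -s upgrade>"
# Returns 0 when a kernel image package is among the held-back packages.
kernel_held_back() {
    kept_back "$1" | grep -q '^linux-image'
}

# pending_update "<output of apt-cache policy PKG>"
# Prints "installed -> candidate" and returns 0 if an upgrade is pending,
# returns 1 if the installed version is already the candidate.
pending_update() {
    printf '%s\n' "$1" | awk '
        /^  Installed:/ { inst = $2 }
        /^  Candidate:/ { cand = $2 }
        END {
            if (inst != cand) { print inst " -> " cand; exit 0 }
            exit 1
        }
    '
}

# stale_libs "<output of lsof -n>"
# Prints "pid command file" for every process still mapping a file that was
# deleted (replaced by an upgrade); lsof marks those entries with DEL.
# Such processes run the old code until they are restarted.
stale_libs() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "DEL") { print $2, $1, $NF; break }
    }'
}

# reboot_needed [marker]
# Debian/Ubuntu create /var/run/reboot-required when an installed package
# (typically the kernel or libc) asks for a reboot.
reboot_needed() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Constructed sample outputs (not real captures) used to exercise the helpers.
SAMPLE_APT='Reading package lists...
Building dependency tree...
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic
The following packages will be upgraded:
  libssl1.0.0 openssl
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

SAMPLE_POLICY='openssl:
  Installed: 1.0.1-4ubuntu5.11
  Candidate: 1.0.1-4ubuntu5.12
  Version table:
     1.0.1-4ubuntu5.12 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages'

SAMPLE_LSOF='COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
apache2 1234 root DEL  REG    8,1          131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2 1234 root mem  REG    8,1   40960    5678 /usr/lib/x86_64-linux-gnu/libz.so.1
sshd     812 root DEL  REG    8,1          262144 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0'

# The live procedure, guarded so that merely sourcing the file only defines
# the helpers. Run it as:  sudo env DO_UPGRADE=1 sh update.sh
if [ "${DO_UPGRADE:-0}" = "1" ]; then
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    if kernel_held_back "$(apt-get -s upgrade)"; then
        echo "a kernel update is held back; run apt-get dist-upgrade to install it"
    fi
    apt-get -y upgrade
    if command -v lsof >/dev/null 2>&1; then
        echo "processes still running replaced libraries (restart these):"
        stale_libs "$(lsof -n 2>/dev/null)" | sort -u
    fi
    if reboot_needed; then
        echo "reboot required: /var/run/reboot-required is present"
    fi
fi
```

The helpers parse the tools' text output rather than calling them directly, which is what makes them testable on the constructed samples; on a real host you feed them `$(apt-get -s upgrade)`, `$(apt-cache policy openssl)` and `$(lsof -n)` as the guarded section does.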


Other stuff in the Server 101 series:


If you need a place to host your servers consider Vultr, Digital Ocean and BuyVM.

These are affiliate links. If you sign up through them, you support me and I will have more free time to write more content like this.

Also If you signup for Digital Ocean through my affiliate link, you will get $10 to try them out. Note: to battle abusers of this offer, you'll have to make a $5 deposit via Paypal or add your credit/debit card, so they can confirm that you are a new user. I did a deposit via Paypal to test them out, and then I added my credit card so I won't have to deposit money manually every now and then.


Also, I am running a witness server.

Please consider voting me, dimitrisp, for a witness if you find what I post & do helpful and add value to the network

You can read my witness declaration here


Great Linux posts :D

I run

sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get upgrade && sudo shutdown -r 0

then I make coffee
