Netflix has identified several vulnerabilities in the TCP networking stack that affects all Linux users with un-patched kernels. The vulnerabilities have been assigned CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
All three issues have already been mitigated for all our VPS customers.
The original advisory says...
The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels
We are not aware of anyone abusing this exploit yet, however that is likely to change rapidly over the next few days. More information is available below.
In the advent of containerized applications it can be quite daunting to get started with docker and multiple containers in a cluster. In this post we will go through some of the terminology and how to get started in a simplified case for a single host, multiple containers application stack, with containers for wordpress, mysql and a reverse proxy using ngnix.
(Photo by Allagash Brewing)
Every year the staff at Rimu look forward to the latest Linux.conf.au conference. Some of us go in person, some watch online, but we all love it, and love to catch up with whats going on.
This year it was in Christchurch and Juan and I (Liz) went down to attend in person.
Christchurch was amazing, Juan took the time to race about on a Lime Scooter, and we all caught up with old regular LCA attendees.
Spent a fair amount of time in the common rooms where we had soldaring, RaspberryPis, DonkeyCars, and a TV hooked up to a laptop playing JackBox Games.
Are you seeing this message about your server ?
Action may be required to prevent your Let's Encrypt certificate renewals
If you already received a similar e-mail, this one contains updated
Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days
This is an issue caused by the certbot binary being out of date. We are seeing it on a few systems, and it seems there is an easy fix for it!
Add backports by adding a line into /etc/apt/sources.list like this
deb http://ftp.debian.org/debian stretch-backports
apt-get update ; apt-get install certbot python-certbot-apache -t stretch-backports
Anything else you will need to download the binary for as per https://certbot.eff.org/
If you get stuck doing any of this, pop in a support ticket and we can help out.
At RimuHosting we're enthusiastic about how Let's Encrypt gives website owners a great way to secure their websites. And certbot is the tool we usually recommend to get a Let's Encrypt certificate. We find it's easy to use and works well on recent distributions.
However, sometimes issuing or renewing a certificate fails. A common reason is that certbot cannot complete the authentication requirements with the Let's Encrypt servers.
If you run in to this type of problem when getting a certificate we are happy to fix it for you. Lodge an SSL Cert ticket at https://rimuhosting.com/ticket/startticket.jsp, and we'll get your certificate sorted and website secured quickly. If you'd rather tackle it yourself, read on to find how to fix one possible cause of this problem. Continue reading
At RimuHosting it is our mission to help take the hassle out of our customer's hosting.
In a recent Hosting Advice article Christine Preusler touches on our 24x7 support, our global network of data centres and our customer focussed attention to detail.
A top-10 website hosting review focuses on our diverse network of data centers, our support for customers with complex hosting needs, and our VM on dedicated hosting.
LetsEncrypt/Certbot is a wonderful cheap way to have an SSL cert to secure things. It works out of the box and no issues for the most part until you have things like proxy pass or other things.
The fix is fairly easy however, and this works well in particular with those running tomcat behind apache
Create a config for letsencrypt in say /etc/httpd/conf/letencrypt.conf or /etc/apache/ that looks something like this
We have had Debian 9 images available since shortly after it became available. But missed announcing it. So here it is, Debian 9 is code named "Stretch" and is available as a setup option on all our plans.
As with other newer images, there is only a 64 bit image for new setups or re-installs. Most customers are now ordering 64 bit distros. And some distros only come in a 64 bit flavor now. Customers with an existing 32bit install also have the option to crossgrade to a 64bit install in place.
The Stretch install is compact but comes with MySQL and Apache out of the box, along with a bunch of other great tools preinstalled to help you get up and running faster. Most of the changes from Jessie are incremental, but there are a few highlights from the release notes:
- Gcc version jumps from 4.7 to 6.3
- PHP version 7.0 is now installed by default, bringing a ton of performance improvements, especially for cpu and memory usage
- Mariadb is now the default mysql variant
If you're wishing to upgrade from older debian releases to Stretch, see our upgrade notes.
Note also that Debian 7 "Wheezy" is officially past end of support now, users still running this release or older should update as soon as possible. Please open a support ticket if you have any questions on how to go about that.
The latest long term support (LTS) release of Ubuntu is now available for new installs. Ubuntu 18.04, also known as Bionic Beaver can be ordered at https://rimuhosting.com/order/v2orderstart.jsp. It's also an option to consider if you reinstall an existing VPS.
The official release notes for version of Ubuntu are available at https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes. This release of Ubuntu will be supported until April 2023. Ubuntu is one of the most popular linux server platforms, based on the solid Debian distribution. This release brings an update for Apache to version 2.4.29, with HTTP/2 support enabled. PHP has also been updated to version 7.2.x. The MySQL database server 5.7.22 is installed in our VPSs and MariaDB server 10.1.29 is also available.
We are currently seeing a high volume of Drupal exploits running a lot of arbitrary code, including crypto mining, attacking other servers and similar due to this exploit https://www.drupal.org/sa-core-2018-002
If you want to find out if you have any vulnerable Drupal installs quickly and easily i wrote a shell script for that . Just run the following from console
wget --no-check-certificate http://blog.rimuhosting.com/files/drupaldetect.sh
It will output something like this ..
root@servername:~# bash drupaldetct.sh
You have version 7.58 located at /var/www/vsc/
You have version 7.58 located at /var/www/vsfrts/
You have version 7.23 located at /var/www/corehtapts/
Looks like Drupal at /var/www/mgvec/ , but can't tell the version
You have version 7.50 located at /var/www/courtland/drupal/
You have version 7.0 located at /var/www/richvvrve/drupal/
You have version 7.58 located at /var/www/mrvegc2/
You have version 7.32 located at /var/www/ridvervee/drupal/
Any version prior to 7.58 is exploitable, and its safe to assume you should replace ALL the files as per https://www.drupal.org/docs/develop/security/your-drupal-site-got-hacked-now-what