SELinux Policy for Your Parallels Plesk Panel Server
To configure SELinux you need to know the rules that should be added into the system policy.
SELinux writes every denial to the /var/log/audit/audit.log file, and these messages can be converted into policy rules with the /usr/bin/audit2allow utility. For example:
cat /var/log/messages | /usr/bin/audit2allow
Also, /var/log/messages.* files can be examined for the SELinux deny messages.
Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.
For instance, consider the following example:
1. # cd /; ln -s / public_html
2. Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration so that nothing is served by default, and then grant access explicitly (with separate Directory blocks) only to the directories you actually want to serve, such as the document root:
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
Protect a server within a network by using a TCP Wrapper.
The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper.
It can be used to explicitly define network services to accept incoming connections from specified servers and networks.
TCP wrappers implement access control through two files, /etc/hosts.allow and /etc/hosts.deny. The allow file is consulted first, then the deny file; a client matched by neither is granted access.
A recommended security strategy is to block all incoming requests by default and allow only specific hosts or networks to connect.
To deny everything by default, add the following line to /etc/hosts.deny:
ALL: ALL
To accept incoming SSH connections from e.g. nodes lab1, lab2 and lab3, add the following line to /etc/hosts.allow:
sshd: lab1 lab2 lab3
To accept incoming SSH connections from all servers in a specific network, add the name of the subnet, written with a leading dot, to /etc/hosts.allow. For example:
sshd: lab1 lab2 lab3 .subnet.lab.com
To accept incoming SSH connections from the IP address 192.168.0.1 and from the subnet 192.168.5 (the trailing dot makes it a prefix match on the address), add the following line to /etc/hosts.allow:
sshd: 192.168.0.1 192.168.5.
You can even tell xinetd to limit the rate of incoming connections. The TCP wrapper is quite flexible. And xinetd provides its own set of host-based and time-based access control functions.
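As an added example (not part of the original article and not the TCP wrappers library itself), the following POSIX shell script models the order in which tcpd consults hosts.allow and hosts.deny, so a rule set like the one above can be dry-run before deployment. It understands only the pattern forms used in this article (ALL, an exact host name or address, a leading-dot domain suffix, a trailing-dot IP prefix); the host names and addresses it tries are constructed sample values.

```shell
# Added example: a minimal model of tcpd's hosts.allow / hosts.deny evaluation.
# Not the real TCP wrappers library; supports only ALL, exact host or IP,
# a .domain suffix and a 1.2.3. address prefix (the forms used in this article).
# match_token TOKEN HOSTNAME IP -> 0 if TOKEN matches the client
match_token() {
    tok=$1; host=$2; ip=$3
    case "$tok" in
        ALL) return 0 ;;
        .*)  case "$host" in *"$tok") return 0 ;; esac ;;   # .subnet.lab.com
        *.)  case "$ip"   in "$tok"*) return 0 ;; esac ;;   # 192.168.5.
        *)   if [ "$tok" = "$host" ] || [ "$tok" = "$ip" ]; then return 0; fi ;;
    esac
    return 1
}
# file_matches FILE DAEMON HOSTNAME IP -> 0 if a "daemons: clients" line applies
file_matches() {
    file=$1; daemon=$2; host=$3; ip=$4
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for dm in $dlist; do
            [ "$dm" = ALL ] || [ "$dm" = "$daemon" ] || continue
            for cl in $clist; do
                match_token "$cl" "$host" "$ip" && return 0
            done
        done
    done < "$file"
    return 1
}
# wrapper_decision ALLOWFILE DENYFILE DAEMON HOSTNAME IP -> prints allow|deny
# hosts.allow is consulted first, then hosts.deny; a client listed in neither
# is let in, which is why hosts.deny needs "ALL: ALL".
wrapper_decision() {
    if   file_matches "$1" "$3" "$4" "$5"; then echo allow
    elif file_matches "$2" "$3" "$4" "$5"; then echo deny
    else echo allow
    fi
}
demo() {   # constructed sample rule set (not real hosts) written to a temp dir
    tmp=$(mktemp -d)
    printf 'ALL: ALL\n' > "$tmp/hosts.deny"
    printf 'sshd: lab1 lab2 lab3 .subnet.lab.com 192.168.0.1 192.168.5.\n' > "$tmp/hosts.allow"
    wrapper_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd lab2 10.0.0.2       # allow
    wrapper_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd other 192.168.50.7  # deny
    rm -rf "$tmp"
}
demo
```

The second demo call shows why the trailing dot matters: 192.168.50.7 is not under the 192.168.5. prefix, so it falls through to the ALL: ALL deny rule.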
Upgrading Your Red Hat Server
Check your kernel release before the upgrade, then run:
yum update
After the upgrade, check the kernel release again.
If run without any packages, update will update every currently installed package.
If one or more packages are specified, yum will only update the listed packages. While updating packages, yum will ensure that all dependencies are satisfied.
If no package matches the given package name(s), they are assumed to be a shell glob and any matches are then installed. If the --obsoletes flag is present, yum will include package obsoletes in its calculations; this makes it better for distro-version changes, for example upgrading from somelinux 8.0 to somelinux 9.
yum upgrade: the same as the update command with the --obsoletes flag set.
yum is an interactive, automated update program which can be used for maintaining systems.
Yum Options:
* install package1 [package2] [...]
* update [package1] [package2] [...]
* check-update
* upgrade [package1] [package2] [...]
* remove | erase package1 [package2] [...]
* list [...]
* info [...]
* provides | whatprovides feature1 [feature2] [...]
* clean [ packages | headers | metadata | cache | dbcache | all ]
* makecache
* groupinstall group1 [group2] [...]
* groupupdate group1 [group2] [...]
* grouplist [hidden]
* groupremove group1 [group2] [...]
* groupinfo group1 [...]
* search string1 [string2] [...]
* shell [filename]
* resolvedep dep1 [dep2] [...]
* localinstall rpmfile1 [rpmfile2] [...]
* localupdate rpmfile1 [rpmfile2] [...]
* deplist package1 [package2] [...]
FILES
/etc/yum.conf
/etc/yum/repos.d/
/etc/yum/pluginconf.d/
/var/cache/yum/
SEE ALSO
yum.conf (5)
http://linux.duke.edu/yum/
http://wiki.linux.duke.edu/YumFaq
The File Transfer Protocol, or FTP, is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
vsftpd - A standalone, security oriented implementation of the FTP service.
Change the FTP Greeting Banner:
To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
ftpd_banner=[insert_greeting_here]
To simplify management of multiple banners, place all banners in a new directory called /etc/banners/.
To reference this greeting banner file for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg