Tag Archives | centos

15+ examples for yum update command

Yum is the package manager used on Red Hat, CentOS, and other Linux distributions built on the RPM Package Manager. It installs, updates, removes, and otherwise manages the packages on these systems. This tutorial covers the yum update command: what it is, how to use it, and the related commands you may need when upgrading the packages installed on your system.


How does yum update work?

Yum update is the command used to update applications installed on a system. If the command is run without any package names specified, it will update every currently installed package on the system.

yum update

When running this command, yum will begin by checking its repositories for updated version of the software your system currently has installed. The screenshot below shows the type of output you’ll typically see when first issuing the yum update command.

[Screenshot: output of yum update]

As you can see, the output from yum first lists the repositories it queries, which on CentOS 8 are the default AppStream, BaseOS, and Extras repos. Below that, yum lists the packages for which it has found updates.

At the tail end of this output, yum will display the “Transaction Summary,” which shows the total number of packages that are to be installed and upgraded.

[Screenshot: yum update Transaction Summary]

In this example, 166 packages are being upgraded, and 6 new packages are being installed.

In case you’re wondering why new packages are being installed when we are only supposed to be upgrading applications, some new software packages may have become part of this Linux distribution, or some upgraded applications may rely on extra packages that are not yet installed.

Once you review the list of software that yum plans to upgrade, you can confirm these changes by typing “y” and hitting enter.

Yum will then perform the upgrades, which may take some time depending on the speed of your connection and the system itself.

Once it has finished, you’ll get a final summary which will list all the packages that were successfully upgraded, as well as any errors that may have been encountered.

[Screenshot: yum update completed]

Update without gpg checking

GPG keys are used to verify the authenticity of an RPM package: the repository owner signs each package, and yum refuses to install anything whose signature does not check out against a key you have imported. The --nogpgcheck option tells yum to skip that check. It exists for packages you built yourself and never signed; if the problem is only that you do not have the repository's key, import the key (rpm --import, or a gpgkey= line in the repo file) rather than disabling the check.

yum update --nogpgcheck

This is a quick way past an error such as “Package NameOfPackage.rpm is not signed .. install failed!” when running the normal yum update command: with --nogpgcheck, yum ignores the missing or invalid signature and upgrades the package anyway. Treat it as a one-off for a package whose origin you have verified some other way. The signature is the only thing tying the RPM to its publisher, so once the check is off a compromised mirror or a tampered download installs silently, as root.

Update from a local repo

It’s possible to set up local repositories for yum to query when it does an update. This is often done if you want to use yum to update packages that aren’t included in the default repos, or if you need to upgrade an offline system.

First, place all your updated RPM files in a new folder; in this example we use /root/rpms. Then generate the repository metadata in that folder with createrepo (from the createrepo package): yum reads the repodata directory it creates, not the bare RPM files.

Next, navigate to the following directory where you can see all the repo files for yum:

cd /etc/yum.repos.d

[Screenshot: contents of /etc/yum.repos.d]

To set up a local repo, create a new file in this directory.

vi MyRepo.repo

Inside your repo file, use this format, changing the lines as necessary:

[MyRepo]
name=My Local Repo
baseurl=file:///root/rpms
enabled=1
gpgcheck=0

The big difference between a local repo and a remote repo is the “baseurl” line, where the file:// scheme points at a local directory instead of the remote http:// or ftp:// schemes. gpgcheck=0 is set here because locally built packages are usually unsigned; if your RPMs are signed, keep gpgcheck=1 and add a gpgkey= line pointing at the public key, so that a stray file dropped into /root/rpms cannot be installed unnoticed.

Once the file has been saved, apply the correct permissions:

chmod 644 MyRepo.repo

The repository should now be ready to use. Be sure to clear yum's cache before running yum update, so that the new repository's metadata is read:

yum clean all
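Both of the last two sections turn signature checking off, once with --nogpgcheck for a single run and once with gpgcheck=0 in a repo file that stays on the system. The script below is an added example, not code from the original article: it audits a directory of .repo files for exactly those weaknesses, namely gpgcheck=0, a missing gpgkey, and metadata fetched over clear-text http or ftp. The two repo files it creates are constructed for the demonstration (the CentOS one follows the stock layout, the other is the MyRepo file from above); point audit_repos at /etc/yum.repos.d to audit a real host.

```bash
#!/bin/bash
# Audit yum repository definitions for settings that weaken package authenticity.
# Findings: gpgcheck=0 (signatures never verified), no gpgkey (key must already be
# imported by hand), and baseurl/mirrorlist over clear-text http/ftp (metadata can be
# tampered with in transit; only the package signature then protects you).

# audit_repos DIR: one finding per line for every enabled repo in DIR/*.repo
audit_repos() {
    awk '
        function report() {
            if (id == "" || enabled == "0") return
            if (gpgcheck == "0") print file ": [" id "] gpgcheck=0, package signatures are not verified"
            if (gpgkey == "")    print file ": [" id "] no gpgkey, signing key must already be imported"
            if (url ~ /^(http|ftp):\/\//) print file ": [" id "] clear-text transport: " url
        }
        FNR == 1   { report(); id = "" }                      # new file: flush previous section
        /^[ \t]*#/ { next }                                   # comment line
        /^\[.*\]$/ { id = substr($0, 2, length($0) - 2); file = FILENAME
                     enabled = "1"; gpgcheck = ""; gpgkey = ""; url = ""; next }
                   { key = ""; val = "" }
        index($0, "=") { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
                         gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "enabled"  { enabled = val }
        key == "gpgcheck" { gpgcheck = val }
        key == "gpgkey"   { gpgkey = val }
        key == "baseurl" || key == "mirrorlist" { url = val }
        END        { report() }
    ' "$1"/*.repo
}

# make_sample_repos DIR: constructed repo files for the demo; the CentOS one follows the
# stock layout, MyRepo is the local repo from the section above
make_sample_repos() {
    cat > "$1/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
    cat > "$1/MyRepo.repo" <<'EOF'
[MyRepo]
name=My Local Repo
baseurl=file:///root/rpms
enabled=1
gpgcheck=0
EOF
}

repodir=$(mktemp -d)
make_sample_repos "$repodir"
audit_repos "$repodir"      # on a real host: audit_repos /etc/yum.repos.d
```

A repo with no gpgcheck line inherits the [main] setting from /etc/yum.conf, which is gpgcheck=1 on a stock install, so the script only flags an explicit 0. A clear-text mirrorlist is the norm for the stock CentOS repos; it is reported because the signature check is then the only thing standing between you and a tampered mirror, which is why gpgcheck=0 on such a repo is the combination to fix first.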

Show patches

Yum can display available security patches, without installing them, with this command:

yum updateinfo list security

[Screenshot: yum updateinfo list security returning no output]

If no output is returned, like in the screenshot above, this means there are no security patches available for any installed software on your system.

Update a single package

If you need to update a certain package without running an update for every application installed, just specify the name of the package in your yum update command.

yum update name-of-package

Multiple packages can be specified, separated by a space. You need to have the name of the package typed perfectly in order for yum to find it in its repositories; if you’re not sure of a package name, first check what packages are currently eligible for updates:

yum check-update

Update all but one package

If you need to run the yum update command but wish to exclude a package from being updated, you can specify the --exclude option.

A common situation where administrators find this necessary is kernel updates, since these are major updates that could cause unpredictable errors on a production server, while they still want to update less sensitive applications. Bear in mind that excluding the kernel also holds back its security fixes, so schedule the kernel update for a maintenance window rather than skipping it for good.

To exclude a package (in this example, those related to the kernel):

yum update --exclude=kernel*

The asterisk acts as a wildcard, in case there are multiple related packages or you don't know the full name of the package. With the -x form below the pattern must be quoted, or the shell may expand it against files in the current directory before yum sees it.

Alternatively:

yum update -x 'kernel*'

Exclude multiple packages

You can exclude multiple packages with more --exclude flags.

yum update --exclude=kernel* --exclude=httpd

Use this flag as in the example above, or the -x flag, as many times as needed.

Check when last yum update ran

To see a list of yum transactions, with the date and time they were run, use the yum history command.

yum history

[Screenshot: yum history output]

In the screenshot above, you can see that the last time yum updated software was on January 4th.

Rollback (revert) update

A great feature of yum is that it allows you to undo a recent update, restoring the upgraded packages to their previous versions.

Each yum action (install, update, erase, etc.) is assigned a transaction ID, and this ID must be specified when undoing a yum update. Note that undo re-installs the older package versions, so they must still be available from an enabled repository (or in yum's cache if keepcache=1); once a repository has dropped the old release, the rollback fails. To see a list of transaction IDs for recent yum operations, use this command:

yum history

[Screenshot: yum history listing transaction IDs]

In the screenshot above, you can see the last operation run with yum was to install the httpd package. Undoing an installation or an update works the same way, so in this example, we will undo this recent installation of httpd. As shown in the screenshot, this transaction has an ID of 7.

To undo this change and roll back the program to its previous version, issue this command:

yum history undo 7

[Screenshot: yum history undo 7]

As usual, yum will summarize the changes to be made and ask if you’d like to proceed with a Y/N prompt. Enter Y and the specified transaction will be undone.

[Screenshot: report of the undone transaction]

Clean up a failed yum update (Troubleshooting)

If one or more packages fail to upgrade successfully when you run the yum update command, the system can end up with duplicate packages installed (2 versions of the same program).

Sometimes, following the rollback instructions in the section above can fix the problem. If that doesn't work, you can list the duplicate packages on your system with the command below (from the yum-utils package) and then remove the older copies with the same tool's --cleandupes option:

package-cleanup --dupes

Yum stores a cache of information for packages, metadata, and headers. If you encounter an error, clearing yum’s cache is a good first step in troubleshooting. Use the following command to do that:

yum clean all

[Screenshot: yum clean all]

Skip errors

When updating or installing a package, that package may require additional software in order to run correctly. Yum is aware of these dependencies and will try to resolve them during updates by installing or upgrading the extra packages that are needed.

If yum has trouble installing the necessary dependencies, it produces an error and doesn’t proceed further. This is a problem if you have other packages that need to be updated.

To instruct yum to proceed with updating the other packages and skip the ones with broken dependencies, add the --skip-broken option to your yum update command. Check the list of skipped packages that yum prints afterwards: anything skipped has also missed whatever security fixes the update carried.

yum update --skip-broken

Get a list of packages that need an update

Running the yum update command as normal, with no additional options, also prints the list of available updates before it prompts you to install them.

yum update

If you’d like to see some additional information about the package updates available, type this command:

yum updateinfo

To see information about security updates that are available for the system, type this command:

yum updateinfo security

Difference between yum check updates and list update

Although the two commands sound similar, there is a difference between checking for updates and listing updates in yum.

yum list updates

The list command, shown above, prints every installed package for which an enabled repository offers a newer version. It is the one to read at the terminal; it does not signal the result in its exit status the way check-update does.

yum check-update

The check-update command, seen above, prints the same set of packages but is designed for scripts: it never prompts for interaction and reports the outcome in its exit status, so it is the command to use in a script that checks for updates.

The check-update command will return an exit value of 100 if there are packages that have updates available, and it will return an exit value of 0 if there are no available updates.

A value of 1 is returned if an error is encountered. Use these exit codes to code your script accordingly.
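A wrapper that puts those exit codes to use, added here as an example and not code from the original article: it runs the command you hand it, maps the status to a word, and counts the pending packages from the output. Because it takes the command as arguments, it works both with the real `yum -q check-update` and with the stand-in below, whose output is constructed after what check-update prints on CentOS 7 (the package names and versions in it are made up for the demonstration).

```bash
#!/bin/bash
# Script-friendly wrapper around `yum check-update`: 0 = nothing pending,
# 100 = updates pending, 1 (or anything else) = error.

# count_pending: read check-update output on stdin and count "name.arch version repo"
# lines, stopping at the "Obsoleting Packages" section, which repeats packages.
count_pending() {
    awk '/^Obsoleting Packages/ { exit }
         NF == 3 && $1 ~ /\./ && $2 ~ /[0-9]/ { n++ }
         END { print n + 0 }'
}

# check_updates CMD...: run CMD, print "<status> <pending-count>", return a yum-style status
check_updates() {
    local out rc
    if out=$("$@" 2>/dev/null); then rc=0; else rc=$?; fi
    case $rc in
        0)   echo "up-to-date 0" ;;
        100) echo "updates-available $(printf '%s\n' "$out" | count_pending)" ;;
        *)   echo "error 0"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-in for `yum -q check-update` so the example runs offline; the output is
# constructed after the real format (package.arch, version-release, repository).
fake_check_update() {
    cat <<'EOF'

kernel.x86_64                 3.10.0-1160.el7              updates
openssl-libs.x86_64           1:1.0.2k-19.el7              base
Obsoleting Packages
grub2.x86_64                  1:2.02-0.87.el7.centos       base
    grub2.x86_64              1:2.02-0.86.el7.centos       @base
EOF
    return 100
}

# Real use: check_updates yum -q check-update
check_updates fake_check_update || echo "check_updates returned $?"
```

The wrapper keeps yum's own convention on its return value, so a cron job or monitoring check can treat 100 as "act" and 1 as "investigate" without parsing text. On CentOS 7 you can narrow the real run to security errata with `yum -q --security check-update`; the status codes are the same.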

Notify when updates are available

There are a few packages that can help manage yum updates on your system. Some can even notify administrators when yum has updates that are available to be installed. One such service is called yum-cron.

Install yum-cron using yum:

yum install yum-cron

Set the yum-cron service to start at boot:

systemctl enable yum-cron.service

systemctl start yum-cron.service

Configure the settings for yum-cron inside the configuration file using vi or your preferred text editor:

vi /etc/yum/yum-cron.conf

In this file you specify whether updates should be applied automatically (apply_updates) or only reported. To be notified only, set apply_updates to no, switch the report channel to email with emit_via, and fill in the mail settings; yum-cron will then send you an email whenever updates are available. update_cmd lets you restrict the run to security errata:

# report only, do not install
apply_updates = no
update_cmd = security
emit_via = email
email_from = root@localhost
email_to = admin@example.com
email_host = localhost

What port does yum update use

Yum has no port of its own: it connects to whatever each repository's baseurl or mirrorlist line names. For the stock CentOS repositories those are http URLs, so the traffic goes to TCP port 80; many third-party repositories use https, which means TCP 443, and a proxy configured in /etc/yum.conf changes the destination again.

Before writing a firewall rule for yum, look at the baseurl and mirrorlist lines in the files under /etc/yum.repos.d and allow outbound connections to those hosts and ports. Keep in mind that https only protects the transport; the integrity of the packages themselves still rests on gpgcheck=1.

Yum update vs upgrade

So far, we have only talked about the yum update command in this tutorial, but there’s another very similar command: yum upgrade.

yum upgrade

In older yum releases there was a small difference: update left obsoleted packages alone, while upgrade also removed packages that a newer package declares obsolete. In fact yum upgrade is simply yum update with the --obsoletes flag set.

Because obsoletes=1 has long been the default in /etc/yum.conf on RHEL and CentOS, the two commands behave identically on a stock system; they only differ if you have set obsoletes=0. On CentOS 8, where yum is dnf, update is just an alias of upgrade.

Either way, read the transaction list before answering Y: the “replacing” lines show exactly which packages are about to be swapped out, which is where a package you still depend on would disappear.

I hope you find the tutorial useful. Keep coming back.


Fedora's curated repository EPEL updated to version 8.0

EPEL (Extra Packages for Enterprise Linux), the repository that makes it possible to install software packages not found in the official CentOS or Red Hat Enterprise Linux (RHEL) repositories, has been updated to version 8.0. EPEL, a comprehensive package repository project for RHEL/CentOS-like systems maintained by volunteers under the Fedora umbrella, currently offers thousands of packages; add EPEL to your system and, together with rpmforge, you have access to thousands of installable packages. While EPEL is a well-maintained repository, it comes with no commercial support contract for the software it hosts. To register EPEL as a yum repository on your system, it is enough to install the RPM file available at http://fedoraproject.org/wiki/EPEL. The differences between EPEL and other third-party repositories are discussed on the Fedora wiki. For details on EPEL 8.0, see the release announcement.


You can obtain EPEL 8.0 from the link below.

You can also browse the Fedora package sources. For adding the EPEL (Extra Packages for Enterprise Linux) repository to your system, see the article published on syslogs.org.


Secure Linux Server Using Hardening Best Practices

In the previous post we talked about some Linux security tricks, and as I said there, Linux hardening cannot be covered in one post. Rather than reaching for ready-made hardening scripts and running them without understanding what they do, we will keep exploring the individual steps that secure a Linux server. The checklist is long, so let's get started.

Disable Ctrl-Alt-Del Reboot

This matters if you are not securing your server physically: anyone with access to the console could otherwise reboot it with the key combination. On systems prior to CentOS 7, all you have to do is comment out the following line in /etc/inittab:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

On CentOS 7, which uses systemd, mask the target instead (the command below is what systemctl mask ctrl-alt-del.target does):

$ ln -s /dev/null /etc/systemd/system/ctrl-alt-del.target

Secure Mounted Filesystems

Each of your Linux file systems is mounted so you can access the files inside it, and you can mount a file system with different options.

You can type these options in the /etc/fstab file.

LABEL=/ / ext4 defaults 1 1

The first column identifies the device, here by file system label (LABEL=); a UUID= or a device path such as /dev/sda1 works the same way.

The second column is the location of the mounted filesystem.

The third column is the file system type like ext4.

The fourth column holds the mount options, the security-relevant part for us.

The last two columns control the options for the dump and fsck commands.

There are many different ways to control how file systems are mounted, and the following list shows the most important options:

auto       Mounted automatically at boot time.
noauto     Not mounted automatically at boot time.
exec       Binaries on this file system may be executed.
noexec     Binaries on this file system may not be executed directly.
suid       setuid and setgid bits are honoured.
nosuid     setuid and setgid bits are ignored.
dev        Character and block device files on this file system are interpreted.
nodev      Device files on this file system are not interpreted (a device node created on a user-writable file system cannot be used to reach the raw disk or memory).
user       Non-root users can mount this device (implies noexec, nosuid and nodev unless overridden).
nouser     Only root can mount this device.
owner      Only the device's owner can mount it.
ro         Mount the device read-only.
rw         Mount the device read-write.
defaults   Shorthand for rw, suid, dev, exec, auto, nouser, async.

The exec and noexec options enable you to control whether binary execution is allowed or not.

You can mount /home securely with noexec like this:

/dev/hda1 /home ext4 noexec 0 2

Keep in mind that this line prevents the direct execution of binaries on /home, so if you have any executables there you should take care of that. Note also what noexec does not do: a script can still be run by handing it to an interpreter (for example python /home/user/script.py), so noexec raises the bar rather than closing the door, and nosuid and nodev belong on /home as well.

You can mount /tmp with the noexec option as a hardening step, but keep in mind that some programs might not work properly because they execute from /tmp, so test your software with this mount option and keep it if everything works. The same reasoning applies to /var/tmp and /dev/shm, the other directories every user can write to.

If you have binaries that have the setuid and setgid bits, and you set the nosuid option, the setuid and setgid bits will be neglected.

Only root can mount file systems, but if you want other users to be able to do so you can set the user option; with it, any user can mount or unmount the device, and to limit the damage mount then applies noexec, nosuid and nodev to that mount unless you explicitly override them. The default, nouser, is the right choice on a server: a user other than root shouldn't be allowed to mount file systems.

By setting ro and rw options, you can set your filesystem as read-only or writable.

You can mount any file system as read-only like this:

/dev/hda2 /usr ext4 ro,nodev 0 2

You can mount /boot read-only the same way, but keep in mind that when a kernel update arrives you have to remount it read-write to apply the update, and remount it read-only again afterwards:

$ mount -o remount,rw /boot

You now know the mount options and should be able to decide which directory needs which option.
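To turn the list above into a check you can run, here is an added example (not code from the original post) that audits an fstab for the options the user-writable mount points should carry. The fstab it reads is constructed for the demonstration; pass /etc/fstab to audit a real host. The set of mount points and the options each should have is an assumption built into the WANT variable, so adjust it to your own layout.

```bash
#!/bin/bash
# Audit an fstab for missing hardening options on mount points that hold user-writable data.

# Mount point and the options it should carry (assumed policy; adjust to your layout).
WANT="/tmp:nodev,nosuid,noexec /var/tmp:nodev,nosuid,noexec /dev/shm:nodev,nosuid,noexec /home:nodev,nosuid"

# audit_fstab FILE: print one line per missing option or missing entry
audit_fstab() {
    local fstab=$1 entry mp want opts o
    for entry in $WANT; do
        mp=${entry%%:*}
        want=${entry#*:}
        # fourth column of the non-comment line whose second column is the mount point
        opts=$(awk -v mp="$mp" '!/^[ \t]*#/ && $2 == mp { print $4 }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry"
            continue
        fi
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "$mp: missing $o (has: $opts)" ;;
            esac
        done
    done
}

# sample_fstab: constructed fstab for the demo; /tmp is done right, the others are not
sample_fstab() {
    cat <<'EOF'
# <device>        <mount point>  <type>  <options>                      <dump> <pass>
LABEL=root        /              ext4    defaults                       1 1
LABEL=home        /home          ext4    defaults,nodev                 0 2
tmpfs             /tmp           tmpfs   defaults,nodev,nosuid,noexec   0 0
tmpfs             /dev/shm       tmpfs   defaults                       0 0
EOF
}

fstab=$(mktemp)
sample_fstab > "$fstab"
audit_fstab "$fstab"        # on a real host: audit_fstab /etc/fstab
```

The script reads only the file, so after fixing a line apply it with mount -o remount on that mount point and confirm the live options with mount or findmnt; a mount that was started from somewhere other than fstab can carry different options from the ones written there.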

Protect /etc/services File

The /etc/services file translates service names to port numbers.

This file is writable by root only, but root can make an unintentional mistake. You can use the immutable attribute to guard against that: it prevents accidental deletion or overwriting of such a vital file, even by root, until the attribute is removed again with chattr -i.

$ chattr +i /etc/services

Remove Unused Accounts

These vendor accounts are preinstalled on your system for specific system activities. If you don't need them, it's preferred to remove them with the userdel command. Check first that no running service or file depends on them (lp, for instance, is used by the printing system), and be aware that on an RPM-based system the setup package owns these entries, so a later update may complain about or recreate them. These are the unused users for me:

$ userdel adm

$ userdel games

$ userdel halt

$ userdel lp

$ userdel shutdown

Also remove the groups that belong to those accounts, if they exist, using the groupdel command. If you check the /etc/passwd file, you'll see that the users are gone.

If you run your own VPS or server you can set the immutable bit on /etc/passwd and /etc/shadow to prevent any unwanted changes.

$ chattr +i /etc/passwd

$ chattr +i /etc/shadow

If you need to add new users to the system, install a program that adds users, or let anyone change a password (passwd rewrites /etc/shadow and fails while it is immutable), remove the immutable flag first with chattr -i and put it back afterwards.

Hardening Cron Scripts

Some of the scripts under the cron directories don't have tight permissions: they are readable by normal users. Consider fixing the permissions on the scripts responsible for the scheduled jobs on your server so that only root can read them (they must stay executable by root, which 0700 preserves):

$ chmod 0700 /etc/cron.daily/*

Normal users don’t need to look at those scripts.

Keep in mind that if you update a program that provides a cron script on your system, the package may reset the permissions, so re-apply them or write a shell script that does it for you.

Do the same for the other cron directories:

/etc/cron.weekly
/etc/cron.monthly
/etc/cron.hourly

The files in /etc/cron.d are crontab fragments rather than scripts; they can be made root-readable with 0600, since cron reads them as root and does not need to execute them.

Securing SUID Programs

SUID (Set User ID) is a special type of file permissions given to a file. When you want to use a tool like passwd command which writes on files belong to root such as /etc/passwd and /etc/shadow, the passwd command must have this SUID permission to enable normal users to use that command.

You may take a look at all programs that have this permission and consider removing that permission from unnecessary programs that you think that normal users won’t need it.

$ find / -type f -user root -perm -4000 -print

All these programs have the SUID bit, and any user who runs them runs them with root's privileges, so each one is a potential route to root if it has a flaw. Add -perm -2000 to catch setgid programs as well, and drop the -user root filter to see binaries that escalate to other accounts. To remove the permission from a program normal users don't need, use this command:

$ chmod a-s /bin/mount

Keep in mind that some programs need that permission to work, so be careful when doing this. Also note that a package update reinstalls the binary with its packaged permissions, so record the changes you make and re-apply them after updates.

Risky World-Writable Files and Directories

World-writable directories and files can lead to serious problems if the attacker gains access to them.

An attacker who can write there will be able to modify or delete any file, or plant a web shell, and this is a serious problem.

To get all world-writable files in your web folders, use this command (-perm -o+w tests the other-write bit; -writable would only tell you whether the user running find can write, which for root is every file):

$ find /home/*/public_html -type f -perm -o+w -exec ls -la {} \;

And world-writable directories:

$ find /home/*/public_html -type d -perm -o+w -exec ls -ld {} \;

You may find writable directories and files in some locations, such as /var/mail, where that is expected, but in web folders you have to be careful about it.

You can also use an integrity checking tool such as Tripwire. It records a baseline of your files and their permissions and warns you when anything changes, so a file that becomes world-writable, or a new file that appears in a web directory, is reported and you can act on it.
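The find commands in the last two sections give you a snapshot; what you want operationally is to know what changed since you last looked. Below is an added example (not code from the original post) that records a baseline of setuid/setgid and world-writable paths and later prints only the new entries. The directory tree it scans is constructed for the demonstration, with a setuid "backdoor" and a world-writable file introduced after the baseline was taken; in production, run list_suid and list_world_writable against / or your web roots and keep the baselines somewhere the web server cannot write.

```bash
#!/bin/bash
# Baseline-and-diff for the setuid and world-writable checks: record what is on the
# filesystem once, then report only what is new.

# list_suid ROOT: regular files with the setuid or setgid bit, one path per line, sorted
# (-perm -4000 is the page's check; -perm -2000 adds setgid, which escalates to a group)
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_world_writable ROOT: files and directories anyone can write to; sticky-bit
# directories (the /tmp pattern) are the one legitimate form and are skipped
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# new_entries BASELINE: read a fresh listing on stdin, print entries absent from BASELINE
new_entries() {
    comm -13 "$1" -
}

# --- demo on a constructed tree (stands in for / or /home/*/public_html) ---
root=$(mktemp -d)          # the tree being scanned
base=$(mktemp -d)          # where the baselines live, outside the scanned tree
mkdir -p "$root/bin" "$root/public_html"
for f in passwd mount backdoor; do : > "$root/bin/$f"; done
: > "$root/public_html/index.php"
chmod 644 "$root/bin"/* "$root/public_html/index.php"
chmod 4755 "$root/bin/passwd" "$root/bin/mount"    # legitimate setuid programs at baseline time

list_suid "$root"           > "$base/suid.baseline"
list_world_writable "$root" > "$base/ww.baseline"

# later: an attacker leaves a setuid copy of a shell and loosens a file under the web root
chmod u+s "$root/bin/backdoor"
chmod o+w "$root/public_html/index.php"

echo "new setuid/setgid files:";  list_suid "$root"           | new_entries "$base/suid.baseline"
echo "new world-writable paths:"; list_world_writable "$root" | new_entries "$base/ww.baseline"
```

Run the two list functions from cron and mail the diff, the way the symlink script below does; a non-empty diff after a package update usually means a restored setuid bit (see the caveat above), anything else deserves a look. The baseline itself is only trustworthy if it was taken on a clean system and stored where the accounts being watched cannot edit it.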

Risky Symlinks

Symlinks (symbolic links) are useful when used for a good purpose to simplify your work, but on a shared web host an attacker can use any scripting language available on the server to create a symlink that points outside their own directory, read other users' files, steal configuration passwords and gain access to every website on the server. It's very important to keep an eye on that.

The following command searches for every symlink under the web roots and deletes it (note that find -L ... -type l would only match dangling links; run the command without -delete first and review the list):

$ find /home/*/public_html -type l -delete

You can change the path based on your server paths, you may also create a shell script to find those symlinks and send to your email so you can investigate how it was created.

#!/bin/bash
# Report symlinks under every user's public_html and mail the list, with a per-account count
out=/root/symlinks
find /home/*/public_html/ -type l > "$out"
# the third path component of /home/<user>/public_html/... is the account name
{ cut -d/ -f3 "$out" | sort | uniq -c; echo; cat "$out"; } | mail -s "Symlinks in $(hostname)" user@domain.com

There are many ways to stop symlink abuse: if you run PHP, disable dangerous functions (symlink among them) through disable_functions in php.ini, and in Apache replace Options FollowSymLinks with SymLinksIfOwnerMatch so a link is only followed when the link and its target have the same owner.

This trick is very useful, especially when dealing with compromised systems. There is a lot to say about securing PHP; maybe that deserves another post, but let's keep it simple for now.

Securing Log Files

Your last line of defense is the log files. The log of each running service tells you everything about that service, so you can keep track of everything that happened on your system.

In the worst case (an attacker gaining root), the attacker can delete those log files and leave you without any evidence of what happened.

Consider copying your log files to a different place, or scheduling a regular backup of them to somewhere that is not reachable from the compromised host. Better still, forward them as they are written, for example with rsyslog to a dedicated log host, so that there is no window between copies in which entries can be erased.

Securing Linux Resources

Securing Linux resources is a must, because users can jeopardize the stability of your server if they are left to consume server resources without limits.

You can allocate how much memory for each user, how many processes and other server resources.

Under /etc/security, there is a file called limits.conf, in this file you can specify the limits for your users like this:

* hard rss 500000

* hard nproc 50

The first line says: for all users, limit memory usage to 500 MB (the value is in KB). Note, though, that the Linux kernel has ignored the rss limit since 2.4.30, so this line does not actually cap anything; to limit memory for real, use the as (address space) item, also in KB.

The second line says: for all users, limit the number of processes to 50. That one is enforced and is the classic defence against fork bombs.

All these restriction rules apply to all users except root.

The asterisk on both lines means all users, but some systems have service accounts such as www or mysql; those services work on behalf of every user on the system, and if our restriction rules hit them too, that can cause problems.

A good solution is to create a dedicated group, add our users to it, and apply the restriction rules to that group. The rules then apply to every member of the group and not to every account on the system:

@myusers hard rss 500000

@myusers hard nproc 50

Hardening /proc Directory

The /proc directory, or the process information pseudo-file system as it is called, gives information about the currently running processes. By default Linux lets normal users see all of it: you can see which processes belong to root and to every other user, and with them the command lines, which often carry passwords or tokens passed as arguments.

Before applying this trick, note that a normal user can see all processes, even root's:

[Screenshot: ps -ef as a normal user, before hidepid]

The hidepid mount option restricts this. It takes a value of 0, 1 or 2: 0 is the default and hides nothing, 1 keeps the /proc/PID directories of other users visible but blocks access to their contents (cmdline, status and so on), and 2 hides other users' process directories entirely:

$ mount -o remount,rw,hidepid=2 /proc

And you can write it to /etc/fstab to make it permanent so after reboot, the process IDs remains hidden.

proc /proc proc defaults,hidepid=2 0 0

[Screenshot: remounting /proc with hidepid=2]

After that command, you are only allowed to see your processes. Only root users can see all processes for all users.

$ ps -ef

[Screenshot: ps -ef as a normal user after hidepid=2]

Another mount option is gid, which names a group whose members are exempt from hidepid and can still see every process. Monitoring agents need that, and so do services such as systemd-logind and polkit on a systemd host, so test hidepid there before relying on it. The option only has meaning together with hidepid; if the group you want to exempt has ID 100, write it like this:

$ mount -o remount,rw,hidepid=2,gid=100 /proc

Also, you can write it in the /etc/fstab file:

proc /proc proc defaults,hidepid=2,gid=100 0 0

The last advice for you is to keep your system and software updated always, that will protect you from many threats.

I hope you find these hardening tricks useful. Keep coming back.

Thank you.

likegeeks.com


Netinternet CentOS and Ubuntu Mirror Service

Our dear friend @caylakpenguen has written today about the Netinternet mirror service used for Ubuntu, CentOS and other Linux distributions. The post reads: “As you know, the official mirror service for Ubuntu, CentOS and other Linux distributions is provided from the servers of the Linux Users Association (Linux Kullanıcıları Derneği). To make the mirror service run more smoothly, Netinternet, one of our country's leading internet service providers, began offering an official mirror service for the Ubuntu and CentOS distributions in 2015. The mirror service has been announced on the company's official blog. To benefit from the new and fast mirror service, we need to make a change in the sources.list file.


For Ubuntu and its derivatives:
sudo sed -i 's/tr.archive.ubuntu.com/mirror.ni.net.tr/g' /etc/apt/sources.list
sudo apt-get update

For CentOS:
cd /etc/yum.repos.d/
cp -rp CentOS-Base.repo Netinternet-CentOS.repo
# use the baseurl lines instead of the central mirrorlist and point them at the mirror
sed -i -e 's/^mirrorlist=/#mirrorlist=/' -e 's/^#baseurl=/baseurl=/' -e 's/mirror.centos.org/mirror.ni.net.tr/g' /etc/yum.repos.d/Netinternet-CentOS.repo
# the copy defines the same repository ids as CentOS-Base.repo, so move the original aside
mv CentOS-Base.repo CentOS-Base.repo.disabled

These operations must be performed with root privileges.”

Source: https://www.netinternet.com.tr/blog/netinternet-centos-ve-ubuntu-mirror-hizmeti

caylak.truvalinux.org.tr
