IIAB/Security: Difference between revisions
Revision as of 20:29, 22 February 2017
Some security tips — that will become more professional as time goes on — towards downloading and semi-automatically installing recent security patches & updates, that is if you have a reasonably fast connection, and are willing to take risks with certain packages breaking.
The following applies to Debian, Raspbian (and presumably Ubuntu?) servers
- In 2016, several chose to run the following quasi-weekly:
    apt-get update
    apt-get upgrade or apt-get dist-upgrade
    apt-get autoclean
    apt-get autoremove (some consider this last step risky, though no known IIAB/XSCE problems have resulted)
- In 2017, James Cameron suggested one may also use "apt" instead of "apt-get" like this:
    apt update
    apt full-upgrade
    apt-get clean may be more comprehensive than "apt-get autoclean"
Also he suggests there's a package for automated unattended upgrades, called "unattended-upgrades", for those who require that (and are willing to bear the risks!)
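apt-get has no --security switch like the yum one covered in the next section, so this added example (not part of the original wiki page) filters the output of apt-get's simulation mode for upgrades served from a security archive. The sample output is constructed, and the function names and the rule of matching "security" in the origin field are assumptions that fit Debian and Ubuntu archive naming.

```shell
#!/bin/sh
# Added example: separate pending security upgrades from everything else,
# using "apt-get -s" (simulate), which changes nothing on the system.

# Constructed sample of "apt-get -s dist-upgrade" output (not from a real host).
sample_sim_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.1 nano openssl
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
Inst nano [5.4-2] (5.4-2+deb11u2 Debian:11.6/stable [amd64])
Conf openssl (1.1.1n-0+deb11u4 Debian-Security:11/stable-security [amd64])
EOF
}

# Read simulation output on stdin and print the packages whose new version
# comes from an origin/suite containing "security". Only the text inside the
# parentheses is examined, so a package merely named "*-security" is not matched.
security_pkgs() {
    awk '$1 == "Inst" { pkg = $2; sub(/^[^(]*\(/, "")
                        if (tolower($0) ~ /security/) print pkg }' | sort -u
}

# Packages that would be upgraded but are not served from a security origin.
other_pkgs() {
    awk '$1 == "Inst" { pkg = $2; sub(/^[^(]*\(/, "")
                        if (tolower($0) !~ /security/) print pkg }' | sort -u
}

# On a real server, as root, after "apt-get update":
#   apt-get -s dist-upgrade | security_pkgs      # review the list first
#   apt-get install --only-upgrade $(apt-get -s dist-upgrade | security_pkgs)
```

A host whose package sources have no separate security suite will produce an empty list here, in which case the full upgrade commands above remain the only route.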
The following applies to CentOS and Fedora servers
- Run "yum -y update --security" if your system already has yum-security installed, typically via "yum install yum-security" (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).
- Please also consider commands:
- yum updateinfo list security all
- yum updateinfo list security installed
- yum updateinfo list security available
- In the past we ran "yum update" or "yum -y update" (followed by "yum clean all" among those who were daring) but arguably that still installs far too many untested and diverse updates/upgrades across the board, adding features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)
Security Blowback / Survival Tips
- If you notice Wikipedia-like items are no longer accessible from http://schoolserver.lan, try running the following as root:
    xsce-make-kiwix-lib
    systemctl restart kiwix-serve
- If ownCloud updates itself, users visiting http://schoolserver.lan/owncloud may face error message "You don't have permission to access /owncloud on this server." Fix guideline forthcoming from Tim Moody. NEW PROGNOSIS FEB 2017: Josh Dennis may move IIAB/XSCE to http://box/docs based on http://Nextcloud.com, which has stronger community support than ownCloud.