Protect Your Server Against the Dirty COW Linux Vulnerability

Check Vulnerability

Ubuntu/Debian

To find out if your server is affected, check your kernel version.

uname -rv

If your version is earlier than the following, you are affected:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 4.4.0-45.66 for Ubuntu 16.04 LTS
  • 3.13.0-100.147 for Ubuntu 14.04 LTS
  • 3.2.0-113.155 for Ubuntu 12.04 LTS
  • 3.16.36-1+deb8u2 for Debian 8
  • 3.2.82-1 for Debian 7
  • 4.7.8-1 for Debian unstable

CentOS

Some versions of CentOS can use this script provided by RedHat for RHEL to test your server’s vulnerability. To try it, first download the script.

  • wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Then run it with bash.

  • bash rh-cve-2016-5195_1.sh

If you’re vulnerable, you’ll see output like this:

Output
Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

Fix Vulnerability

Fortunately, applying the fix is straightforward: update your system and reboot your server.

On Ubuntu and Debian, upgrade your packages using apt-get.

  • sudo apt-get update && sudo apt-get dist-upgrade

You can update all of your packages on CentOS 5, 6, and 7 with sudo yum update, but if you only want to update the kernel to address this bug, run:

  • sudo yum update kernel

Finally, on all distributions, you’ll need to reboot your server to apply the changes.

  • sudo reboot

mysql restart from cron using shell script

check crontab -u root -l - list of cron for user root
cd /home/smruti/
sudo nano mysql-check.sh
==========================================================
#!/bin/bash
/usr/bin/mysqladmin ping| grep 'mysqld is alive' > /dev/null 2>&1
if [ $? != 0 ]
then
    sudo service mysqld restart
fi
======================================
save as  mysql-check.sh
To make it executable chmod 0755 mysql-check.sh
create cron job  crontab -e from command 
type * * * * * sh -x /home/smruti/mysql-check.sh
press esc :wq for save

check it by type sudo service mysqld stop
it will automatically start after 1 min.

[FIX] phpmyadmin some feature/controluser

Installation:
Universal installer with OS Checker

Code: Select all
curl -O -k https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma.sh && chmod +x pma.sh && ./pma.sh

or

Code: Select all
sudo wget –no-check-certificate https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma.sh && chmod +x pma.sh && ./pma.sh

OS Installation:
Ubuntu

Code: Select all
curl -O -k https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-ubuntu.sh && chmod +x pma-ubuntu.sh && ./pma-ubuntu.sh

or

Code: Select all
sudo wget –no-check-certificate https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-ubuntu.sh && chmod +x pma-ubuntu.sh && ./pma-ubuntu.sh

Debian

Code: Select all
curl -O -k https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-debian.sh && chmod +x pma-debian.sh && ./pma-debian.sh

or

Code: Select all
wget –no-check-certificate https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-debian.sh && chmod +x pma-debian.sh && ./pma-debian.sh

CentOS

Code: Select all
curl -O -k https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-centos.sh && chmod +x pma-centos.sh && ./pma-centos.sh

or

Code: Select all
wget –no-check-certificate https://raw.githubusercontent.com/skurudo/phpmyadmin-fixer/master/pma-centos.sh && chmod +x pma-centos.sh && ./pma-centos.sh

What the script does:
– we don’t use pwgen for generation password anymore, no extra utilities;
– check wget/curl before downloading dump for database;
– universal installer with os detector by Sergey Rodin (VestaCP – https://vestacp.com);
– options savedsearches / navigationhiding / users / usergroups are set (for 4.x phpmyadmin);
– added table pma__usergroups (for 4.x phpmyadmin);
– sql dump on github now;
– sh files on github too.

Tested on different servers: Debian 7/8, Ubuntu 12/14/15, CentOS 6/7

Support 3.x and 4.x version of phpmyadmin
Last edited by skurudo on Sun Jan 17, 2016 8:31 pm, edited 3 times in total.
-> DigitalOcean competition – please, support us
-> fix for phpmyadmin – nice and sweet now

nginx for subfolder wordpress configuration

server {
listen      ipaddressofserver:80;
server_name xxx.xom www.xxx.com;
root        /home/username/public_html;
index       index.php index.html index.htm;
access_log  /var/log/nginx/domains/domain.xxx.com.log combined;
access_log  /var/log/nginx/domains/domain.xxx.com.bytes bytes;
error_log   /var/log/nginx/domains/domain.xxx.com.error.log error;

location = /favicon.ico {
log_not_found off;
access_log off;
}

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location /subfolder{
try_files $uri $uri/ /subfolder/index.php?$args;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires     max;
}

location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return  404;
}

fastcgi_pass    127.0.0.1:9001;
fastcgi_index   index.php;
include         /etc/nginx/fastcgi_params;
}
}

error_page  403 /error/404.html;
error_page  404 /error/404.html;
error_page  500 502 503 504 /error/50x.html;

location /error/ {
alias   /home/username/domain.com/document_errors/;
}

location ~* “/\.(htaccess|htpasswd)$” {
deny    all;
return  404;
}

include     /etc/nginx/conf.d/phpmyadmin.inc*;
include     /etc/nginx/conf.d/phppgadmin.inc*;
include     /etc/nginx/conf.d/webmail.inc*;

include     /home/username/conf/web/nginx.domain.conf*;
}

Install vesta control panel with nginx php5-fpm mysql

Now execute the command below to download Vestacp installation file:
1.curl -O http://vestacp.com/pub/vst-install.sh

2. run below command

bash vst-install.sh –nginx yes –phpfpm yes –apache no –vsftpd yes –proftpd no –exim no –dovecot no –spamassassin no –clamav no –named yes –iptables yes –fail2ban yes –mysql yes –postgresql no –remi yes –quota no

 

 

mysql restart shell script

#!/bin/bash
# mysql root/admin username
MUSER=”root”
# mysql admin/root password
MPASS=”xxxxxxx”
#nano /usr/etc/mysql/debian.cnf
# mysql server hostname
MHOST=”localhost”
#Shell script to start MySQL server i.e. path to MySQL daemon start/stop script.
# Debain uses following script, need to setup this according to your UNIX/Linux/BSD OS.
MSTART=”/etc/init.d/mysql start”
# Email ID to send notification
#EMAILID=”name@gmail.com”
# path to mail program
#MAILCMD=”$(which mail)”
# path mysqladmin
MADMIN=”/usr/bin/mysqladmin”

#### DO NOT CHANGE anything BELOW ####
MAILMESSAGE=”/tmp/mysql.fail.$$”

$MADMIN -h $MHOST -u $MUSER -p${MPASS} ping 2>/dev/null 1>/dev/null
if [ $? -ne 0 ]; then
echo “” >$MAILMESSAGE
echo “Error: MySQL Server is not running/responding ping request”>>$MAILMESSAGE
echo “Hostname: $(hostname)” >>$MAILMESSAGE
echo “Date & Time: $(date)” >>$MAILMESSAGE
# try to start mysql
$MSTART > /dev/null
# see if it is started or not
o=$(ps cax | grep -c ‘ mysqld$’)
if [ $o -eq 1 ]; then
sMess=”MySQL Server MySQL server successfully restarted”
else
sMess=”MySQL server FAILED to restart”
fi
# Email status too
echo “Current Status: $sMess” >>$MAILMESSAGE
echo “” >>$MAILMESSAGE
echo “*** This email generated by $(basename $0) shell script ***” >>$MAILMESSAGE
echo “*** Please don’t reply this email, this is just notification email ***” >>$MAILMESSAGE
# send email
#$MAILCMD -s “MySQL server” $EMAILID < $MAILMESSAGE
else # MySQL is running 🙂 and do nothing
:
fi
# remove file
rm -f $MAILMESSAGE

configure vsftpd ubuntu15.10 with nginx

sudo apt-get update
sudo apt-get install vsftpd

sudo nano /etc/vsftpd.conf

========================================
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd’s
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 “any” address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd’s)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages – messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using “root” for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command “SIZE /big/file” in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot’ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the “-R” option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as “ncftp” and “mirror” assume
# the presence of the “-R” option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd’s settings don’t fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

==========================================
sudo service vsftpd restart

sudo mkdir /home/admin
sudo useradd admin
chown -R admin:admin /home/admin/files/

With certain version of vsftpd you may receive the following error: 500 OOPS: vsftpd: refusing to run with writable root inside chroot().
Not to worry! Create a new directory for the user receiving the error (user2 in this case) that is a subdirectory of their home directory (/home/user2). For example:

Fix permissions for user2‘s home directory:
chmod a-w /home/admin/
mkdir /home/admin/files
chown admin:admin /home/admin/files/