ShopingServer Wiki: Tutorials and Articles About Technology and Gadgets
https://wiki.shopingserver.com

Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection
https://wiki.shopingserver.com/ubuntu-linux-turn-exec-shield-buffer-overflow-protection/
Sat, 06 Jan 2018 10:25:09 +0000

I am trying to set exec-shield protection on Linux as described here but getting the following error on Ubuntu Linux server version 12.04 LTS:

sysctl -w kernel.exec-shield=1

error: "kernel.exec-shield" is an unknown key

How do I fix this problem and make sure the exec-shield buffer overflow protection security feature is turned on in Ubuntu Linux?

 

The Linux kernel (or a patch to the kernel) provides the ExecShield feature, which protects against buffer overflows using techniques such as:

Random placement of the stack

Random placement of memory regions

Prevention of execution in memory that should only hold data

Handling of text buffers with care and more.

The Ubuntu kernel has No Execute (NX) or Execute Disable (XD) support. This does exactly the same thing to prevent code execution on a per memory page basis. If you are using Intel processors, you should see the following message when the system boots:

dmesg | grep --color '[NX|DX]*protection'

Sample outputs:

Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel

 

This is the equivalent of the CentOS or SL or RHEL (Red Hat) Exec Shield kernel security feature. If you do not see the message, reboot the server and set XD/NX protection using BIOS setup.

Make sure kernel.randomize_va_space is enabled

Type the following command:

sysctl -w kernel.randomize_va_space=1

 

OR, edit the file /etc/sysctl.conf and append/modify as follows:

kernel.randomize_va_space = 1

The randomize_va_space can have any one of the following values:

0 – Do not randomize stack and vdso page.

1 – Turn on protection and randomize stack, vdso page and mmap.

2 – Turn on protection and randomize stack, vdso page and mmap + randomize brk base address.
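The two checks described above (NX support and the randomize_va_space level) can be audited together. The script below is an added example, not part of the original article: the function names are hypothetical, reading the `nx` flag from /proc/cpuinfo instead of dmesg is an assumption of this example, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit the ASLR level (running and persisted) and the CPU nx flag.

# effective_aslr_setting FILE
# Print the value a sysctl.conf-style file assigns to
# kernel.randomize_va_space. The last assignment wins; lines starting
# with # or ; are comments. Prints nothing if the key is not set.
effective_aslr_setting() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (key == "kernel.randomize_va_space") last = val
        }
        END { if (last != "") print last }
    ' "$1" 2>/dev/null
}

# describe_aslr VALUE
# Map a randomize_va_space value to the meaning listed in the article.
describe_aslr() {
    case "$1" in
        0) echo "no randomization" ;;
        1) echo "stack, vdso page and mmap randomized" ;;
        2) echo "stack, vdso page, mmap and brk base randomized" ;;
        *) echo "unknown value"; return 1 ;;
    esac
}

# cpu_has_nx CPUINFO_FILE
# Succeed if a "flags" line lists nx as a whole word.
cpu_has_nx() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)' "$1"
}

# audit_memory_protection RUNTIME_FILE CONF_FILE CPUINFO_FILE
# Print one line per check; return 1 if any check fails.
# Only CONF_FILE is examined, not other sysctl drop-in files.
audit_memory_protection() {
    amp_fail=0
    amp_run=$(cat "$1" 2>/dev/null || true)
    amp_conf=$(effective_aslr_setting "$2" || true)
    case "$amp_run" in
        1|2) echo "OK   running level $amp_run: $(describe_aslr "$amp_run")" ;;
        *)   echo "FAIL running level '$amp_run': $(describe_aslr "$amp_run")"
             amp_fail=1 ;;
    esac
    if [ -z "$amp_conf" ]; then
        echo "NOTE $2 does not set kernel.randomize_va_space"
    elif [ "$amp_conf" != "$amp_run" ]; then
        echo "FAIL $2 sets level $amp_conf, which differs from the running value"
        amp_fail=1
    else
        echo "OK   $2 persists level $amp_conf"
    fi
    if cpu_has_nx "$3"; then
        echo "OK   CPU advertises the nx flag"
    else
        echo "FAIL no nx flag in $3 (check XD/NX in BIOS setup)"
        amp_fail=1
    fi
    return "$amp_fail"
}

# Demo on constructed sample inputs (not taken from a real host).
demo_dir=$(mktemp -d)
printf '# hardening\nkernel.randomize_va_space = 1\n' > "$demo_dir/sysctl.conf"
printf 'flags\t\t: fpu vme de pse nx lm\n' > "$demo_dir/cpuinfo"
echo 1 > "$demo_dir/runtime"
audit_memory_protection "$demo_dir/runtime" "$demo_dir/sysctl.conf" "$demo_dir/cpuinfo" || true
echo 0 > "$demo_dir/runtime"   # simulate ASLR switched off at run time
audit_memory_protection "$demo_dir/runtime" "$demo_dir/sysctl.conf" "$demo_dir/cpuinfo" || true
rm -rf "$demo_dir"
```

On a live host, call `audit_memory_protection /proc/sys/kernel/randomize_va_space /etc/sysctl.conf /proc/cpuinfo`.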

I highly recommend that you read our faq “Linux Kernel /etc/sysctl.conf Security Hardening Via Sysctl” for more information.

See also

RHEL / CentOS / Fedora Linux: Disable or Enable ExecShield Buffer Overflows Protection

Ubuntu security features

Man pages: sysctl(8), dmesg(1)

 

 

Ubuntu Linux LTS: Force Kernel Package Updates Which Have Been Kept Back
https://wiki.shopingserver.com/ubuntu-linux-lts-force-kernel-package-updates-kept-back/
Sat, 06 Jan 2018 09:44:18 +0000

I am using Ubuntu 12.04.2 LTS (“precise”). I am trying to upgrade all packages using kernel via apt-get upgrade method. But, I am getting the following message:

apt-get upgrade

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following packages have been kept back:

linux-headers-virtual linux-image-virtual mysql-client-5.5 mysql-server-5.5

mysql-server-core-5.5

The following packages will be upgraded:

base-files dosfstools linux-libc-dev linux-libc-dev:i386

4 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.

Need to get 1,847 kB of archives.

After this operation, 2,048 B of additional disk space will be used.

Do you want to continue [Y/n]?

 

How do I fix this issue and install linux-headers-virtual linux-image-virtual packages which have been kept back in Ubuntu Linux LTS version 12.04.2?

 

If you are running virtual or cloud images, there is no need to get the newer enablement stacks, and you are thus recommended to remain on the original Precise stack. You only need the newer kernel when:

You need to support a wider variety of hardware on an existing LTS release, the 12.04.2 and newer point releases will ship with an updated kernel and X stack by default.

These newer hardware enablement stacks will be comprised of the newer kernel and X stacks from 12.10 (Quantal), 13.04 (Raring), 13.10 (Saucy), and 14.04 (T name TBD).

These enablement stacks are only intended for use on x86 hardware at this time.

If you really want to upgrade virtual/cloud images, try:

$ sudo apt-get dist-upgrade

 

Sample outputs:

Reading package lists… Done

Building dependency tree

Reading state information… Done

Calculating upgrade… Done

The following NEW packages will be installed:

libterm-readkey-perl linux-headers-3.2.0-52 linux-headers-3.2.0-52-virtual

linux-image-3.2.0-52-virtual

The following packages will be upgraded:

base-files dosfstools linux-headers-virtual linux-image-virtual

linux-libc-dev linux-libc-dev:i386 mysql-client-5.5 mysql-server-5.5

mysql-server-core-5.5

9 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.

Need to get 50.2 MB of archives.

After this operation, 102 MB of additional disk space will be used.

Do you want to continue [Y/n]? y

….

….

..

Searching for GRUB installation directory … found: /boot/grub

Searching for default file … found: /boot/grub/default

Testing for an existing GRUB menu.lst file … found: /boot/grub/menu.lst

Searching for splash image … none found, skipping …

Found kernel: /vmlinuz-3.2.0-52-virtual

Found kernel: /vmlinuz-3.2.0-31-virtual

Found kernel: /memtest86+.bin

Replacing config file /run/grub/menu.lst with new version

Updating /boot/grub/menu.lst … done

 

Setting up libterm-readkey-perl (2.30-4build3) …

Setting up mysql-client-5.5 (5.5.32-0ubuntu0.12.04.1) …

Setting up mysql-server-core-5.5 (5.5.32-0ubuntu0.12.04.1) …

Setting up mysql-server-5.5 (5.5.32-0ubuntu0.12.04.1) …

Installing new version of config file /etc/apparmor.d/usr.sbin.mysqld …

mysql start/running, process 1013

Setting up dosfstools (3.0.12-1ubuntu1.1) …

Setting up linux-headers-3.2.0-52 (3.2.0-52.78) …

Setting up linux-headers-3.2.0-52-virtual (3.2.0-52.78) …

Setting up linux-headers-virtual (3.2.0.52.62) …

Setting up linux-image-virtual (3.2.0.52.62) …

You need to reboot the Ubuntu based system, enter:

# reboot

See LTS 12.04 support and upgrade policy for more information.

 

 

Ubuntu: Start / Stop / Restart Iptables Firewall Service
https://wiki.shopingserver.com/ubuntu-stat-stop-restart-iptables-firewall-service/
Sat, 06 Jan 2018 09:23:32 +0000

I am a new Ubuntu Linux version 12.04 LTS user. How do I stop or start iptables based firewall service on Ubuntu Linux using bash command line options?

 

You can type the following commands to start / stop the firewall service on an Ubuntu based server or desktop.

a] ufw command – This command is used for managing a Linux firewall and aims to provide an easy to use interface for the user.

b] iptables command – This command is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.

Find status of firewall

Log in as the root user, either by opening the Terminal or by logging in over an ssh based session. Type the following command:

$ sudo ufw status

 

Sample outputs:

Status: inactive

Ubuntu stop iptables service command

Type the following command to unload the firewall and disable it on boot:

$ sudo ufw disable

Ubuntu start iptables service command

Type the following command to reload the firewall and enable it on boot:

$ sudo ufw enable

Ubuntu reload / restart iptables service command

Type the following command to reload the firewall:

$ sudo ufw reload

Alternative method to enable/disable firewall on Ubuntu and other Linux distros

If you are not using ufw command and/or ufw is not installed, try the following generic methods:

Get IPv4 iptables status

$ sudo iptables -L -n -v

Get IPv6 ip6tables status

$ sudo ip6tables -L -n -v

Save IPv4 iptables firewall

Use the iptables-save command to save current firewall rules:

$ sudo iptables-save > $HOME/firewall.txt

Save IPv6 ip6tables firewall

$ sudo ip6tables-save > $HOME/firewall-6.txt

Restore IPv4 iptables firewall

Use the iptables-restore command to restore firewall rules:

$ sudo iptables-restore < $HOME/firewall.txt

Restore IPv6 ip6tables firewall

$ sudo ip6tables-restore < $HOME/firewall-6.txt

Putting it all together

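To stop IPv4 based iptables firewall, enter:

# Save the current rules so they can be restored later

sudo iptables-save > $HOME/firewall.txt

# Set the default policies to ACCEPT first, so that flushing the rules does not cut off an ssh session on a default-DROP firewall

sudo iptables -P INPUT ACCEPT

sudo iptables -P FORWARD ACCEPT

sudo iptables -P OUTPUT ACCEPT

# Flush the filter table rules, then delete the user-defined chains (-X fails while rules still reference them)

sudo iptables -F

sudo iptables -X

sudo iptables -t nat -F

sudo iptables -t nat -X

sudo iptables -t mangle -F

sudo iptables -t mangle -X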

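To stop IPv6 based iptables firewall, enter:

# Save the current rules so they can be restored later

sudo ip6tables-save > $HOME/firewall-6.txt

# Set the default policies to ACCEPT before flushing, as for IPv4

sudo ip6tables -P INPUT ACCEPT

sudo ip6tables -P FORWARD ACCEPT

sudo ip6tables -P OUTPUT ACCEPT

# Flush the filter table rules, then delete the user-defined chains

sudo ip6tables -F

sudo ip6tables -X

sudo ip6tables -t mangle -F

sudo ip6tables -t mangle -X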

Where,

-F : Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X : Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.

-P chainNameHere ACCEPT : Set the policy for the chain to the given target.

-L : List rules.

-v : Verbose output.

-n : Numeric output. IP addresses and port numbers will be printed in numeric format.

Recommended readings

Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)

Man pages IPv4 firewall: iptables(8),ufw(8),iptables-save(8),iptables-restore(8)

Man pages IPv6 firewall: ip6tables man page

 

 

Ubuntu Copy File Command
https://wiki.shopingserver.com/ubuntu-copy-file-command/
Sat, 06 Jan 2018 08:29:11 +0000

I'm a new Ubuntu Linux user. This seems like a newbie question, but I can not seem to find examples to copy files on Ubuntu. How do I copy file to another directory on Ubuntu Linux using command line terminal application? How can I copy files via terminal on Ubuntu Linux desktop?

 

You need to use the cp command to copy a file to another directory or an external USB disk. The command line syntax to copy files via the terminal is as follows:

cp old_name new_name

OR

cp [options] old_name new_name

OR

cp source dest

OR

cp /path/to/source /path/to/dest/directory/

Examples: Copy file1.txt to /tmp directory

Open the Terminal and type the following command in the current directory to copy a file called file1.txt with the same name into /tmp/ directory:

cp file1.txt /tmp/

Use ls command to verify new files:

ls /tmp/

ls -l /tmp/

ls -l /tmp/file1.txt

You can copy multiple files into another directory. In this example, copy the files called foo.txt, bar.doc, resume.pdf into a directory called /media/backup/

cp  foo.txt bar.doc resume.pdf /media/backup/

The cp command can explain what is being done with the -v option:

cp  -v foo.txt bar.doc resume.pdf /media/backup/

Sample session from all cp commands featured in this tutorial:

Animated gif: Ubuntu Linux copy files via terminal using cp command demo

Ubuntu make a backup of each existing destination file

In this example, copy file named birthday_party.avi to /media/usbpen/ and make a backup of each existing destination file:

cp -b birthday_party.avi /media/usbpen/

Copy ~/Documents/ folder to /media/usbpen/

Pass the -r (recursive) option to the cp command. In this example, make a copy of an existing directory called ~/Documents/, inclusive of all its contents (i.e., files, subdirectories, their subdirectories, etc.), to a directory called /media/usbpen/:

cp -r ~/Documents/ /media/usbpen/

Copy files interactively

Pass the -i option to the cp command to prompt the user before copying a file that would overwrite an existing file:

cp -i file1.txt /tmp/

If you do not wish to overwrite an existing file (this overrides a previous -i option), try:

cp -n file1.txt /tmp/

Copy all files in a directory to another directory by using the star wildcard

To copy all files from ~/Pictures/ to /nfs/backups/pics/ directory, enter:

cp ~/Pictures/* /nfs/backups/pics/

In this example, copy all of the files in the current directory that have the filename extension .py into another existing directory called /nfs/backups/python/:

cp *.py /nfs/backups/python

Dealing with permission denied error

If you try to copy files to /root/ or any other system area, you will see an error that reads as follows:

cp backdoor3.c /usr/

cp: /usr/backdoor3.c: Permission denied

Use the sudo command to copy files when you need superuser privileges on Ubuntu Linux:

sudo cp backdoor3.c /usr/

Tip: Searching for commands without knowing their exact names

You can use the apropos command to display a list of all topics in the built-in user manual that are related to the subject. The syntax is:

apropos query

apropos query | less

apropos keywords | grep  something

In this example, get the list of editing programs/commands that are available on a system:

apropos editor

apropos editor | less

Sample outputs:

ed                   (1)  – text editor

ex                   (1p)  – text editor

mcedit               (1)  – Internal file editor of GNU Midnight Commander

nano                 (1)  – Nano's ANOther editor, an enhanced free Pico clone

psed                 (1)  – a stream editor

sed                  (1p)  – stream editor

sed                  (1)  – stream editor for filtering and transforming text

vi                   (1p)  – screen-oriented (visual) display editor

vim                  (1)  – Vi IMproved, a programmers text editor

Finally, use whatis and man command to obtain information about the mcedit or vi command that apropos provides:

whatis mcedit

whatis vi

man vi

man mcedit

And there you have it: the cp command that copies files and directories on Ubuntu based systems. I strongly suggest that you read cp(1) or see our cp command examples page for more information.

 

 

HowTo: Uninstall MySQL Server in Ubuntu Linux
https://wiki.shopingserver.com/howto-uninstall-mysql-server-ubuntu-linux/
Sat, 06 Jan 2018 08:09:03 +0000

I'm a new Ubuntu Linux user and my cloud hosting company installed MySQL server by default. I need to remove it and delete it from my server as I have no use of MySQL server. How can I uninstall MySQL on a Ubuntu based systems?

 

Typically, the following MySQL packages are installed on Debian or Ubuntu Linux systems:

mysql-client – The latest version of MySQL database client.

mysql-server – The latest version of MySQL database server.

mysql-common – MySQL database common files.

How do I uninstall Mysql server?

Just use the apt-get command as follows to remove both the MySQL server and client in Ubuntu Linux:

sudo apt-get --purge remove mysql-client mysql-server mysql-common

sudo apt-get autoremove

Sample outputs (pay attention to package names):

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following packages were automatically installed and are no longer required:

linux-headers-3.2.0-31-virtual linux-headers-3.2.0-31

Use  apt-get autoremove  to remove them.

The following packages will be REMOVED:

libdbd-mysql-perl* libmysqlclient18* mysql-client* mysql-client-5.5* mysql-common* mysql-server*

mysql-server-5.5*

0 upgraded, 0 newly installed, 7 to remove and 0 not upgraded.

After this operation, 67.5 MB disk space will be freed.

Do you want to continue [Y/n]? y

(Reading database … 105097 files and directories currently installed.)

Removing mysql-server …

Removing mysql-server-5.5 …

mysql stop/waiting

Purging configuration files for mysql-server-5.5 …

Removing mysql-client …

Removing mysql-client-5.5 …

Removing libdbd-mysql-perl …

Removing libmysqlclient18 …

Purging configuration files for libmysqlclient18 …

Removing mysql-common …

Purging configuration files for mysql-common …

dpkg: warning: while removing mysql-common, directory  /etc/mysql  not empty so not removed.

Processing triggers for ureadahead …

Processing triggers for man-db …

Processing triggers for libc-bin …

ldconfig deferred processing now taking place

Delete /etc/mysql/ directory using rm command:

$ sudo rm -rf /etc/mysql/

Understanding apt-get command options

--purge : Remove given packages and config files.

remove : Uninstall packages.

autoremove : Force to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed.

See also

Ubuntu Linux: Install MySQL Server Version 5

 

 

HowTo: Upgrade To a Newer Version of Ubuntu 14.04 LTS
https://wiki.shopingserver.com/howto-upgrade-newer-version-ubuntu-14-04-lts/
Sat, 06 Jan 2018 07:58:58 +0000

Ubuntu Linux version 14.04 LTS has been released. How do I upgrade to a newer version of Ubuntu 14.04 LTS from Ubuntu 13.10 or 12.04 LTS?

 

You can easily upgrade from a minor or major release of Ubuntu, and doing so is recommended for all users.

Back up any important data on the Ubuntu server

Make a backup – it cannot be stressed enough how important it is to make a backup of your system before you do this. Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Type the following commands to see current version:

$ uname -mrs

$ lsb_release -a

 

Sample outputs:

Linux 3.2.0-51-generic x86_64

 

No LSB modules are available.

Distributor ID: Ubuntu

Description: Ubuntu 12.04.4 LTS

Release: 12.04

Codename: precise

How do I upgrade to a newer version of Ubuntu, such as v14.04, from an older v13.10 on a server system?

Type the following commands to update the package list and install the update-manager-core package if it is not already installed:

$ sudo apt-get update

$ sudo apt-get install update-manager-core

 

Next, type the following command to upgrade the Ubuntu server to the latest release, such as LTS 14.04, from the command line. This is the recommended command when the server has no graphic environment or when the server is to be upgraded over a remote connection using an ssh client:

$ sudo do-release-upgrade

 

The do-release-upgrade will launch the upgrade tool. You need to follow the on-screen instructions.

Fixing and forcing upgrade

You may end up getting the following message on screen when you run sudo do-release-upgrade

Checking for a new Ubuntu release

No new release found

Warning: The following method will check if upgrading to the latest devel (also known as unstable) release is possible via -d option.

To force upgrade pass the -d option to sudo do-release-upgrade command:

sudo do-release-upgrade -d

A note about upgrading from Ubuntu 13.10 on a desktop system

First, you need to remove all 3rd party binary drivers such as the NVIDIA or AMD graphics card driver. Once they are removed and the desktop has been rebooted, press Alt+F2 and type update-manager into the command box:

update-manager

Update Manager should open up and tell you: New distribution release ‘14.04 LTS’ is available. Just click Upgrade and follow the on-screen instructions to upgrade your desktop systems.

Please note that all LTS desktop users need to wait until the first point release, called Ubuntu LTS v14.04.1, is released by Canonical LTD. If you do not want to wait for LTS v14.04.1, pass the -d option to the update-manager command as follows to upgrade Ubuntu 12.04 LTS to Ubuntu 14.04 LTS:

sudo update-manager  -d

Reboot the server/desktop

Finally, reboot the system:

$ sudo reboot

 

Verify your new settings:

$ lsb_release -a

$ uname -mrs

$ tail -f /var/log/app/log/file

 

Finally, reinstall 3rd party binary drivers.

 

 

Linux / Unix logtop: Realtime Log Line Rate Analyser
https://wiki.shopingserver.com/linux-unix-logtop-realtime-log-line-rate-analyser/
Fri, 05 Jan 2018 16:24:53 +0000

How can I analyze line rate taking log file as input on a Linux system? How do I find the IP flooding my Apache/Nginx/Lighttpd web-server on a Debian or Ubuntu Linux?

 

You need to use a tool called logtop. It is a system administrator tool that analyzes line rate, taking a log file as input. It reads from stdin and prints a constantly updated result, displayed in columns in the following format:

Line number, count, frequency, and the actual line

How do I install logtop on a Debian or Ubuntu based system?

Simply type the following apt-get command:

$ sudo apt-get install logtop

 

Sample outputs:

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following NEW packages will be installed:

logtop

0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.

Need to get 15.7 kB of archives.

After this operation, 81.9 kB of additional disk space will be used.

Get:1 http://mirrors.service.networklayer.com/ubuntu/ precise/universe logtop amd64 0.3-1 [15.7 kB]

Fetched 15.7 kB in 0s (0 B/s)

Selecting previously unselected package logtop.

(Reading database … 114954 files and directories currently installed.)

Unpacking logtop (from …/logtop_0.3-1_amd64.deb) …

Processing triggers for man-db …

Setting up logtop (0.3-1) …

Syntax

The syntax is as follows:

logtop [OPTIONS] [FILE]

command | logtop

command1 | filter | logtop

command1 | filter | logtop [options] [file]

Examples

Here are some common examples of logtop.

Show the IP address flooding your LAMP server

Type the following command:

tail -f www.cyberciti.biz_access.log | cut -d ' ' -f1 | logtop

Sample outputs:

Fig.01: logtop command in action

See squid cache HIT and MISS log

tail -f cache.log | grep -o "HIT\|MISS" | logtop

To see the realtime hit / miss ratio on some caching software log file, enter:

tail -f access.log | cut -d ' ' -f1 | logtop -s 20000

 

The -s option sets logtop to work with a maximum of K lines instead of 10000.

See also

Get Detailed Information About Particular IP address Connections Using netstat Command

logtop home page

 

 

Ubuntu Linux Create and Add Swap File Tutorial
https://wiki.shopingserver.com/ubuntu-linux-create-add-swap-file-tutorial/
Fri, 05 Jan 2018 16:20:59 +0000

I'm a new Ubuntu Linux version 14.04 LTS user. I need additional swap space to improve my Ubuntu server performance. How can I add a swap space on Ubuntu Linux 14.04 LTS using command line over the ssh based session?

 

Swap space is nothing but a disk storage used to increase the amount of memory available on the Ubuntu Linux server. In this tutorial, you will learn how to create and use a swap file on an Ubuntu Linux server.

What is a swap file on Ubuntu server or desktop system?

As a sysadmin it is necessary to add more swap space after installation on the server. Swap file allows Ubuntu Linux to use hard disk to increase virtual memory.

Virtual Memory = RAM + Swap space/file

 

Virtual Memory (1GB) = Actual RAM (512MB) + Swap space/file (512MB)

When the Ubuntu server runs low on memory, it swaps a section of RAM (say an idle program like foo) onto the hard disk (swap space) to free up memory for other programs. Then, when you need that program again (say foo), the kernel swaps foo back in, and it changes places with another program in RAM.

Procedure to add a swap file on a Ubuntu Linux

Open the Terminal app or use the ssh client to get into the remote server. Login as a root user using sudo command:

sudo -s

Create a swap file command

Type the following command to create a 2GB swap file on Ubuntu:

# dd if=/dev/zero of=/swapfile bs=1G count=2

 

Sample outputs:

2+0 records in

2+0 records out

2147483648 bytes (2.1 GB) copied, 20.2256 s, 106 MB/s

Verify that file has been created on the server:

# ls -lh /swapfile

 

Sample outputs:

-rw-r--r-- 1 root root 2.0G Oct 29 14:07 /swapfile

Creating swap space using fallocate command instead of dd command

Instead of the dd command, you can use the faster fallocate command to create a swap file as follows:

# fallocate -l 1G /swapfile-1

# ls -lh /swapfile-1

 

Sample outputs:

-rw-r--r-- 1 root root 1.0G Oct 29 14:11 /swapfile-1

Secure the swap file

Type the following chmod command and chown command to secure and set correct file permission for security reasons:

# chown root:root /swapfile

# chmod 0600 /swapfile

# ls -lh /swapfile

 

Sample outputs:

-rw------- 1 root root 2.0G Oct 29 14:07 /swapfile

A world-readable swap file is a huge local vulnerability. The above commands make sure only root user can read and write to the file.
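To confirm that every file-backed swap area keeps the mode and owner set above, the script below reads a /proc/swaps-style listing (the same columns that swapon -s prints) and checks each file. It is an added example, not part of the original tutorial: the function names are hypothetical, it assumes GNU stat, and the demo runs on a constructed listing and temporary file.

```shell
#!/bin/sh
# Added example: audit file-backed swap areas for mode 0600 and the expected owner.
# Requires GNU stat (coreutils), as shipped on Ubuntu.

# swap_files LISTING
# Print the path of every entry of type "file" in a /proc/swaps-style
# listing; the header line and partition entries are skipped.
swap_files() {
    awk 'NR > 1 && $2 == "file" { print $1 }' "$1"
}

# check_swap_perms PATH [UID]
# Succeed only if PATH has mode 600 and is owned by UID (default 0, root).
check_swap_perms() {
    csp_want=${2:-0}
    csp_stat=$(stat -c '%a %u' "$1" 2>/dev/null) || {
        echo "FAIL $1: cannot stat"
        return 1
    }
    csp_mode=${csp_stat%% *}
    csp_uid=${csp_stat#* }
    if [ "$csp_mode" != "600" ]; then
        echo "FAIL $1: mode $csp_mode, expected 600"
        return 1
    fi
    if [ "$csp_uid" != "$csp_want" ]; then
        echo "FAIL $1: owner uid $csp_uid, expected $csp_want"
        return 1
    fi
    echo "OK   $1: mode 600, owner uid $csp_uid"
}

# audit_swap_listing LISTING [UID]
# Check every swap file in LISTING; return 1 if any check fails.
audit_swap_listing() {
    asl_rc=0
    for asl_path in $(swap_files "$1"); do
        check_swap_perms "$asl_path" "${2:-0}" || asl_rc=1
    done
    return "$asl_rc"
}

# Demo on constructed inputs: a temporary file stands in for /swapfile and
# the current user's uid stands in for root so the demo runs unprivileged.
demo=$(mktemp -d)
: > "$demo/swapfile"
chmod 0644 "$demo/swapfile"
{
    printf 'Filename\tType\tSize\tUsed\tPriority\n'
    printf '/dev/sda5\tpartition\t3998716\t704\t-1\n'
    printf '%s\tfile\t2097148\t0\t-2\n' "$demo/swapfile"
} > "$demo/swaps"
audit_swap_listing "$demo/swaps" "$(id -u)" || true   # reports mode 644
chmod 0600 "$demo/swapfile"
audit_swap_listing "$demo/swaps" "$(id -u)" || true   # reports OK
rm -rf "$demo"
```

On a live host, run `audit_swap_listing /proc/swaps` as root.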

Turn on the swap file

First, use the mkswap command as follows to enable the swap space on Ubuntu:

# mkswap /swapfile

 

Sample outputs:

Setting up swapspace version 1, size = 2097148 KiB

no label, UUID=10231c61-6e55-4dd3-8324-9e2a892e7137

Finally, activate the swap file, enter:

# swapon /swapfile

Verify new swap file and settings on Ubuntu

Type the following command

# swapon -s

 

Sample outputs:

Filename    Type  Size Used Priority

/dev/sda5                               partition 3998716 704 -1

/swapfile                               file  2097148 0 -2

You can also run the following commands to verify swap file and its usage:

# grep -i --color swap /proc/meminfo

# top

# htop

# atop

How can I disable swapfile on Ubuntu?

You need to use the swapoff command as follows:

# swapoff /swapfile

# swapon -s

Update /etc/fstab file

You need to make sure the swap file is enabled when the server comes online after a reboot. Edit the /etc/fstab file, enter:

# vi /etc/fstab

 

Append the following line:

/swapfile none            swap    sw              0       0

Save and close the file.

Tuning the swap file i.e. tuning virtual memory

You can tune the following settings:

swappiness

min_free_kbytes

vfs_cache_pressure

How do I set swappiness on a Ubuntu server?

The syntax is:

# sysctl vm.swappiness=VALUE

# sysctl vm.swappiness=20

 

OR

# echo VALUE > /proc/sys/vm/swappiness

# echo 30 > /proc/sys/vm/swappiness

 

The value in the /proc/sys/vm/swappiness file controls how aggressively the kernel will swap memory pages. Higher values increase aggressiveness, lower values decrease aggressiveness. The default value is 60. To make changes permanent, add the following line to /etc/sysctl.conf:

echo "vm.swappiness=30" >> /etc/sysctl.conf

For database server such as Oracle or MySQL I suggest you set a swappiness value of 10. For more information see the official Linux kernel virtual memory settings page.

See also:

Linux display system hardware status information gathered from /proc filesystem in easy format (includes swap info)

Man pages – mkswap(8),swapon(8),dd(1),free(1),vmstat(1),top(1)

 

 

Install LEMP (Linux, Nginx, MySQL and PHP) Stack on Ubuntu Linux 14.04 LTS
https://wiki.shopingserver.com/install-lemp-linux-nginx-mysql-php-stack-ubuntu-linux-14-04-lts/
Fri, 05 Jan 2018 16:15:55 +0000

I'm a new Ubuntu Linux user. How do I install the LEMP stack on an Ubuntu Linux 14.04 LTS server using command line options to serve dynamic web apps?

 

As one of the most popular Linux distributions in the world, Ubuntu released its latest version on April 17, 2014. The latest version is 14.04, code-named Trusty Tahr. Ubuntu 14.04 is an LTS (Long Term Support) version. This means that Ubuntu 14.04 will be supported for the next 5 years from the release date. In this tutorial we will cover Nginx, MySQL and PHP installation on Ubuntu Linux v14.04.

What is new in Ubuntu 14.04 (Trusty Tahr) version?

You may see it on cyberciti.biz or visit the Ubuntu home page at ubuntu.com.

Nginx Installation

Nginx is one of the robust web servers in the Linux world. Nginx is a free, open source, high performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Now, we are going to install the Nginx web server.

First, make sure the system is up to date:

$ sudo apt-get update

$ sudo apt-get upgrade

#1 – Download and Install Nginx

The easiest way to download and install Nginx is using apt-get command. Here is the command:

$ sudo apt-get install nginx

 

Fig.01: Download and Install Nginx on Ubuntu Linux

 

Just wait until the installation is done on the system.

#2 – Test Nginx

Once it is done, you can open your browser and type the URL http://localhost or http://your_ip_address to test it. If everything goes normally, you will see the Nginx welcome page:

Fig.02: Welcome nginx page on Ubuntu Linux

MySQL Installation On Ubuntu

MySQL is one of the most powerful database management systems in the Linux world. Next, we are going to install it with PHP support.

#1 – Install MySQL and PHP support

Type the following command:

$ sudo apt-get install mysql-server php5-mysql

 

Fig.03: Ubuntu Linux Install MySQL to Manage Site Data with PHP

 

During the installation, MySQL will ask you to enter a MySQL root password; otherwise the installation will not continue. Type the password you want, then press OK to continue the installation.

#2 – Test MySQL

Once mysql installation finished, we can test it. Open your console and type the following command:

$ mysql -u root -p

 

Fig.04: Ubuntu test Mysql installation

 

If you type your password correctly, then you will see the mysql prompt.

#3 – Securing access to MySQL

If we are going to use MySQL as a production database, we may want to secure it. MySQL provides a shell script to help us secure it. Just type the following command on your console:

$ sudo mysql_secure_installation

 

Here are the steps to do it.

1. ENTER YOUR ROOT PASSWORD

Enter your current root password to continue to the next step.

Fig.05: MySQL enter your root db password

2. CHANGE THE ROOT PASSWORD

If you want to change it, press Y. Otherwise, press N.

Fig.06: MySQL security

3. REMOVE ANONYMOUS USER

It is recommended to remove the anonymous user to limit who can log in to your database.

Fig.07: MySQL security

4. DISALLOW ROOT LOGIN REMOTELY

To make sure that no one can access your database as root from another machine, we need to disallow remote root login.

Fig.08: MySQL security

5. REMOVE TEST DATABASE

Some MySQL installations create a database named 'test' for testing purposes. We can remove it if we don't use it.

Fig.09: MySQL security

6. RELOAD PRIVILEGE TABLES

Then we need to reload the privilege tables to ensure that all changes made so far take effect immediately.

Fig.10: MySQL security

7. DONE

Fig.11: MySQL security
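
To confirm that steps 3 to 5 above took effect, the account and database lists can be checked from the shell. This is an added example, not part of the original tutorial; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the result of mysql_secure_installation.

# Input: tab-separated "user<TAB>host" rows on stdin, e.g. from
#   mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user"
# Prints one finding per line and returns 1 if anything was found.
audit_mysql_accounts() {
    awk -F '\t' '
        $1 == "" {
            printf "anonymous account at host %s\n", $2; bad = 1
        }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "root can log in remotely from %s\n", $2; bad = 1
        }
        END { exit bad }
    '
}

# Input: one database name per line on stdin, e.g. from
#   mysql -u root -p -N -B -e "SHOW DATABASES"
audit_mysql_databases() {
    awk '$0 == "test" { print "test database is still present"; bad = 1 }
         END { exit bad }'
}

# Constructed sample rows (not taken from a real server).
sample_accounts() {
    printf 'root\tlocalhost\n'
    printf 'root\t%%\n'
    printf '\tlocalhost\n'
    printf 'wpuser\tlocalhost\n'
}

sample_accounts | audit_mysql_accounts || echo "findings above need fixing"
```
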
PHP Installation For Server Side Scripting

Since PHP is popular, a lot of websites are built using the PHP language. As of January 2013, PHP was installed on more than 240 million websites. Now we are going to install PHP on Ubuntu 14.04.

#1 – Download and install PHP

As usual, we can download and install PHP using the apt-get command. Just type the following command on your Ubuntu console or over an ssh based session:

$ sudo apt-get install php5-fpm

Fig.12: Install PHP for Server Side Processing on Ubuntu

 

And wait for the installation to complete.

Configure Nginx to work with PHP and MySQL Server on Ubuntu

Now we have all components installed. The next step is to configure Nginx to work with PHP and MySQL. Let’s start to configure them.

#1 – Configure PHP5-FPM

The PHP5-FPM configuration file is located at /etc/php5/fpm/php.ini. Open it with your text editor:

$ sudo vi /etc/php5/fpm/php.ini

 

Change this parameter, from:

cgi.fix_pathinfo=1

 

to:

cgi.fix_pathinfo=0

 

Save and close the file and then restart php5-fpm service, type:

$ sudo service php5-fpm restart

#2 – Configure Nginx

Nginx configuration file is located at /etc/nginx/nginx.conf. But basically, we don’t need to touch it. The configuration of nginx website is located in /etc/nginx/sites-available/default file.

Open it, and uncomment lines:

location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
#       # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
#       # With php5-cgi alone:
#       fastcgi_pass 127.0.0.1:9000;
#       # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
}

Then restart the services.

$ sudo service nginx restart

 

Note that on Ubuntu 14.04 we cannot use fastcgi_pass 127.0.0.1:9000, so make sure that line is commented out. Otherwise, on my machine, I got this error:

$ tail /var/log/nginx/error.log
2014/11/04 16:57:04 [emerg] 3216#0: "fastcgi_pass" directive is not allowed here in /etc/nginx/sites-enabled/default:59
2014/11/04 16:58:21 [emerg] 3256#0: "fastcgi_pass" directive is not allowed here in /etc/nginx/sites-enabled/default:59

 

On Ubuntu 14.04, I use the following line:

fastcgi_pass unix:/var/run/php5-fpm.sock;

 

When I restarted Nginx, I still got the following error message:

2014/11/04 17:02:05 [emerg] 3295#0: "fastcgi_pass" directive is not allowed here in /etc/nginx/sites-enabled/default:61
2014/11/04 17:04:58 [emerg] 3410#0: "fastcgi_pass" directive is not allowed here in /etc/nginx/sites-enabled/default:61

 

Make sure that you have already uncommented this line:

location ~ \.php$ {
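
Both edits from steps #1 and #2 can be checked before restarting the services. With cgi.fix_pathinfo=1, PHP may run a different file than the one the nginx location matched, and an active fastcgi_pass outside an active location block is what produces the "directive is not allowed here" error. The script below is an added example, not part of the original tutorial; the function names and sample files are constructed, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example: pre-restart checks for the php.ini and nginx edits above.

# Effective cgi.fix_pathinfo: the last active assignment wins, lines starting
# with ";" are comments, and PHP uses 1 when the key is not set at all.
php_fix_pathinfo() {
    v=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-1}"
}

# Prints "line: text" for every active fastcgi_pass that is not inside an
# active location block, and returns 1 if any were found.
nginx_stray_fastcgi_pass() {
    awk '
        { line = $0; sub(/#.*/, "", line); n = split(line, w, " ") }
        n == 0 { next }
        line ~ /[{][ \t]*$/ { stack[++depth] = w[1]; next }
        line ~ /^[ \t]*[}]/ { if (depth > 0) depth--; next }
        w[1] == "fastcgi_pass" {
            inloc = 0
            for (i = 1; i <= depth; i++) if (stack[i] == "location") inloc = 1
            if (!inloc) { printf "%d: %s\n", NR, $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample files (not from a real host).
write_samples() {
    printf ';cgi.fix_pathinfo=1\ncgi.fix_pathinfo=0\n' > "$1/php.ini"
    cat > "$1/broken.conf" <<'EOF'
server {
    #location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    #}
}
EOF
    sed 's/#//' "$1/broken.conf" > "$1/fixed.conf"   # uncomment the block
}

demo=$(mktemp -d) && write_samples "$demo"
echo "cgi.fix_pathinfo = $(php_fix_pathinfo "$demo/php.ini")"
nginx_stray_fastcgi_pass "$demo/broken.conf" || echo "uncomment the location block first"
rm -rf "$demo"
```
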

#3 – Configure MySQL

Now that the configuration is done, we need to test it to make sure that it works as required. On Ubuntu 14.04 the root document folder is located in /usr/share/nginx/html. So create a file called /usr/share/nginx/html/phpinfo.php with the following code:

<? phpinfo(); ?>

After restarting PHP-FPM and Nginx, we opened the browser and browsed to the PHP file, but got only a blank screen. There was no error message on the screen, and no error message in the PHP-FPM or Nginx log files.

 

Then we changed /usr/share/nginx/html/phpinfo.php file code on the root document of Nginx, as follows:

<?php phpinfo(); ?>

Then open the browser again and go to the URL http://your_ip_address/phpinfo.php

 

It seems that by default, we cannot use the short PHP tag like this:

<? … your code … ?>

To enable the short PHP tag, we need to change the value of the short_open_tag parameter in the php.ini file:

Change the value from Off to On. Then restart php5-fpm:

$ sudo service php5-fpm restart

 

Then try again to test your phpinfo file. Next, we will see whether MySQL support is enabled. Scroll down the PHP configuration screen in your browser; if you see a MySQL block there, then MySQL support is already enabled.

 

You are now ready to use Nginx, PHP5 and MySQL on Ubuntu server. I hope this quick article helps anyone who wishes to install Linux, Nginx, PHP and MySQL on Ubuntu 14.04.

This quick tutorial was contributed by Pungki Arianto. You too can contribute to nixCraft.

 

 

How To Patch and Protect Linux Server Against the VENOM Vulnerability # CVE-2015-3456
https://wiki.shopingserver.com/patch-protect-linux-server-venom-vulnerability-cve-2015-3456/
Fri, 05 Jan 2018 15:17:24 +0000

A very serious security problem has been found in QEMU’s virtual floppy drive code, which is used by many computer virtualization platforms including Xen, KVM, VirtualBox, and the native QEMU client. It is called the VENOM vulnerability. How can I fix the VENOM vulnerability and protect my Linux server against the attack? How do I verify that my server has been fixed against the VENOM vulnerability?

 

This is tagged as a high severity security bug and was announced on 13th May 2015. The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase. Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).

What is the VENOM security bug (CVE-2015-3456)?

From the RHEL bugzilla:

An out-of-bounds memory access flaw was found in the way QEMU’s virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the hosting QEMU process.

Fig.01 Venom bug

 

This issue affects the versions of the kvm, xen, and QEMU packages while VMware, Hyper-V, and Bochs are unaffected. This issue affects all x86 and x86-64 based HVM Xen and QEMU/KVM guests, regardless of their machine type.

A list of affected Linux distros

RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x

CentOS Linux version 5.x, 6.x and 7.x

OpenStack 5 for RHEL 6

OpenStack 4 for RHEL 6

OpenStack 5 for RHEL 7

OpenStack 6 for RHEL 7

Red Hat Enterprise Virtualization 3

Debian Linux code named stretch, sid, jessie, squeeze, and wheezy [and all other distros based on Debian]

SUSE Linux Enterprise Server 10 Service Pack 3 (SLES 10 SP3)

SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)

SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)

SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

SUSE Linux Enterprise Server 12

SUSE Linux Enterprise Expanded Support 5, 6 and 7

Ubuntu 12.04

Ubuntu 14.04

Ubuntu 14.10

Ubuntu 15.04

Fix the VENOM vulnerability on a CentOS/RHEL/Fedora/Scientific Linux

Type the following yum command as the root user:

sudo yum clean all

sudo yum update

 

Reboot all your virtual machines on those hypervisors.

Fix the VENOM vulnerability on a Debian Linux

Type the following apt-get command as the root user:

sudo apt-get clean

sudo apt-get update

sudo apt-get upgrade

 

Reboot all your virtual machines on those hypervisors.

Fix the VENOM vulnerability on a Ubuntu Linux

Type the following apt-get command as the root user:

sudo apt-get clean

sudo apt-get update

sudo apt-get upgrade

 

Reboot all your virtual machines on those hypervisors.

Fix the VENOM vulnerability for Oracle VirtualBox on a Linux/OSX/MS-Windows/Solaris Unix

You need to download and update a VirtualBox 4.3 maintenance release by visiting this page.

Do I need to reboot my host server?

No need to reboot the host server. But, you need to reboot all your virtual machines on those hypervisors. This cannot be avoided. Sample commands to list, stop, and start KVM/QEMU guests are as follows:

## Following the update, the guests (virtual machines) ##
## need to be powered off and started up again for the update to take effect. ##
## Rebooting a vm will not work ##

## List all vms (running and shut off) ##
virsh list --all

## Stop vm called db1 ##
virsh shutdown db1

## Again start vm called db1 ##
virsh start db1

See “KVM: Starting / Stopping Guest Operating Systems With virsh Command” for more info.
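
Because a guest that was only rebooted keeps running the old QEMU process, it helps to list which processes predate the update. The script below is an added example, not part of the original article; it assumes the package update replaced the QEMU binary on disk, in which case Linux shows the old process's /proc/<pid>/exe target with " (deleted)". The function names and the fake /proc tree are constructed for an offline run; on a real host, call stale_qemu with no argument as root.

```shell
#!/bin/sh
# Added example: list QEMU processes still running a replaced binary.
# Assumption: the package update replaced the QEMU binary file on disk.

# Value following -name on a QEMU command line (NUL-separated cmdline file).
guest_name() {
    [ -r "$1" ] || return 0
    tr '\0' '\n' < "$1" | awk 'prev == "-name" { print; exit } { prev = $0 }'
}

# $1 = proc root (default /proc). Prints "pid<TAB>guest" per stale process.
stale_qemu() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe") || continue
        case $target in
            *qemu*" (deleted)")
                pid=${exe%/exe}; pid=${pid##*/}
                printf '%s\t%s\n' "$pid" "$(guest_name "$root/$pid/cmdline")"
                ;;
        esac
    done
}

# Constructed fake /proc tree: pid 101 is a guest started before the update,
# pid 202 was started after it, pid 303 is an unrelated process.
make_fake_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    ln -s '/usr/bin/qemu-system-x86_64 (deleted)' "$1/101/exe"
    ln -s '/usr/bin/qemu-system-x86_64' "$1/202/exe"
    ln -s '/usr/sbin/nginx (deleted)' "$1/303/exe"
    printf 'qemu-system-x86_64\0-name\0db1\0-nodefaults\0' > "$1/101/cmdline"
    printf 'qemu-system-x86_64\0-name\0web1\0' > "$1/202/cmdline"
}

demo=$(mktemp -d) && make_fake_proc "$demo" && stale_qemu "$demo"
rm -rf "$demo"
```

Every guest it lists still needs the virsh shutdown and virsh start cycle shown above; an empty result means no running QEMU process is using a replaced binary.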

General workaround (may not work at all so patch ASAP)

The emulated floppy seems to be loaded by default in qemu and kvm. You can disable floppy support by starting qemu without floppy emulation but with vga enabled (or any other option as required):

qemu -nodefaults -vga std …

Another workaround on CentOS/SUSE/Red Hat Linux Enterprise Server is to manage the virtual machines by libvirt. See libvirt and qemu man pages for more info.

More info

See the following external links for more info on this bug:

Debian Linux security tracker

RHEL security tracker

Original CrowdStrike announcement

Xen security tracker

qemu/KVM/Xen: floppy driver allows VM escape (“VENOM” vulnerability, CVE-2015-3456)

 

 
