

Critical Red Hat / Fedora Linux OpenSSH Security Update

Last week one or more of Red Hat's servers got cracked. Now it has been revealed that both Fedora and Red Hat servers were compromised. As a result, Fedora is changing its package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

This update has been rated as having critical security impact. If your Red Hat based server is directly connected to the Internet, patch the system immediately.

From the RHN announcement:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

The following products are affected:
=> Red Hat Desktop (v. 4)
=> Red Hat Enterprise Linux (v. 5 server)
=> Red Hat Enterprise Linux AS (v. 4)
=> Red Hat Enterprise Linux AS (v. 4.5.z)
=> Red Hat Enterprise Linux Desktop (v. 5 client)
=> Red Hat Enterprise Linux ES (v. 4)
=> Red Hat Enterprise Linux ES (v. 4.5.z)
=> Red Hat Enterprise Linux WS (v. 4)

How do I patch up my system?

Log in as root and type the following command:
# yum update

This is the main reason I don't use Fedora in production.

More information:

Now, Red Hat has not disclosed how the hell the attacker got into the server. I'd like to know more about that - was it a 0-day bug or a plain old social engineering hack?

Updated for accuracy - CentOS is not affected by this bug, see the comments below.

CentOS / Red Hat Enterprise Linux 5.2 Poor NFS Performance and Solution

A few days ago I noticed that NFS performance between a web server node and the NFS server went down by 50%. NFS was optimized, and the only thing that had changed was the updated Red Hat kernel in v5.2. I also noticed the same trend on the CentOS 5.2 64 bit edition.

The NFS server crashed each and every time the web server node tried to store a large file (20-100 MB each). Read performance was fine but write performance went to hell. Finally, I had to roll back the updates. Recently, while reading the Red Hat site, I came across the solution.

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5:

* a 50-75% drop in NFS server rewrite performance, compared to Red Hat Enterprise Linux 4.6, has been resolved.

After upgrading the kernel on both the server and the client, my issue was resolved:
# yum update

Linux: Install Urchin 6 Web Analytics Software

Web analytics is the study of online behaviour in order to improve it. There are two categories: off-site and on-site web analytics. Google's Urchin 6 can be installed under Linux kernel 2.6 or 2.4 for Apache web log analysis. Urchin 6 is just like Google Analytics, the most widely used hosted web analytics system, but it is targeted at ecommerce or enterprise users:

Urchin Software from Google analyzes traffic for one or more websites and provides easy-to-understand reports on your visitors - where they come from, how they use your site, what converts them into customers, and much more. If you have content behind a security firewall or on an intranet or internal network that prevents you from using the Google Analytics service, Urchin Software from Google is for you.

In this small tutorial you will learn about installing Urchin 6 Web Analytics under Red Hat Enterprise Linux 5.x.

Step #1: Download Urchin 6

Visit the official site to grab the latest Urchin 6 for Linux kernel 2.6. You can also use the wget command as follows:
$ cd /tmp
$ wget http://dl.google.com/urchin/current_urchin6_linux2.6_kernel.zip

Step #2: Create MySQL database to store urchin data

First, connect to the MySQL server, either a remote server or the local one:
$ mysql -h server-ip -u root -p
$ mysql -u root -p
Once connected, type the following command to create the urchin database:
mysql> create database urchin character set utf8;
Create urchin user and grant all permissions:
mysql> GRANT ALL ON urchin.* to 'urchin'@'localhost' IDENTIFIED BY 'mySecreteUrchinPassword';
mysql> quit;

Step #3: Install Urchin

Unzip and untar the Urchin software:
$ unzip current_urchin6_linux2.6_kernel.zip
$ mkdir urchin
$ tar -zxvf urchin6402_linux2.6_kernel.tar.gz -C urchin

Install urchin software, enter:
$ cd urchin
$ ./install.sh

Follow the on-screen instructions; at the end you should see information as follows:

Installation Directory: /usr/local/urchin
Webserver Port: 9999
Webserver User: nobody
Webserver Group: nobody
SQL Server Type: mysql
SQL Server:
SQL Port: 3306
SQL Database: urchin
SQL User: urchin
SQL Password: (set but not displayed)
Initialize configuration database during install: Yes
Automatic monthly geodata updates: Yes
Start Webserver and Scheduler: Yes
Please select continue or exit [Default: 1]
   1. Continue
   2. Exit
Installing Urchin
Configuring Urchin to use existing SQL server
-- Initializing SQL database for Urchin
-- Configuring SQL parameters in urchin.conf
Creating webserver configuration
Setting file ownership and permission
Starting the Urchin webserver and scheduler daemon
Urchin webserver started on port 9999
Urchin SLAVE scheduler started
Urchin MASTER scheduler started
-- Installation Complete
The Urchin administrative interface should be ready to use at
To start or stop the Urchin webserver or scheduler, run 'urchinctl start'
or 'urchinctl stop' from the installation bin directory.
The administrative interface default username is admin and the password
is urchin.  A wizard will direct you through the process of licensing
the product and changing the default password.  We strongly recommend
that you change the default value to something more secure.

Configure Urchin

You need to open the default port (TCP 9999) using iptables. Here is a sample rule; adjust it according to your setup (${PUB_IF} is your public interface):
/sbin/iptables -A INPUT -i ${PUB_IF} -p tcp --destination-port 9999 -j ACCEPT
Next, type the following url to start the Urchin administrative interface:

Fig.01: Urchin 6 Login Screen

The default username is admin and the password is urchin. A wizard will direct you through the process of licensing the product and changing the default password. You must obtain a license from Urchin software authorized consultants.

Red Hat Enterprise Linux 4 Kernel Bug Fix Update

Updated kernel packages that fix several bugs, while adding an enhancement are now available for Red Hat Enterprise Linux 4.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following bugs:

* the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier.

The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder.

* A set of patches detailed as "sys_times: Fix system unresponsiveness during many concurrent invocation of sys_times()" and "Minor code cleanup to sys_times() call" introduced a regression which caused a kernel panic under high load. These patches were reverted in the current release.

* A process could hang in an uninterruptible state while accessing application data files due to a race condition in asynchronous direct I/O system calls.

* USB devices would not be detected on a PowerEdge R805 system. USB devices are now able to be detected on the aforementioned system with this update.
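The first bug above is about source port predictability, which is worth being able to measure rather than take on trust. The script below is an added example, not part of the Red Hat advisory: sample_kernel_ports() opens UDP sockets with an unspecified source port (the same thing the stub resolver does) and records what the kernel hands out, and assess_source_ports() scores any list of observed ports, flagging a sample whose ports repeat or step by +1. The three sample lists are constructed, not captured data, and the thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the Red Hat advisory): check whether the UDP source
ports a resolver ends up with are predictable.

A stub resolver that does not bind a source port gets whatever the kernel
hands out. sample_kernel_ports() captures that behaviour on the running host;
assess_source_ports() scores any list of observed ports, for example ports
read off a packet capture of outbound DNS queries.
"""
import socket
from collections import Counter
from math import log2

# Constructed samples, not captured data: what three kinds of allocator look like.
FIXED_PORT_SAMPLE = [32768] * 20                      # same port every query
SEQUENTIAL_SAMPLE = list(range(32768, 32768 + 20))    # port increments by one
RANDOMIZED_SAMPLE = [53211, 40987, 61002, 35644, 57320, 42871, 50009, 38155,
                     60311, 44720, 55193, 33902, 58466, 47250, 62015, 36108,
                     51734, 41399, 59877, 34561]


def sample_kernel_ports(n=64):
    """Open n UDP sockets with an unspecified (0) source port and return the
    ports the kernel assigned. Sockets stay open until all are sampled so the
    kernel cannot hand the same port back; no packets are sent."""
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("0.0.0.0", 0))          # port 0: let the kernel choose
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def assess_source_ports(ports, max_sequential=0.5, min_distinct_ratio=0.9):
    """Score a list of observed source ports.

    Flags the sample as predictable when ports repeat (too few distinct values)
    or mostly step by +1 (a sequential allocator, as on the kernel the advisory
    describes). Shannon entropy of the observed values is reported for context:
    a fixed port gives 0 bits, a fully randomized 16-bit port approaches 16 bits
    in a large sample. Thresholds are assumptions for illustration."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for d in deltas if d == 1) / len(deltas)
    counts = Counter(ports)
    entropy_bits = -sum((c / n) * log2(c / n) for c in counts.values())
    predictable = (distinct < n * min_distinct_ratio
                   or sequential_fraction > max_sequential)
    return {
        "samples": n,
        "distinct": distinct,
        "sequential_fraction": sequential_fraction,
        "entropy_bits": round(entropy_bits, 2),
        "predictable": predictable,
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOMIZED_SAMPLE),
                         ("this kernel", sample_kernel_ports())):
        print(f"{name:12s} {assess_source_ports(sample)}")
```

sample_kernel_ports() only tells you what the local kernel does for a socket that leaves the port unspecified; to judge a resolver in production, feed assess_source_ports() the source ports taken from a capture of its outbound port 53 traffic, since a resolver that binds its own port bypasses the kernel's choice entirely.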

Further, these updated packages add the following enhancement:

* Added HDMI support for AMD ATI chipsets RS780, RV610, RV620, RV630, RV635, RV670 and RV770.

How do I upgrade my kernel on RHEL 4.x?

Type the following command as root user:
# up2date -uf

Linux Condor security and bug fix update

Condor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management.

A flaw was found in the way Condor interpreted wildcards in authorization lists. Certain authorization lists using wildcards in DENY rules, such as DENY_WRITE or HOSTDENY_WRITE, that conflict with the definitions in ALLOW rules, could permit authenticated remote users to submit computation jobs, even when such access should have been denied. (CVE-2008-3424)
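The general lesson of that flaw is evaluation order: when ALLOW and DENY lists both take wildcards, an identity can match both, and whichever list is consulted first decides the outcome. The following is an added example and is not Condor's code; it is a toy evaluator with a hypothetical, simplified rule syntax (shell-style patterns matched against a "user@host" identity string) that contrasts an allow-first evaluation with a deny-wins one, plus an audit helper that lists the identities on which the two disagree. The policy lists and client identities are constructed.

```python
"""Added example, not Condor's code: a toy authorization-list evaluator showing
why DENY rules must be consulted before ALLOW rules when both accept wildcards.

Rule syntax (hypothetical, simplified): each entry is a shell-style pattern
matched against the client identity "user@host".
"""
from fnmatch import fnmatchcase

# Constructed policy: every host in the domain may submit jobs, except the
# quarantined ones and the shared guest account. The lists overlap on purpose.
ALLOW_WRITE = ["*@*.example.org"]
DENY_WRITE = ["*@quarantine*.example.org", "guest@*"]


def _matches(identity, patterns):
    """True when any pattern in the list matches the identity."""
    return any(fnmatchcase(identity, p) for p in patterns)


def authorize_allow_first(identity, allow, deny):
    """Flawed evaluation: an ALLOW match grants access before DENY is looked at,
    so a wildcard ALLOW silently overrides every overlapping DENY entry. DENY
    only ever applies to identities ALLOW did not cover, where it changes nothing."""
    if _matches(identity, allow):
        return True
    if _matches(identity, deny):
        return False
    return False


def authorize_deny_wins(identity, allow, deny):
    """Correct evaluation: any DENY match refuses access regardless of ALLOW;
    access is granted only when ALLOW matches and DENY does not."""
    if _matches(identity, deny):
        return False
    return _matches(identity, allow)


def find_conflicts(allow, deny, identities):
    """Audit helper: identities that match both lists. These are exactly the
    cases where the two evaluation orders disagree, so they are what to review
    in a configuration after upgrading."""
    return [i for i in identities if _matches(i, allow) and _matches(i, deny)]


if __name__ == "__main__":
    clients = ["alice@node1.example.org", "bob@quarantine7.example.org",
               "guest@node2.example.org", "mallory@evil.net"]
    for c in clients:
        print(f"{c:30s} allow-first={authorize_allow_first(c, ALLOW_WRITE, DENY_WRITE)!s:5s} "
              f"deny-wins={authorize_deny_wins(c, ALLOW_WRITE, DENY_WRITE)}")
    print("conflicting identities:", find_conflicts(ALLOW_WRITE, DENY_WRITE, clients))
```

Running the block shows the quarantined host and the guest account being admitted by the allow-first order and refused by the deny-wins order, while identities outside the domain are refused either way; find_conflicts() is the check to run over your own lists, because a DENY entry that never wins is indistinguishable from one that is missing.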

How do I fix this bug in Condor Software?

Type the following command to fix this bug:
# up2date -u
If you are using Red Hat Enterprise MRG 1, enter:
# yum update

Bugs fixed in this update

* the /etc/condor/condor_config file started with "What machine is your
central manager?". The following line was blank, instead of having the
"CONDOR_HOST" option, causing confusion. The "What machine..." text is now

* condor_config.local defined "LOCK = /tmp/[lock file]". This is no longer
explicitly defined; however, lock files may be in "/tmp/", and could be
removed by tmpwatch. A "LOCK_FILE_UPDATE_INTERVAL" option, which defaults
to eight hours, has been added. This updates the timestamps on lock files,
preventing them from being removed by tools such as tmpwatch.

* when a "SCHEDD_NAME" name in condor_config ended with an "@", the
system's hostname was appended. For example, if "SCHEDD_NAME = test@" was
configured, "condor_q -name test@" failed with a "Collector has no record
of schedd/submitter" error. Now, the hostname is not appended when a name
ends with an "@". In High Availability (HA) Schedd deployments, this allows
a name to be shared by multiple Schedds.

* when too few arguments were passed to "condor_qedit", such as
"condor_qedit -constraint TRUE", a segfault occurred. Better argument
handling has been added to resolve this.

* due to missing common_createddl.sql and pgsql_createddl.sql files,
it was not possible to use Quill. Now, these files are included in

* "condor_submit -dump ad [file-name]" caused a segfault if the [file-name]
job contained "universe = grid".

* previously, a condor user and group were created if they did not exist,
without specifying a specific UID and GID. Now, UID and GID 64 are used.
The effect of this change is non-existent if upgrading the condor packages.
If an existing condor user and group are manually changed, problems with
file ownership will occur.

Configuration changes (from the Condor release notes - see link below):

* a new CKPT_SERVER_CHECK_PARENT_INTERVAL variable sets the time interval
between a checkpoint server checking if its parent is running. If the
parent server has died, the checkpoint server is shut down.

* a new CKPT_PROBE variable to define an executable for the helper process
Condor uses for information about the CheckpointPlatform attribute.

* STARTER_UPLOAD_TIMEOUT now defaults to 300 seconds.

* new variables (booleans) PREEMPTION_REQUIREMENTS_STABLE and
PREEMPTION_RANK_STABLE, configure whether attributes used in

default value of 5, defines the number of simultaneous WS destroy commands
that can be sent to a server for type gt4 grid universe jobs.

* now, VALID_SPOOL_FILES automatically includes the "SCHEDD.lock" lock file
for condor_schedd HA failover.

* the default value for SEC_DEFAULT_SESSION_DURATION has been changed from
8640000 seconds (100 days) to 86400 seconds (one day).

Important: these updated packages upgrade Condor to version 7.0.4. For a
full list of changes, refer to the Condor release notes:

condor users should upgrade to these updated packages, which resolve these

Linux IPv6 Default Route Not Working

CentOS / Fedora / Red Hat Enterprise Linux / other Linux distros have a weird bug in the kernel itself.

I've tested this on Linux 2.6.18-92.1.1.el5 x86_64. The default IPv6 route, as configured in the /etc file, does not work. You need to add it manually using the ip route command.

# ip route add {IPv6-prefix} dev {device}
# ip route add 2000::/3 dev eth2
Now you can ping an IPv6 site, enter:
# ping6 ipv6.google.com
Sample output:

PING ipv6.google.com(2001:4860:0:2001::68) 56 data bytes
64 bytes from 2001:4860:0:2001::68: icmp_seq=0 ttl=59 time=37.3 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=1 ttl=59 time=36.7 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=2 ttl=59 time=36.9 ms
64 bytes from 2001:4860:0:2001::68: icmp_seq=3 ttl=59 time=36.9 ms

Project Spacewalk: Red Hat Open Sourced RHN Software

Today, at the Red Hat Summit in Boston, Mass., Red Hat introduced Project Spacewalk. RHN has provided patches and software for the Red Hat Enterprise Linux operating system. Spacewalk is an open source (GPLv2) Linux systems management solution. It is the upstream community project from which the Red Hat Network Satellite product is derived. From the press release:

Spacewalk is the upstream project upon which RHN Satellite will now be based. Spacewalk will work with Red Hat Enterprise Linux, Fedora and other Red Hat Enterprise Linux derivative distributions like CentOS and Scientific Linux. Spacewalk will bring together a growing community of new users along with seasoned systems management veterans. In this way, the Satellite product can grow (as Linux itself does) with the combined efforts of the open source leader, Red Hat, and an invigorated community. Both will work together to expand the capabilities and stature of the upstream project. This will translate into faster adoption of new, innovative ideas and technologies into the downstream Satellite product.

(Fig.01: Spacewalk in action)

=> You can download spacewalk software here.