Updating the OS Packages of Your Server
Posted by on 05 July 2019 01:10 PM
Introduction
To keep your server secure and up to date, it is important to update the OS packages on your server. This guide explains how you can perform these updates, depending on what OS and Control Panel is used by your server. If you have questions about the update process, contact support@eapps.com. If you would like eApps to perform these updates for you, contact sales@eapps.com. Note that for severe security issues, eApps may apply patches to your server, or provide specific instructions to you about what you need to do to mitigate the security issues.
CentOS (with or without ISPmanager control panel)
Generating the Repository Cache
First, fetch the latest list of packages from the configured repositories. If you are using ISPmanager, this will include the ISPsystem repository as well as the eApps repository. All commands need to be run as root.
# yum makecache
After the repository cache is generated, you can apply updates to a single package or to all installed packages.
Updating A Single Package
You can update a single package using the following syntax:
# yum update <package_name>
For example, to update the openssl package:
# yum update openssl
You may be interested in updating a single package if you want to mitigate a recently discovered vulnerability. In CentOS, security patches may be "backported" to a package without updating the major version number. This is important to keep in mind when scanning your server for PCI compliance. Most PCI scan vendors tend to only look at the major version number of a package and not the security patches it has. You can check the ChangeLog of a package to determine if a security patch is applied using the following syntax:
# rpm -q --changelog <package_name> | grep <CVE_ID>
Here, we are checking if the openssl package includes the fix for CVE-2018-5407:
# rpm -q --changelog openssl | grep CVE-2018-5407
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
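The changelog check above can be extended to several CVE IDs at once, matching each ID exactly so that a longer ID does not produce a false "patched" result. This is an added example, not part of the original eApps guide; the function names and the sample changelog are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which CVE IDs appear in a package changelog.
# Function names and the sample changelog are constructed for illustration.

# cve_in_changelog CVE_ID   (changelog text on stdin)
# Returns 0 if the exact ID appears, 1 if not, 2 if the ID is malformed.
cve_in_changelog() {
    local cve="$1"
    # Accept only CVE-YYYY-NNNN[...] so the value is safe inside a regex.
    printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    # Require a non-digit (or end of line) after the ID, so a query for
    # CVE-2019-1543 does not match an entry for CVE-2019-15430.
    grep -Eq "(^|[^A-Za-z0-9])${cve}([^0-9]|\$)"
}

# cve_report CVE_ID...   (changelog text on stdin)
# Prints one "ID status" line per CVE; returns 1 if any ID is not confirmed.
cve_report() {
    local log rc=0 cve status
    log="$(cat)"
    for cve in "$@"; do
        status=0
        printf '%s\n' "$log" | cve_in_changelog "$cve" || status=$?
        case $status in
            0) echo "$cve patched" ;;
            1) echo "$cve not-found"; rc=1 ;;
            *) echo "$cve invalid-id"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample in the format shown above. On a real server, pipe in
# `rpm -q --changelog openssl` (CentOS) or `apt changelog openssl` instead.
sample_changelog() {
    cat <<'EOF'
* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 0.0.0-1
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
- fix CVE-2019-15430 - constructed longer ID for the boundary case
EOF
}
```

On a server, run it as: rpm -q --changelog openssl | cve_report CVE-2018-5407. The "patched" lines can be kept as evidence when a PCI scan flags a package by version number alone.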
The fix is included in this version of openssl.
Updating All Installed Packages
You can see a list of packages that have updates available with the following syntax:
# yum update
You will be presented with a list of packages that have available updates before they are applied so you can confirm.
Note: Updating all packages will also update ISPmanager packages and update the control panel to the latest version. Be sure to check the ChangeLog of the software you are using before applying updates. The ChangeLog for ISPmanager can be found here: https://www.ispsystem.com/software/ispmanager/changelog
CentOS (cPanel/WHM control panel)
cPanel provides their own repositories and update mechanism. While it is possible to use yum as with a regular CentOS install, it is strongly recommended to use the update method built into the control panel. For instructions on how to update your cPanel & WHM server, see https://documentation.cpanel.net/display/CKB/How+to+Update+Your+System
CentOS (Plesk control panel)
Plesk can apply software updates through the control panel on Linux. For information on how to do this, see https://docs.plesk.com/en-US/onyx/administrator-guide/server-administration/system-updates-plesk-for-linux-only.75822/
Windows (Plesk control panel)
To apply updates to Plesk itself (on Windows and Linux), see https://docs.plesk.com/en-US/onyx/administrator-guide/70989/
Windows (no control panel)
Windows updates are enabled by default and will automatically be downloaded. They will not be applied until you confirm.
Manually Checking For Updates (Windows 2008, Windows 2012)
See Microsoft's official documentation for manual Windows Update checking: https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
Manually Checking For Updates (Windows 2016)
Active Hours
You can select a timeframe in which Windows will not automatically restart. Note that this timeframe can only be 12 hours.
Restart Options
You can select a custom date and time for an automatic reboot to occur.
Debian & Ubuntu (no control panel)
Generating the Repository Cache
As with CentOS, you need to fetch a list of available updates first. All commands need to be run as root.
# apt-get update
After the repository cache is generated, you can apply updates to a single package or to all installed packages.
Updating A Single Package
You can update a single package using the following syntax:
# apt-get --only-upgrade install <package_name>
For example, to update the openssl package:
# apt-get --only-upgrade install openssl
As with CentOS, you can get the ChangeLog of a package to determine if a certain security patch is applied using the following syntax:
# apt changelog openssl
You will be presented with the ChangeLog in your pager. To search through this document, you can scroll up and down or you can use the / character plus your query, such as:
/CVE-2019-1543
You will be taken to the search result and it will be highlighted.
openssl (1.1.0k-1~deb9u1) stretch-security; urgency=medium
To exit, press
Updating All Installed Packages