Technologist

Tech stuff about Cloud, DevOps, SysAdmin, Virtualization, SAN, Hardware, Scripting, Automation and Development

Browsing Posts tagged security

Running on runlevel 5 is not a good idea for a server, I try to run servers on runlevel 3 with as minimal packages as needed. But sometimes you need a graphical application or a browser for some reason or another. You can use VNC to connect to the server and do it over SSH to make sure the communication is encrypted.

This guide is to enable VNC over SSH on a Linux Server. I will use CentOS 5.2 server for this guide.

I will allow only user john to be able to VNC/SSH to the server. Since I will be testing GUI based stuff, I will need a graphical environment installed. I do not need to run my server in graphical mode, but I need to have the proper packages installed.

1) Install the X Window System group

[root@server ~]# yum groupinstall “X Window System”

2) Install the vncserver

[root@server ~]# yum install vnc-server

3) As the user that will use VNC, create VNC password

[john@server ~]$ vncpasswd

4) Modify VNC configuration to allow X (/home/john/.vnc/xstartup)

 #!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

5) Start the vncserver as the user who will have access, use a display number that you will remember, here I am using 2. Also use the following arguments to make sure it ONLY listens to the localhost.

[john@server ~]$ vncserver :2 -geometry 1024×768 -nolisten tcp -nohttpd -localhost

6) Check that the VNC service is only listening locally

[john@server ~]$ netstat -ntlp

tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 7927/Xvnc

7) Ok, now lets connect using VNC over SSH
From a remote station you will start an SSH session and forward an arbitrary port(e.g. 5544) to the vnc server’s localhost address on port 5092. (It ends with 2 because you started the vnc server with :2)
That means that whenever you are on Server2 and you send packets to localhost on port 5544, those packets will be forwarded through the SSH tunnel to the vnc Server localhost on port 5902.

[alex@server2 ~]$ ssh -L5544:localhost:5902 john@server.example.com

8 ) Now on Server2 start a VNC client/viewer and on the server address, enter:

localhost:5544

9) Enjoy your secure VNC session!

VNC over SSH

VNC over SSH

VMware Update Manager is a tool to automate and streamline the process of applying updates, patches or upgrades to a new version. VUM is fully integrated within vCenter Server and offers the ability to scan and remediate ESX/ESXi hosts, virtual appliances, virtual machine templates, and online and offline virtual machines running certain versions of Windows, Linux, and some Windows applications.

In this post you will learn how to Configure VMware Update Manager.
To install VMware Update manager follow Install VMware Update Manager.

  1. VUM Configuration
  2. Create a Baseline
  3. Create a Baseline Group
  4. Attach Baseline to Host/Cluster
  5. Remediate/Patch

1. VUM Configuration
Open Update Manager (Admin View)
Go to Home -> Update Manager

Under the configuration tab, Click on Patch Download Schedule to change the schedule and add an email notification.
Also change the Patch Download Settings to download only what you need, in my case I don’t need windows/linux VM patches or ESX 3.x patches so I am deselecting those.

2. Create a Baseline
There are two types of baselines: Dynamic and Fixed. Fixed baselines are used when you need to apply a specific patch to a system, while dynamic baselines are used to keep the system current with the latest patches. In this guide we will create a Dynamic Baseline.

Go to the Patch Baselines tab and click Create… on the upper right side.

The following screenshots are for a Security patches only baseline:

Give it a name and description

Select Dynamic

Choose Criteria

Review and click Finish

3. Create a Baseline Group
Baseline Groups, are combinations of non conflicting baselines. You can use a Baseline Group to combine multiple dynamic patch baselines, for example the default Critical Patches Baseline and the HostSecurity baseline we created in the previous step

This will create a Baseline Group that includes Critical and Security Patches:
Go to the Patch Baselines tab and click Create… (The Create link that is next to Baseline Groups)

Give it a name and select Host or VM, in this case it is Host

No upgrades, just patches

Select the individual Baselines you want to group

Leave defaults

Review and click Finish

This is how it should look

Now you are all set to attach your Baselines to a Host or to a Cluster.

4. Attach Baseline to Host/Cluster

Go into the Hosts and Clusters View (CTRL+SHIFT+H), select the Host/Cluster you want to attach the baseline to. In this guide I will attach the baseline to the Cluster.

Click on the Cluster, go to the Update Manager tab and click Attach…

Select the Individual or Group Baselines you want to apply to the Cluster and click Attach

You will back at the Hosts and Cluster view, click on Scan…

Once the scan has completed it will show you if you are compliant or not and then you have to remediate (patch).

5. Remediate/Patch
You can remediate the whole cluster or a host at a time, I prefer to do it a host at a time, but it is up to you.

Right click the Cluster/Host you want to patch, and select Remediate…

Select the Baseline you want to remediate

It will list all the patches that will be applied, here you can deselect some patches in case you don’t want them

You can do it immediately or schedule it to happen at a different time

Review the summary and execute

The server will go into maintenance mode and patches will be applied, also, if needed, the server will be rebooted as well.

And that is it, the Host/Cluster is now compliant and patched for Critical and Security patches.