Keep a Cloud Server up-to-date
Although package updates cannot completely prevent cyberattacks, you can avoid compromised servers if the servers are kept up-to-date with the proper appropriate security fixes. Keeping your servers up-to-date should be a key component of your security strategy.
This article describes how to update packages on your Rackspace public cloud server and how to keep them updated.
Migrate away from EOL operating systems
After an operating system (OS) reaches its end-of-life (EOL) date, it is no longer
supported by the OS provider, nor does it receive security updates. For example, CentOS
5, Debian 6 (Squeeze), and Ubuntu 12 LTS have reached their EOL date. Check your OS's
home page for EOL dates, and plan to migrate to a newer OS before the EOL date.
Enable automatic updates when creating a server
When you create a new Rackspace public cloud server through the Cloud Control Panel,
you can enable automatic updates.
In the Recommended Installs section of the Create Server page, select the Operating
system security patched applied on selected images option.
Note: This option is not available for all types of cloud servers.
Enable automatic updates on existing cloud servers
If your existing Rackspace public cloud servers do not have automatic updates enabled,
you can enable them manually. See the following steps for your OS.
Windows 2008
- Connect to the server.
- From the Start menu, select Control Panel > System and Security.
- In the Windows Update section, click Turn automatic updating on or off.
- In the drop-down menu, select Install updates automatically (recommended).
- Select the check box under Recommended Updates so that the recommended updates are automatic.
- To allow all users the option to install updates on the server, select the check box
under Who can install updates.
Windows 2012
- Connect to the server.
- Click the Windows icon in the lower-left corner and select Control
Panel > System and Security. - In the Windows Update section, click Turn automatic updating on or off.
- In the drop-down menu, select Install updates automatically (recommended).
- Select the check box under Recommended Updates so that the recommended
updates are automatic. - To enable updates for other Microsoft products at the same time that Windows
updates are completed, select the check box under Microsoft Update.
Debian or Ubuntu 14.04 and 16.04
-
Connect to the server.
-
Run
sudo apt install unattended-upgrades
. -
Run
vim /etc/apt/apt.conf.d/50unattended-upgrades
to open the configuration file. -
Any line beginning with "//" will be ignored when the command is run. Delete the "//" before the
${distro\_id}:${distro\_codename}-update;
line. To do this, enter "i" on your keyboard, use the directional pad to navigate to the line. Press the del key twice to delete the "//". -
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears. -
Use
vim /etc/apt/apt.conf.d/10periodic
to set the desired recurrence time for each of the updates. Click the "i" key on your keyboard to enter "Insert" mode. Use the keys on the your keyboard to navigate to the number between quotes that you want to change. Press the del key twice to remove the number, and then enter the number of times you want the server to update each day. -
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears. -
(Optional) Set up notifications for automatic package updates (time of installation, packages installed, errors during installation) by entering
sudo apt-get install apticron
-
Enter vim /etc/apt/apt.conf.d/50unattended-upgrades to configure unattended upgrades. Scroll down to the portion that has the line
//Unattended-Upgrade::Mail "root";
and then enter the i key. Enter the del key twice to remove the // at the beginning of the line. Note that the color of the line changes. Move the cursor to the right and enter del key to deleteroot
from in between the quotes. Enter the email you want to use in between the quotes. -
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears. -
Enter vim /etc/apticron/apticron.conf and scroll to the portion that begins with "EMAIL". Click the "i" key on your keyboard, then the cursor to the right and delete the
root
located in between quotes by. Enter the email address between the same quotes that you want notifications to be sent. -
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears.
Red Hat Enterprise Linux (RHEL 6) & CentOS 6
-
Connect to your CentOS 6 or RHEL 6 server, and then run yum –y install yum-cron.
-
To view the yum-cron configuration, run vi /etc/sysconfig/yum-cron . By default, the configuration should be set to download and install the updates.
-
(Optional) Set up notifications for automatic package updates (time of installation, packages installed, errors during installation). Press the "i" key on your keyboard to enter "INSERT" mode unless still in it from earlier steps). Use the arrow keys on your keyboard to move down to the section with a "MAILTO=" field. Enter the desired email after "MAILTO=".
-
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears. -
Start the yum-cron service, run /etc/inid.d/yum-cron start.
-
To configure the server to start the yum-cron service during a reboot, run chkconfig yum-cron on
Red Hat Enterprise Linux 7 (RHEL 7) & CentOS 7
-
Connect to your CentOS 7 or RHEL 7 server, and then run yum –y install yum-cron.
-
Run vi /etc/sysconfig/yum-cron to view the configuration for yum-cron.
-
Check that
download\_updates
andapply\_updates
are set to "yes" so that automatic updates are enabled. -
(Optional) Notifications can be set up so that the output of the yum updates is emailed to inform the user what updates completed and what updates failed. Use the arrow keys on the keyboard to move down to the section titled "emitters". The
emit\_via
value should should be set tostdio
. -
Move your cursor to the "email" section.
-
Update the configuration to change the
email\_to
field to the email you want the output you to be sent. -
Click the esc key, and then enter the keys
:wq
to save the configuration. If successful, a message stating that the file was properly written appears. -
Run systemctl status yum-cron to check that the yum-cron service is already active. If the service is inactive, run
systemctl start yum-cron
. -
Make sure that the yum-cron service is set to start during a reboot systemctl list-unit-files –type=service Find the
yum-cron.service
process in the file and make sure it is set toenabled
. If the process isdisabled
run systemctl enable yum-cron. -
Run systemctl list-unit-files –type=service to find the yum-cron service again. The service should not be set to
enabled
.
Updated about 1 year ago