New Linux Kernel Zero day Exploit Vulnerability CVE-2016-0728

The PPR research team recently disclosed a 0-day local privilege escalation vulnerability in the Linux kernel, CVE-2016-0728. The bug has existed since 2012 and is caused by a reference leak in the keyrings facility: asking the kernel to join a session keyring that the process already holds takes a reference that is never released, so a local process can drive the keyring's 32-bit reference count to overflow and free the object while it is still in use.

We have already applied the mitigation on the servers of our proactive-management clients. If you don't have a proactive management plan, please contact us as soon as possible.

How to test my kernel?

You can use the following C program to test it. It creates a session keyring and joins it 100 more times; on a vulnerable kernel each extra join leaks one reference, which the usage count in /proc/keys then shows.

/* $ gcc leak.c -o leak -lkeyutils -Wall */
/* $ ./leak */
/* $ cat /proc/keys */

#include <stdio.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
    int i = 0;
    key_serial_t serial;

    /* create (or join) a named session keyring */
    serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
    if (serial < 0) {
        perror("keyctl");
        return -1;
    }

    if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) {
        perror("keyctl");
        return -1;
    }

    /* joining the keyring we already hold leaks one reference per call on a
       vulnerable kernel; after 100 rounds /proc/keys shows usage 100 */
    for (i = 0; i < 100; i++) {
        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }
    }

    return 0;
}

It produces output like the following:

@ohome:~$ gcc leak.c -o leak -lkeyutils -Wall
@ohome:~$ cat /proc/keys
@ohome:~$ ./leak
@ohome:~$ cat /proc/keys
3fa2af76 I--Q--- 100 perm 3f3f0000 1000 1000 keyring leaked-keyring: empty

The third column of the /proc/keys line is the keyring's usage count. The program has exited and holds no references, yet the count reads 100: one reference leaked per extra join. On a patched kernel the count does not grow with the number of joins.

The full exploit can be downloaded here. It has to overflow the 32-bit reference count, so it takes around 30 to 40 minutes to run; as with any local privilege escalation, time is not a constraint for the attacker.
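As an added example (not code from the page or from the advisory), the following shell functions read /proc/keys and report the usage count of a named keyring, so the result of the test program above can be checked from a script rather than by eye. SAMPLE_KEYS is constructed in the /proc/keys layout and is not captured from a real host; the key names in it are invented.

```sh
#!/bin/sh
# Constructed sample in /proc/keys layout (not captured from a real host):
# serial flags usage timeout perms uid gid type description
SAMPLE_KEYS='0a1b2c3d I--Q---     1 perm 3f3f0000     0     0 keyring   _uid.0: empty
3fa2af76 I--Q---   100 perm 3f3f0000  1000  1000 keyring   leaked-keyring: empty
1c2d3e4f I--Q---     2 perm 1f3f0000  1000  1000 user      mykey: 16'

# keyring_usage NAME [KEYS_TEXT]
# Print the usage (reference) count of the keyring called NAME, column 3 of
# /proc/keys.  Reads the live /proc/keys unless KEYS_TEXT is supplied.
# Exit status 1 when no keyring of that name is listed.
keyring_usage() {
  name=$1
  if [ $# -ge 2 ]; then printf '%s\n' "$2"; else cat /proc/keys; fi |
    awk -v want="$name:" '
      $8 == "keyring" && $9 == want { print $3; found = 1 }
      END { exit(found ? 0 : 1) }'
}

# leak_verdict USAGE JOINS
# The test program joins the keyring JOINS extra times and then exits, so it
# holds no references itself.  On a vulnerable kernel each join leaks one
# reference and the count climbs to at least JOINS; on a patched kernel the
# count does not grow with the number of joins.
leak_verdict() {
  if [ "$1" -ge "$2" ]; then echo leaked; else echo ok; fi
}

# check_live_kernel: run ./leak (compiled from leak.c above) and classify.
# Assumes the binary sits in the current directory.
check_live_kernel() {
  ./leak || return 2
  usage=$(keyring_usage leaked-keyring) || { echo "leaked-keyring not listed: ok"; return 0; }
  echo "leaked-keyring usage=$usage: $(leak_verdict "$usage" 100)"
}
```

Run check_live_kernel on the host after compiling leak.c; a verdict of "leaked" means the kernel still has the bug.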


Almost all kernel versions from 3.8 (2012) onward are affected. As a first mitigation, disable the following in sysctl.conf:


Then upgrade the kernel; your distribution probably already ships a patched package. The mitigation only buys time, the kernel update is what removes the bug.


1. PPR Research Page

How to install and configure Bind DNS Cluster in Linux

1. Introduction

DNS, short for Domain Name System (or Service or Server), is the internet service that converts domain names into IP addresses. Domain names are much easier to remember than IP addresses.

DNS is a distributed, hierarchical database: the root servers delegate to the top-level-domain registries, which delegate to the authoritative name servers of each domain. The two BIND servers configured below are the authoritative servers for one zone; the slave pulls its copy of the zone from the master by zone transfer.

2. Requirements

For master DNS Server:

OS : Centos 7
IP Address :

For slave DNS Server:

OS : Ubuntu 14.04
IP Address :

3. Setup Master DNS Server

Install the bind packages (bind-utils provides dig and nslookup for testing).

# yum install bind bind-utils -y

To configure the DNS server follow the below step.

# vi /etc/named.conf

// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {
        listen-on port 53 {;; }; ## MASTER ##
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost;; }; ## RANGE ##
        allow-transfer { localhost;; }; ## SLAVE ##
};

zone "." IN {
        type hint;
        file "";
};

zone "" IN {
        type master;
        file "";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The security-relevant lines are allow-query, which limits who may query this server, and allow-transfer, which must list only the slave: an unrestricted allow-transfer lets anyone on the internet download the whole zone with a single AXFR request. If you later widen allow-query beyond your own network, also add recursion no; to the options block so the server cannot be abused as an open resolver.

To create the zone files referenced in /etc/named.conf, follow the steps below.

Important: replace the placeholder domain with your own in both zone files. The '@' in the zone files stands for the zone origin (the domain named in named.conf) and can stay as it is.

Create forward zone file.

# vi /var/named/

$TTL 86400
@   IN  SOA (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS
@       IN  NS
@       IN  A
@       IN  A
masterdns       IN  A
secondarydns    IN  A

Create the reverse zone file. It holds only NS and PTR records; A records belong in the forward zone.

# vi /var/named/

$TTL 86400
@   IN  SOA (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS
@       IN  NS
@       IN  PTR
18     IN  PTR
19     IN  PTR

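The forward and reverse files have to agree by hand, and they drift apart whenever a host is added to one but not the other. As an added check (example code, not part of the original tutorial), the shell functions below parse a forward and a reverse zone and list every A record that has no PTR pointing back at the same name. The zone text, the example.test domain and the 192.0.2.0/24 prefix are constructed for the example and are not the page's zones.

```sh
#!/bin/sh
# Constructed forward and reverse zones (documentation names and addresses only).
FWD_ZONE='$TTL 86400
@       IN  SOA ns1.example.test. hostmaster.example.test. (
        2016011501  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400 )     ;Minimum TTL
@       IN  NS  ns1.example.test.
@       IN  NS  ns2.example.test.
ns1     IN  A   192.0.2.18
ns2     IN  A   192.0.2.19
www     IN  A   192.0.2.20'

REV_ZONE='$TTL 86400
@       IN  SOA ns1.example.test. hostmaster.example.test. (
        2016011501  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400 )     ;Minimum TTL
@       IN  NS  ns1.example.test.
@       IN  NS  ns2.example.test.
18      IN  PTR ns1.example.test.
19      IN  PTR ns2.example.test.'

# a_records ZONE_TEXT ORIGIN  ->  "fqdn ip" per A record, names made absolute
a_records() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    /^[[:space:]]*;/ || NF == 0 { next }
    $2 == "IN" && $3 == "A" {
      name = $1
      if (name == "@") name = origin "."
      else if (name !~ /\.$/) name = name "." origin "."
      print name, $4
    }'
}

# ptr_records ZONE_TEXT PREFIX  ->  "ip fqdn" per PTR record of a /24 reverse zone
ptr_records() {
  printf '%s\n' "$1" | awk -v prefix="$2" '
    /^[[:space:]]*;/ || NF == 0 { next }
    $2 == "IN" && $3 == "PTR" { print prefix "." $1, $4 }'
}

# missing_ptrs FWD REV ORIGIN PREFIX
# Print "fqdn ip" for every A record whose address has no PTR pointing back
# at exactly that name.  Exit status 1 when anything is missing, 0 otherwise.
missing_ptrs() {
  a_records "$1" "$3" | while read -r name ip; do
    if ! ptr_records "$2" "$4" | grep -qxF "$ip $name"; then
      printf '%s %s\n' "$name" "$ip"
    fi
  done | awk '{ print; n++ } END { exit(n ? 1 : 0) }'
}

# Usage on the master, with the real files:
#   missing_ptrs "$(cat /var/named/FORWARD_FILE)" "$(cat /var/named/REVERSE_FILE)" your.domain 192.168.1
```

The www host in the constructed forward zone has no PTR, so the check reports it; adding the PTR to the reverse zone makes the check pass.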
Point /etc/resolv.conf at this server by adding the following line:

# vi /etc/resolv.conf


Now start the named service

# systemctl start named
# systemctl enable named

Verify DNS configuration and zone files for any syntax errors

# named-checkconf /etc/named.conf 

# named-checkzone /var/named/

Output is as follows:

zone loaded serial 2011071001

Now we need to check the reverse zone.

# named-checkzone /var/named/

Output is as follows:

zone loaded serial 2011071001

Now you can test the DNS server with the following commands; either one is enough.

$~ dig

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57668
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;		IN	A

;; AUTHORITY SECTION:		86400	IN	SOA 2015112001 86400 7200 3600000 86400

;; Query time: 0 msec
;; WHEN: Fri Jan 15 02:23:30 IST 2016
;; MSG SIZE  rcvd: 108

The answer above is not a success: status NXDOMAIN with an empty ANSWER section means the name did not resolve. The aa flag shows the server is authoritative for the zone, so the zone loaded but has no record under that exact name (check the record names and trailing dots in the zone file). A working server returns status NOERROR, the aa flag and an A record in the ANSWER section.

Do an nslookup for the domain name:

# nslookup



4. Setup slave DNS server

Install the bind packages.

# apt-get install bind9 bind9utils bind9-doc

To configure the slave DNS server, follow the steps below.

# vi /etc/bind/named.conf

Make sure it contains the following lines. If not, add them.

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Save and quit the file.

# vi /etc/bind/named.conf.local

Add the following lines to it. The slave writes its copy of the zone to the file named here, and on Ubuntu the bind9 AppArmor profile only lets named write under /var/cache/bind and /var/lib/bind, so the file must live there rather than under /var/named. masters must list only the master's address: it is the only host this slave will accept the zone from.

zone "" {
        type slave;
        file "/var/cache/bind/";
        masters {; };
};

Add the following line in /etc/resolv.conf

# vi /etc/resolv.conf


No change of ownership or permissions on /etc/bind is needed: the slave writes its zone copy under /var/cache/bind, which the package already assigns to the bind user. Leave /etc/bind owned by root with group bind, and keep /etc/bind/rndc.key readable only by root and the bind group, since whoever can read it can control the server through rndc.

Now restart the bind service

# service bind9 restart

Add dns-nameservers (the addresses of the two name servers) to the interface stanza in /etc/network/interfaces, so that resolvconf keeps /etc/resolv.conf pointing at them after a reboot:

# vi /etc/network/interfaces

auto venet0:0
iface venet0:0 inet static
        dns-search home

Now test the slave with the following commands; either one is enough.

$~ dig masterdns.inhouse.local

; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> masterdns.inhouse.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21775
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;masterdns.inhouse.local.	IN	A

.			6364	IN	SOA 2016011401 1800 900 604800 86400

;; Query time: 0 msec
;; WHEN: Fri Jan 15 00:02:14 MSK 2016
;; MSG SIZE  rcvd: 127


$~ dig secondarydns.inhouse.local

; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> secondarydns.inhouse.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2592
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;secondarydns.inhouse.local.	IN	A

.			6600	IN	SOA 2016011401 1800 900 604800 86400

;; Query time: 0 msec
;; WHEN: Fri Jan 15 00:02:50 MSK 2016
;; MSG SIZE  rcvd: 130

The two answers above also failed, and for a different reason than on the master: the flags lack aa and the AUTHORITY section holds the root zone's SOA, so the reply came from a recursive resolver that knows nothing about the zone, not from the slave's copy. Confirm that the transfer happened (syslog shows the transfer from the master completing) and query the slave directly with dig's @server option rather than through whatever /etc/resolv.conf points at.

# nslookup
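Both dig tests on this page, on the master and on the slave, returned NXDOMAIN, and the header flags explain each failure differently. The functions below, added here as an example and not part of the original tutorial, pull the status, the answer count and the aa flag out of dig's header so a script can tell an authoritative answer from a resolver's guess. The first two sample headers are copied from the outputs above; the third (a successful lookup) is constructed.

```sh
#!/bin/sh
# Header lines copied from the master's dig output above: authoritative (aa)
# but NXDOMAIN, so the zone is loaded and the name is simply not in it.
MASTER_OUT=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57668
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# From the slave's dig output above: no aa flag, so a recursive resolver
# answered, not the slave's copy of the zone.
SLAVE_OUT=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21775
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Constructed header of a successful authoritative lookup.
GOOD_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3'

dig_status()        { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
dig_answer_count()  { printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p'; }
dig_authoritative() { printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'; }

# dig_diagnose OUTPUT -> one-word verdict
#   ok          NOERROR, aa set, at least one answer
#   no-record   this server is authoritative for the zone but lacks the name
#   not-served  answered without aa, i.e. by a resolver, not from this zone
#   error       anything else (SERVFAIL, REFUSED, ...)
dig_diagnose() {
  status=$(dig_status "$1")
  answers=$(dig_answer_count "$1")
  if dig_authoritative "$1"; then
    if [ "$status" = NOERROR ] && [ "${answers:-0}" -gt 0 ]; then echo ok
    elif [ "$status" = NXDOMAIN ]; then echo no-record
    else echo error; fi
  else
    echo not-served
  fi
}

# Live use, querying a server directly instead of the system resolver:
#   dig_diagnose "$(dig @SERVER_IP host.your.domain)"
```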


5. Finishing point

BIND includes a utility called rndc which allows command-line administration of the named daemon from the localhost or a remote host.

You can now reload named through rndc on both servers:

# rndc reload

Zimbra Server Migration and Zimbra Account Transfer – The Perfect Method

1. Introduction

The Zimbra project has no documentation for a cross-platform migration or a proper account transfer. All it tells you is to copy the folder /opt/zimbra to your new server. But if any of those files is infected with a rootkit or other malicious script, your new server will be compromised too, so never sync or copy the entire directory of your Zimbra installation. Zimbra also tells you to upgrade your production server to the latest version before migrating, but an improper upgrade may result in losing all data. With this procedure you can:

  • Migrate zimbra from one Operating System To another.
  • Migrate zimbra account between any hardware and Operating systems configurations.
  • No interruption on production server like software upgrade or service disable.
  • Migrate zimbra from old version to a new version server
  • Zimbra cross migrations without copying entire directories.

2. Requirement

You need the old server with the Zimbra accounts and a fresh new server with the OS you wish. Don't create any custom configuration or settings on the new server. Make sure the new server's hostname is the same as the old one.

  • Old server
    • Need ssh root login
    • Need zimbra admin logins
    • Enough HDD space to store backups
  • New server
    • Must be installed with latest stable zimbra
    • Need ssh root logins
    • Need zimbra admin logins
    • Enough HDD space to store backups

3. Presetup

You need to setup an ssh key from the new server’s root account to the old server’s root account.
Reduce the TTL of your domain's MX records to 500 seconds, so that you can switch the domain's IP quickly after the migration, and schedule the migration for off-peak hours.

Create a directory in both new and old server into which we store all required files and data for doing the migration

[root@zimbra ~]# mkdir /backups/zmigrate
[root@zimbra ~]# chown zimbra:zimbra /backups/zmigrate
[root@zimbra ~]# su - zimbra

All operations on your Zimbra server must be performed as the zimbra user itself, otherwise you will get permission and ownership problems. Keep the directory readable only by that user (mode 700): it will hold every mailbox and every password hash.

4. Backup all data from Old server

We are going to copy all data from old server without interrupting the services.

4.1 Find all domains

You need to find all the domains on your old server. We will store the domain list in a file called domains.txt, as follows:

zimbra@zimbra:~$ cd /backups/zmigrate
zimbra@zimbra:/backups/zmigrate$ zmprov gad > domains.txt
zimbra@zimbra:/backups/zmigrate$ cat domains.txt

Now remove from this list (domains.txt) the domain and subdomains that match the main hostname of your server, because that domain was already created on your new server during installation and there is no need to create it again.

4.2 Find all admin accounts

Most servers have only one admin, but some have several, so it is good to find all admin accounts. We will store the admin list in admins.txt:

zimbra@zimbra:/backups/zmigrate$ zmprov gaaa > admins.txt
zimbra@zimbra:/backups/zmigrate$ cat admins.txt

4.3 Find all email accounts

The next step is to find all the email accounts hosted on your old server. Save the list in the file emails.txt; it tells you how many accounts need to be migrated.

zimbra@zimbra:/backups/zmigrate$ zmprov -l gaa >emails.txt
zimbra@zimbra:/backups/zmigrate$ cat emails.txt

Remove from /backups/zmigrate/emails.txt the accounts whose names start with spam, virus, ham or galsync: these are Zimbra's internal quarantine and GAL-sync accounts and do not need to be restored (you can still migrate them if you want to).

4.4 Get all distribution lists

Get all the distribution lists and store them in a file called distributinlist.txt:

zimbra@zimbra:~$ zmprov gadl > /backups/zmigrate/distributinlist.txt
zimbra@zimbra:~$ cat /backups/zmigrate/distributinlist.txt

4.5 Get all members in distribution lists

In this step we collect the members of each of these distribution lists. We create a folder called distributinlist_members and, for each list, a file named after it that holds the list's members.

zimbra@zimbra:~$ mkdir /backups/zmigrate/distributinlist_members
zimbra@zimbra:~$ for i in `cat /backups/zmigrate/distributinlist.txt`; do zmprov gdlm $i > /backups/zmigrate/distributinlist_members/$i.txt ;echo "$i"; done

4.6 Find all email account’s passwords

Now extract the stored password hash (the userPassword attribute) of every old account into a folder named userpass/ as follows. The hashes are restored unchanged on the new server, so users keep their passwords without anyone ever seeing them in clear text.

zimbra@zimbra:/backups/zmigrate$ mkdir userpass
zimbra@zimbra:/backups/zmigrate$ for i in `cat emails.txt`; do zmprov  -l ga $i userPassword | grep userPassword: | awk '{ print $2}' > userpass/$i.shadow; done

4.7 Backup all user names , Display names and Given Names

Zimbra stores a given name and a display name for each email account at creation time, so we need to restore those too. We create a directory called userdata/ containing these details for each account.

zimbra@zimbra:/backups/zmigrate$ mkdir userdata
zimbra@zimbra:/backups/zmigrate$ for i in `cat emails.txt`; do zmprov ga $i  | grep -i Name: > userdata/$i.txt ; done

4.8 Now backup all email account

Backing up all mailboxes takes some time, so run this command inside a "screen" session. One tgz file per account is created, named after the account; these files are what we transfer to the new server.

zimbra@zimbra:/backups/zmigrate$ for email in `cat emails.txt`; do zmmailbox -z -m $email getRestURL '/?fmt=tgz' > $email.tgz; echo $email; done

This tgz files contains

  • Mail
  • Contacts
  • Calendars
  • Briefcase
  • Tasks
  • Searches
  • Tags
  • Folders

All subfolders are included, except Junk and Trash. There is no way to include these in the single dump, but they can be exported separately.

4.9 Now backup alias

Your server may have email aliases for certain accounts, so you need to copy those aliases too. We create a subfolder called alias/ for the alias backup.

zimbra@zimbra:/backups/zmigrate$ mkdir -p alias/
zimbra@zimbra:/backups/zmigrate$ for i in `cat emails.txt`; do zmprov ga  $i | grep zimbraMailAlias |awk '{print $2}' > alias/$i.txt ;echo $i ;done

Accounts without an alias produce an empty file. Remove the empty files as follows:

zimbra@zimbra:/backups/zmigrate$ find alias/ -type f -empty -delete
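Two steps above are done by hand: removing the spam/ham/virus/galsync system accounts from emails.txt, and trusting that every getRestURL export produced a real archive. Added here as an example (not a script from the page or from Zimbra), the functions below do both: filter_system_accounts drops the system accounts, and verify_mailbox_backups flags every account whose .tgz is missing, empty or not a gzip stream, which is what a failed or interrupted export leaves behind (an empty file, or an HTML error page redirected into the .tgz). The account names in the usage comment are constructed.

```sh
#!/bin/sh
# filter_system_accounts LISTFILE
# Print the accounts from LISTFILE minus Zimbra's internal spam/ham/virus
# quarantine and galsync accounts, which need not be migrated.
filter_system_accounts() {
  grep -Ev '^(spam|ham|virus|galsync)[.@-]' "$1"
}

# is_gzip_file PATH
# True when PATH is non-empty and starts with the gzip magic bytes 1f 8b.
# A failed REST export leaves an empty file or an HTML error page instead.
is_gzip_file() {
  [ -s "$1" ] || return 1
  [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# verify_mailbox_backups DIR LISTFILE
# For each account in LISTFILE, check DIR/<account>.tgz.  Prints
# "<account>: missing|empty|not-gzip" for each problem; exit 1 if any.
verify_mailbox_backups() {
  dir=$1
  bad=0
  while read -r acct; do
    [ -n "$acct" ] || continue
    f="$dir/$acct.tgz"
    if [ ! -e "$f" ]; then
      printf '%s: missing\n' "$acct"; bad=1
    elif [ ! -s "$f" ]; then
      printf '%s: empty\n' "$acct"; bad=1
    elif ! is_gzip_file "$f"; then
      printf '%s: not-gzip\n' "$acct"; bad=1
    fi
  done < "$2"
  return "$bad"
}

# Typical use on the old server, as the zimbra user, after section 4.8:
#   cd /backups/zmigrate
#   filter_system_accounts emails.txt > emails.clean.txt
#   verify_mailbox_backups . emails.clean.txt || echo "re-export the accounts listed above"
```

Re-run the getRestURL export for any account the check lists before rsyncing; an empty archive restores silently as an empty mailbox on the new server.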

4.10 Rsync folder to new server

Now we have all the data required for the migration. As a summary:

  • /backups/zmigrate – Have all the backups stored
  • /backups/zmigrate/domains.txt – Contains the domains names
  • /backups/zmigrate/emails.txt – Contains the list of email accounts
  • /backups/zmigrate/distributinlist.txt – Contains the distribution lists
  • /backups/zmigrate/distributinlist_members – Contains the members in each of your distributions
  • /backups/zmigrate/userpass – Contains the encrypted password of your email accounts
  • /backups/zmigrate/userdata – containts the email accounts user informations
  • /backups/zmigrate/alias – Contains all the aliases of your email accounts

The parent folder /backups/zmigrate also holds one tgz archive per mailbox containing the mail data.

Now rsync the files as follows. The dump holds every mailbox and every password hash, so keep /backups/zmigrate mode 700 on both hosts and delete it from both once the migration has been verified:

root@newserver # rsync -avp -e 'ssh -p 22' root@old-server-ip:/backups/zmigrate /backups/

5. Restore in new server

After the rsync has finished, restore the data on the new server as follows.

All these operations must be carried out as the zimbra user itself. Don't use the root account to restore the backups.

[root@zimbra ~]# su - zimbra

5.1 Restore all domains

Now create all the domains listed in /backups/zmigrate/domains.txt:

[zimbra@zimbra zmigrate]$ for i in `cat /backups/zmigrate/domains.txt `; do  zmprov cd $i zimbraAuthMech zimbra ;echo $i ;done

You can also verify the created domains from the Zimbra admin panel.

5.2 Create email accounts and set the old password

We need to create the email accounts before restoring the mails, and set the old passwords. We already collected the account details and password hashes.

The following script creates each account with a throw-away password and immediately replaces it with the stored hash. The throw-away password exists only between the two zmprov calls, and the new server is not yet in DNS, but do not expose it to the internet until this step has run.

#!/bin/bash
# Script for creating the email accounts and restoring their password hashes
USERS=/backups/zmigrate/emails.txt
USERDATA=/backups/zmigrate/userdata
USERPASS=/backups/zmigrate/userpass

for i in `cat $USERS`
do
    givenName=$(grep givenName: $USERDATA/$i.txt | cut -d ":" -f2)
    displayName=$(grep displayName: $USERDATA/$i.txt | cut -d ":" -f2)
    shadowpass=$(cat $USERPASS/$i.shadow)
    # create the account with a placeholder password ...
    zmprov ca $i CHANGEme cn "$givenName" displayName "$displayName" givenName "$givenName"
    # ... and overwrite it at once with the old server's password hash
    zmprov ma $i userPassword "$shadowpass"
done

5.3 Restore email accounts

Now we restore the mailboxes from the tgz archives. This may take some hours, so run it inside a "screen" session.

[zimbra@zimbra zmigrate]$ for i in `cat /backups/zmigrate/emails.txt`; do zmmailbox -z -m $i postRestURL "/?fmt=tgz&resolve=skip" /backups/zmigrate/$i.tgz; echo "$i -- finished"; done

5.4 Now recreate the distribution lists

It is time to recreate all the distribution lists, as follows.

[zimbra@zimbra zmigrate]$ for i in `cat distributinlist.txt`; do zmprov cdl $i ; echo "$i -- done " ; done
2a852fd8-6e66-426e-a76d-15192536042a -- done 

5.5 Restore the distribution lists

After creating the distribution lists we need to add the members. The member lists are in the folder distributinlist_members/ and the list of lists is in distributinlist.txt. Use the following small script:

[zimbra@zimbra zmigrate]$ cat 
#!/bin/bash
# add all members to each of these distribution lists
for i in `cat distributinlist.txt`
do
    for j in `grep -v '#' distributinlist_members/$i.txt | grep '@'`
    do
        zmprov adlm $i $j
        echo " $j member has been added to list $i"
    done
done


5.6 Restore Alias accounts

Use the following script to restore the aliases. It adds all the aliases back to your email accounts.

#!/bin/bash
for i in `cat /backups/zmigrate/emails.txt`
do
    if [ -f "/backups/zmigrate/alias/$i.txt" ]; then
        for j in `grep '@' /backups/zmigrate/alias/$i.txt`
        do
            zmprov aaa $i $j
            echo "$i HAS ALIAS $j --- Restored"
        done
    fi
done

6. Conclusion

Now all the email accounts are migrated and it is time for the DNS change: shut down the old Zimbra services and change the DNS records, then send some test emails and make sure everything works. Next, secure the new Zimbra server: install SSL certificates and a firewall. You now have a new server with fresh packages and files, and the same old email accounts and data.

7. References

Zimbra Server Migration

How to install Malware Detect ( maldetect or LMD ) in Debian 8

1. Introduction

Malware is malicious software that damages a system; to avoid such threats, the administrator must be aware of the changes being made on the server.
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license. It is an effective tool for finding infected files and removing the threats.

2. Download the latest LMD archive

Change to /usr/local/src and download the latest LMD archive there.

# wget

3. Extract the downloaded file.

# tar -zxvf maldetect-current.tar.gz

Change present directory location to extracted directory

# cd maldetect-1.5

4. Run Installation Script

Install LMD by running the installation script; this is the easiest way to do the installation.

# ./

5. Edit configuration file

Open the LMD main configuration file with the vi editor and edit the following parameters.

#  vi /usr/local/maldetect/conf.maldet

Make sure the below value is enabled


To get mail alerts, make it to 1 else 0


The email id , in which you want to get alerts


Set default quarantine action for malware hits


To clean the detected malware


The default suspend action for users wih hits


The minimum userid value that can be suspended


6. Start scanning the system

Run the following command to scan the system with LMD: maldet -a followed by the directory you want to scan. -a scans every file under the path; -m, by contrast, starts the inotify monitor rather than a scan. The output below is from a scan of /.

# maldet -a /
Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks 
            (C) 2015, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(29347): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(29347): {scan} building file list for /, this might take awhile...
maldet(29347): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(29347): {scan} file list completed in 0s, found 3070 files...
maldet(29347): {scan} scan of / (3070 files) in progress...
maldet(29347): {scan} 3070/3070 files scanned: 0 hits 0 cleaned
maldet(29347): {scan} scan completed on /: files 3070, malware hits 0, cleaned hits 0, time 96s
maldet(29347): {scan} scan report saved, to view run: maldet --report 160111-0858.29347

7. To Print the result

Print the scan report; the scan ID is shown at the end of the scan output.

# maldet --report 160111-0858.29347

HOST:      amal-debian8
SCAN ID:   160111-0858.29347
STARTED:   Jan 11 2016 08:58:50 +0300
COMPLETED: Jan 11 2016 09:00:26 +0300
ELAPSED:   96s [find: 0s]

PATH:          /

Linux Malware Detect v1.5 < >

8. Update virus Signature and LMD

Run the following commands to update the virus signatures and the LMD version.

Update virus signatures to latest

# maldet -u

This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8348): {sigup} performing signature update check...
maldet(8348): {sigup} local signature set is version 2015121610247
maldet(8348): {sigup} latest signature set already installed

Update LMD to latest

# maldet -d

Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks 
            (C) 2015, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8237): {update} checking for available updates...
maldet(8237): {update} hashing install files and checking against server...
maldet(8237): {update} latest version already installed.

9. Remove infected files

Use the following command to clean the files found by a scan. The scan ID of the scan above was 160111-0858.29347; yours will be different and is shown in your scan output. -n attempts to clean the hits of that scan; -q quarantines them instead (moves them aside without modifying them), which is preferable when you want to keep the files for analysis.

# maldet -n 

How to install and configure Foreman on CentOS 7 or RHEL 7

1. Introduction

Foreman is an open source tool that can help with the management of servers, by providing an easy way to interact with Puppet (or Chef) to automate tasks and application deployment. Foreman provides a robust web user interface, API, and CLI which can be used to provision, configure, and monitor your servers. It is suitable for infrastructures of all sizes, and works with most distributions of Linux.

In this tutorial, we will show you how to install Foreman with Puppet, and start using it to manage your servers. We will use Foreman for its reporting and External Node Classifier (ENC) capabilities, to ease the management of Puppet.

2. Features

  • Discover, provision and upgrade your entire bare-metal infrastructure
  • Create and manage instances across private and public clouds
  • Group your hosts and manage them in bulk, regardless of location
  • Review historical changes for auditing or troubleshooting
  • Extend as needed via a robust plugin architecture
  • Automatically build images (on each platform) per system definition to optimize deployment

3. Operating System

This article is based on RHEL 7 / CentOS 7 .

4. Prerequisites

Before installing Foreman, make sure the server's hostname and its DNS entry are set up properly. Add a line for the server to /etc/hosts as follows (this is an example):  sapin-centos7

Also update the hostname file too inside /etc/hostname

5. Install Foreman on CentOS 7 / RHEL 7

Foreman can be installed in different methods. The recommended way is with the puppet based Foreman Installer but you may also use your distribution’s package manager or install directly from source.

The Foreman installer is a collection of Puppet modules that installs everything required for a full working Foreman setup. It uses native OS packaging (e.g. RPM and .deb packages) and adds necessary configuration for the complete installation.

The Foreman installer will install the necessary components such as the Foreman web UI, Smart Proxy, Passenger (for the puppet master and Foreman itself), and optionally TFTP, DNS and DHCP servers.

5.1. Configure EPEL, Puppet and Foreman repositories

Run the commands below to enable the EPEL, Puppet and Foreman repositories.

# rpm -ivh
#rpm -ivh
#rpm -ivh

On RHEL 7, also enable the Optional and RHSCL repositories:

# yum-config-manager --enable rhel-7-server-optional-rpms rhel-server-rhscl-7-rpms

5.2. Download Foreman installer

Run the following command to install the Foreman installer package.

# yum -y install foreman-installer

5.3. Start installation of foreman

# foreman-installer

Once the installation completes you will see output like the one below, containing the initial username and password for Foreman.

Installing             Done                                               [100%] [......................................................................................]
  * Foreman is running at
      Initial credentials are admin / KMq5Eoo8KHVtQPeh
  * Foreman Proxy is running at
  * Puppetmaster is running at port 8140
  The full log is at /var/log/foreman-installer/foreman-installer.log

Note down the initial username and password; you need them to log in to Foreman's dashboard. The installer prints the password in clear text, so change it at first login.

Username :: admin
Password :: testpas

5.4. Configure Foreman (Optional)

If your Foreman host is not visible in Hosts –> All Hosts tab, you should run below command which will send the first Puppet report to Foreman, automatically creating the host in Foreman’s database.

# puppet agent --test

You will get output like the following:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for
Info: Applying configuration version '1452312143'
Notice: Finished catalog run in 0.08 seconds

Puppet 3+ will show a warning the first time that the node can’t be found, this can be ignored.

6. Access Foreman Web Console

You can access the Foreman via web browser https://your-ip-address or https://FQDN

You should get login page, enter your Foreman credentials.


To list the available hosts, go to Hosts –> All Hosts in the menu. Since we have no Puppet clients yet, the All Hosts tab only lists your Foreman host, with an “O” status: this indicates its status is OK, with no changes made on the last Puppet run. If your Foreman host is not shown here, see the section on configuring Foreman above.

7. Download and Install NTP module

One of the more important requirements of Puppet is accurate time-keeping; to handle this we install the Puppet NTP module to manage the NTP service.

With Puppet 2.7.14 or higher, the module can be installed from Puppet Forge straight into the “production” environment (the default).

Use following command to install NTP module on Foreman (Puppet master) host.

# puppet module install -i /etc/puppet/environments/production/modules saz/ntp

You will get output like the following:

Notice: Preparing to install into /etc/puppet/environments/production/modules ...
Notice: Downloading from ...
Notice: Installing -- do not interrupt ...
└── saz-ntp (v2.3.2)

In Foreman’s web console, go to Configure > Puppet Classes and click Import from (your puppet master's hostname) to read the available Puppet classes from the puppet master and populate Foreman’s database.

Select the NTP module and click the update button.


After clicking the update button, you will see something like below. The “ntp” class will appear in the Puppet class list if installed correctly. Click on First NTP class on the left.


Now, Click the Smart Class Parameter and then select server list on the left side. Tick the Override checkbox so Foreman manages the “server list” parameter of the class, then click Submit.


Go to Hosts –> All Hosts, edit the Foreman host.


Go to Puppet Classes tab and expand the ntp module and click the + icon to add the ntp class to the host, then click submit.

This time, it will take you automatically to the host details page. Click on YAML, it will show the ntp class and the server list parameter, as passed to Puppet via the ENC (external node classifier) interface.



At last, run the following command on the Foreman host to see the NTP service automatically reconfigured by Puppet and the NTP module.

# puppet agent --test

Verify the installation of NTP module by going to Hosts –> All Hosts –> Select Foreman Host –> Reports –> Select latest report.


8. Conclusion


We have successfully configured Foreman and now it is ready to accept agents / nodes. It’s time to add some new hosts to Foreman.

9. Reference.

How to install Nginx as Reverse Proxy in front of Apache on Ubuntu 15.10

1.0 Introduction

Nginx or “engine-x” is a high-performance web server with low memory usage, created by Igor Sysoev in 2002. Nginx is not just a web server, it can be used as a reverse proxy for many protocols like HTTP, HTTPS, POP3, SMTP, and IMAP and as a load balancer and HTTP cache as well.

In this tutorial I will install and configure Nginx as a caching reverse proxy in front of an Apache web server on Ubuntu 15.10: Nginx is the front end and Apache the back end. Nginx listens on port 80 and answers requests from users' browsers; PHP requests are forwarded to Apache, which listens on port 8080 on the same host.

2.0 Install Apache and PHP

Log in to your Ubuntu server as root.

Before installing packages, update the apt cache with "apt-get":

#apt-get update

Then install apache with the apt-get command.

# apt-get install apache2

Once Apache is installed, install PHP:

# apt-get install php5 php5-mysql libapache2-mod-php5

3.0 Configure Apache and PHP

By default Apache listens on port 80. For our proxy setup Apache has to run on port 8080, because port 80 will be used by Nginx later. We edit the Apache configuration file “/etc/apache2/ports.conf” and then the virtual host configuration in the “/etc/apache2/sites-available/” directory.

First change Apache's port to 8080 by editing “ports.conf” with the vim editor.

#vim /etc/apache2/ports.conf

On line 5, change "Listen 80" to the following. Binding to 127.0.0.1 rather than to all interfaces matters: Apache must only be reachable through Nginx, otherwise a client can skip the proxy (and its caching, header handling and rpaf trust settings) by connecting to port 8080 directly.

Listen 127.0.0.1:8080

Now go to the virtual host directory and edit the file “000-default.conf”.

   #cd /etc/apache2/sites-available/
   #vim 000-default.conf

Make sure your configuration looks like the one below (the virtual host must match the new port):

<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Test the configuration and restart apache

  #apachectl configtest
  #systemctl restart apache2

Create a new file named “info.php” in the directory “/var/www/html/” with the following content:

  #cd /var/www/html/
  #echo "<?php phpinfo(); ?>" > info.php

Open info.php on port 8080 in a browser to confirm PHP works, and delete the file afterwards: phpinfo() discloses paths, versions and module configuration to anyone who can reach it.


4.0 Install Nginx

Install Nginx with the following apt-get command

#apt-get install nginx

5.0 Configure Nginx

Once Nginx is installed, configure it to act as a reverse proxy for the Apache web server that is running on port 8080.
Go to the Nginx configuration directory and edit the file “nginx.conf”.

  #cd /etc/nginx/
  #vim nginx.conf

Enable gzip compression in Nginx by uncommenting the gzip lines.

        # Gzip Settings
       gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

The most important ones are:

  • gzip on : turns gzip compression on.
  • gzip_types : the list of MIME types for which compression is enabled.
  • gzip_proxied any : enables compression for proxied requests.

Right under the gzip settings, add the proxy cache settings. Use a dedicated directory such as /var/cache/nginx rather than /var/cache itself, so that nginx's cache manager only ever touches its own files:

 # Proxy Cache Settings
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=reverse_cache:60m inactive=90m max_size=1000m;

Now we configure a virtual host in the directory “/etc/nginx/sites-available”.

Create a new virtual host configuration file named “reverse.conf”.

   #cd /etc/nginx/sites-available
   #vim reverse.conf

Paste the configuration below:

   server {
    listen 80;

    # Site Directory same as in the apache virtualhost configuration
    root /var/www/html;
    index index.php index.html index.htm;

    # Domain

    location / {
        try_files $uri $uri/ /index.php;
    }

    # Reverse Proxy and Proxy Cache Configuration
    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        # Hand PHP requests to the Apache instance from section 3, listening on port 8080
        proxy_pass http://127.0.0.1:8080;

        # Cache configuration
        proxy_cache reverse_cache;
        proxy_cache_valid 3s;
        proxy_no_cache $cookie_PHPSESSID;
        proxy_cache_bypass $cookie_PHPSESSID;
        proxy_cache_key "$scheme$host$request_uri";
        add_header X-Cache $upstream_cache_status;
    }

    # Cache these static file types for 30 days
    location ~* \.(jpg|png|gif|jpeg|css|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
        proxy_cache_valid 200 120m;
        expires 30d;
        proxy_cache reverse_cache;
        access_log off;
    }

    # Disable caching for html, json and similar file types
    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
        expires -1;
    }

    location ~ /\.ht {
        deny all;
    }
   }
Back up the “default” configuration file in the “/etc/nginx/sites-available” directory.

  #mv default default.bak

Then activate the new virtualhost configuration.

#ln -s /etc/nginx/sites-available/reverse.conf /etc/nginx/sites-enabled/

Test the nginx configuration and restart nginx.

  #nginx -t
  #systemctl restart nginx
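With nginx restarted, both servers are up: nginx on port 80 and Apache on port 8080. Because “Listen 8080” in ports.conf binds every interface, a client can still reach Apache directly and skip the nginx cache (and, later, the rpaf logging path). The following check script is an added example, not part of this tutorial; it parses “ss -ltn” output and reports listeners on a port that are bound to a wildcard or non-loopback address. The sample ss output embedded in it is constructed for the offline demonstration; on a real server the script runs ss itself.

```sh
#!/bin/sh
# Added check, not part of the tutorial: once nginx fronts Apache, make sure
# Apache's port 8080 is reachable only on loopback. "Listen 8080" in ports.conf
# binds every interface, so without a firewall rule clients can bypass nginx
# (and its cache and logging) by connecting to port 8080 directly.

# Constructed "ss -ltn" output used for the offline demonstration; the real
# check at the bottom runs ss when it is available.
SAMPLE_SS=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
EOF
)

# exposed_listeners <port>: read "ss -ltn" output on stdin and print every
# listening socket on <port> whose bind address is not loopback (wildcards
# such as 0.0.0.0, *, :: and [::] count as exposed). Exit 0 when nothing on
# that port is exposed, 1 otherwise.
exposed_listeners() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        addr = $4                          # "Local Address:Port" column
        p = addr; sub(/.*:/, "", p)        # port follows the last colon, also for [::]:8080 and :::8080
        host = substr(addr, 1, length(addr) - length(p) - 1)
        if (p != port) next
        if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
        print addr
        found = 1
    }
    END { exit found ? 1 : 0 }'
}

# Stand-alone run: live check when ss exists, otherwise the constructed sample.
if command -v ss >/dev/null 2>&1; then
    if ss -ltn | exposed_listeners 8080; then
        echo "no non-loopback listener on port 8080"
    else
        echo "port 8080 is exposed on the addresses above: firewall it or bind Apache with 'Listen 127.0.0.1:8080'"
    fi
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8080 ||
        echo "(sample data) port 8080 is exposed on the addresses above"
fi
```

Port 80 is expected to be exposed, since that is nginx; only the backend port matters here. If the script reports 8080, either add a firewall rule for it or change ports.conf to bind Apache to 127.0.0.1 only (the proxy_pass target in reverse.conf is 127.0.0.1:8080, so nginx keeps working).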

6.0 Configure Logging

In this step, I will configure Apache to log the visitor's real IP address instead of the proxy's local IP. Install the Apache module “libapache2-mod-rpaf” and edit the module configuration file.

   #apt-get install libapache2-mod-rpaf
   #cd /etc/apache2/mods-available/
   #vim rpaf.conf

On line 10, add the server's IP address (the address nginx connects from) to the RPAFproxy_ips list.

  RPAFproxy_ips ::1

Restart apache

   #systemctl restart apache2

Test rpaf by viewing the apache access log with the tail command

#tail -f /var/log/apache2/access.log
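mod_rpaf only rewrites the client address for requests that arrive from an address listed in RPAFproxy_ips, which is why only nginx's own address belongs there; the reverse.conf above sets X-Forwarded-For from $remote_addr, so a value supplied by the visitor is never passed through. Rather than watching tail output, the script below checks the access log for lines still attributed to the proxy. It is an added example, not part of this tutorial; the combined-format log lines in it are constructed, and on a real server you would point rpaf_status at /var/log/apache2/access.log.

```sh
#!/bin/sh
# Added check, not part of the tutorial: verify from the access log that rpaf
# is rewriting the client address. With nginx in front and rpaf inactive,
# the first field of every combined-format line is the proxy's own address
# (127.0.0.1 or ::1) instead of the visitor's.

# Constructed combined-format log lines for the offline demonstration.
SAMPLE_LOG=$(cat <<'EOF'
127.0.0.1 - - [18/Jan/2016:10:00:01 +0000] "GET /info.php HTTP/1.0" 200 512 "-" "curl/7.29.0"
::1 - - [18/Jan/2016:10:00:02 +0000] "GET /index.php HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2016:10:00:03 +0000] "GET /index.php HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2016:10:00:04 +0000] "POST /login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
EOF
)

# proxy_logged_count [proxy_ip ...]: read an access log on stdin and print how
# many lines carry one of the proxy addresses (default 127.0.0.1 and ::1) in
# the client field.
proxy_logged_count() {
    awk -v proxies="${*:-127.0.0.1 ::1}" '
    BEGIN { n = split(proxies, p, " "); for (i = 1; i <= n; i++) isproxy[p[i]] = 1 }
    ($1 in isproxy) { c++ }
    END { print c + 0 }'
}

# top_clients: read an access log on stdin, print "count address" per client,
# busiest first. Only meaningful once the log shows real visitor addresses.
top_clients() {
    awk '{ seen[$1]++ } END { for (ip in seen) print seen[ip], ip }' | sort -rn
}

# rpaf_status <access_log> [proxy_ip ...]: exit 0 when no request was logged
# with a proxy address, 1 when rpaf is (still) not translating.
rpaf_status() {
    log=$1; shift
    bad=$(proxy_logged_count "$@" < "$log")
    total=$(wc -l < "$log" | tr -d ' ')
    echo "$bad of $total requests logged with the proxy's own address"
    [ "$bad" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
rpaf_status "$tmp" ||
    echo "rpaf is not active: check that the module is enabled and that RPAFproxy_ips lists nginx's source address"
top_clients < "$tmp"
rm -f "$tmp"
```

Pass extra proxy addresses as arguments to rpaf_status when nginx runs on another host; the defaults match a proxy on the same machine, as in this tutorial.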

How to upgrade OpenSSL on Centos 7 or RHEL 7

1. Introduction

OpenSSL is a library that provides cryptographic functionality, specifically SSL/TLS, for popular applications such as secure web servers, MySQL databases and email applications. The openssl utility's list parameters standard-commands, digest-commands and cipher-commands output a list (one entry per line) of the names of all standard commands, message digest commands or cipher commands, respectively, that are available in the installed openssl binary.

2. Requirements

You need RHEL 7 or CentOS 7 on your dedicated or VPS server. Make sure a hostname is set for the server and that its DNS record points to the server's IP address.

3. Installation

Get the current version with the “openssl version” and “yum info openssl” commands:

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

You can also check the version available in the vendor's repository:

# yum info openssl

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Installed Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 51.el7_2.1
Size        : 1.5 M
Repo        : installed
From repo   : updates
Summary     : Utilities from the general purpose cryptography library with TLS
            : implementation
URL         :
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 51.el7_2.2
Size        : 711 k
Repo        : updates/7/x86_64
Summary     : Utilities from the general purpose cryptography library with TLS
            : implementation
URL         :
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

To download the latest version of OpenSSL, do as follows:

# cd /usr/local/src
# wget
# tar -zxf openssl-1.0.2-latest.tar.gz

To manually compile OpenSSL and install/upgrade OpenSSL, do as follows:

# cd openssl-1.0.2a
# ./config
# make
# make test
# make install

If “openssl version” still shows the old version after the install, move the original binary out of the way (it is kept in /root as a backup) and symlink the newly built one into /usr/bin:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Now verify the OpenSSL version.

# openssl version
OpenSSL 1.0.2e 3 Dec 2015

Note: Compiling a new OpenSSL major version may cause issues with other system binaries, which keep using the system libssl/libcrypto they were linked against. Take the necessary precautions to avoid breaking them.
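Two checks follow naturally from the install steps and the note above: whether the release reported by “openssl version” is older than a required one, and which openssl binary and libraries are actually in use after the mv/ln -s step. The script below is an added example, not part of this tutorial. It compares version strings of the 1.0.x form used on this page (1.0.1e, 1.0.2a, 1.0.2e), ignoring suffixes such as “-fips”; the MIN_OPENSSL default of 1.0.2e is simply the version the tutorial ends with and is an assumption you should adjust.

```sh
#!/bin/sh
# Added helper, not part of the tutorial: decide from "openssl version" output
# whether the installed release is older than a required one, and show which
# openssl binary and libraries are actually in use. Version strings follow the
# 1.0.x scheme used on this page (1.0.1e, 1.0.2a, 1.0.2e); "-fips" style
# suffixes are ignored for the comparison.

MIN_OPENSSL=${MIN_OPENSSL:-1.0.2e}   # assumed minimum: the version the tutorial ends up with

# openssl_vercmp <a> <b>: print -1, 0 or 1 as <a> is older than, equal to,
# or newer than <b>. Numeric fields are compared first, then the letter suffix.
openssl_vercmp() {
    awk -v a="$1" -v b="$2" '
    function parse(v, parts,    n) {
        sub(/-.*$/, "", v)                          # drop "-fips" and similar
        match(v, /^[0-9]+(\.[0-9]+)*/)
        n = split(substr(v, 1, RLENGTH), parts, ".")
        parts["suffix"] = substr(v, RLENGTH + 1)    # "" for 1.0.2, "e" for 1.0.2e
        return n
    }
    BEGIN {
        na = parse(a, pa); nb = parse(b, pb)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        if (pa["suffix"] < pb["suffix"]) { print "-1"; exit }
        if (pa["suffix"] > pb["suffix"]) { print "1"; exit }
        print "0"
    }'
}

# needs_upgrade "<output of openssl version>" <minimum>: exit 0 when the
# reported release is older than <minimum>.
needs_upgrade() {
    installed=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ "$(openssl_vercmp "$installed" "$2")" = "-1" ]
}

# Runtime diagnostic. The tutorial's mv/ln -s step replaces only the CLI:
# services (httpd, nginx, sshd, MySQL) still load the libssl/libcrypto they
# were linked against, which is what the closing note warns about. Run ldd
# on each service binary the same way to see which libraries it uses.
if command -v openssl >/dev/null 2>&1; then
    bin=$(command -v openssl)
    reported=$(openssl version)
    echo "openssl on PATH: $bin ($reported)"
    if needs_upgrade "$reported" "$MIN_OPENSSL"; then
        echo "older than $MIN_OPENSSL: upgrade needed"
    else
        echo "meets $MIN_OPENSSL"
    fi
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null | grep -E 'libssl|libcrypto' ||
            echo "(no dynamic libssl/libcrypto listed: statically linked or ldd unsupported)"
    fi
fi
```

The ldd output is the useful part after following this tutorial: if /usr/bin/openssl reports 1.0.2e but ldd on httpd still lists /lib64/libssl.so.10, the web server is still running the vendor's 1.0.1e library and only the command-line tool was upgraded.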